Analysis
max time kernel: 149s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 18/09/2024, 02:29
Static task: static1
Behavioral task: behavioral1
  Sample: e82734e688f7acf18b0fcbd21ebae5f0_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: e82734e688f7acf18b0fcbd21ebae5f0_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: e82734e688f7acf18b0fcbd21ebae5f0_JaffaCakes118.exe
Size: 169KB
MD5: e82734e688f7acf18b0fcbd21ebae5f0
SHA1: 2574b4d35f9cd038f19c1f82272d24f011436681
SHA256: 389ef436a20233d214ae7429a3a6917e4925dd40a01a23a26dfa33cc0bdbba95
SHA512: 06392761978bbb0bb84d47f38368a53490d2c1ee4a293a85c77c4101f3346e9d6d9b74285dd3b1c5cffe6c6d60b56badb7faa5028c9bc87db3d4c473dfe9b9e5
SSDEEP: 3072:gGEEhq67tQXpmp6EEhX114wcNQivA0eGEsHJP91VCACFk+hV59U3ZcyiqMh8:gGAktQ5VX1CNqiVeGEy9nCfFk+hV+cyx
Malware Config
Extracted: metasploit (encoder/call4_dword_xor)
Signatures
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Checks computer location settings 2 TTPs 19 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
- Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | wmptfx.exe (18 entries)
- Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | e82734e688f7acf18b0fcbd21ebae5f0_JaffaCakes118.exe (1 entry)
Deletes itself 1 IoCs
pid | Process
- 4900 | wmptfx.exe
Executes dropped EXE 37 IoCs
pid | Process
All 37 entries are wmptfx.exe, with PIDs 4292, 4900, 4992, 3592, 3576, 2408, 3736, 5040, 2296, 3428, 2892, 2420, 4364, 4836, 4948, 1344, 2952, 5080, 4212, 4476, 3004, 976, 2292, 548, 3588, 1912, 4332, 5064, 3080, 5020, 4620, 4408, 3032, 400, 2964, 4948, 2004.
resource | yara_rule
All 45 memory dumps below match rule upx; each dump covers 0x0000000000400000-0x000000000046C000 and is named behavioral2/memory/<pid>-<n>-0x0000000000400000-0x000000000046C000-memory.dmp.
- PID 3284: 3284-1, 3284-0, 3284-2, 3284-6, 3284-9, 3284-8, 3284-7, 3284-43
- PID 4900: 4900-53, 4900-51, 4900-55, 4900-54, 4900-56, 4900-58
- PID 3592: 3592-65, 3592-68, 3592-67, 3592-66, 3592-71
- PID 2408: 2408-80, 2408-82, 2408-79, 2408-81, 2408-84
- PID 5040: 5040-93, 5040-99
- PID 3428: 3428-107, 3428-112
- PID 2420: 2420-126
- PID 4836: 4836-140
- PID 1344: 1344-147, 1344-154
- PID 5080: 5080-161, 5080-168
- PID 4476: 4476-182
- PID 976: 976-195
- PID 548: 548-209
- PID 1912: 1912-216, 1912-223
- PID 5064: 5064-230, 5064-237
- PID 5020: 5020-251
- PID 4408: 4408-264
- PID 400: 400-273
- PID 4948: 4948-286
Maps connected drives based on registry 3 TTPs 38 IoCs
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmptfx.exe (18 entries)
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | e82734e688f7acf18b0fcbd21ebae5f0_JaffaCakes118.exe (1 entry)
- Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmptfx.exe (18 entries)
- Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | e82734e688f7acf18b0fcbd21ebae5f0_JaffaCakes118.exe (1 entry)
Drops file in System32 directory 38 IoCs
description | ioc | Process
- File created | C:\Windows\SysWOW64\wmptfx.exe | wmptfx.exe (18 entries)
- File created | C:\Windows\SysWOW64\wmptfx.exe | e82734e688f7acf18b0fcbd21ebae5f0_JaffaCakes118.exe (1 entry)
- File opened for modification | C:\Windows\SysWOW64\wmptfx.exe | wmptfx.exe (18 entries)
- File opened for modification | C:\Windows\SysWOW64\wmptfx.exe | e82734e688f7acf18b0fcbd21ebae5f0_JaffaCakes118.exe (1 entry)
Suspicious use of SetThreadContext 18 IoCs
description | pid Process | procid_target
- PID 4472 set thread context of 3284 | 4472 e82734e688f7acf18b0fcbd21ebae5f0_JaffaCakes118.exe | 84
- PID 4292 set thread context of 4900 | 4292 wmptfx.exe | 91
- PID 4992 set thread context of 3592 | 4992 wmptfx.exe | 93
- PID 3576 set thread context of 2408 | 3576 wmptfx.exe | 95
- PID 3736 set thread context of 5040 | 3736 wmptfx.exe | 99
- PID 2296 set thread context of 3428 | 2296 wmptfx.exe | 101
- PID 2892 set thread context of 2420 | 2892 wmptfx.exe | 103
- PID 4364 set thread context of 4836 | 4364 wmptfx.exe | 105
- PID 4948 set thread context of 1344 | 4948 wmptfx.exe | 107
- PID 2952 set thread context of 5080 | 2952 wmptfx.exe | 109
- PID 4212 set thread context of 4476 | 4212 wmptfx.exe | 111
- PID 3004 set thread context of 976 | 3004 wmptfx.exe | 113
- PID 2292 set thread context of 548 | 2292 wmptfx.exe | 115
- PID 3588 set thread context of 1912 | 3588 wmptfx.exe | 117
- PID 4332 set thread context of 5064 | 4332 wmptfx.exe | 119
- PID 3080 set thread context of 5020 | 3080 wmptfx.exe | 121
- PID 4620 set thread context of 4408 | 4620 wmptfx.exe | 123
- PID 2964 set thread context of 4948 | 2964 wmptfx.exe | 127
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 38 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e82734e688f7acf18b0fcbd21ebae5f0_JaffaCakes118.exe (2 entries)
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmptfx.exe (36 entries)
Modifies registry class 19 IoCs
description | ioc | Process
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmptfx.exe (18 entries)
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | e82734e688f7acf18b0fcbd21ebae5f0_JaffaCakes118.exe (1 entry)
Suspicious behavior: EnumeratesProcesses 38 IoCs
pid | Process (each PID appears twice in the original list, 38 entries in total)
- 3284 | e82734e688f7acf18b0fcbd21ebae5f0_JaffaCakes118.exe
- 4900, 3592, 2408, 5040, 3428, 2420, 4836, 1344, 5080, 4476, 976, 548, 1912, 5064, 5020, 4408, 400, 4948 | wmptfx.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid Process | procid_target | entries
- PID 4472 wrote to memory of 3284 | 4472 e82734e688f7acf18b0fcbd21ebae5f0_JaffaCakes118.exe | 84 | 8
- PID 3284 wrote to memory of 4292 | 3284 e82734e688f7acf18b0fcbd21ebae5f0_JaffaCakes118.exe | 88 | 3
- PID 4292 wrote to memory of 4900 | 4292 wmptfx.exe | 91 | 8
- PID 4900 wrote to memory of 4992 | 4900 wmptfx.exe | 92 | 3
- PID 4992 wrote to memory of 3592 | 4992 wmptfx.exe | 93 | 8
- PID 3592 wrote to memory of 3576 | 3592 wmptfx.exe | 94 | 3
- PID 3576 wrote to memory of 2408 | 3576 wmptfx.exe | 95 | 8
- PID 2408 wrote to memory of 3736 | 2408 wmptfx.exe | 97 | 3
- PID 3736 wrote to memory of 5040 | 3736 wmptfx.exe | 99 | 8
- PID 5040 wrote to memory of 2296 | 5040 wmptfx.exe | 100 | 3
- PID 2296 wrote to memory of 3428 | 2296 wmptfx.exe | 101 | 8
- PID 3428 wrote to memory of 2892 | 3428 wmptfx.exe | 102 | 1
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\e82734e688f7acf18b0fcbd21ebae5f0_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\e82734e688f7acf18b0fcbd21ebae5f0_JaffaCakes118.exe"
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 4472
Level 2: C:\Users\Admin\AppData\Local\Temp\e82734e688f7acf18b0fcbd21ebae5f0_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\e82734e688f7acf18b0fcbd21ebae5f0_JaffaCakes118.exe"
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 3284
Level 3: C:\Windows\SysWOW64\wmptfx.exe
Command line: "C:\Windows\system32\wmptfx.exe" C:\Users\Admin\AppData\Local\Temp\E82734~1.EXE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 4292
Level 4: C:\Windows\SysWOW64\wmptfx.exe
Command line: "C:\Windows\system32\wmptfx.exe" C:\Users\Admin\AppData\Local\Temp\E82734~1.EXE
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 4900
Level 5: C:\Windows\SysWOW64\wmptfx.exe
Command line: "C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 4992
Level 6: C:\Windows\SysWOW64\wmptfx.exe
Command line: "C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 3592
Level 7: C:\Windows\SysWOW64\wmptfx.exe
Command line: "C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 3576
Level 8: C:\Windows\SysWOW64\wmptfx.exe
Command line: "C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2408
Level 9: C:\Windows\SysWOW64\wmptfx.exe
Command line: "C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 3736
Level 10: C:\Windows\SysWOW64\wmptfx.exe
Command line: "C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 5040
Level 11: C:\Windows\SysWOW64\wmptfx.exe
Command line: "C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2296
Level 12: C:\Windows\SysWOW64\wmptfx.exe
Command line: "C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 3428
Level 13: C:\Windows\SysWOW64\wmptfx.exe
Command line: "C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 2892
Level 14: C:\Windows\SysWOW64\wmptfx.exe
Command line: "C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 2420
Level 15: C:\Windows\SysWOW64\wmptfx.exe
Command line: "C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 4364
Level 16: C:\Windows\SysWOW64\wmptfx.exe
Command line: "C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 4836
Level 17: C:\Windows\SysWOW64\wmptfx.exe
Command line: "C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 4948
Level 18: C:\Windows\SysWOW64\wmptfx.exe
Command line: "C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 1344
Level 19: C:\Windows\SysWOW64\wmptfx.exe
Command line: "C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2952 -
C:\Windows\SysWOW64\wmptfx.exe"C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe20⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:5080 -
C:\Windows\SysWOW64\wmptfx.exe"C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4212 -
C:\Windows\SysWOW64\wmptfx.exe"C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe22⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4476 -
C:\Windows\SysWOW64\wmptfx.exe"C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3004 -
C:\Windows\SysWOW64\wmptfx.exe"C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe24⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:976 -
C:\Windows\SysWOW64\wmptfx.exe"C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2292 -
C:\Windows\SysWOW64\wmptfx.exe"C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe26⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:548 -
C:\Windows\SysWOW64\wmptfx.exe"C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3588 -
C:\Windows\SysWOW64\wmptfx.exe"C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe28⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1912 -
C:\Windows\SysWOW64\wmptfx.exe"C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4332 -
C:\Windows\SysWOW64\wmptfx.exe"C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe30⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:5064 -
C:\Windows\SysWOW64\wmptfx.exe"C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3080 -
C:\Windows\SysWOW64\wmptfx.exe"C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe32⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:5020 -
C:\Windows\SysWOW64\wmptfx.exe"C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe33⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4620 -
C:\Windows\SysWOW64\wmptfx.exe"C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe34⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4408 -
C:\Windows\SysWOW64\wmptfx.exe"C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3032 -
C:\Windows\SysWOW64\wmptfx.exe"C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe36⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:400 -
C:\Windows\SysWOW64\wmptfx.exe"C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe37⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2964 -
C:\Windows\SysWOW64\wmptfx.exe"C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe38⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4948 -
C:\Windows\SysWOW64\wmptfx.exe"C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe39⤵
- Executes dropped EXE
PID:2004
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 169KB
MD5: e82734e688f7acf18b0fcbd21ebae5f0
SHA1: 2574b4d35f9cd038f19c1f82272d24f011436681
SHA256: 389ef436a20233d214ae7429a3a6917e4925dd40a01a23a26dfa33cc0bdbba95
SHA512: 06392761978bbb0bb84d47f38368a53490d2c1ee4a293a85c77c4101f3346e9d6d9b74285dd3b1c5cffe6c6d60b56badb7faa5028c9bc87db3d4c473dfe9b9e5