metasploit | 008e85f1c73c905fba2a072db714e5e268548b8ec38646b2455cf0b8be1e2f88

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-09-2024 14:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe
Size

824KB
MD5

e95e5a67df941e7150f0c73a5c63f1b1
SHA1

1cfedfbbff4202fee0a38ecb775cf189ae4f9739
SHA256

008e85f1c73c905fba2a072db714e5e268548b8ec38646b2455cf0b8be1e2f88
SHA512

afe1fa188a2250c74ac7cad3cc9b400fa0759b691ebe126d812e3769b92364982e29e57c1eb4d42357ff89e2344efb8e312749044e4c8dd031a57ec872a7cfca
SSDEEP

24576:vaT1xyiQQNN3iR1n7HNhf1TlaBVUiYUT:ybAQH817HNhnaPUiYU

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Checks BIOS information in registry 2 TTPs 22 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wplayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wplayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wplayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wplayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wplayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wplayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wplayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wplayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wplayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wplayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wplayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wplayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wplayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wplayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wplayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wplayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wplayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wplayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wplayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wplayer.exe

Executes dropped EXE 20 IoCs

pid	Process
2840	wplayer.exe
2156	wplayer.exe
3048	wplayer.exe
1804	wplayer.exe
1352	wplayer.exe
2908	wplayer.exe
2456	wplayer.exe
2236	wplayer.exe
2960	wplayer.exe
2024	wplayer.exe
2548	wplayer.exe
1500	wplayer.exe
2812	wplayer.exe
2816	wplayer.exe
1836	wplayer.exe
2884	wplayer.exe
2924	wplayer.exe
1928	wplayer.exe
1504	wplayer.exe
980	wplayer.exe

Loads dropped DLL 21 IoCs

pid	Process
2484	e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe
2484	e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe
2840	wplayer.exe
2156	wplayer.exe
2156	wplayer.exe
1804	wplayer.exe
1804	wplayer.exe
2908	wplayer.exe
2908	wplayer.exe
2236	wplayer.exe
2236	wplayer.exe
2024	wplayer.exe
2024	wplayer.exe
1500	wplayer.exe
1500	wplayer.exe
2816	wplayer.exe
2816	wplayer.exe
2884	wplayer.exe
2884	wplayer.exe
1928	wplayer.exe
1928	wplayer.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wplayer.exe	wplayer.exe
File created	C:\Windows\SysWOW64\wplayer.exe	wplayer.exe
File created	C:\Windows\SysWOW64\wplayer.exe	wplayer.exe
File opened for modification	C:\Windows\SysWOW64\wplayer.exe	wplayer.exe
File opened for modification	C:\Windows\SysWOW64\wplayer.exe	wplayer.exe
File opened for modification	C:\Windows\SysWOW64\wplayer.exe	wplayer.exe
File opened for modification	C:\Windows\SysWOW64\wplayer.exe	wplayer.exe
File created	C:\Windows\SysWOW64\wplayer.exe	e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wplayer.exe	wplayer.exe
File created	C:\Windows\SysWOW64\wplayer.exe	wplayer.exe
File opened for modification	C:\Windows\SysWOW64\wplayer.exe	wplayer.exe
File created	C:\Windows\SysWOW64\wplayer.exe	wplayer.exe
File created	C:\Windows\SysWOW64\wplayer.exe	wplayer.exe
File opened for modification	C:\Windows\SysWOW64\wplayer.exe	e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wplayer.exe	wplayer.exe
File opened for modification	C:\Windows\SysWOW64\wplayer.exe	wplayer.exe
File created	C:\Windows\SysWOW64\wplayer.exe	wplayer.exe
File created	C:\Windows\SysWOW64\wplayer.exe	wplayer.exe
File opened for modification	C:\Windows\SysWOW64\wplayer.exe	wplayer.exe
File created	C:\Windows\SysWOW64\wplayer.exe	wplayer.exe
File created	C:\Windows\SysWOW64\wplayer.exe	wplayer.exe
File created	C:\Windows\SysWOW64\wplayer.exe	wplayer.exe

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wplayer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\xxqqeyqjM = "Cx[rg{mZSOoLAJ{Xq"	wplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\HcCn = "~SB^BqpXDR[s`@"	wplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}	e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\HcCn = "~Pv^BqpXBpDL@p"	wplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\HcCn = "~PJ^BqpX\|H`v@p"	wplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\HcCn = "~SN^BqpXpUqSqp"	wplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\Fdkf = "omZ}LpCUwdk\|bluwnZd{s"	wplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\blphhk = "v@\x7fhdMxaZLnpmVwZlz@EoEyQ"	wplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\tdazMpcavlmm = "hHMbU`fiPLa_PWc`yWFS~hEr\x7fOdI]"	wplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\tdazMpcavlmm = "hHMbU`fiPLa_PWc`yWFS~hEr\x7fOdI]"	wplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\Fdkf = "omZ}LpCUwdk\|bluwnZd{s"	wplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\HcCn = "~Sb^BqpXeY@bf`"	wplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\blphhk = "v@\x7fhdMxaZLnpmVwZlz@EaEyQ"	wplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\InprocServer32	e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\InprocServer32\ThreadingModel = "Both"	e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\jjbfTBiAeq = "TMZuPgDb\|wkyoLfyfj\\eal_"	wplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\spoHmhiI = "rJ\x7fEihPxmUryh}]ta}epjZ"	wplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\blphhk = "v@\x7fhdMxaZLnpmVwZlz@EoEyQ"	wplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\blphhk = "v@\x7fhdMxaZLnpmVwZlz@E`EyQ"	wplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\spoHmhiI = "rJ\x7fEfhPxmUrx}}]ta}epjZ"	wplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\ = "PSDispatch"	e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\HcCn = "~QB^BqpXiQer`p"	wplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\blphhk = "v@\x7fhdMxaZLnpmVwZlz@EmEyQ"	wplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\HcCn = "~S~^BqpXC\x7f{NQ@"	wplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\spoHmhiI = "rJ\x7fEdhPxmUrxl}]ta}epjZ"	wplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\HcCn = "~QR^BqpXjz~cM`"	wplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\tdazMpcavlmm = "hHMbU`fiPLa_PWc`yWFS~hEr\x7fOdI]"	wplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\spoHmhiI = "rJ\x7fEghPxmUrxN}]ta}epjZ"	wplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\Fdkf = "omZ}LpCUwdk\|bluwnZd{s"	wplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\blphhk = "v@\x7fhdMxaZLnpmVwZlz@EnEyQ"	wplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\jjbfTBiAeq = "TMZuPgDb\|wkyoLfyfj\\eal_"	wplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\efvjmeodzsmhd = "@CWmKBZv_ckETiN_"	wplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\jjbfTBiAeq = "TMZuPgDb\|wkyoLfyfj\\eal_"	wplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\spoHmhiI = "rJ\x7fEmhPxmUry[}]ta}epjZ"	wplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\spoHmhiI = "rJ\x7fElhPxmUryJ}]ta}epjZ"	wplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\HcCn = "~Sn^BqpXQg[Y\\@"	wplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\blphhk = "v@\x7fhdMxaZLnpmVwZlz@EkEyQ"	wplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\spoHmhiI = "rJ\x7fEjhPxmUryh}]ta}epjZ"	wplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\Fdkf = "omZ}LpCUwdk\|bluwnZd{s"	wplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\spoHmhiI = "rJ\x7fEghPxmUrx}}]ta}epjZ"	wplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\HcCn = "~Sv^BqpXhbDDtp"	wplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\blphhk = "v@\x7fhdMxaZLnpmVwZlz@EbEyQ"	wplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\xxqqeyqjM = "Cx[rg{mZSOoLAJ{Xq"	wplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\InprocServer32\ = "C:\\Windows\\SysWOW64\\oleaut32.dll"	e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\spoHmhiI = "rJ\x7fEkhPxmUryJ}]ta}epjZ"	wplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\blphhk = "v@\x7fhdMxaZLnpmVwZlz@EmEyQ"	wplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\HcCn = "~PN^BqpXcRu\\tp"	wplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\efvjmeodzsmhd = "@CWmKBZv_ckETiN_"	wplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\blphhk = "v@\x7fhdMxaZLnpmVwZlz@EkEyQ"	wplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\HcCn = "~Pj^BqpXF}tllP"	wplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\HcCn = "~PF^BqpXS]HzQp"	wplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\blphhk = "v@\x7fhdMxaZLnpmVwZlz@EjEyQ"	wplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\xxqqeyqjM = "Cx[rg{mZSOoLAJ{Xq"	wplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\efvjmeodzsmhd = "@CWmKBZv_ckETiN_"	wplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\jjbfTBiAeq = "TMZuPgDb\|wkyoLfyfj\\eal_"	wplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\spoHmhiI = "rJ\x7fEghPxmUrx}}]ta}epjZ"	wplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\efvjmeodzsmhd = "@CWmKBZv_ckETiN_"	wplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\blphhk = "v@\x7fhdMxaZLnpmVwZlz@EjEyQ"	wplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\HcCn = "~QF^BqpXES@Ro`"	wplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\spoHmhiI = "rJ\x7fElhPxmUryJ}]ta}epjZ"	wplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\HcCn = "~Pn^BqpXYgaFXP"	wplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\blphhk = "v@\x7fhdMxaZLnpmVwZlz@EnEyQ"	wplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\spoHmhiI = "rJ\x7fEihPxmUryh}]ta}epjZ"	wplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\xxqqeyqjM = "Cx[rg{mZSOoLAJ{Xq"	wplayer.exe

NTFS ADS 11 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\TEMP:5D2892D9	wplayer.exe
File opened for modification	C:\ProgramData\TEMP:5D2892D9	wplayer.exe
File created	C:\ProgramData\TEMP:5D2892D9	wplayer.exe
File opened for modification	C:\ProgramData\TEMP:5D2892D9	wplayer.exe
File opened for modification	C:\ProgramData\TEMP:5D2892D9	wplayer.exe
File opened for modification	C:\ProgramData\TEMP:5D2892D9	wplayer.exe
File opened for modification	C:\ProgramData\TEMP:5D2892D9	wplayer.exe
File opened for modification	C:\ProgramData\TEMP:5D2892D9	wplayer.exe
File opened for modification	C:\ProgramData\TEMP:5D2892D9	wplayer.exe
File opened for modification	C:\ProgramData\TEMP:5D2892D9	wplayer.exe
File opened for modification	C:\ProgramData\TEMP:5D2892D9	wplayer.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: 33	2484	e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2484	e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe
Token: 33	2484	e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2484	e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe
Token: 33	2156	wplayer.exe
Token: SeIncBasePriorityPrivilege	2156	wplayer.exe
Token: 33	2156	wplayer.exe
Token: SeIncBasePriorityPrivilege	2156	wplayer.exe
Token: 33	1804	wplayer.exe
Token: SeIncBasePriorityPrivilege	1804	wplayer.exe
Token: 33	1804	wplayer.exe
Token: SeIncBasePriorityPrivilege	1804	wplayer.exe
Token: 33	2908	wplayer.exe
Token: SeIncBasePriorityPrivilege	2908	wplayer.exe
Token: 33	2908	wplayer.exe
Token: SeIncBasePriorityPrivilege	2908	wplayer.exe
Token: 33	2236	wplayer.exe
Token: SeIncBasePriorityPrivilege	2236	wplayer.exe
Token: 33	2236	wplayer.exe
Token: SeIncBasePriorityPrivilege	2236	wplayer.exe
Token: 33	2024	wplayer.exe
Token: SeIncBasePriorityPrivilege	2024	wplayer.exe
Token: 33	2024	wplayer.exe
Token: SeIncBasePriorityPrivilege	2024	wplayer.exe
Token: 33	1500	wplayer.exe
Token: SeIncBasePriorityPrivilege	1500	wplayer.exe
Token: 33	1500	wplayer.exe
Token: SeIncBasePriorityPrivilege	1500	wplayer.exe
Token: 33	2816	wplayer.exe
Token: SeIncBasePriorityPrivilege	2816	wplayer.exe
Token: 33	2816	wplayer.exe
Token: SeIncBasePriorityPrivilege	2816	wplayer.exe
Token: 33	2884	wplayer.exe
Token: SeIncBasePriorityPrivilege	2884	wplayer.exe
Token: 33	2884	wplayer.exe
Token: SeIncBasePriorityPrivilege	2884	wplayer.exe
Token: 33	1928	wplayer.exe
Token: SeIncBasePriorityPrivilege	1928	wplayer.exe
Token: 33	1928	wplayer.exe
Token: SeIncBasePriorityPrivilege	1928	wplayer.exe
Token: 33	980	wplayer.exe
Token: SeIncBasePriorityPrivilege	980	wplayer.exe
Token: 33	980	wplayer.exe
Token: SeIncBasePriorityPrivilege	980	wplayer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 2484	2788	e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe	30
PID 2788 wrote to memory of 2484	2788	e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe	30
PID 2788 wrote to memory of 2484	2788	e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe	30
PID 2788 wrote to memory of 2484	2788	e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe	30
PID 2788 wrote to memory of 2484	2788	e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe	30
PID 2788 wrote to memory of 2484	2788	e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe	30
PID 2788 wrote to memory of 2484	2788	e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe	30
PID 2788 wrote to memory of 2484	2788	e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe	30
PID 2788 wrote to memory of 2484	2788	e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe	30
PID 2788 wrote to memory of 2484	2788	e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe	30
PID 2788 wrote to memory of 2484	2788	e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe	30
PID 2788 wrote to memory of 2484	2788	e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe	30
PID 2788 wrote to memory of 2484	2788	e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe	30
PID 2788 wrote to memory of 2484	2788	e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe	30
PID 2788 wrote to memory of 2484	2788	e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe	30
PID 2788 wrote to memory of 2484	2788	e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe	30
PID 2788 wrote to memory of 2484	2788	e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe	30
PID 2788 wrote to memory of 2484	2788	e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe	30
PID 2788 wrote to memory of 2484	2788	e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe	30
PID 2788 wrote to memory of 2484	2788	e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe	30
PID 2788 wrote to memory of 2484	2788	e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe	30
PID 2788 wrote to memory of 2484	2788	e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe	30
PID 2788 wrote to memory of 2484	2788	e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe	30
PID 2788 wrote to memory of 2484	2788	e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe	30
PID 2788 wrote to memory of 2484	2788	e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe	30
PID 2788 wrote to memory of 2484	2788	e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe	30
PID 2788 wrote to memory of 2484	2788	e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe	30
PID 2788 wrote to memory of 2484	2788	e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe	30
PID 2788 wrote to memory of 2484	2788	e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe	30
PID 2788 wrote to memory of 2484	2788	e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe	30
PID 2788 wrote to memory of 2484	2788	e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe	30
PID 2788 wrote to memory of 2484	2788	e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe	30
PID 2788 wrote to memory of 2484	2788	e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe	30
PID 2788 wrote to memory of 2484	2788	e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe	30
PID 2788 wrote to memory of 2484	2788	e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe	30
PID 2788 wrote to memory of 2484	2788	e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe	30
PID 2484 wrote to memory of 2840	2484	e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe	31
PID 2484 wrote to memory of 2840	2484	e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe	31
PID 2484 wrote to memory of 2840	2484	e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe	31
PID 2484 wrote to memory of 2840	2484	e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe	31
PID 2840 wrote to memory of 2156	2840	wplayer.exe	32
PID 2840 wrote to memory of 2156	2840	wplayer.exe	32
PID 2840 wrote to memory of 2156	2840	wplayer.exe	32
PID 2840 wrote to memory of 2156	2840	wplayer.exe	32
PID 2840 wrote to memory of 2156	2840	wplayer.exe	32
PID 2840 wrote to memory of 2156	2840	wplayer.exe	32
PID 2840 wrote to memory of 2156	2840	wplayer.exe	32
PID 2840 wrote to memory of 2156	2840	wplayer.exe	32
PID 2840 wrote to memory of 2156	2840	wplayer.exe	32
PID 2840 wrote to memory of 2156	2840	wplayer.exe	32
PID 2840 wrote to memory of 2156	2840	wplayer.exe	32
PID 2840 wrote to memory of 2156	2840	wplayer.exe	32
PID 2840 wrote to memory of 2156	2840	wplayer.exe	32
PID 2840 wrote to memory of 2156	2840	wplayer.exe	32
PID 2840 wrote to memory of 2156	2840	wplayer.exe	32
PID 2840 wrote to memory of 2156	2840	wplayer.exe	32
PID 2840 wrote to memory of 2156	2840	wplayer.exe	32
PID 2840 wrote to memory of 2156	2840	wplayer.exe	32
PID 2840 wrote to memory of 2156	2840	wplayer.exe	32
PID 2840 wrote to memory of 2156	2840	wplayer.exe	32
PID 2840 wrote to memory of 2156	2840	wplayer.exe	32
PID 2840 wrote to memory of 2156	2840	wplayer.exe	32
PID 2840 wrote to memory of 2156	2840	wplayer.exe	32
PID 2840 wrote to memory of 2156	2840	wplayer.exe	32

C:\Users\Admin\AppData\Local\Temp\e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Users\Admin\AppData\Local\Temp\e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe"
  2⤵
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Windows\SysWOW64\wplayer.exe
    C:\Windows\system32\wplayer.exe 720 "C:\Users\Admin\AppData\Local\Temp\e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Windows\SysWOW64\wplayer.exe
      C:\Windows\system32\wplayer.exe 720 "C:\Users\Admin\AppData\Local\Temp\e95e5a67df941e7150f0c73a5c63f1b1_JaffaCakes118.exe"
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      NTFS ADS
      Suspicious use of AdjustPrivilegeToken
      PID:2156
    - - C:\Windows\SysWOW64\wplayer.exe
        
        C:\Windows\system32\wplayer.exe 760 "C:\Windows\SysWOW64\wplayer.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3048
      - C:\Windows\SysWOW64\wplayer.exe
        
        C:\Windows\system32\wplayer.exe 760 "C:\Windows\SysWOW64\wplayer.exe"
        6⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:1804
        
        C:\Windows\SysWOW64\wplayer.exe
        
        C:\Windows\system32\wplayer.exe 776 "C:\Windows\SysWOW64\wplayer.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1352
        
        C:\Windows\SysWOW64\wplayer.exe
        
        C:\Windows\system32\wplayer.exe 776 "C:\Windows\SysWOW64\wplayer.exe"
        8⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
        
        C:\Windows\SysWOW64\wplayer.exe
        
        C:\Windows\system32\wplayer.exe 764 "C:\Windows\SysWOW64\wplayer.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2456
        
        C:\Windows\SysWOW64\wplayer.exe
        
        C:\Windows\system32\wplayer.exe 764 "C:\Windows\SysWOW64\wplayer.exe"
        10⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
        
        C:\Windows\SysWOW64\wplayer.exe
        
        C:\Windows\system32\wplayer.exe 784 "C:\Windows\SysWOW64\wplayer.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\SysWOW64\wplayer.exe
        
        C:\Windows\system32\wplayer.exe 784 "C:\Windows\SysWOW64\wplayer.exe"
        12⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
        
        C:\Windows\SysWOW64\wplayer.exe
        
        C:\Windows\system32\wplayer.exe 792 "C:\Windows\SysWOW64\wplayer.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2548
        
        C:\Windows\SysWOW64\wplayer.exe
        
        C:\Windows\system32\wplayer.exe 792 "C:\Windows\SysWOW64\wplayer.exe"
        14⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500
        
        C:\Windows\SysWOW64\wplayer.exe
        
        C:\Windows\system32\wplayer.exe 812 "C:\Windows\SysWOW64\wplayer.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2812
        
        C:\Windows\SysWOW64\wplayer.exe
        
        C:\Windows\system32\wplayer.exe 812 "C:\Windows\SysWOW64\wplayer.exe"
        16⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816
        
        C:\Windows\SysWOW64\wplayer.exe
        
        C:\Windows\system32\wplayer.exe 816 "C:\Windows\SysWOW64\wplayer.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1836
        
        C:\Windows\SysWOW64\wplayer.exe
        
        C:\Windows\system32\wplayer.exe 816 "C:\Windows\SysWOW64\wplayer.exe"
        18⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
        
        C:\Windows\SysWOW64\wplayer.exe
        
        C:\Windows\system32\wplayer.exe 828 "C:\Windows\SysWOW64\wplayer.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\wplayer.exe
        
        C:\Windows\system32\wplayer.exe 828 "C:\Windows\SysWOW64\wplayer.exe"
        20⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:1928
        
        C:\Windows\SysWOW64\wplayer.exe
        
        C:\Windows\system32\wplayer.exe 840 "C:\Windows\SysWOW64\wplayer.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1504
        
        C:\Windows\SysWOW64\wplayer.exe
        
        C:\Windows\system32\wplayer.exe 840 "C:\Windows\SysWOW64\wplayer.exe"
        22⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TEMP:5D2892D9

Filesize
123B

MD5
a24d65223a9c8e90122e611c1752e8ac

SHA1
a569bf5483a58bfeec5046bb1b555ae049c09b76

SHA256
02fbd5a8fefcd060684c890875e2d9d4b2b36fef26d53fb796fb1e79ad3ea883

SHA512
cb6143911ae82bbf96d7eb0ea155e71a6140ce42c1824e5bc4ccce90654512f2bfa96a6200cfb34c84fba84ae6dd7d23d94f5a4e552991e1d6e2141a6d9413b2

Download Submit
C:\ProgramData\TEMP:5D2892D9

Filesize
123B

MD5
18727a19f8a64fb5c268dba8ce6b0d2e

SHA1
7a5d44ce118a9d125c52ea3748e14fe366fa3ac6

SHA256
2a0d22d6b43980208c5d3cce10433ff899a71bd591411d01b19b512f71cc7f69

SHA512
5d70a236384339ad9986463084ab6e03ddd66ccea87924e1005f381a38d39a073e6677c28afd08ad681e6879ea0f7145d2d17ed76bb852f98faed96033303242

Download Submit
C:\ProgramData\TEMP:5D2892D9

Filesize
123B

MD5
0620ece7d2b68801892201407a756460

SHA1
dd015b828a789db3c8cf5afa1dbc59f88fc49292

SHA256
b237dc4c208fdf09c35953371f06d9826a4034a415e10e77d8fd627dc73f96b4

SHA512
aaa0ee6994ecc3f1451eda5e11e520fe107e6f56555213da0a48fe51b28bfdd397d658007dd849b0e015d762b5513193192fdf70534f9020b2bb3acd9c2f1e15

Download Submit
C:\ProgramData\TEMP:5D2892D9

Filesize
123B

MD5
d580e2449d24c2a72d24a459e16e4313

SHA1
d56ee30ea1c4a0ca1bc9fe73301fa87442eb09f7

SHA256
2e9c2c25d42970e26d41d6d97bbca1a84faf130d70c35a71558cf0f795866ce4

SHA512
d3776a3af38c64af5c7c952c7c7c3a6ef8a9fa17acdf0d122832c9f288dda654659cb8181d670993fbcdd0ff02f66a7cefad14f8acef9d30f0c398db0c7cf132

Download Submit
C:\ProgramData\TEMP:5D2892D9

Filesize
123B

MD5
ca34c7e61180fcea5cb8641c8a12bcbc

SHA1
7baa4eccf69ff5ea8983f60faab0e043da89f197

SHA256
29abf29676e12eada63f62a914cab71e9f6cacda2ecce26d2e18a2157239608b

SHA512
a7366f1e1987b886d4e2b8184ab35f45f5bdd0ae5fd01f46464da9e9befc97e23fcaa355a4449927d6b43c6a35d324665be70ad24645876492437e49cc956219

Download Submit
C:\ProgramData\TEMP:5D2892D9

Filesize
123B

MD5
0484c6eadc07486a617188951ba11224

SHA1
4ee1e206049aaf5b74a3438a8b27c64619f09dc9

SHA256
7a78c44bc7563768bb0433403e773b34503ea0eb7765c84ae0e747f625d95108

SHA512
9cdcf979c23d9ffec9479454316cbe9310fab7e867956ab69c9b07771dda07132f79344ad6cd8f4232ccc6ef18efe329c5ab1cd37f5bdf9583f83388a2dcc744

Download Submit
C:\ProgramData\TEMP:5D2892D9

Filesize
123B

MD5
da5f16403ee1f74d5ee76ee08754446c

SHA1
35d94bb2472c8cd79488de99c7f9f3031bdb3191

SHA256
f78de550b2aea5dad84c7a0bbd923caadfd9e136387f762c815a5b98c7c639f6

SHA512
b75dcb874d914279fc0d1d5d0e471548507334ab2f5748c253a3a4b6d04694a75f04441716f0c71fc79e921a9e377810c83b8a269fc5c09cf1e96575e933e3f2

Download Submit
C:\ProgramData\TEMP:5D2892D9

Filesize
123B

MD5
075057bcea19a418d589480d3d541a79

SHA1
3c9e09cd13351550e5101a65e2373358fdd905ff

SHA256
3dce66791f75b8c6bc711aa7ab23768d106beb285b195066eb1ff745b2a1d08f

SHA512
db5cb0cbff9497e3a3523d745739c1c5ec96ae4115d500380dd1b252cd024c6eefe48c8d162a6455b8b6829baabdfcbe0b2838b1481af59d6222c63b7aa0258c

Download Submit
C:\ProgramData\TEMP:5D2892D9

Filesize
123B

MD5
98bb0b0445d24a583d6fb05b38da5afc

SHA1
0fc4a62400e16f0d19566bbde89b54e01dcb768d

SHA256
505ce2e641b860f9f02104baf6a8ac0b76516a8ac1170a80a824d7d81e511c56

SHA512
bda5ef7a4efe116aef48e02d61856901d41546891b3065a2ab05da0de3ce054eae545eed7538920c1a3fdab7ab979aa47f7985b2d269e3c1c88c14856c0e0f24

Download Submit
C:\ProgramData\TEMP:5D2892D9

Filesize
123B

MD5
d88d000c8b789b8d1ee42d1b6a48ac53

SHA1
cd342d0091ad39c09e257c72a5b04fecfbd0c67d

SHA256
6a8ed406211a485823ac3bb8729a318f905ac0ea86ef419367021d90f98be357

SHA512
4da797ab5c6bb8ff81c0c9976100c3655e874ffc62050fd94f0894c359fb087d4d57dc0662ff06c184bb6665e484822eb00a91b4e779d6c48c696d27be7258a2

Download Submit
C:\ProgramData\TEMP:5D2892D9

Filesize
123B

MD5
e5641dfaf8e0d98b724c261dc9e838d0

SHA1
31042d055ad7d96f197f16ab75e63f8d2419a6aa

SHA256
80ba0a97c87b192c8908b8e1faf873c8a4583ceed5a96ca62b2f929af7d75565

SHA512
e6aafcf0c2accdfb4ac13691b8cd0406a795763c6258895bd280e837b6532e71f85943a701627a50588190a9e9b524e8a578a6bde0701684f3c2870f10b37a37

Download Submit
C:\Windows\SysWOW64\wplayer.exe

Filesize
824KB

MD5
e95e5a67df941e7150f0c73a5c63f1b1

SHA1
1cfedfbbff4202fee0a38ecb775cf189ae4f9739

SHA256
008e85f1c73c905fba2a072db714e5e268548b8ec38646b2455cf0b8be1e2f88

SHA512
afe1fa188a2250c74ac7cad3cc9b400fa0759b691ebe126d812e3769b92364982e29e57c1eb4d42357ff89e2344efb8e312749044e4c8dd031a57ec872a7cfca

Download Submit
memory/1352-91-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/1352-129-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/1352-114-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/1500-208-0x00000000031A0000-0x000000000333E000-memory.dmp

Filesize
1.6MB

Download
memory/1500-209-0x00000000031A0000-0x000000000333E000-memory.dmp

Filesize
1.6MB

Download
memory/1504-327-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/1504-302-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/1804-76-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/1804-99-0x0000000001DE0000-0x0000000001E75000-memory.dmp

Filesize
596KB

Download
memory/1804-83-0x0000000001DE0000-0x0000000001E75000-memory.dmp

Filesize
596KB

Download
memory/1804-81-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/1804-80-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/1804-82-0x0000000001DE0000-0x0000000001E75000-memory.dmp

Filesize
596KB

Download
memory/1804-63-0x0000000001DE0000-0x0000000001E75000-memory.dmp

Filesize
596KB

Download
memory/1804-77-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/1804-78-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/1804-75-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/1836-266-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/1836-294-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2024-178-0x0000000003350000-0x00000000034EE000-memory.dmp

Filesize
1.6MB

Download
memory/2024-177-0x0000000003350000-0x00000000034EE000-memory.dmp

Filesize
1.6MB

Download
memory/2156-50-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2156-57-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2156-51-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2156-53-0x00000000005A0000-0x0000000000635000-memory.dmp

Filesize
596KB

Download
memory/2156-52-0x00000000005A0000-0x0000000000635000-memory.dmp

Filesize
596KB

Download
memory/2156-47-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2156-48-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2156-49-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2156-33-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2156-43-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2156-42-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2156-46-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2156-37-0x00000000005A0000-0x0000000000635000-memory.dmp

Filesize
596KB

Download
memory/2156-70-0x00000000005A0000-0x0000000000635000-memory.dmp

Filesize
596KB

Download
memory/2236-134-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2236-148-0x0000000003380000-0x000000000351E000-memory.dmp

Filesize
1.6MB

Download
memory/2236-147-0x0000000003380000-0x000000000351E000-memory.dmp

Filesize
1.6MB

Download
memory/2456-143-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2456-155-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-34-0x0000000001FC0000-0x0000000002055000-memory.dmp

Filesize
596KB

Download
memory/2484-3-0x00000000004E5000-0x00000000004E6000-memory.dmp

Filesize
4KB

Download
memory/2484-16-0x0000000001FC0000-0x0000000002055000-memory.dmp

Filesize
596KB

Download
memory/2484-4-0x0000000001FC0000-0x0000000002055000-memory.dmp

Filesize
596KB

Download
memory/2484-9-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-13-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-12-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-11-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-1-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-14-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-27-0x0000000003050000-0x00000000031EE000-memory.dmp

Filesize
1.6MB

Download
memory/2484-10-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-15-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2548-204-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2548-217-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2788-36-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2788-2-0x0000000000800000-0x000000000099E000-memory.dmp

Filesize
1.6MB

Download
memory/2788-0-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2812-235-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2812-248-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2816-240-0x0000000003260000-0x00000000033FE000-memory.dmp

Filesize
1.6MB

Download
memory/2816-239-0x0000000003260000-0x00000000033FE000-memory.dmp

Filesize
1.6MB

Download
memory/2840-31-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-56-0x0000000001E30000-0x0000000001FCE000-memory.dmp

Filesize
1.6MB

Download
memory/2840-55-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-79-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2884-243-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2884-271-0x0000000003040000-0x00000000031DE000-memory.dmp

Filesize
1.6MB

Download
memory/2884-270-0x0000000003040000-0x00000000031DE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-112-0x0000000001F40000-0x0000000001FD5000-memory.dmp

Filesize
596KB

Download
memory/2908-110-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2908-128-0x0000000001F40000-0x0000000001FD5000-memory.dmp

Filesize
596KB

Download
memory/2908-109-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2908-118-0x0000000003230000-0x00000000033CE000-memory.dmp

Filesize
1.6MB

Download
memory/2908-106-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2908-111-0x0000000001F40000-0x0000000001FD5000-memory.dmp

Filesize
596KB

Download
memory/2908-92-0x0000000001F40000-0x0000000001FD5000-memory.dmp

Filesize
596KB

Download
memory/2908-107-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2908-105-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2908-108-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2924-297-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2924-324-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-173-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2960-201-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/3048-85-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/3048-103-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download