metasploit | a8b699d9cd5339d414000673c7d26fd4ad7e06946d3e7454e852e2d85dec63af

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-09-2024 05:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ecf34a3625a109fbd2feb8b9f03f5e0a_JaffaCakes118.exe
Size

150KB
MD5

ecf34a3625a109fbd2feb8b9f03f5e0a
SHA1

44ba709400ce61a3919f6522ec1bf58119082663
SHA256

a8b699d9cd5339d414000673c7d26fd4ad7e06946d3e7454e852e2d85dec63af
SHA512

12d0dbc4bbd98dbff5688dfb9f2bf6aca78be11f4bf663528abb06d5b74f102c76fab81594864cf97604b37ed6d89e3f42e6706d37932689dd7ae5dc30f76f55
SSDEEP

3072:4oM56eEbaD+t9OKQ9kTyErxwSSyomXaGSgMPQJ4UskN7uo0:416RE+vO1FyomTSvQGe7ub

Score

10^/10

metasploit backdoor discovery trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Deletes itself 1 IoCs

pid	Process
2216	wmpxv1.exe

Executes dropped EXE 64 IoCs

pid	Process
2720	wmpxv1.exe
2216	wmpxv1.exe
1672	wmpxv1.exe
1788	wmpxv1.exe
2108	wmpxv1.exe
1288	wmpxv1.exe
1880	wmpxv1.exe
1616	wmpxv1.exe
2468	wmpxv1.exe
2448	wmpxv1.exe
2924	wmpxv1.exe
2644	wmpxv1.exe
2584	wmpxv1.exe
1928	wmpxv1.exe
1856	wmpxv1.exe
2116	wmpxv1.exe
1136	wmpxv1.exe
2508	wmpxv1.exe
1308	wmpxv1.exe
1436	wmpxv1.exe
2012	wmpxv1.exe
1556	wmpxv1.exe
2876	wmpxv1.exe
2652	wmpxv1.exe
2428	wmpxv1.exe
2164	wmpxv1.exe
1504	wmpxv1.exe
1640	wmpxv1.exe
1364	wmpxv1.exe
1396	wmpxv1.exe
692	wmpxv1.exe
1520	wmpxv1.exe
480	wmpxv1.exe
2192	wmpxv1.exe
2796	wmpxv1.exe
2168	wmpxv1.exe
2052	wmpxv1.exe
1868	wmpxv1.exe
2628	wmpxv1.exe
2776	wmpxv1.exe
1600	wmpxv1.exe
1800	wmpxv1.exe
604	wmpxv1.exe
2236	wmpxv1.exe
1696	wmpxv1.exe
1264	wmpxv1.exe
2848	wmpxv1.exe
3000	wmpxv1.exe
988	wmpxv1.exe
1104	wmpxv1.exe
2464	wmpxv1.exe
2268	wmpxv1.exe
2132	wmpxv1.exe
2360	wmpxv1.exe
840	wmpxv1.exe
1624	wmpxv1.exe
1488	wmpxv1.exe
1984	wmpxv1.exe
2696	wmpxv1.exe
2580	wmpxv1.exe
1860	wmpxv1.exe
1620	wmpxv1.exe
2384	wmpxv1.exe
2208	wmpxv1.exe

Loads dropped DLL 64 IoCs

pid	Process
2432	ecf34a3625a109fbd2feb8b9f03f5e0a_JaffaCakes118.exe
2444	ecf34a3625a109fbd2feb8b9f03f5e0a_JaffaCakes118.exe
2444	ecf34a3625a109fbd2feb8b9f03f5e0a_JaffaCakes118.exe
2720	wmpxv1.exe
2216	wmpxv1.exe
2216	wmpxv1.exe
1672	wmpxv1.exe
1788	wmpxv1.exe
1788	wmpxv1.exe
2108	wmpxv1.exe
1288	wmpxv1.exe
1288	wmpxv1.exe
1880	wmpxv1.exe
1616	wmpxv1.exe
1616	wmpxv1.exe
2468	wmpxv1.exe
2448	wmpxv1.exe
2448	wmpxv1.exe
2924	wmpxv1.exe
2644	wmpxv1.exe
2644	wmpxv1.exe
2584	wmpxv1.exe
1928	wmpxv1.exe
1928	wmpxv1.exe
1856	wmpxv1.exe
2116	wmpxv1.exe
2116	wmpxv1.exe
1136	wmpxv1.exe
2508	wmpxv1.exe
2508	wmpxv1.exe
1308	wmpxv1.exe
1436	wmpxv1.exe
1436	wmpxv1.exe
2012	wmpxv1.exe
1556	wmpxv1.exe
1556	wmpxv1.exe
2876	wmpxv1.exe
2652	wmpxv1.exe
2652	wmpxv1.exe
2428	wmpxv1.exe
2164	wmpxv1.exe
2164	wmpxv1.exe
1504	wmpxv1.exe
1640	wmpxv1.exe
1640	wmpxv1.exe
1364	wmpxv1.exe
1396	wmpxv1.exe
1396	wmpxv1.exe
692	wmpxv1.exe
1520	wmpxv1.exe
1520	wmpxv1.exe
480	wmpxv1.exe
2192	wmpxv1.exe
2192	wmpxv1.exe
2796	wmpxv1.exe
2168	wmpxv1.exe
2168	wmpxv1.exe
2052	wmpxv1.exe
1868	wmpxv1.exe
1868	wmpxv1.exe
2628	wmpxv1.exe
2776	wmpxv1.exe
2776	wmpxv1.exe
1600	wmpxv1.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2444-36-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2444-49-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2444-48-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2444-47-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2444-46-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2444-41-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2444-34-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2444-64-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2216-107-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2216-106-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2216-105-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2216-112-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1788-157-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1788-156-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1788-155-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1788-179-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1288-208-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1288-214-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1616-259-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1616-280-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2448-309-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2448-318-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2644-359-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2644-380-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1928-409-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1928-416-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2116-460-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2116-465-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2508-510-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2508-531-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1436-557-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1436-560-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1556-601-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1556-607-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2652-645-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2652-663-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2164-689-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2164-694-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1640-733-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1640-736-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1396-777-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1396-795-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1520-821-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1520-833-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2192-865-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2192-892-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2168-909-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2168-933-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1868-970-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2776-994-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2776-1014-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1800-1071-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2236-1087-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1264-1143-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/3000-1186-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1104-1211-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1104-1239-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2268-1273-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2360-1298-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2360-1304-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1624-1347-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1984-1394-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2580-1428-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2580-1470-0x0000000000400000-0x000000000046C000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	ecf34a3625a109fbd2feb8b9f03f5e0a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	ecf34a3625a109fbd2feb8b9f03f5e0a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe

Suspicious use of SetThreadContext 33 IoCs

description	pid	Process	procid_target
PID 2432 set thread context of 2444	2432	ecf34a3625a109fbd2feb8b9f03f5e0a_JaffaCakes118.exe	31
PID 2720 set thread context of 2216	2720	wmpxv1.exe	33
PID 1672 set thread context of 1788	1672	wmpxv1.exe	35
PID 2108 set thread context of 1288	2108	wmpxv1.exe	37
PID 1880 set thread context of 1616	1880	wmpxv1.exe	39
PID 2468 set thread context of 2448	2468	wmpxv1.exe	41
PID 2924 set thread context of 2644	2924	wmpxv1.exe	43
PID 2584 set thread context of 1928	2584	wmpxv1.exe	45
PID 1856 set thread context of 2116	1856	wmpxv1.exe	47
PID 1136 set thread context of 2508	1136	wmpxv1.exe	49
PID 1308 set thread context of 1436	1308	wmpxv1.exe	51
PID 2012 set thread context of 1556	2012	wmpxv1.exe	53
PID 2876 set thread context of 2652	2876	wmpxv1.exe	55
PID 2428 set thread context of 2164	2428	wmpxv1.exe	57
PID 1504 set thread context of 1640	1504	wmpxv1.exe	59
PID 1364 set thread context of 1396	1364	wmpxv1.exe	61
PID 692 set thread context of 1520	692	wmpxv1.exe	63
PID 480 set thread context of 2192	480	wmpxv1.exe	65
PID 2796 set thread context of 2168	2796	wmpxv1.exe	67
PID 2052 set thread context of 1868	2052	wmpxv1.exe	70
PID 2628 set thread context of 2776	2628	wmpxv1.exe	72
PID 1600 set thread context of 1800	1600	wmpxv1.exe	74
PID 604 set thread context of 2236	604	wmpxv1.exe	76
PID 1696 set thread context of 1264	1696	wmpxv1.exe	78
PID 2848 set thread context of 3000	2848	wmpxv1.exe	80
PID 988 set thread context of 1104	988	wmpxv1.exe	82
PID 2464 set thread context of 2268	2464	wmpxv1.exe	84
PID 2132 set thread context of 2360	2132	wmpxv1.exe	86
PID 840 set thread context of 1624	840	wmpxv1.exe	88
PID 1488 set thread context of 1984	1488	wmpxv1.exe	90
PID 2696 set thread context of 2580	2696	wmpxv1.exe	92
PID 1860 set thread context of 1620	1860	wmpxv1.exe	94
PID 2384 set thread context of 2208	2384	wmpxv1.exe	96

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecf34a3625a109fbd2feb8b9f03f5e0a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecf34a3625a109fbd2feb8b9f03f5e0a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
2444	ecf34a3625a109fbd2feb8b9f03f5e0a_JaffaCakes118.exe
2216	wmpxv1.exe
1788	wmpxv1.exe
1288	wmpxv1.exe
1616	wmpxv1.exe
2448	wmpxv1.exe
2644	wmpxv1.exe
1928	wmpxv1.exe
2116	wmpxv1.exe
2508	wmpxv1.exe
1436	wmpxv1.exe
1556	wmpxv1.exe
2652	wmpxv1.exe
2164	wmpxv1.exe
1640	wmpxv1.exe
1396	wmpxv1.exe
1520	wmpxv1.exe
2192	wmpxv1.exe
2168	wmpxv1.exe
1868	wmpxv1.exe
2776	wmpxv1.exe
1800	wmpxv1.exe
2236	wmpxv1.exe
1264	wmpxv1.exe
3000	wmpxv1.exe
1104	wmpxv1.exe
2268	wmpxv1.exe
2360	wmpxv1.exe
1624	wmpxv1.exe
1984	wmpxv1.exe
2580	wmpxv1.exe
1620	wmpxv1.exe
2208	wmpxv1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 2444	2432	ecf34a3625a109fbd2feb8b9f03f5e0a_JaffaCakes118.exe	31
PID 2432 wrote to memory of 2444	2432	ecf34a3625a109fbd2feb8b9f03f5e0a_JaffaCakes118.exe	31
PID 2432 wrote to memory of 2444	2432	ecf34a3625a109fbd2feb8b9f03f5e0a_JaffaCakes118.exe	31
PID 2432 wrote to memory of 2444	2432	ecf34a3625a109fbd2feb8b9f03f5e0a_JaffaCakes118.exe	31
PID 2432 wrote to memory of 2444	2432	ecf34a3625a109fbd2feb8b9f03f5e0a_JaffaCakes118.exe	31
PID 2432 wrote to memory of 2444	2432	ecf34a3625a109fbd2feb8b9f03f5e0a_JaffaCakes118.exe	31
PID 2432 wrote to memory of 2444	2432	ecf34a3625a109fbd2feb8b9f03f5e0a_JaffaCakes118.exe	31
PID 2432 wrote to memory of 2444	2432	ecf34a3625a109fbd2feb8b9f03f5e0a_JaffaCakes118.exe	31
PID 2444 wrote to memory of 2720	2444	ecf34a3625a109fbd2feb8b9f03f5e0a_JaffaCakes118.exe	32
PID 2444 wrote to memory of 2720	2444	ecf34a3625a109fbd2feb8b9f03f5e0a_JaffaCakes118.exe	32
PID 2444 wrote to memory of 2720	2444	ecf34a3625a109fbd2feb8b9f03f5e0a_JaffaCakes118.exe	32
PID 2444 wrote to memory of 2720	2444	ecf34a3625a109fbd2feb8b9f03f5e0a_JaffaCakes118.exe	32
PID 2720 wrote to memory of 2216	2720	wmpxv1.exe	33
PID 2720 wrote to memory of 2216	2720	wmpxv1.exe	33
PID 2720 wrote to memory of 2216	2720	wmpxv1.exe	33
PID 2720 wrote to memory of 2216	2720	wmpxv1.exe	33
PID 2720 wrote to memory of 2216	2720	wmpxv1.exe	33
PID 2720 wrote to memory of 2216	2720	wmpxv1.exe	33
PID 2720 wrote to memory of 2216	2720	wmpxv1.exe	33
PID 2720 wrote to memory of 2216	2720	wmpxv1.exe	33
PID 2216 wrote to memory of 1672	2216	wmpxv1.exe	34
PID 2216 wrote to memory of 1672	2216	wmpxv1.exe	34
PID 2216 wrote to memory of 1672	2216	wmpxv1.exe	34
PID 2216 wrote to memory of 1672	2216	wmpxv1.exe	34
PID 1672 wrote to memory of 1788	1672	wmpxv1.exe	35
PID 1672 wrote to memory of 1788	1672	wmpxv1.exe	35
PID 1672 wrote to memory of 1788	1672	wmpxv1.exe	35
PID 1672 wrote to memory of 1788	1672	wmpxv1.exe	35
PID 1672 wrote to memory of 1788	1672	wmpxv1.exe	35
PID 1672 wrote to memory of 1788	1672	wmpxv1.exe	35
PID 1672 wrote to memory of 1788	1672	wmpxv1.exe	35
PID 1672 wrote to memory of 1788	1672	wmpxv1.exe	35
PID 1788 wrote to memory of 2108	1788	wmpxv1.exe	36
PID 1788 wrote to memory of 2108	1788	wmpxv1.exe	36
PID 1788 wrote to memory of 2108	1788	wmpxv1.exe	36
PID 1788 wrote to memory of 2108	1788	wmpxv1.exe	36
PID 2108 wrote to memory of 1288	2108	wmpxv1.exe	37
PID 2108 wrote to memory of 1288	2108	wmpxv1.exe	37
PID 2108 wrote to memory of 1288	2108	wmpxv1.exe	37
PID 2108 wrote to memory of 1288	2108	wmpxv1.exe	37
PID 2108 wrote to memory of 1288	2108	wmpxv1.exe	37
PID 2108 wrote to memory of 1288	2108	wmpxv1.exe	37
PID 2108 wrote to memory of 1288	2108	wmpxv1.exe	37
PID 2108 wrote to memory of 1288	2108	wmpxv1.exe	37
PID 1288 wrote to memory of 1880	1288	wmpxv1.exe	38
PID 1288 wrote to memory of 1880	1288	wmpxv1.exe	38
PID 1288 wrote to memory of 1880	1288	wmpxv1.exe	38
PID 1288 wrote to memory of 1880	1288	wmpxv1.exe	38
PID 1880 wrote to memory of 1616	1880	wmpxv1.exe	39
PID 1880 wrote to memory of 1616	1880	wmpxv1.exe	39
PID 1880 wrote to memory of 1616	1880	wmpxv1.exe	39
PID 1880 wrote to memory of 1616	1880	wmpxv1.exe	39
PID 1880 wrote to memory of 1616	1880	wmpxv1.exe	39
PID 1880 wrote to memory of 1616	1880	wmpxv1.exe	39
PID 1880 wrote to memory of 1616	1880	wmpxv1.exe	39
PID 1880 wrote to memory of 1616	1880	wmpxv1.exe	39
PID 1616 wrote to memory of 2468	1616	wmpxv1.exe	40
PID 1616 wrote to memory of 2468	1616	wmpxv1.exe	40
PID 1616 wrote to memory of 2468	1616	wmpxv1.exe	40
PID 1616 wrote to memory of 2468	1616	wmpxv1.exe	40
PID 2468 wrote to memory of 2448	2468	wmpxv1.exe	41
PID 2468 wrote to memory of 2448	2468	wmpxv1.exe	41
PID 2468 wrote to memory of 2448	2468	wmpxv1.exe	41
PID 2468 wrote to memory of 2448	2468	wmpxv1.exe	41

C:\Users\Admin\AppData\Local\Temp\ecf34a3625a109fbd2feb8b9f03f5e0a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ecf34a3625a109fbd2feb8b9f03f5e0a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Users\Admin\AppData\Local\Temp\ecf34a3625a109fbd2feb8b9f03f5e0a_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ecf34a3625a109fbd2feb8b9f03f5e0a_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Windows\SysWOW64\wmpxv1.exe
    "C:\Windows\system32\wmpxv1.exe" C:\Users\Admin\AppData\Local\Temp\ECF34A~1.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\SysWOW64\wmpxv1.exe
      "C:\Windows\system32\wmpxv1.exe" C:\Users\Admin\AppData\Local\Temp\ECF34A~1.EXE
      4⤵
      Deletes itself
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2216
    - - C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1672
      - C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2448
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2644
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1928
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1856
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2116
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1136
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2508
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1308
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1436
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1556
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2652
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2428
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2164
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1504
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1640
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1364
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1396
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        33⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:692
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        34⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1520
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        35⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:480
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        36⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2192
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        37⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        38⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2168
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        39⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        40⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1868
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        41⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        42⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2776
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        43⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1800
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:604
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2236
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1696
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1264
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2848
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3000
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:988
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1104
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2464
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2268
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2132
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2360
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:840
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1624
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1488
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1984
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2580
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1860
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1620
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        66⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\AIJ.dll

Filesize
5KB

MD5
278d3864e98a1620991854ddeb0b771c

SHA1
c27a6eec37f0392a132496b8715d46217c2e73cf

SHA256
839511592e34a655edbeebda7f8c78a39bdfa834e9f4c54d8b0498537694f11f

SHA512
4addead42833157043042aa05ea448b4bd97be5d18085d99a8ab85eab2c6508be7db55a9d7163a521240ca55034ba68057e17875a92d4a3c868e15294aec8dcc

Download Submit
\Windows\SysWOW64\wmpxv1.exe

Filesize
150KB

MD5
ecf34a3625a109fbd2feb8b9f03f5e0a

SHA1
44ba709400ce61a3919f6522ec1bf58119082663

SHA256
a8b699d9cd5339d414000673c7d26fd4ad7e06946d3e7454e852e2d85dec63af

SHA512
12d0dbc4bbd98dbff5688dfb9f2bf6aca78be11f4bf663528abb06d5b74f102c76fab81594864cf97604b37ed6d89e3f42e6706d37932689dd7ae5dc30f76f55

Download Submit
memory/1104-1239-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1104-1211-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1264-1143-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1288-208-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1288-214-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1396-795-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1396-777-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1436-557-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1436-560-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1520-821-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1520-833-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1556-601-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1556-607-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1616-280-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1616-259-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1620-1490-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1624-1347-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1640-736-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1640-733-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1672-148-0x0000000000790000-0x00000000007A0000-memory.dmp

Filesize
64KB

Download
memory/1788-156-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1788-179-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1788-157-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1788-155-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1800-1071-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1868-970-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1928-416-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1928-409-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1984-1394-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2108-204-0x00000000005F0000-0x0000000000600000-memory.dmp

Filesize
64KB

Download
memory/2108-199-0x00000000005F0000-0x0000000000600000-memory.dmp

Filesize
64KB

Download
memory/2116-465-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2116-460-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2164-689-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2164-694-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2168-909-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2168-933-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2192-865-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2192-892-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2216-107-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2216-112-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2216-105-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2216-106-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2236-1087-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2268-1273-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2360-1304-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2360-1298-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2432-42-0x0000000000590000-0x00000000005A0000-memory.dmp

Filesize
64KB

Download
memory/2432-40-0x0000000000590000-0x00000000005A0000-memory.dmp

Filesize
64KB

Download
memory/2432-31-0x0000000000590000-0x00000000005A0000-memory.dmp

Filesize
64KB

Download
memory/2432-43-0x0000000000590000-0x00000000005A0000-memory.dmp

Filesize
64KB

Download
memory/2432-25-0x0000000000590000-0x00000000005A0000-memory.dmp

Filesize
64KB

Download
memory/2432-30-0x0000000000590000-0x00000000005A0000-memory.dmp

Filesize
64KB

Download
memory/2432-29-0x0000000000590000-0x00000000005A0000-memory.dmp

Filesize
64KB

Download
memory/2432-26-0x0000000000590000-0x00000000005A0000-memory.dmp

Filesize
64KB

Download
memory/2432-27-0x0000000000590000-0x00000000005A0000-memory.dmp

Filesize
64KB

Download
memory/2432-28-0x0000000000590000-0x00000000005A0000-memory.dmp

Filesize
64KB

Download
memory/2444-64-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2444-41-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2444-36-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2444-38-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2444-34-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2444-46-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2444-32-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2444-47-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2444-49-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2444-48-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2448-309-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2448-318-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2508-510-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2508-531-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2580-1428-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2580-1470-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2644-359-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2644-380-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2652-663-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2652-645-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2720-98-0x0000000000240000-0x0000000000250000-memory.dmp

Filesize
64KB

Download
memory/2776-1014-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2776-994-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3000-1186-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download