metasploit | ddecfded7db6f7877e022d2a0c5175acaf4b38d2078ebd281cca09d45ece2f50

Analysis

max time kernel
149s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2024 14:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c8330861d83f29369ce25b0ee9dc58f8_JaffaCakes118.exe
Size

172KB
MD5

c8330861d83f29369ce25b0ee9dc58f8
SHA1

8722c3626740f3c3ae152a83c2c0d16d61efee74
SHA256

ddecfded7db6f7877e022d2a0c5175acaf4b38d2078ebd281cca09d45ece2f50
SHA512

472af193b1089ce72a0e9a4610561eadad535dcc96482e31ae46918e9eed25ac5c119ac492bae11b4effd09761fba67867fe6ea7db8d1a4e703fe5f1a2653817
SSDEEP

3072:hlCEKWX/bM97h4N9U+TrIIfMAmm5BCPbdCAW3MFehirTuyVr6g:ha2g9N4Y+/3m2BCPRC1wVr

Score

10^/10

metasploit backdoor discovery trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Checks computer location settings 2 TTPs 48 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wmpfn1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wmpfn1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wmpfn1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wmpfn1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wmpfn1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wmpfn1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wmpfn1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wmpfn1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wmpfn1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wmpfn1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wmpfn1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wmpfn1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wmpfn1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wmpfn1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wmpfn1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wmpfn1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	c8330861d83f29369ce25b0ee9dc58f8_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wmpfn1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wmpfn1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wmpfn1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wmpfn1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wmpfn1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wmpfn1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wmpfn1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wmpfn1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wmpfn1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wmpfn1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wmpfn1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wmpfn1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wmpfn1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wmpfn1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wmpfn1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wmpfn1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wmpfn1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wmpfn1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wmpfn1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wmpfn1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wmpfn1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wmpfn1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wmpfn1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wmpfn1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wmpfn1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wmpfn1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wmpfn1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wmpfn1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wmpfn1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wmpfn1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wmpfn1.exe

Deletes itself 1 IoCs

pid	Process
3128	wmpfn1.exe

Executes dropped EXE 64 IoCs

pid	Process
4828	wmpfn1.exe
3128	wmpfn1.exe
4368	wmpfn1.exe
1420	wmpfn1.exe
2660	wmpfn1.exe
2636	wmpfn1.exe
3624	wmpfn1.exe
4696	wmpfn1.exe
2184	wmpfn1.exe
3588	wmpfn1.exe
1388	wmpfn1.exe
3124	wmpfn1.exe
3872	wmpfn1.exe
4732	wmpfn1.exe
5016	wmpfn1.exe
1860	wmpfn1.exe
4120	wmpfn1.exe
3460	wmpfn1.exe
1548	wmpfn1.exe
3044	wmpfn1.exe
1976	wmpfn1.exe
4944	wmpfn1.exe
928	wmpfn1.exe
4760	wmpfn1.exe
3784	wmpfn1.exe
4676	wmpfn1.exe
4960	wmpfn1.exe
4396	wmpfn1.exe
2452	wmpfn1.exe
3864	wmpfn1.exe
4876	wmpfn1.exe
4276	wmpfn1.exe
2776	wmpfn1.exe
4272	wmpfn1.exe
2848	wmpfn1.exe
2432	wmpfn1.exe
1064	wmpfn1.exe
2644	wmpfn1.exe
4596	wmpfn1.exe
2740	wmpfn1.exe
1400	wmpfn1.exe
1988	wmpfn1.exe
2960	wmpfn1.exe
1136	wmpfn1.exe
1040	wmpfn1.exe
4456	wmpfn1.exe
1268	wmpfn1.exe
976	wmpfn1.exe
2972	wmpfn1.exe
2268	wmpfn1.exe
4152	wmpfn1.exe
928	wmpfn1.exe
1596	wmpfn1.exe
2484	wmpfn1.exe
4824	wmpfn1.exe
60	wmpfn1.exe
1532	wmpfn1.exe
4940	wmpfn1.exe
3800	wmpfn1.exe
384	wmpfn1.exe
3632	wmpfn1.exe
4496	wmpfn1.exe
4464	wmpfn1.exe
456	wmpfn1.exe

Maps connected drives based on registry 3 TTPs 64 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	c8330861d83f29369ce25b0ee9dc58f8_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	c8330861d83f29369ce25b0ee9dc58f8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpfn1.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File created	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File created	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfn1.exe	c8330861d83f29369ce25b0ee9dc58f8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File created	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\	wmpfn1.exe
File created	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File created	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File created	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File created	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File created	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File created	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File created	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File created	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File created	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File created	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\	wmpfn1.exe
File created	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\	wmpfn1.exe
File created	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File created	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File created	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File created	C:\Windows\SysWOW64\wmpfn1.exe	c8330861d83f29369ce25b0ee9dc58f8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\	wmpfn1.exe
File created	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File created	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\	wmpfn1.exe
File created	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File created	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File created	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe

Suspicious use of SetThreadContext 49 IoCs

description	pid	Process	procid_target
PID 1280 set thread context of 3220	1280	c8330861d83f29369ce25b0ee9dc58f8_JaffaCakes118.exe	81
PID 4828 set thread context of 3128	4828	wmpfn1.exe	83
PID 4368 set thread context of 1420	4368	wmpfn1.exe	85
PID 2660 set thread context of 2636	2660	wmpfn1.exe	87
PID 3624 set thread context of 4696	3624	wmpfn1.exe	93
PID 2184 set thread context of 3588	2184	wmpfn1.exe	96
PID 1388 set thread context of 3124	1388	wmpfn1.exe	100
PID 3872 set thread context of 4732	3872	wmpfn1.exe	102
PID 5016 set thread context of 1860	5016	wmpfn1.exe	104
PID 4120 set thread context of 3460	4120	wmpfn1.exe	106
PID 1548 set thread context of 3044	1548	wmpfn1.exe	109
PID 1976 set thread context of 4944	1976	wmpfn1.exe	111
PID 928 set thread context of 4760	928	wmpfn1.exe	113
PID 3784 set thread context of 4676	3784	wmpfn1.exe	116
PID 4960 set thread context of 4396	4960	wmpfn1.exe	118
PID 2452 set thread context of 3864	2452	wmpfn1.exe	120
PID 4876 set thread context of 4276	4876	wmpfn1.exe	122
PID 2776 set thread context of 4272	2776	wmpfn1.exe	124
PID 2848 set thread context of 2432	2848	wmpfn1.exe	126
PID 1064 set thread context of 2644	1064	wmpfn1.exe	128
PID 4596 set thread context of 2740	4596	wmpfn1.exe	130
PID 1400 set thread context of 1988	1400	wmpfn1.exe	132
PID 2960 set thread context of 1136	2960	wmpfn1.exe	134
PID 1040 set thread context of 4456	1040	wmpfn1.exe	136
PID 1268 set thread context of 976	1268	wmpfn1.exe	138
PID 2972 set thread context of 2268	2972	wmpfn1.exe	140
PID 4152 set thread context of 928	4152	wmpfn1.exe	142
PID 1596 set thread context of 2484	1596	wmpfn1.exe	144
PID 4824 set thread context of 60	4824	wmpfn1.exe	146
PID 1532 set thread context of 4940	1532	wmpfn1.exe	148
PID 3800 set thread context of 384	3800	wmpfn1.exe	150
PID 3632 set thread context of 4496	3632	wmpfn1.exe	152
PID 4464 set thread context of 456	4464	wmpfn1.exe	154
PID 2624 set thread context of 2012	2624	wmpfn1.exe	156
PID 3704 set thread context of 4268	3704	wmpfn1.exe	158
PID 5104 set thread context of 3936	5104	wmpfn1.exe	160
PID 1812 set thread context of 2372	1812	wmpfn1.exe	162
PID 984 set thread context of 1444	984	wmpfn1.exe	164
PID 2824 set thread context of 4984	2824	wmpfn1.exe	166
PID 1104 set thread context of 1160	1104	wmpfn1.exe	168
PID 2544 set thread context of 4932	2544	wmpfn1.exe	170
PID 924 set thread context of 2852	924	wmpfn1.exe	172
PID 3392 set thread context of 648	3392	wmpfn1.exe	174
PID 2584 set thread context of 4112	2584	wmpfn1.exe	176
PID 5100 set thread context of 4884	5100	wmpfn1.exe	178
PID 2008 set thread context of 3312	2008	wmpfn1.exe	180
PID 3292 set thread context of 3076	3292	wmpfn1.exe	182
PID 2628 set thread context of 864	2628	wmpfn1.exe	184
PID 4320 set thread context of 564	4320	wmpfn1.exe	186

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3220-2-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/3220-4-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/3220-6-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/3220-5-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/3220-67-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/3128-74-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/3128-76-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/3128-75-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/3128-78-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/1420-85-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/1420-86-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/1420-87-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/1420-89-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2636-96-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2636-98-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2636-97-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2636-100-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4696-107-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4696-109-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4696-108-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4696-114-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/3588-126-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/3124-136-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4732-143-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4732-144-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4732-145-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4732-147-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/1860-159-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/3460-172-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/3044-184-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4944-196-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4760-209-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4676-222-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4396-234-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/3864-246-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4276-258-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4272-270-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2432-282-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2644-294-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2740-306-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/1988-318-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/1136-330-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4456-341-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/976-351-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2268-361-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/928-371-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2484-381-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/60-391-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4940-401-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/384-411-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4496-421-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/456-431-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2012-441-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4268-451-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/3936-461-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2372-471-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/1444-481-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4984-491-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/1160-501-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4932-511-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2852-521-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/648-531-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4112-541-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4884-553-0x0000000000400000-0x000000000045B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c8330861d83f29369ce25b0ee9dc58f8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c8330861d83f29369ce25b0ee9dc58f8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe

Modifies registry class 48 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfn1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfn1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfn1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfn1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfn1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfn1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfn1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfn1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	c8330861d83f29369ce25b0ee9dc58f8_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfn1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfn1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfn1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfn1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfn1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfn1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfn1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfn1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfn1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfn1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfn1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfn1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfn1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfn1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfn1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfn1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfn1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfn1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfn1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfn1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfn1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfn1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfn1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfn1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfn1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfn1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfn1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfn1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfn1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfn1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfn1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfn1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfn1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfn1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfn1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfn1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfn1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfn1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpfn1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3220	c8330861d83f29369ce25b0ee9dc58f8_JaffaCakes118.exe
3220	c8330861d83f29369ce25b0ee9dc58f8_JaffaCakes118.exe
3128	wmpfn1.exe
3128	wmpfn1.exe
1420	wmpfn1.exe
1420	wmpfn1.exe
2636	wmpfn1.exe
2636	wmpfn1.exe
4696	wmpfn1.exe
4696	wmpfn1.exe
3588	wmpfn1.exe
3588	wmpfn1.exe
3124	wmpfn1.exe
3124	wmpfn1.exe
4732	wmpfn1.exe
4732	wmpfn1.exe
1860	wmpfn1.exe
1860	wmpfn1.exe
3460	wmpfn1.exe
3460	wmpfn1.exe
3044	wmpfn1.exe
3044	wmpfn1.exe
4944	wmpfn1.exe
4944	wmpfn1.exe
4760	wmpfn1.exe
4760	wmpfn1.exe
4676	wmpfn1.exe
4676	wmpfn1.exe
4396	wmpfn1.exe
4396	wmpfn1.exe
3864	wmpfn1.exe
3864	wmpfn1.exe
4276	wmpfn1.exe
4276	wmpfn1.exe
4272	wmpfn1.exe
4272	wmpfn1.exe
2432	wmpfn1.exe
2432	wmpfn1.exe
2644	wmpfn1.exe
2644	wmpfn1.exe
2740	wmpfn1.exe
2740	wmpfn1.exe
1988	wmpfn1.exe
1988	wmpfn1.exe
1136	wmpfn1.exe
1136	wmpfn1.exe
4456	wmpfn1.exe
4456	wmpfn1.exe
976	wmpfn1.exe
976	wmpfn1.exe
2268	wmpfn1.exe
2268	wmpfn1.exe
928	wmpfn1.exe
928	wmpfn1.exe
2484	wmpfn1.exe
2484	wmpfn1.exe
60	wmpfn1.exe
60	wmpfn1.exe
4940	wmpfn1.exe
4940	wmpfn1.exe
384	wmpfn1.exe
384	wmpfn1.exe
4496	wmpfn1.exe
4496	wmpfn1.exe

Suspicious use of SetWindowsHookEx 49 IoCs

pid	Process
1280	c8330861d83f29369ce25b0ee9dc58f8_JaffaCakes118.exe
4828	wmpfn1.exe
4368	wmpfn1.exe
2660	wmpfn1.exe
3624	wmpfn1.exe
2184	wmpfn1.exe
1388	wmpfn1.exe
3872	wmpfn1.exe
5016	wmpfn1.exe
4120	wmpfn1.exe
1548	wmpfn1.exe
1976	wmpfn1.exe
928	wmpfn1.exe
3784	wmpfn1.exe
4960	wmpfn1.exe
2452	wmpfn1.exe
4876	wmpfn1.exe
2776	wmpfn1.exe
2848	wmpfn1.exe
1064	wmpfn1.exe
4596	wmpfn1.exe
1400	wmpfn1.exe
2960	wmpfn1.exe
1040	wmpfn1.exe
1268	wmpfn1.exe
2972	wmpfn1.exe
4152	wmpfn1.exe
1596	wmpfn1.exe
4824	wmpfn1.exe
1532	wmpfn1.exe
3800	wmpfn1.exe
3632	wmpfn1.exe
4464	wmpfn1.exe
2624	wmpfn1.exe
3704	wmpfn1.exe
5104	wmpfn1.exe
1812	wmpfn1.exe
984	wmpfn1.exe
2824	wmpfn1.exe
1104	wmpfn1.exe
2544	wmpfn1.exe
924	wmpfn1.exe
3392	wmpfn1.exe
2584	wmpfn1.exe
5100	wmpfn1.exe
2008	wmpfn1.exe
3292	wmpfn1.exe
2628	wmpfn1.exe
4320	wmpfn1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 3220	1280	c8330861d83f29369ce25b0ee9dc58f8_JaffaCakes118.exe	81
PID 1280 wrote to memory of 3220	1280	c8330861d83f29369ce25b0ee9dc58f8_JaffaCakes118.exe	81
PID 1280 wrote to memory of 3220	1280	c8330861d83f29369ce25b0ee9dc58f8_JaffaCakes118.exe	81
PID 1280 wrote to memory of 3220	1280	c8330861d83f29369ce25b0ee9dc58f8_JaffaCakes118.exe	81
PID 1280 wrote to memory of 3220	1280	c8330861d83f29369ce25b0ee9dc58f8_JaffaCakes118.exe	81
PID 1280 wrote to memory of 3220	1280	c8330861d83f29369ce25b0ee9dc58f8_JaffaCakes118.exe	81
PID 1280 wrote to memory of 3220	1280	c8330861d83f29369ce25b0ee9dc58f8_JaffaCakes118.exe	81
PID 1280 wrote to memory of 3220	1280	c8330861d83f29369ce25b0ee9dc58f8_JaffaCakes118.exe	81
PID 3220 wrote to memory of 4828	3220	c8330861d83f29369ce25b0ee9dc58f8_JaffaCakes118.exe	82
PID 3220 wrote to memory of 4828	3220	c8330861d83f29369ce25b0ee9dc58f8_JaffaCakes118.exe	82
PID 3220 wrote to memory of 4828	3220	c8330861d83f29369ce25b0ee9dc58f8_JaffaCakes118.exe	82
PID 4828 wrote to memory of 3128	4828	wmpfn1.exe	83
PID 4828 wrote to memory of 3128	4828	wmpfn1.exe	83
PID 4828 wrote to memory of 3128	4828	wmpfn1.exe	83
PID 4828 wrote to memory of 3128	4828	wmpfn1.exe	83
PID 4828 wrote to memory of 3128	4828	wmpfn1.exe	83
PID 4828 wrote to memory of 3128	4828	wmpfn1.exe	83
PID 4828 wrote to memory of 3128	4828	wmpfn1.exe	83
PID 4828 wrote to memory of 3128	4828	wmpfn1.exe	83
PID 3128 wrote to memory of 4368	3128	wmpfn1.exe	84
PID 3128 wrote to memory of 4368	3128	wmpfn1.exe	84
PID 3128 wrote to memory of 4368	3128	wmpfn1.exe	84
PID 4368 wrote to memory of 1420	4368	wmpfn1.exe	85
PID 4368 wrote to memory of 1420	4368	wmpfn1.exe	85
PID 4368 wrote to memory of 1420	4368	wmpfn1.exe	85
PID 4368 wrote to memory of 1420	4368	wmpfn1.exe	85
PID 4368 wrote to memory of 1420	4368	wmpfn1.exe	85
PID 4368 wrote to memory of 1420	4368	wmpfn1.exe	85
PID 4368 wrote to memory of 1420	4368	wmpfn1.exe	85
PID 4368 wrote to memory of 1420	4368	wmpfn1.exe	85
PID 1420 wrote to memory of 2660	1420	wmpfn1.exe	86
PID 1420 wrote to memory of 2660	1420	wmpfn1.exe	86
PID 1420 wrote to memory of 2660	1420	wmpfn1.exe	86
PID 2660 wrote to memory of 2636	2660	wmpfn1.exe	87
PID 2660 wrote to memory of 2636	2660	wmpfn1.exe	87
PID 2660 wrote to memory of 2636	2660	wmpfn1.exe	87
PID 2660 wrote to memory of 2636	2660	wmpfn1.exe	87
PID 2660 wrote to memory of 2636	2660	wmpfn1.exe	87
PID 2660 wrote to memory of 2636	2660	wmpfn1.exe	87
PID 2660 wrote to memory of 2636	2660	wmpfn1.exe	87
PID 2660 wrote to memory of 2636	2660	wmpfn1.exe	87
PID 2636 wrote to memory of 3624	2636	wmpfn1.exe	92
PID 2636 wrote to memory of 3624	2636	wmpfn1.exe	92
PID 2636 wrote to memory of 3624	2636	wmpfn1.exe	92
PID 3624 wrote to memory of 4696	3624	wmpfn1.exe	93
PID 3624 wrote to memory of 4696	3624	wmpfn1.exe	93
PID 3624 wrote to memory of 4696	3624	wmpfn1.exe	93
PID 3624 wrote to memory of 4696	3624	wmpfn1.exe	93
PID 3624 wrote to memory of 4696	3624	wmpfn1.exe	93
PID 3624 wrote to memory of 4696	3624	wmpfn1.exe	93
PID 3624 wrote to memory of 4696	3624	wmpfn1.exe	93
PID 3624 wrote to memory of 4696	3624	wmpfn1.exe	93
PID 4696 wrote to memory of 2184	4696	wmpfn1.exe	95
PID 4696 wrote to memory of 2184	4696	wmpfn1.exe	95
PID 4696 wrote to memory of 2184	4696	wmpfn1.exe	95
PID 2184 wrote to memory of 3588	2184	wmpfn1.exe	96
PID 2184 wrote to memory of 3588	2184	wmpfn1.exe	96
PID 2184 wrote to memory of 3588	2184	wmpfn1.exe	96
PID 2184 wrote to memory of 3588	2184	wmpfn1.exe	96
PID 2184 wrote to memory of 3588	2184	wmpfn1.exe	96
PID 2184 wrote to memory of 3588	2184	wmpfn1.exe	96
PID 2184 wrote to memory of 3588	2184	wmpfn1.exe	96
PID 2184 wrote to memory of 3588	2184	wmpfn1.exe	96
PID 3588 wrote to memory of 1388	3588	wmpfn1.exe	99

C:\Users\Admin\AppData\Local\Temp\c8330861d83f29369ce25b0ee9dc58f8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c8330861d83f29369ce25b0ee9dc58f8_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Users\Admin\AppData\Local\Temp\c8330861d83f29369ce25b0ee9dc58f8_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\c8330861d83f29369ce25b0ee9dc58f8_JaffaCakes118.exe
  2⤵
  - Checks computer location settings
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3220
- - C:\Windows\SysWOW64\wmpfn1.exe
    "C:\Windows\system32\wmpfn1.exe" C:\Users\Admin\AppData\Local\Temp\C83308~1.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4828
  - - C:\Windows\SysWOW64\wmpfn1.exe
      "C:\Windows\SysWOW64\wmpfn1.exe" C:\Users\Admin\AppData\Local\Temp\C83308~1.EXE
      4⤵
      Checks computer location settings
      Deletes itself
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3128
    - - C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4368
      - C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1388
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3124
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3872
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4732
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5016
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1860
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4120
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3460
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1548
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3044
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1976
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4944
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:928
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4760
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3784
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4676
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4960
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4396
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2452
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3864
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4876
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4276
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2776
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4272
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2848
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2432
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1064
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2644
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4596
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2740
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1400
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1988
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2960
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1136
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1040
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4456
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1268
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:976
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2972
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2268
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4152
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        54⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:928
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1596
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        56⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2484
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4824
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:60
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1532
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        60⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4940
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3800
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        62⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:384
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3632
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        64⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4496
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4464
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        66⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:456
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        67⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2624
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        68⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        69⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3704
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        70⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4268
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        71⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5104
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        72⤵
        Checks computer location settings
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3936
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        73⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1812
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        74⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        75⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:984
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        76⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1444
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        77⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2824
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        78⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:4984
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        79⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1104
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        80⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1160
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        81⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2544
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        82⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4932
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        83⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:924
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        84⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2852
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        85⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3392
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        86⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:648
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        87⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2584
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        88⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4112
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        89⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5100
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        90⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4884
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        91⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2008
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        92⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        93⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3292
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        94⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:3076
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        95⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2628
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        96⤵
        Checks computer location settings
        Modifies registry class
        
        PID:864
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        97⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4320
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        98⤵
        Maps connected drives based on registry
        
        PID:564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wmpfn1.exe

Filesize
172KB

MD5
c8330861d83f29369ce25b0ee9dc58f8

SHA1
8722c3626740f3c3ae152a83c2c0d16d61efee74

SHA256
ddecfded7db6f7877e022d2a0c5175acaf4b38d2078ebd281cca09d45ece2f50

SHA512
472af193b1089ce72a0e9a4610561eadad535dcc96482e31ae46918e9eed25ac5c119ac492bae11b4effd09761fba67867fe6ea7db8d1a4e703fe5f1a2653817

Download Submit
memory/60-391-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/384-411-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/456-431-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/648-531-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/864-581-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/928-371-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/976-351-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1136-330-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1160-501-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1420-89-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1420-86-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1420-87-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1420-85-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1444-481-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1860-159-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1988-318-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2012-441-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2268-361-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2372-471-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2432-282-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2484-381-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2636-97-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2636-96-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2636-98-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2636-100-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2644-294-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2740-306-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2852-521-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3044-184-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3076-571-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3124-136-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3128-75-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3128-74-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3128-78-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3128-76-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3220-67-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3220-5-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3220-6-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3220-4-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3220-2-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3312-561-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3460-172-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3588-126-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3864-246-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3936-461-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4112-541-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4268-451-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4272-270-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4276-258-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4396-234-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4456-341-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4496-421-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4676-222-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4696-114-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4696-107-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4696-109-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4696-108-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4732-143-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4732-145-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4732-144-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4732-147-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4760-209-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4884-553-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4932-511-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4940-401-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4944-196-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4984-491-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download