metasploit | 135a032c74799dfc2f5086d47e0a47685be81849d7a7e8886e072e4e180413ce

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-12-2024 00:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df3ebbd747838b88de37c7dcf96ca408_JaffaCakes118.exe
Size

197KB
MD5

df3ebbd747838b88de37c7dcf96ca408
SHA1

ee5946bb7b98027b5078e1fee5ac9d8d404f3bb0
SHA256

135a032c74799dfc2f5086d47e0a47685be81849d7a7e8886e072e4e180413ce
SHA512

fcabcbf5eea9c43fcffd80f574d9e84eeb307e2e7f20aff70f02b10ff62f1814ed6f1305233440109bf2e95351fbbfb5794be74dbb311bdddc573cc03bdd5ebe
SSDEEP

3072:8XG+uJi5O4zgRHPLRMFDb8Z4yl+U7CxCYItGKTNyn846yCN54TNPVD9utP6f+3:8W6AqCljYE5yn/6yQOTF7utP6fW

Score

10^/10

metasploit backdoor discovery trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmpdlc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmpdlc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmpdlc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmpdlc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmpdlc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmpdlc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmpdlc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmpdlc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmpdlc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmpdlc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmpdlc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmpdlc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmpdlc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	df3ebbd747838b88de37c7dcf96ca408_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmpdlc32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wmpdlc32.exe

Deletes itself 1 IoCs

pid	Process
4408	wmpdlc32.exe

Executes dropped EXE 32 IoCs

pid	Process
932	wmpdlc32.exe
4408	wmpdlc32.exe
3812	wmpdlc32.exe
4444	wmpdlc32.exe
2996	wmpdlc32.exe
3248	wmpdlc32.exe
1940	wmpdlc32.exe
520	wmpdlc32.exe
3880	wmpdlc32.exe
816	wmpdlc32.exe
4428	wmpdlc32.exe
4000	wmpdlc32.exe
3176	wmpdlc32.exe
3216	wmpdlc32.exe
2508	wmpdlc32.exe
4324	wmpdlc32.exe
4552	wmpdlc32.exe
5012	wmpdlc32.exe
1036	wmpdlc32.exe
5008	wmpdlc32.exe
4240	wmpdlc32.exe
1952	wmpdlc32.exe
5112	wmpdlc32.exe
4844	wmpdlc32.exe
1152	wmpdlc32.exe
1440	wmpdlc32.exe
2624	wmpdlc32.exe
4132	wmpdlc32.exe
5116	wmpdlc32.exe
2292	wmpdlc32.exe
368	wmpdlc32.exe
436	wmpdlc32.exe

Maps connected drives based on registry 3 TTPs 34 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdlc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdlc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	df3ebbd747838b88de37c7dcf96ca408_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdlc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdlc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	df3ebbd747838b88de37c7dcf96ca408_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdlc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdlc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdlc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlc32.exe

Drops file in System32 directory 48 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File created	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File created	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File created	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File created	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlc32.exe
File created	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File created	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File created	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File created	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File created	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File created	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlc32.exe
File created	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File created	C:\Windows\SysWOW64\wmpdlc32.exe	df3ebbd747838b88de37c7dcf96ca408_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlc32.exe	df3ebbd747838b88de37c7dcf96ca408_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File created	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\	df3ebbd747838b88de37c7dcf96ca408_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlc32.exe
File created	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe

Suspicious use of SetThreadContext 17 IoCs

description	pid	Process	procid_target
PID 4380 set thread context of 4780	4380	df3ebbd747838b88de37c7dcf96ca408_JaffaCakes118.exe	83
PID 932 set thread context of 4408	932	wmpdlc32.exe	86
PID 3812 set thread context of 4444	3812	wmpdlc32.exe	88
PID 2996 set thread context of 3248	2996	wmpdlc32.exe	90
PID 1940 set thread context of 520	1940	wmpdlc32.exe	101
PID 3880 set thread context of 816	3880	wmpdlc32.exe	109
PID 4428 set thread context of 4000	4428	wmpdlc32.exe	111
PID 3176 set thread context of 3216	3176	wmpdlc32.exe	114
PID 2508 set thread context of 4324	2508	wmpdlc32.exe	116
PID 4552 set thread context of 5012	4552	wmpdlc32.exe	118
PID 1036 set thread context of 5008	1036	wmpdlc32.exe	120
PID 4240 set thread context of 1952	4240	wmpdlc32.exe	122
PID 5112 set thread context of 4844	5112	wmpdlc32.exe	124
PID 1152 set thread context of 1440	1152	wmpdlc32.exe	126
PID 2624 set thread context of 4132	2624	wmpdlc32.exe	128
PID 5116 set thread context of 2292	5116	wmpdlc32.exe	130
PID 368 set thread context of 436	368	wmpdlc32.exe	132

UPX packed file 33 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4780-0-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4780-2-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4780-3-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4780-4-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4780-32-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4408-44-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4780-45-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4408-47-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4444-54-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4408-56-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4444-62-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4444-65-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/3248-72-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/520-79-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/816-86-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4000-92-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4000-95-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/3216-100-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/3216-103-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4324-108-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4324-111-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/5012-116-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/5012-119-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/5008-127-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1952-132-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1952-137-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4844-145-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1440-149-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1440-154-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4132-158-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4132-163-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/2292-167-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/2292-172-0x0000000000400000-0x0000000000456000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	df3ebbd747838b88de37c7dcf96ca408_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	df3ebbd747838b88de37c7dcf96ca408_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdlc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdlc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdlc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdlc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdlc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdlc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdlc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdlc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdlc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdlc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdlc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdlc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdlc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdlc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	df3ebbd747838b88de37c7dcf96ca408_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpdlc32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4780	df3ebbd747838b88de37c7dcf96ca408_JaffaCakes118.exe
4780	df3ebbd747838b88de37c7dcf96ca408_JaffaCakes118.exe
4780	df3ebbd747838b88de37c7dcf96ca408_JaffaCakes118.exe
4780	df3ebbd747838b88de37c7dcf96ca408_JaffaCakes118.exe
4408	wmpdlc32.exe
4408	wmpdlc32.exe
4408	wmpdlc32.exe
4408	wmpdlc32.exe
4444	wmpdlc32.exe
4444	wmpdlc32.exe
4444	wmpdlc32.exe
4444	wmpdlc32.exe
3248	wmpdlc32.exe
3248	wmpdlc32.exe
3248	wmpdlc32.exe
3248	wmpdlc32.exe
520	wmpdlc32.exe
520	wmpdlc32.exe
520	wmpdlc32.exe
520	wmpdlc32.exe
816	wmpdlc32.exe
816	wmpdlc32.exe
816	wmpdlc32.exe
816	wmpdlc32.exe
4000	wmpdlc32.exe
4000	wmpdlc32.exe
4000	wmpdlc32.exe
4000	wmpdlc32.exe
3216	wmpdlc32.exe
3216	wmpdlc32.exe
3216	wmpdlc32.exe
3216	wmpdlc32.exe
4324	wmpdlc32.exe
4324	wmpdlc32.exe
4324	wmpdlc32.exe
4324	wmpdlc32.exe
5012	wmpdlc32.exe
5012	wmpdlc32.exe
5012	wmpdlc32.exe
5012	wmpdlc32.exe
5008	wmpdlc32.exe
5008	wmpdlc32.exe
5008	wmpdlc32.exe
5008	wmpdlc32.exe
1952	wmpdlc32.exe
1952	wmpdlc32.exe
1952	wmpdlc32.exe
1952	wmpdlc32.exe
4844	wmpdlc32.exe
4844	wmpdlc32.exe
4844	wmpdlc32.exe
4844	wmpdlc32.exe
1440	wmpdlc32.exe
1440	wmpdlc32.exe
1440	wmpdlc32.exe
1440	wmpdlc32.exe
4132	wmpdlc32.exe
4132	wmpdlc32.exe
4132	wmpdlc32.exe
4132	wmpdlc32.exe
2292	wmpdlc32.exe
2292	wmpdlc32.exe
2292	wmpdlc32.exe
2292	wmpdlc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4380 wrote to memory of 4780	4380	df3ebbd747838b88de37c7dcf96ca408_JaffaCakes118.exe	83
PID 4380 wrote to memory of 4780	4380	df3ebbd747838b88de37c7dcf96ca408_JaffaCakes118.exe	83
PID 4380 wrote to memory of 4780	4380	df3ebbd747838b88de37c7dcf96ca408_JaffaCakes118.exe	83
PID 4380 wrote to memory of 4780	4380	df3ebbd747838b88de37c7dcf96ca408_JaffaCakes118.exe	83
PID 4380 wrote to memory of 4780	4380	df3ebbd747838b88de37c7dcf96ca408_JaffaCakes118.exe	83
PID 4380 wrote to memory of 4780	4380	df3ebbd747838b88de37c7dcf96ca408_JaffaCakes118.exe	83
PID 4380 wrote to memory of 4780	4380	df3ebbd747838b88de37c7dcf96ca408_JaffaCakes118.exe	83
PID 4780 wrote to memory of 932	4780	df3ebbd747838b88de37c7dcf96ca408_JaffaCakes118.exe	85
PID 4780 wrote to memory of 932	4780	df3ebbd747838b88de37c7dcf96ca408_JaffaCakes118.exe	85
PID 4780 wrote to memory of 932	4780	df3ebbd747838b88de37c7dcf96ca408_JaffaCakes118.exe	85
PID 932 wrote to memory of 4408	932	wmpdlc32.exe	86
PID 932 wrote to memory of 4408	932	wmpdlc32.exe	86
PID 932 wrote to memory of 4408	932	wmpdlc32.exe	86
PID 932 wrote to memory of 4408	932	wmpdlc32.exe	86
PID 932 wrote to memory of 4408	932	wmpdlc32.exe	86
PID 932 wrote to memory of 4408	932	wmpdlc32.exe	86
PID 932 wrote to memory of 4408	932	wmpdlc32.exe	86
PID 4408 wrote to memory of 3812	4408	wmpdlc32.exe	87
PID 4408 wrote to memory of 3812	4408	wmpdlc32.exe	87
PID 4408 wrote to memory of 3812	4408	wmpdlc32.exe	87
PID 3812 wrote to memory of 4444	3812	wmpdlc32.exe	88
PID 3812 wrote to memory of 4444	3812	wmpdlc32.exe	88
PID 3812 wrote to memory of 4444	3812	wmpdlc32.exe	88
PID 3812 wrote to memory of 4444	3812	wmpdlc32.exe	88
PID 3812 wrote to memory of 4444	3812	wmpdlc32.exe	88
PID 3812 wrote to memory of 4444	3812	wmpdlc32.exe	88
PID 3812 wrote to memory of 4444	3812	wmpdlc32.exe	88
PID 4444 wrote to memory of 2996	4444	wmpdlc32.exe	89
PID 4444 wrote to memory of 2996	4444	wmpdlc32.exe	89
PID 4444 wrote to memory of 2996	4444	wmpdlc32.exe	89
PID 2996 wrote to memory of 3248	2996	wmpdlc32.exe	90
PID 2996 wrote to memory of 3248	2996	wmpdlc32.exe	90
PID 2996 wrote to memory of 3248	2996	wmpdlc32.exe	90
PID 2996 wrote to memory of 3248	2996	wmpdlc32.exe	90
PID 2996 wrote to memory of 3248	2996	wmpdlc32.exe	90
PID 2996 wrote to memory of 3248	2996	wmpdlc32.exe	90
PID 2996 wrote to memory of 3248	2996	wmpdlc32.exe	90
PID 3248 wrote to memory of 1940	3248	wmpdlc32.exe	100
PID 3248 wrote to memory of 1940	3248	wmpdlc32.exe	100
PID 3248 wrote to memory of 1940	3248	wmpdlc32.exe	100
PID 1940 wrote to memory of 520	1940	wmpdlc32.exe	101
PID 1940 wrote to memory of 520	1940	wmpdlc32.exe	101
PID 1940 wrote to memory of 520	1940	wmpdlc32.exe	101
PID 1940 wrote to memory of 520	1940	wmpdlc32.exe	101
PID 1940 wrote to memory of 520	1940	wmpdlc32.exe	101
PID 1940 wrote to memory of 520	1940	wmpdlc32.exe	101
PID 1940 wrote to memory of 520	1940	wmpdlc32.exe	101
PID 520 wrote to memory of 3880	520	wmpdlc32.exe	108
PID 520 wrote to memory of 3880	520	wmpdlc32.exe	108
PID 520 wrote to memory of 3880	520	wmpdlc32.exe	108
PID 3880 wrote to memory of 816	3880	wmpdlc32.exe	109
PID 3880 wrote to memory of 816	3880	wmpdlc32.exe	109
PID 3880 wrote to memory of 816	3880	wmpdlc32.exe	109
PID 3880 wrote to memory of 816	3880	wmpdlc32.exe	109
PID 3880 wrote to memory of 816	3880	wmpdlc32.exe	109
PID 3880 wrote to memory of 816	3880	wmpdlc32.exe	109
PID 3880 wrote to memory of 816	3880	wmpdlc32.exe	109
PID 816 wrote to memory of 4428	816	wmpdlc32.exe	110
PID 816 wrote to memory of 4428	816	wmpdlc32.exe	110
PID 816 wrote to memory of 4428	816	wmpdlc32.exe	110
PID 4428 wrote to memory of 4000	4428	wmpdlc32.exe	111
PID 4428 wrote to memory of 4000	4428	wmpdlc32.exe	111
PID 4428 wrote to memory of 4000	4428	wmpdlc32.exe	111
PID 4428 wrote to memory of 4000	4428	wmpdlc32.exe	111

C:\Users\Admin\AppData\Local\Temp\df3ebbd747838b88de37c7dcf96ca408_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\df3ebbd747838b88de37c7dcf96ca408_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4380
- C:\Users\Admin\AppData\Local\Temp\df3ebbd747838b88de37c7dcf96ca408_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\df3ebbd747838b88de37c7dcf96ca408_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4780
- - C:\Windows\SysWOW64\wmpdlc32.exe
    "C:\Windows\system32\wmpdlc32.exe" C:\Users\Admin\AppData\Local\Temp\DF3EBB~1.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:932
  - - C:\Windows\SysWOW64\wmpdlc32.exe
      "C:\Windows\system32\wmpdlc32.exe" C:\Users\Admin\AppData\Local\Temp\DF3EBB~1.EXE
      4⤵
      Checks computer location settings
      Deletes itself
      Executes dropped EXE
      Maps connected drives based on registry
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4408
    - - C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3812
      - C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3248
        
        C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:520
        
        C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3880
        
        C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:816
        
        C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4000
        
        C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3176
        
        C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3216
        
        C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2508
        
        C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4324
        
        C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4552
        
        C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:5012
        
        C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1036
        
        C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:5008
        
        C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4240
        
        C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1952
        
        C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5112
        
        C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4844
        
        C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1152
        
        C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1440
        
        C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4132
        
        C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5116
        
        C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2292
        
        C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:368
        
        C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        34⤵
        Executes dropped EXE
        Maps connected drives based on registry
        
        PID:436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wmpdlc32.exe

Filesize
197KB

MD5
df3ebbd747838b88de37c7dcf96ca408

SHA1
ee5946bb7b98027b5078e1fee5ac9d8d404f3bb0

SHA256
135a032c74799dfc2f5086d47e0a47685be81849d7a7e8886e072e4e180413ce

SHA512
fcabcbf5eea9c43fcffd80f574d9e84eeb307e2e7f20aff70f02b10ff62f1814ed6f1305233440109bf2e95351fbbfb5794be74dbb311bdddc573cc03bdd5ebe

Download Submit
memory/520-79-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/816-86-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1440-154-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1440-149-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1952-137-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1952-132-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2292-167-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2292-172-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3216-100-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3216-103-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3248-72-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4000-92-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4000-95-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4132-158-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4132-163-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4324-111-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4324-108-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4408-47-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4408-56-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4408-44-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4444-54-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4444-62-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4444-65-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4780-45-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4780-0-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4780-32-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4780-4-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4780-3-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4780-2-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4844-145-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5008-127-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5012-119-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5012-116-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download