metasploit | 52bd891fe5e54aba4b381eae5f74efba20d3c8b46aa94b550627615cbb9ca5fd

Analysis

max time kernel
148s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
28/03/2025, 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8aa0892ed756ce1a48507cf2ce970bec.exe
Size

548KB
MD5

8aa0892ed756ce1a48507cf2ce970bec
SHA1

855faa99639923c7a9a88ae8409e0d59f1443ae3
SHA256

52bd891fe5e54aba4b381eae5f74efba20d3c8b46aa94b550627615cbb9ca5fd
SHA512

19200fdc0ce0be456bbaa23e860c8b873f254cb375d58d6417d0bd25654c67299413f122922c93ca70d641a52fc4471b1a80caa6db3318e84ff4d587edaed441
SSDEEP

12288:izP3mTLt4Buvhzdjn+xT64x5nLO0CrnMzqzvR:byBuvhzAx6E52rMz

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Deletes itself 1 IoCs

pid	Process
2836	wmpxv1.exe

Executes dropped EXE 19 IoCs

pid	Process
2836	wmpxv1.exe
2564	wmpxv1.exe
2780	wmpxv1.exe
1488	wmpxv1.exe
2716	wmpxv1.exe
2448	wmpxv1.exe
1492	wmpxv1.exe
984	wmpxv1.exe
1808	wmpxv1.exe
2928	wmpxv1.exe
1752	wmpxv1.exe
2080	wmpxv1.exe
2240	wmpxv1.exe
1256	wmpxv1.exe
1584	wmpxv1.exe
2708	wmpxv1.exe
844	wmpxv1.exe
836	wmpxv1.exe
2008	wmpxv1.exe

Loads dropped DLL 38 IoCs

pid	Process
2460	JaffaCakes118_8aa0892ed756ce1a48507cf2ce970bec.exe
2460	JaffaCakes118_8aa0892ed756ce1a48507cf2ce970bec.exe
2836	wmpxv1.exe
2836	wmpxv1.exe
2564	wmpxv1.exe
2564	wmpxv1.exe
2780	wmpxv1.exe
2780	wmpxv1.exe
1488	wmpxv1.exe
1488	wmpxv1.exe
2716	wmpxv1.exe
2716	wmpxv1.exe
2448	wmpxv1.exe
2448	wmpxv1.exe
1492	wmpxv1.exe
1492	wmpxv1.exe
984	wmpxv1.exe
984	wmpxv1.exe
1808	wmpxv1.exe
1808	wmpxv1.exe
2928	wmpxv1.exe
2928	wmpxv1.exe
1752	wmpxv1.exe
1752	wmpxv1.exe
2080	wmpxv1.exe
2080	wmpxv1.exe
2240	wmpxv1.exe
2240	wmpxv1.exe
1256	wmpxv1.exe
1256	wmpxv1.exe
1584	wmpxv1.exe
1584	wmpxv1.exe
2708	wmpxv1.exe
2708	wmpxv1.exe
844	wmpxv1.exe
844	wmpxv1.exe
836	wmpxv1.exe
836	wmpxv1.exe

Maps connected drives based on registry 3 TTPs 38 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxv1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpxv1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpxv1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxv1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxv1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	JaffaCakes118_8aa0892ed756ce1a48507cf2ce970bec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxv1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpxv1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpxv1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpxv1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxv1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpxv1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	JaffaCakes118_8aa0892ed756ce1a48507cf2ce970bec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxv1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxv1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxv1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpxv1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxv1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpxv1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpxv1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxv1.exe

Drops file in System32 directory 38 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	JaffaCakes118_8aa0892ed756ce1a48507cf2ce970bec.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	JaffaCakes118_8aa0892ed756ce1a48507cf2ce970bec.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe
File created	C:\Windows\SysWOW64\wmpxv1.exe	wmpxv1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8aa0892ed756ce1a48507cf2ce970bec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxv1.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2460	JaffaCakes118_8aa0892ed756ce1a48507cf2ce970bec.exe
2836	wmpxv1.exe
2564	wmpxv1.exe
2780	wmpxv1.exe
1488	wmpxv1.exe
2716	wmpxv1.exe
2448	wmpxv1.exe
1492	wmpxv1.exe
984	wmpxv1.exe
1808	wmpxv1.exe
2928	wmpxv1.exe
1752	wmpxv1.exe
2080	wmpxv1.exe
2240	wmpxv1.exe
1256	wmpxv1.exe
1584	wmpxv1.exe
2708	wmpxv1.exe
844	wmpxv1.exe
836	wmpxv1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 2836	2460	JaffaCakes118_8aa0892ed756ce1a48507cf2ce970bec.exe	29
PID 2460 wrote to memory of 2836	2460	JaffaCakes118_8aa0892ed756ce1a48507cf2ce970bec.exe	29
PID 2460 wrote to memory of 2836	2460	JaffaCakes118_8aa0892ed756ce1a48507cf2ce970bec.exe	29
PID 2460 wrote to memory of 2836	2460	JaffaCakes118_8aa0892ed756ce1a48507cf2ce970bec.exe	29
PID 2836 wrote to memory of 2564	2836	wmpxv1.exe	30
PID 2836 wrote to memory of 2564	2836	wmpxv1.exe	30
PID 2836 wrote to memory of 2564	2836	wmpxv1.exe	30
PID 2836 wrote to memory of 2564	2836	wmpxv1.exe	30
PID 2564 wrote to memory of 2780	2564	wmpxv1.exe	31
PID 2564 wrote to memory of 2780	2564	wmpxv1.exe	31
PID 2564 wrote to memory of 2780	2564	wmpxv1.exe	31
PID 2564 wrote to memory of 2780	2564	wmpxv1.exe	31
PID 2780 wrote to memory of 1488	2780	wmpxv1.exe	32
PID 2780 wrote to memory of 1488	2780	wmpxv1.exe	32
PID 2780 wrote to memory of 1488	2780	wmpxv1.exe	32
PID 2780 wrote to memory of 1488	2780	wmpxv1.exe	32
PID 1488 wrote to memory of 2716	1488	wmpxv1.exe	33
PID 1488 wrote to memory of 2716	1488	wmpxv1.exe	33
PID 1488 wrote to memory of 2716	1488	wmpxv1.exe	33
PID 1488 wrote to memory of 2716	1488	wmpxv1.exe	33
PID 2716 wrote to memory of 2448	2716	wmpxv1.exe	34
PID 2716 wrote to memory of 2448	2716	wmpxv1.exe	34
PID 2716 wrote to memory of 2448	2716	wmpxv1.exe	34
PID 2716 wrote to memory of 2448	2716	wmpxv1.exe	34
PID 2448 wrote to memory of 1492	2448	wmpxv1.exe	35
PID 2448 wrote to memory of 1492	2448	wmpxv1.exe	35
PID 2448 wrote to memory of 1492	2448	wmpxv1.exe	35
PID 2448 wrote to memory of 1492	2448	wmpxv1.exe	35
PID 1492 wrote to memory of 984	1492	wmpxv1.exe	36
PID 1492 wrote to memory of 984	1492	wmpxv1.exe	36
PID 1492 wrote to memory of 984	1492	wmpxv1.exe	36
PID 1492 wrote to memory of 984	1492	wmpxv1.exe	36
PID 984 wrote to memory of 1808	984	wmpxv1.exe	37
PID 984 wrote to memory of 1808	984	wmpxv1.exe	37
PID 984 wrote to memory of 1808	984	wmpxv1.exe	37
PID 984 wrote to memory of 1808	984	wmpxv1.exe	37
PID 1808 wrote to memory of 2928	1808	wmpxv1.exe	38
PID 1808 wrote to memory of 2928	1808	wmpxv1.exe	38
PID 1808 wrote to memory of 2928	1808	wmpxv1.exe	38
PID 1808 wrote to memory of 2928	1808	wmpxv1.exe	38
PID 2928 wrote to memory of 1752	2928	wmpxv1.exe	39
PID 2928 wrote to memory of 1752	2928	wmpxv1.exe	39
PID 2928 wrote to memory of 1752	2928	wmpxv1.exe	39
PID 2928 wrote to memory of 1752	2928	wmpxv1.exe	39
PID 1752 wrote to memory of 2080	1752	wmpxv1.exe	40
PID 1752 wrote to memory of 2080	1752	wmpxv1.exe	40
PID 1752 wrote to memory of 2080	1752	wmpxv1.exe	40
PID 1752 wrote to memory of 2080	1752	wmpxv1.exe	40
PID 2080 wrote to memory of 2240	2080	wmpxv1.exe	41
PID 2080 wrote to memory of 2240	2080	wmpxv1.exe	41
PID 2080 wrote to memory of 2240	2080	wmpxv1.exe	41
PID 2080 wrote to memory of 2240	2080	wmpxv1.exe	41
PID 2240 wrote to memory of 1256	2240	wmpxv1.exe	42
PID 2240 wrote to memory of 1256	2240	wmpxv1.exe	42
PID 2240 wrote to memory of 1256	2240	wmpxv1.exe	42
PID 2240 wrote to memory of 1256	2240	wmpxv1.exe	42
PID 1256 wrote to memory of 1584	1256	wmpxv1.exe	43
PID 1256 wrote to memory of 1584	1256	wmpxv1.exe	43
PID 1256 wrote to memory of 1584	1256	wmpxv1.exe	43
PID 1256 wrote to memory of 1584	1256	wmpxv1.exe	43
PID 1584 wrote to memory of 2708	1584	wmpxv1.exe	44
PID 1584 wrote to memory of 2708	1584	wmpxv1.exe	44
PID 1584 wrote to memory of 2708	1584	wmpxv1.exe	44
PID 1584 wrote to memory of 2708	1584	wmpxv1.exe	44

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8aa0892ed756ce1a48507cf2ce970bec.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8aa0892ed756ce1a48507cf2ce970bec.exe"
1⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Windows\SysWOW64\wmpxv1.exe
  "C:\Windows\system32\wmpxv1.exe" C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\SysWOW64\wmpxv1.exe
    "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Windows\SysWOW64\wmpxv1.exe
      "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Maps connected drives based on registry
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2780
    - - C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1488
      - C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:984
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1256
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2708
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:844
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:836
        
        C:\Windows\SysWOW64\wmpxv1.exe
        
        "C:\Windows\system32\wmpxv1.exe" C:\Windows\SysWOW64\wmpxv1.exe
        20⤵
        Executes dropped EXE
        
        PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\wmpxv1.exe

Filesize
548KB

MD5
8aa0892ed756ce1a48507cf2ce970bec

SHA1
855faa99639923c7a9a88ae8409e0d59f1443ae3

SHA256
52bd891fe5e54aba4b381eae5f74efba20d3c8b46aa94b550627615cbb9ca5fd

SHA512
19200fdc0ce0be456bbaa23e860c8b873f254cb375d58d6417d0bd25654c67299413f122922c93ca70d641a52fc4471b1a80caa6db3318e84ff4d587edaed441

Download Submit
memory/836-96-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/836-99-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/836-98-0x0000000004270000-0x00000000042F9000-memory.dmp

Filesize
548KB

Download
memory/844-97-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/844-95-0x0000000002E40000-0x0000000002EC9000-memory.dmp

Filesize
548KB

Download
memory/844-93-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/984-48-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/984-51-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1256-80-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1488-28-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1488-33-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1492-81-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1584-86-0x0000000002FF0000-0x0000000003079000-memory.dmp

Filesize
548KB

Download
memory/1584-79-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1584-87-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1752-66-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1808-56-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2008-100-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2080-71-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2080-70-0x00000000030E0000-0x0000000003169000-memory.dmp

Filesize
548KB

Download
memory/2080-65-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2240-75-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2448-42-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2460-11-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2460-0-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2564-23-0x0000000002DC0000-0x0000000002E49000-memory.dmp

Filesize
548KB

Download
memory/2564-22-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2708-90-0x0000000004530000-0x00000000045B9000-memory.dmp

Filesize
548KB

Download
memory/2708-92-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2716-39-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2716-34-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2780-29-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2836-19-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2836-17-0x0000000002ED0000-0x0000000002F59000-memory.dmp

Filesize
548KB

Download
memory/2836-12-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2928-60-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download