metasploit | 226d19ed695c9b68d08266d31b7260129846f8c24096b6b6f52d6f3a47e5203a

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 10:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1aeda6ec35f1076db6b88da73f670640_JaffaCakes118.exe
Size

160KB
MD5

1aeda6ec35f1076db6b88da73f670640
SHA1

8c77c2a2ed7e7d800b266fb09c03d913e863771d
SHA256

226d19ed695c9b68d08266d31b7260129846f8c24096b6b6f52d6f3a47e5203a
SHA512

17c2a05cf4e8f0616c5e31d1b41c083b95583510962a4c08c0743656f0d69e9a8886f9dc3eadc1314b323db6dc82fe9cf5b2cb0c41876efcf11e941a80231fa0
SSDEEP

3072:uv/1tNNdyaiRScHtelmKjXgMmMSRwA0zhL4cLMw5YQHGgUpJLxM5:uvvd2Nh8XgMmNczTMAY0kpZE

Score

10^/10

metasploit backdoor trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Deletes itself 1 IoCs

Processes:

wnplt4.exe

pid process

2792 wnplt4.exe

pid	process
2792	wnplt4.exe

Executes dropped EXE 64 IoCs

Processes:

wnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exe

pid	process
2736	wnplt4.exe
2792	wnplt4.exe
2472	wnplt4.exe
2948	wnplt4.exe
2548	wnplt4.exe
2560	wnplt4.exe
1848	wnplt4.exe
2268	wnplt4.exe
1740	wnplt4.exe
1044	wnplt4.exe
844	wnplt4.exe
568	wnplt4.exe
1868	wnplt4.exe
1544	wnplt4.exe
952	wnplt4.exe
1724	wnplt4.exe
2208	wnplt4.exe
1580	wnplt4.exe
3056	wnplt4.exe
2648	wnplt4.exe
2576	wnplt4.exe
2464	wnplt4.exe
1828	wnplt4.exe
1104	wnplt4.exe
2724	wnplt4.exe
2832	wnplt4.exe
1848	wnplt4.exe
2344	wnplt4.exe
1740	wnplt4.exe
544	wnplt4.exe
1224	wnplt4.exe
1468	wnplt4.exe
1132	wnplt4.exe
1056	wnplt4.exe
2272	wnplt4.exe
2888	wnplt4.exe
1952	wnplt4.exe
1600	wnplt4.exe
2604	wnplt4.exe
2780	wnplt4.exe
2452	wnplt4.exe
1908	wnplt4.exe
1764	wnplt4.exe
2628	wnplt4.exe
1192	wnplt4.exe
2800	wnplt4.exe
2672	wnplt4.exe
628	wnplt4.exe
2852	wnplt4.exe
692	wnplt4.exe
1084	wnplt4.exe
2052	wnplt4.exe
1680	wnplt4.exe
1856	wnplt4.exe
2272	wnplt4.exe
2540	wnplt4.exe
2988	wnplt4.exe
2592	wnplt4.exe
2640	wnplt4.exe
2576	wnplt4.exe
2164	wnplt4.exe
2520	wnplt4.exe
936	wnplt4.exe
852	wnplt4.exe

Loads dropped DLL 64 IoCs

Processes:

pid	process
3024	1aeda6ec35f1076db6b88da73f670640_JaffaCakes118.exe
3024	1aeda6ec35f1076db6b88da73f670640_JaffaCakes118.exe
2792	wnplt4.exe
2792	wnplt4.exe
2948	wnplt4.exe
2948	wnplt4.exe
2560	wnplt4.exe
2560	wnplt4.exe
2268	wnplt4.exe
2268	wnplt4.exe
1044	wnplt4.exe
1044	wnplt4.exe
568	wnplt4.exe
568	wnplt4.exe
1544	wnplt4.exe
1544	wnplt4.exe
1724	wnplt4.exe
1724	wnplt4.exe
1580	wnplt4.exe
1580	wnplt4.exe
2648	wnplt4.exe
2648	wnplt4.exe
2464	wnplt4.exe
2464	wnplt4.exe
1104	wnplt4.exe
1104	wnplt4.exe
2832	wnplt4.exe
2832	wnplt4.exe
2344	wnplt4.exe
2344	wnplt4.exe
544	wnplt4.exe
544	wnplt4.exe
1468	wnplt4.exe
1468	wnplt4.exe
1056	wnplt4.exe
1056	wnplt4.exe
2888	wnplt4.exe
2888	wnplt4.exe
1600	wnplt4.exe
1600	wnplt4.exe
2780	wnplt4.exe
2780	wnplt4.exe
1908	wnplt4.exe
1908	wnplt4.exe
2628	wnplt4.exe
2628	wnplt4.exe
2800	wnplt4.exe
2800	wnplt4.exe
628	wnplt4.exe
628	wnplt4.exe
692	wnplt4.exe
692	wnplt4.exe
2052	wnplt4.exe
2052	wnplt4.exe
1856	wnplt4.exe
1856	wnplt4.exe
2540	wnplt4.exe
2540	wnplt4.exe
2592	wnplt4.exe
2592	wnplt4.exe
2576	wnplt4.exe
2576	wnplt4.exe
2520	wnplt4.exe
2520	wnplt4.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/3024-2-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/3024-8-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/3024-9-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/3024-7-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/3024-6-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/3024-4-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/3024-3-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/3024-22-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2792-33-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2792-34-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2792-32-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2792-40-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2948-51-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2948-50-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2948-49-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2948-57-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2560-68-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2560-75-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2268-86-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2268-92-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/1044-103-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/1044-109-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/568-121-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/568-126-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/1544-138-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/1544-143-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/1724-155-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/1724-160-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/1580-172-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/1580-178-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2648-188-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2648-195-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2464-207-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2464-213-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/1104-224-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/1104-230-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2832-241-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2832-247-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2344-257-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2344-260-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/544-270-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/544-273-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/1468-283-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/1468-286-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/1056-296-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/1056-299-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2888-309-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2888-312-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/1600-322-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/1600-325-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2780-335-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2780-338-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/1908-348-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/1908-351-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2628-360-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2628-364-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2800-374-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2800-377-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/628-387-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/628-390-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/692-400-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/692-403-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2052-413-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2052-416-0x0000000000400000-0x0000000000468000-memory.dmp	upx

Maps connected drives based on registry 3 TTPs 64 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

wnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exe1aeda6ec35f1076db6b88da73f670640_JaffaCakes118.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnplt4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wnplt4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wnplt4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wnplt4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnplt4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wnplt4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wnplt4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnplt4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnplt4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wnplt4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnplt4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnplt4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnplt4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnplt4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	1aeda6ec35f1076db6b88da73f670640_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wnplt4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wnplt4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wnplt4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnplt4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wnplt4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnplt4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wnplt4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wnplt4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wnplt4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wnplt4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wnplt4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wnplt4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wnplt4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wnplt4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wnplt4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnplt4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wnplt4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnplt4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnplt4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wnplt4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnplt4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnplt4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnplt4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnplt4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wnplt4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnplt4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnplt4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnplt4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wnplt4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnplt4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnplt4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnplt4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnplt4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wnplt4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wnplt4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnplt4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wnplt4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wnplt4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnplt4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnplt4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wnplt4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnplt4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnplt4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wnplt4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnplt4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wnplt4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnplt4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wnplt4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wnplt4.exe

Drops file in System32 directory 64 IoCs

Processes:

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File created	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File created	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File created	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File opened for modification	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File opened for modification	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File opened for modification	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File created	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File opened for modification	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File opened for modification	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File opened for modification	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File opened for modification	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File opened for modification	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File created	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File created	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File opened for modification	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File created	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File opened for modification	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File opened for modification	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File created	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File created	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File created	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File created	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File opened for modification	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File created	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File opened for modification	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File created	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File opened for modification	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File opened for modification	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File created	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File created	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File opened for modification	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File created	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File created	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File created	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File created	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File opened for modification	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File opened for modification	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File created	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File opened for modification	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File opened for modification	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File opened for modification	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File opened for modification	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File opened for modification	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File created	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File created	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File opened for modification	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File opened for modification	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File created	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File opened for modification	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File opened for modification	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File created	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File opened for modification	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File opened for modification	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File created	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File opened for modification	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File opened for modification	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File created	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File created	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File created	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File created	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File created	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File opened for modification	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe
File created	C:\Windows\SysWOW64\wnplt4.exe	wnplt4.exe

Suspicious use of SetThreadContext 59 IoCs

Processes:

1aeda6ec35f1076db6b88da73f670640_JaffaCakes118.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exe

description	pid	process	target process
PID 2916 set thread context of 3024	2916	1aeda6ec35f1076db6b88da73f670640_JaffaCakes118.exe	1aeda6ec35f1076db6b88da73f670640_JaffaCakes118.exe
PID 2736 set thread context of 2792	2736	wnplt4.exe	wnplt4.exe
PID 2472 set thread context of 2948	2472	wnplt4.exe	wnplt4.exe
PID 2548 set thread context of 2560	2548	wnplt4.exe	wnplt4.exe
PID 1848 set thread context of 2268	1848	wnplt4.exe	wnplt4.exe
PID 1740 set thread context of 1044	1740	wnplt4.exe	wnplt4.exe
PID 844 set thread context of 568	844	wnplt4.exe	wnplt4.exe
PID 1868 set thread context of 1544	1868	wnplt4.exe	wnplt4.exe
PID 952 set thread context of 1724	952	wnplt4.exe	wnplt4.exe
PID 2208 set thread context of 1580	2208	wnplt4.exe	wnplt4.exe
PID 3056 set thread context of 2648	3056	wnplt4.exe	wnplt4.exe
PID 2576 set thread context of 2464	2576	wnplt4.exe	wnplt4.exe
PID 1828 set thread context of 1104	1828	wnplt4.exe	wnplt4.exe
PID 2724 set thread context of 2832	2724	wnplt4.exe	wnplt4.exe
PID 1848 set thread context of 2344	1848	wnplt4.exe	wnplt4.exe
PID 1740 set thread context of 544	1740	wnplt4.exe	wnplt4.exe
PID 1224 set thread context of 1468	1224	wnplt4.exe	wnplt4.exe
PID 1132 set thread context of 1056	1132	wnplt4.exe	wnplt4.exe
PID 2272 set thread context of 2888	2272	wnplt4.exe	wnplt4.exe
PID 1952 set thread context of 1600	1952	wnplt4.exe	wnplt4.exe
PID 2604 set thread context of 2780	2604	wnplt4.exe	wnplt4.exe
PID 2452 set thread context of 1908	2452	wnplt4.exe	wnplt4.exe
PID 1764 set thread context of 2628	1764	wnplt4.exe	wnplt4.exe
PID 1192 set thread context of 2800	1192	wnplt4.exe	wnplt4.exe
PID 2672 set thread context of 628	2672	wnplt4.exe	wnplt4.exe
PID 2852 set thread context of 692	2852	wnplt4.exe	wnplt4.exe
PID 1084 set thread context of 2052	1084	wnplt4.exe	wnplt4.exe
PID 1680 set thread context of 1856	1680	wnplt4.exe	wnplt4.exe
PID 2272 set thread context of 2540	2272	wnplt4.exe	wnplt4.exe
PID 2988 set thread context of 2592	2988	wnplt4.exe	wnplt4.exe
PID 2640 set thread context of 2576	2640	wnplt4.exe	wnplt4.exe
PID 2164 set thread context of 2520	2164	wnplt4.exe	wnplt4.exe
PID 936 set thread context of 852	936	wnplt4.exe	wnplt4.exe
PID 1692 set thread context of 3064	1692	wnplt4.exe	wnplt4.exe
PID 1092 set thread context of 2244	1092	wnplt4.exe	wnplt4.exe
PID 2852 set thread context of 844	2852	wnplt4.exe	wnplt4.exe
PID 240 set thread context of 2392	240	wnplt4.exe	wnplt4.exe
PID 1896 set thread context of 1064	1896	wnplt4.exe	wnplt4.exe
PID 3020 set thread context of 2272	3020	wnplt4.exe	wnplt4.exe
PID 892 set thread context of 2988	892	wnplt4.exe	wnplt4.exe
PID 2604 set thread context of 2640	2604	wnplt4.exe	wnplt4.exe
PID 2504 set thread context of 2348	2504	wnplt4.exe	wnplt4.exe
PID 940 set thread context of 1308	940	wnplt4.exe	wnplt4.exe
PID 2196 set thread context of 2184	2196	wnplt4.exe	wnplt4.exe
PID 1748 set thread context of 336	1748	wnplt4.exe	wnplt4.exe
PID 588 set thread context of 1728	588	wnplt4.exe	wnplt4.exe
PID 836 set thread context of 2100	836	wnplt4.exe	wnplt4.exe
PID 2880 set thread context of 1176	2880	wnplt4.exe	wnplt4.exe
PID 1440 set thread context of 3068	1440	wnplt4.exe	wnplt4.exe
PID 688 set thread context of 608	688	wnplt4.exe	wnplt4.exe
PID 2764 set thread context of 2924	2764	wnplt4.exe	wnplt4.exe
PID 2164 set thread context of 1456	2164	wnplt4.exe	wnplt4.exe
PID 2712 set thread context of 2972	2712	wnplt4.exe	wnplt4.exe
PID 1632 set thread context of 1712	1632	wnplt4.exe	wnplt4.exe
PID 868 set thread context of 1740	868	wnplt4.exe	wnplt4.exe
PID 1820 set thread context of 1084	1820	wnplt4.exe	wnplt4.exe
PID 2160 set thread context of 996	2160	wnplt4.exe	wnplt4.exe
PID 1536 set thread context of 1416	1536	wnplt4.exe	wnplt4.exe
PID 1200 set thread context of 1720	1200	wnplt4.exe	wnplt4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 59 IoCs

Processes:

pid	process
3024	1aeda6ec35f1076db6b88da73f670640_JaffaCakes118.exe
2792	wnplt4.exe
2948	wnplt4.exe
2560	wnplt4.exe
2268	wnplt4.exe
1044	wnplt4.exe
568	wnplt4.exe
1544	wnplt4.exe
1724	wnplt4.exe
1580	wnplt4.exe
2648	wnplt4.exe
2464	wnplt4.exe
1104	wnplt4.exe
2832	wnplt4.exe
2344	wnplt4.exe
544	wnplt4.exe
1468	wnplt4.exe
1056	wnplt4.exe
2888	wnplt4.exe
1600	wnplt4.exe
2780	wnplt4.exe
1908	wnplt4.exe
2628	wnplt4.exe
2800	wnplt4.exe
628	wnplt4.exe
692	wnplt4.exe
2052	wnplt4.exe
1856	wnplt4.exe
2540	wnplt4.exe
2592	wnplt4.exe
2576	wnplt4.exe
2520	wnplt4.exe
852	wnplt4.exe
3064	wnplt4.exe
2244	wnplt4.exe
844	wnplt4.exe
2392	wnplt4.exe
1064	wnplt4.exe
2272	wnplt4.exe
2988	wnplt4.exe
2640	wnplt4.exe
2348	wnplt4.exe
1308	wnplt4.exe
2184	wnplt4.exe
336	wnplt4.exe
1728	wnplt4.exe
2100	wnplt4.exe
1176	wnplt4.exe
3068	wnplt4.exe
608	wnplt4.exe
2924	wnplt4.exe
1456	wnplt4.exe
2972	wnplt4.exe
1712	wnplt4.exe
1740	wnplt4.exe
1084	wnplt4.exe
996	wnplt4.exe
1416	wnplt4.exe
1720	wnplt4.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1aeda6ec35f1076db6b88da73f670640_JaffaCakes118.exe1aeda6ec35f1076db6b88da73f670640_JaffaCakes118.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exewnplt4.exe

description	pid	process	target process
PID 2916 wrote to memory of 3024	2916	1aeda6ec35f1076db6b88da73f670640_JaffaCakes118.exe	1aeda6ec35f1076db6b88da73f670640_JaffaCakes118.exe
PID 2916 wrote to memory of 3024	2916	1aeda6ec35f1076db6b88da73f670640_JaffaCakes118.exe	1aeda6ec35f1076db6b88da73f670640_JaffaCakes118.exe
PID 2916 wrote to memory of 3024	2916	1aeda6ec35f1076db6b88da73f670640_JaffaCakes118.exe	1aeda6ec35f1076db6b88da73f670640_JaffaCakes118.exe
PID 2916 wrote to memory of 3024	2916	1aeda6ec35f1076db6b88da73f670640_JaffaCakes118.exe	1aeda6ec35f1076db6b88da73f670640_JaffaCakes118.exe
PID 2916 wrote to memory of 3024	2916	1aeda6ec35f1076db6b88da73f670640_JaffaCakes118.exe	1aeda6ec35f1076db6b88da73f670640_JaffaCakes118.exe
PID 2916 wrote to memory of 3024	2916	1aeda6ec35f1076db6b88da73f670640_JaffaCakes118.exe	1aeda6ec35f1076db6b88da73f670640_JaffaCakes118.exe
PID 2916 wrote to memory of 3024	2916	1aeda6ec35f1076db6b88da73f670640_JaffaCakes118.exe	1aeda6ec35f1076db6b88da73f670640_JaffaCakes118.exe
PID 3024 wrote to memory of 2736	3024	1aeda6ec35f1076db6b88da73f670640_JaffaCakes118.exe	wnplt4.exe
PID 3024 wrote to memory of 2736	3024	1aeda6ec35f1076db6b88da73f670640_JaffaCakes118.exe	wnplt4.exe
PID 3024 wrote to memory of 2736	3024	1aeda6ec35f1076db6b88da73f670640_JaffaCakes118.exe	wnplt4.exe
PID 3024 wrote to memory of 2736	3024	1aeda6ec35f1076db6b88da73f670640_JaffaCakes118.exe	wnplt4.exe
PID 2736 wrote to memory of 2792	2736	wnplt4.exe	wnplt4.exe
PID 2736 wrote to memory of 2792	2736	wnplt4.exe	wnplt4.exe
PID 2736 wrote to memory of 2792	2736	wnplt4.exe	wnplt4.exe
PID 2736 wrote to memory of 2792	2736	wnplt4.exe	wnplt4.exe
PID 2736 wrote to memory of 2792	2736	wnplt4.exe	wnplt4.exe
PID 2736 wrote to memory of 2792	2736	wnplt4.exe	wnplt4.exe
PID 2736 wrote to memory of 2792	2736	wnplt4.exe	wnplt4.exe
PID 2792 wrote to memory of 2472	2792	wnplt4.exe	wnplt4.exe
PID 2792 wrote to memory of 2472	2792	wnplt4.exe	wnplt4.exe
PID 2792 wrote to memory of 2472	2792	wnplt4.exe	wnplt4.exe
PID 2792 wrote to memory of 2472	2792	wnplt4.exe	wnplt4.exe
PID 2472 wrote to memory of 2948	2472	wnplt4.exe	wnplt4.exe
PID 2472 wrote to memory of 2948	2472	wnplt4.exe	wnplt4.exe
PID 2472 wrote to memory of 2948	2472	wnplt4.exe	wnplt4.exe
PID 2472 wrote to memory of 2948	2472	wnplt4.exe	wnplt4.exe
PID 2472 wrote to memory of 2948	2472	wnplt4.exe	wnplt4.exe
PID 2472 wrote to memory of 2948	2472	wnplt4.exe	wnplt4.exe
PID 2472 wrote to memory of 2948	2472	wnplt4.exe	wnplt4.exe
PID 2948 wrote to memory of 2548	2948	wnplt4.exe	wnplt4.exe
PID 2948 wrote to memory of 2548	2948	wnplt4.exe	wnplt4.exe
PID 2948 wrote to memory of 2548	2948	wnplt4.exe	wnplt4.exe
PID 2948 wrote to memory of 2548	2948	wnplt4.exe	wnplt4.exe
PID 2548 wrote to memory of 2560	2548	wnplt4.exe	wnplt4.exe
PID 2548 wrote to memory of 2560	2548	wnplt4.exe	wnplt4.exe
PID 2548 wrote to memory of 2560	2548	wnplt4.exe	wnplt4.exe
PID 2548 wrote to memory of 2560	2548	wnplt4.exe	wnplt4.exe
PID 2548 wrote to memory of 2560	2548	wnplt4.exe	wnplt4.exe
PID 2548 wrote to memory of 2560	2548	wnplt4.exe	wnplt4.exe
PID 2548 wrote to memory of 2560	2548	wnplt4.exe	wnplt4.exe
PID 2560 wrote to memory of 1848	2560	wnplt4.exe	wnplt4.exe
PID 2560 wrote to memory of 1848	2560	wnplt4.exe	wnplt4.exe
PID 2560 wrote to memory of 1848	2560	wnplt4.exe	wnplt4.exe
PID 2560 wrote to memory of 1848	2560	wnplt4.exe	wnplt4.exe
PID 1848 wrote to memory of 2268	1848	wnplt4.exe	wnplt4.exe
PID 1848 wrote to memory of 2268	1848	wnplt4.exe	wnplt4.exe
PID 1848 wrote to memory of 2268	1848	wnplt4.exe	wnplt4.exe
PID 1848 wrote to memory of 2268	1848	wnplt4.exe	wnplt4.exe
PID 1848 wrote to memory of 2268	1848	wnplt4.exe	wnplt4.exe
PID 1848 wrote to memory of 2268	1848	wnplt4.exe	wnplt4.exe
PID 1848 wrote to memory of 2268	1848	wnplt4.exe	wnplt4.exe
PID 2268 wrote to memory of 1740	2268	wnplt4.exe	wnplt4.exe
PID 2268 wrote to memory of 1740	2268	wnplt4.exe	wnplt4.exe
PID 2268 wrote to memory of 1740	2268	wnplt4.exe	wnplt4.exe
PID 2268 wrote to memory of 1740	2268	wnplt4.exe	wnplt4.exe
PID 1740 wrote to memory of 1044	1740	wnplt4.exe	wnplt4.exe
PID 1740 wrote to memory of 1044	1740	wnplt4.exe	wnplt4.exe
PID 1740 wrote to memory of 1044	1740	wnplt4.exe	wnplt4.exe
PID 1740 wrote to memory of 1044	1740	wnplt4.exe	wnplt4.exe
PID 1740 wrote to memory of 1044	1740	wnplt4.exe	wnplt4.exe
PID 1740 wrote to memory of 1044	1740	wnplt4.exe	wnplt4.exe
PID 1740 wrote to memory of 1044	1740	wnplt4.exe	wnplt4.exe
PID 1044 wrote to memory of 844	1044	wnplt4.exe	wnplt4.exe
PID 1044 wrote to memory of 844	1044	wnplt4.exe	wnplt4.exe

C:\Users\Admin\AppData\Local\Temp\1aeda6ec35f1076db6b88da73f670640_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1aeda6ec35f1076db6b88da73f670640_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2916

C:\Users\Admin\AppData\Local\Temp\1aeda6ec35f1076db6b88da73f670640_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1aeda6ec35f1076db6b88da73f670640_JaffaCakes118.exe"
2⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3024

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Users\Admin\AppData\Local\Temp\1AEDA6~1.EXE
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2736

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Users\Admin\AppData\Local\Temp\1AEDA6~1.EXE
4⤵
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2792

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2472

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2948

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2548

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1848

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2268

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
12⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1044

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:844

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
14⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:568

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1868

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
16⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1544

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:952

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
18⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1724

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2208

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
20⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:1580

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3056

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
22⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2648

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2576

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
24⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2464

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1828

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
26⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:1104

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2724

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
28⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2832

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1848

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
30⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2344

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1740

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
32⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:544

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
33⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1224

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
34⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1468

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
35⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1132

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
36⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1056

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
37⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2272

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
38⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2888

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
39⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1952

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
40⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1600

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
41⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2604

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
42⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2780

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
43⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2452

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
44⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:1908

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
45⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1764

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
46⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2628

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
47⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1192

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
48⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2800

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
49⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2672

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
50⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:628

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
51⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2852

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
52⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:692

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
53⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1084

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
54⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2052

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
55⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1680

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
56⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1856

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
57⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2272

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
58⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2540

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
59⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2988

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
60⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2592

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
61⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2640

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
62⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2576

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
63⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2164

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
64⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2520

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
65⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:936

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
66⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:852

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
67⤵
- Suspicious use of SetThreadContext
PID:1692

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
68⤵
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:3064

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
69⤵
- Suspicious use of SetThreadContext
PID:1092

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
70⤵
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2244

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
71⤵
- Suspicious use of SetThreadContext
PID:2852

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
72⤵
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:844

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
73⤵
- Suspicious use of SetThreadContext
PID:240

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
74⤵
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2392

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
75⤵
- Suspicious use of SetThreadContext
PID:1896

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
76⤵
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:1064

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
77⤵
- Suspicious use of SetThreadContext
PID:3020

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
78⤵
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:2272

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
79⤵
- Suspicious use of SetThreadContext
PID:892

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
80⤵
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2988

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
81⤵
- Suspicious use of SetThreadContext
PID:2604

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
82⤵
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:2640

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
83⤵
- Suspicious use of SetThreadContext
PID:2504

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
84⤵
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2348

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
85⤵
- Suspicious use of SetThreadContext
PID:940

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
86⤵
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1308

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
87⤵
- Suspicious use of SetThreadContext
PID:2196

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
88⤵
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2184

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
89⤵
- Suspicious use of SetThreadContext
PID:1748

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
90⤵
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:336

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
91⤵
- Suspicious use of SetThreadContext
PID:588

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
92⤵
- Suspicious behavior: EnumeratesProcesses
PID:1728

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
93⤵
- Suspicious use of SetThreadContext
PID:836

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
94⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2100

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
95⤵
- Suspicious use of SetThreadContext
PID:2880

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
96⤵
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1176

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
97⤵
- Suspicious use of SetThreadContext
PID:1440

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
98⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:3068

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
99⤵
- Suspicious use of SetThreadContext
PID:688

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
100⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:608

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
101⤵
- Suspicious use of SetThreadContext
PID:2764

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
102⤵
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2924

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
103⤵
- Suspicious use of SetThreadContext
PID:2164

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
104⤵
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1456

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
105⤵
- Suspicious use of SetThreadContext
PID:2712

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
106⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2972

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
107⤵
- Suspicious use of SetThreadContext
PID:1632

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
108⤵
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:1712

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
109⤵
- Suspicious use of SetThreadContext
PID:868

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
110⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1740

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
111⤵
- Suspicious use of SetThreadContext
PID:1820

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
112⤵
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1084

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
113⤵
- Suspicious use of SetThreadContext
PID:2160

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
114⤵
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:996

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
115⤵
- Suspicious use of SetThreadContext
PID:1536

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
116⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1416

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
117⤵
- Suspicious use of SetThreadContext
PID:1200

C:\Windows\SysWOW64\wnplt4.exe
"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe
118⤵
- Suspicious behavior: EnumeratesProcesses
PID:1720

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Windows\SysWOW64\wnplt4.exe
Filesize
160KB

MD5
1aeda6ec35f1076db6b88da73f670640

SHA1
8c77c2a2ed7e7d800b266fb09c03d913e863771d

SHA256
226d19ed695c9b68d08266d31b7260129846f8c24096b6b6f52d6f3a47e5203a

SHA512
17c2a05cf4e8f0616c5e31d1b41c083b95583510962a4c08c0743656f0d69e9a8886f9dc3eadc1314b323db6dc82fe9cf5b2cb0c41876efcf11e941a80231fa0

Download Submit
memory/336-647-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/336-650-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/544-273-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/544-270-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/568-121-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/568-126-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/628-390-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/628-387-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/692-403-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/692-400-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/844-533-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/844-529-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/852-491-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/852-494-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1044-103-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1044-109-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1056-296-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1056-299-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1064-559-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1064-556-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1104-230-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1104-224-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1176-689-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1176-686-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1308-624-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1308-621-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1468-283-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1468-286-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1544-138-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1544-143-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1580-172-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1580-178-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1600-325-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1600-322-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1724-155-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1724-160-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1728-663-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1728-660-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1856-426-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1856-429-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1908-351-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1908-348-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2052-416-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2052-413-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2100-676-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2100-672-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2184-637-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2184-634-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2244-520-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2244-517-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2268-92-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2268-86-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2272-572-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2272-569-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2344-260-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2344-257-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2348-608-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2348-611-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2392-543-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2392-546-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2464-207-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2464-213-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2520-481-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2520-478-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2540-439-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2540-442-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2560-68-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2560-75-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2576-465-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2576-468-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2592-452-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2592-455-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2628-364-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2628-360-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2640-595-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2640-598-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2648-195-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2648-188-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2780-338-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2780-335-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2792-33-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2792-34-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2792-32-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2792-40-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2800-374-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2800-377-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2832-247-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2832-241-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2888-309-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2888-312-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2948-51-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2948-57-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2948-50-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2948-49-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2988-585-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2988-582-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3024-2-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3024-22-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3024-3-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3024-0-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3024-4-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3024-6-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3024-7-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3024-9-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3024-8-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3064-504-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3064-507-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads