Analysis
-
max time kernel
150s -
max time network
56s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
01-07-2024 10:22
General
-
Target
1aeda6ec35f1076db6b88da73f670640_JaffaCakes118.exe
-
Size
160KB
-
MD5
1aeda6ec35f1076db6b88da73f670640
-
SHA1
8c77c2a2ed7e7d800b266fb09c03d913e863771d
-
SHA256
226d19ed695c9b68d08266d31b7260129846f8c24096b6b6f52d6f3a47e5203a
-
SHA512
17c2a05cf4e8f0616c5e31d1b41c083b95583510962a4c08c0743656f0d69e9a8886f9dc3eadc1314b323db6dc82fe9cf5b2cb0c41876efcf11e941a80231fa0
-
SSDEEP
3072:uv/1tNNdyaiRScHtelmKjXgMmMSRwA0zhL4cLMw5YQHGgUpJLxM5:uvvd2Nh8XgMmNczTMAY0kpZE
Score
10/10
Malware Config
Extracted
Family
metasploit
Version
encoder/call4_dword_xor
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Checks computer location settings 2 TTPs 48 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 64 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Maps connected drives based on registry 3 TTPs 64 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory 64 IoCs
-
Suspicious use of SetThreadContext 48 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1aeda6ec35f1076db6b88da73f670640_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1aeda6ec35f1076db6b88da73f670640_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1aeda6ec35f1076db6b88da73f670640_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1aeda6ec35f1076db6b88da73f670640_JaffaCakes118.exe"2⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Users\Admin\AppData\Local\Temp\1AEDA6~1.EXE3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Users\Admin\AppData\Local\Temp\1AEDA6~1.EXE4⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe6⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe8⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe10⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe12⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe14⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe16⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe18⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe20⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe22⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe24⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe26⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe28⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe30⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe32⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe33⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe34⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe35⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe36⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe37⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe38⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe39⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe40⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe41⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe42⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe43⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe44⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe45⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe46⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe47⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe48⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe49⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe50⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe51⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe52⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe53⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe54⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe55⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe56⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe57⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe58⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe59⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe60⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe61⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe62⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe63⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe64⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe65⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe66⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe67⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe68⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe69⤵
- Suspicious use of SetThreadContext
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe70⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe71⤵
- Suspicious use of SetThreadContext
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe72⤵
- Checks computer location settings
- Drops file in System32 directory
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe73⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe74⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe75⤵
- Suspicious use of SetThreadContext
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe76⤵
- Checks computer location settings
- Maps connected drives based on registry
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe77⤵
- Suspicious use of SetThreadContext
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe78⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe79⤵
- Suspicious use of SetThreadContext
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe80⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe81⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe82⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe83⤵
- Suspicious use of SetThreadContext
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe84⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe85⤵
- Suspicious use of SetThreadContext
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe86⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe87⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe88⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe89⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe90⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe91⤵
- Suspicious use of SetThreadContext
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe92⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe93⤵
- Suspicious use of SetThreadContext
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe94⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe95⤵
- Suspicious use of SetThreadContext
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe96⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe97⤵
-
C:\Windows\SysWOW64\wnplt4.exe"C:\Windows\system32\wnplt4.exe" C:\Windows\SysWOW64\wnplt4.exe98⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SysWOW64\wnplt4.exeFilesize
160KB
MD51aeda6ec35f1076db6b88da73f670640
SHA18c77c2a2ed7e7d800b266fb09c03d913e863771d
SHA256226d19ed695c9b68d08266d31b7260129846f8c24096b6b6f52d6f3a47e5203a
SHA51217c2a05cf4e8f0616c5e31d1b41c083b95583510962a4c08c0743656f0d69e9a8886f9dc3eadc1314b323db6dc82fe9cf5b2cb0c41876efcf11e941a80231fa0
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/364-288-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/364-291-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/836-361-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/836-357-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/888-278-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/888-275-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/1172-243-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/1248-246-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/1248-250-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/1356-386-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/1356-389-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/1604-368-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/1604-365-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/1860-335-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/1876-329-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/1876-326-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/2008-341-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/2020-393-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/2020-396-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/2108-93-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/2108-97-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/2196-137-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/2320-154-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/2352-303-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/2400-73-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/2400-70-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/2416-79-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/2416-81-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/2420-168-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/2420-173-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/2424-284-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/2516-112-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/2584-309-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/2652-47-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/2652-46-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/2652-49-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/2652-45-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/2652-44-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/2720-254-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/2720-257-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/2748-199-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/3080-64-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/3080-62-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/3080-61-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/3112-103-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/3112-105-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/3176-4-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/3176-3-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/3176-39-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/3176-0-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/3176-5-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/3204-297-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/3264-375-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/3264-372-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/3356-53-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/3356-57-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/3356-54-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/3488-379-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/3488-382-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/3652-322-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/4004-225-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/4032-191-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/4032-185-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/4100-260-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/4100-264-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/4272-120-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/4280-145-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/4288-181-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/4428-217-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/4472-209-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/4472-203-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/4504-126-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/4504-128-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/4664-316-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/4664-313-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/4696-345-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/4696-348-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/4712-354-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/4808-88-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/4904-271-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/4904-268-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/5076-163-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/5076-159-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/5100-235-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/5100-230-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB