Analysis
max time kernel: 151s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-06-2024 07:59

Static task: static1
Behavioral task: behavioral1
  Sample: 05a01aca9aa8167b69104f61974392c4_JaffaCakes118.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 05a01aca9aa8167b69104f61974392c4_JaffaCakes118.exe
  Resource: win10v2004-20240226-en

General
Target: 05a01aca9aa8167b69104f61974392c4_JaffaCakes118.exe
Size: 158KB
MD5: 05a01aca9aa8167b69104f61974392c4
SHA1: e9e817e631cc6e9081ed6e9574ce66896bd5466b
SHA256: bb90cebc57c6254ee88868ea0635b54e27e0b4076087db0d9db6fe712da2ce00
SHA512: fdc2942ab05b8d58aea2089d25887679038a1a3a85249db412167361c636e1c8799f7eb787193b3b451f960c41f33a3cd70ae921171b56959d8be037d2595ccb
SSDEEP: 3072:A3iOPDhkZHdMGKhkXaW+/8z4SmwIGkr/VP4qFksnliFvt8AC+R:EPeSSxtKwxkr/p4qiIix

Malware Config
Extracted: metasploit (encoder/call4_dword_xor)
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Checks computer location settings (2 TTPs, 19 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Distinct IoCs (repeated identical entries collapsed):
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | wnpkm2.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | 05a01aca9aa8167b69104f61974392c4_JaffaCakes118.exe
- Deletes itself (1 IoC)
  pid | process
  2256 | wnpkm2.exe
- Executes dropped EXE (38 IoCs)
  pid | process (every entry is wnpkm2.exe; pid 2620 is listed twice)
  748, 2256, 4516, 4064, 4476, 1980, 3828, 4444, 900, 5108, 2992, 2296, 2620, 4008, 1516, 456, 3112, 1636, 712, 876, 2432, 4856, 2536, 2620, 2312, 452, 4472, 4736, 1720, 2308, 2108, 2344, 3616, 2172, 2480, 3164, 3980, 820 | wnpkm2.exe
- Memory dumps matching yara rule upx (behavioral2 task; the signature heading did not survive extraction)
  Every match is the region 0x0000000000400000-0x000000000046C000; resources are behavioral2/memory/<pid>-<n>-0x0000000000400000-0x000000000046C000-memory.dmp for pids 3912, 2256, 4064, 1980, 4444, 5108, 2296, 4008, 456, 1636, 876, 4856, 2620, 452, 4736, 2308, 2344, 2172, 3164, 820.
- Maps connected drives based on registry (3 TTPs, 40 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Distinct IoCs (repeated identical entries collapsed):
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wnpkm2.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wnpkm2.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 05a01aca9aa8167b69104f61974392c4_JaffaCakes118.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 05a01aca9aa8167b69104f61974392c4_JaffaCakes118.exe
- Drops file in System32 directory (38 IoCs)
  Distinct IoCs (repeated identical entries collapsed):
  description | ioc | process
  File created | C:\Windows\SysWOW64\wnpkm2.exe | wnpkm2.exe
  File opened for modification | C:\Windows\SysWOW64\wnpkm2.exe | wnpkm2.exe
  File created | C:\Windows\SysWOW64\wnpkm2.exe | 05a01aca9aa8167b69104f61974392c4_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\wnpkm2.exe | 05a01aca9aa8167b69104f61974392c4_JaffaCakes118.exe
- Suspicious use of SetThreadContext (20 IoCs)
  pid | target pid | process | target process
  824 | 3912 | 05a01aca9aa8167b69104f61974392c4_JaffaCakes118.exe | 05a01aca9aa8167b69104f61974392c4_JaffaCakes118.exe
  748 | 2256 | wnpkm2.exe | wnpkm2.exe
  4516 | 4064 | wnpkm2.exe | wnpkm2.exe
  4476 | 1980 | wnpkm2.exe | wnpkm2.exe
  3828 | 4444 | wnpkm2.exe | wnpkm2.exe
  900 | 5108 | wnpkm2.exe | wnpkm2.exe
  2992 | 2296 | wnpkm2.exe | wnpkm2.exe
  2620 | 4008 | wnpkm2.exe | wnpkm2.exe
  1516 | 456 | wnpkm2.exe | wnpkm2.exe
  3112 | 1636 | wnpkm2.exe | wnpkm2.exe
  712 | 876 | wnpkm2.exe | wnpkm2.exe
  2432 | 4856 | wnpkm2.exe | wnpkm2.exe
  2536 | 2620 | wnpkm2.exe | wnpkm2.exe
  2312 | 452 | wnpkm2.exe | wnpkm2.exe
  4472 | 4736 | wnpkm2.exe | wnpkm2.exe
  1720 | 2308 | wnpkm2.exe | wnpkm2.exe
  2108 | 2344 | wnpkm2.exe | wnpkm2.exe
  3616 | 2172 | wnpkm2.exe | wnpkm2.exe
  2480 | 3164 | wnpkm2.exe | wnpkm2.exe
  3980 | 820 | wnpkm2.exe | wnpkm2.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (39 IoCs)
  Distinct IoCs (repeated identical entries collapsed):
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 05a01aca9aa8167b69104f61974392c4_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wnpkm2.exe
  Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | wnpkm2.exe
  Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | 05a01aca9aa8167b69104f61974392c4_JaffaCakes118.exe
- Suspicious behavior: EnumeratesProcesses (38 IoCs)
  Distinct pids (each appears twice in the report):
  pid | process
  3912 | 05a01aca9aa8167b69104f61974392c4_JaffaCakes118.exe
  2256, 4064, 1980, 4444, 5108, 2296, 4008, 456, 1636, 876, 4856, 2620, 452, 4736, 2308, 2344, 2172, 3164 | wnpkm2.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Distinct writer/target pairs (repeated identical entries collapsed):
  pid | target pid | process | target process
  824 | 3912 | 05a01aca9aa8167b69104f61974392c4_JaffaCakes118.exe | 05a01aca9aa8167b69104f61974392c4_JaffaCakes118.exe
  3912 | 748 | 05a01aca9aa8167b69104f61974392c4_JaffaCakes118.exe | wnpkm2.exe
  748 | 2256 | wnpkm2.exe | wnpkm2.exe
  2256 | 4516 | wnpkm2.exe | wnpkm2.exe
  4516 | 4064 | wnpkm2.exe | wnpkm2.exe
  4064 | 4476 | wnpkm2.exe | wnpkm2.exe
  4476 | 1980 | wnpkm2.exe | wnpkm2.exe
  1980 | 3828 | wnpkm2.exe | wnpkm2.exe
  3828 | 4444 | wnpkm2.exe | wnpkm2.exe
  4444 | 900 | wnpkm2.exe | wnpkm2.exe
  900 | 5108 | wnpkm2.exe | wnpkm2.exe
  5108 | 2992 | wnpkm2.exe | wnpkm2.exe
  2992 | 2296 | wnpkm2.exe | wnpkm2.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\05a01aca9aa8167b69104f61974392c4_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\05a01aca9aa8167b69104f61974392c4_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:824 -
C:\Users\Admin\AppData\Local\Temp\05a01aca9aa8167b69104f61974392c4_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\05a01aca9aa8167b69104f61974392c4_JaffaCakes118.exe"2⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3912 -
C:\Windows\SysWOW64\wnpkm2.exe"C:\Windows\system32\wnpkm2.exe" C:\Users\Admin\AppData\Local\Temp\05A01A~1.EXE3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:748 -
C:\Windows\SysWOW64\wnpkm2.exe"C:\Windows\system32\wnpkm2.exe" C:\Users\Admin\AppData\Local\Temp\05A01A~1.EXE4⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\SysWOW64\wnpkm2.exe "C:\Windows\system32\wnpkm2.exe" C:\Windows\SysWOW64\wnpkm2.exe
Every level from depth 5 to depth 40 is this same image and command line, each one a child of the level before it: wnpkm2.exe re-launches its own copy and passes the SysWOW64 path as its argument. The command line names system32, but the 32-bit process is subject to WOW64 file-system redirection, so the image that actually runs lives under SysWOW64. The levels differ only in PID and in the behaviour the sandbox tagged:
- depth 5, PID:4516: Executes dropped EXE; Suspicious use of SetThreadContext; Modifies registry class; Suspicious use of WriteProcessMemory
- depth 6, PID:4064: Checks computer location settings; Executes dropped EXE; Maps connected drives based on registry; Drops file in System32 directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
- depth 7, PID:4476: Executes dropped EXE; Suspicious use of SetThreadContext; Modifies registry class; Suspicious use of WriteProcessMemory
- depth 8, PID:1980: Checks computer location settings; Executes dropped EXE; Maps connected drives based on registry; Drops file in System32 directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
- depth 9, PID:3828: Executes dropped EXE; Suspicious use of SetThreadContext; Modifies registry class; Suspicious use of WriteProcessMemory
- depth 10, PID:4444: Checks computer location settings; Executes dropped EXE; Maps connected drives based on registry; Drops file in System32 directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
- depth 11, PID:900: Executes dropped EXE; Suspicious use of SetThreadContext; Modifies registry class; Suspicious use of WriteProcessMemory
- depth 12, PID:5108: Checks computer location settings; Executes dropped EXE; Maps connected drives based on registry; Drops file in System32 directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
- depth 13, PID:2992: Executes dropped EXE; Suspicious use of SetThreadContext; Modifies registry class; Suspicious use of WriteProcessMemory
- depth 14, PID:2296: Checks computer location settings; Executes dropped EXE; Maps connected drives based on registry; Drops file in System32 directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses
- depth 15, PID:2620: Executes dropped EXE; Suspicious use of SetThreadContext; Modifies registry class
- depth 16, PID:4008: Checks computer location settings; Executes dropped EXE; Maps connected drives based on registry; Drops file in System32 directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses
- depth 17, PID:1516: Executes dropped EXE; Suspicious use of SetThreadContext; Modifies registry class
- depth 18, PID:456: Checks computer location settings; Executes dropped EXE; Maps connected drives based on registry; Drops file in System32 directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses
- depth 19, PID:3112: Executes dropped EXE; Suspicious use of SetThreadContext; Modifies registry class
- depth 20, PID:1636: Checks computer location settings; Executes dropped EXE; Maps connected drives based on registry; Drops file in System32 directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses
- depth 21, PID:712: Executes dropped EXE; Suspicious use of SetThreadContext; Modifies registry class
- depth 22, PID:876: Checks computer location settings; Executes dropped EXE; Maps connected drives based on registry; Drops file in System32 directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses
- depth 23, PID:2432: Executes dropped EXE; Suspicious use of SetThreadContext; Modifies registry class
- depth 24, PID:4856: Checks computer location settings; Executes dropped EXE; Maps connected drives based on registry; Drops file in System32 directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses
- depth 25, PID:2536: Executes dropped EXE; Suspicious use of SetThreadContext; Modifies registry class
- depth 26, PID:2620: Checks computer location settings; Executes dropped EXE; Maps connected drives based on registry; Drops file in System32 directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses
- depth 27, PID:2312: Executes dropped EXE; Suspicious use of SetThreadContext; Modifies registry class
- depth 28, PID:452: Checks computer location settings; Executes dropped EXE; Maps connected drives based on registry; Drops file in System32 directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses
- depth 29, PID:4472: Executes dropped EXE; Suspicious use of SetThreadContext; Modifies registry class
- depth 30, PID:4736: Checks computer location settings; Executes dropped EXE; Maps connected drives based on registry; Drops file in System32 directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses
- depth 31, PID:1720: Executes dropped EXE; Suspicious use of SetThreadContext; Modifies registry class
- depth 32, PID:2308: Checks computer location settings; Executes dropped EXE; Maps connected drives based on registry; Drops file in System32 directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses
- depth 33, PID:2108: Executes dropped EXE; Suspicious use of SetThreadContext; Modifies registry class
- depth 34, PID:2344: Checks computer location settings; Executes dropped EXE; Maps connected drives based on registry; Drops file in System32 directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses
- depth 35, PID:3616: Executes dropped EXE; Suspicious use of SetThreadContext; Modifies registry class
- depth 36, PID:2172: Checks computer location settings; Executes dropped EXE; Maps connected drives based on registry; Drops file in System32 directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses
- depth 37, PID:2480: Executes dropped EXE; Suspicious use of SetThreadContext; Modifies registry class
- depth 38, PID:3164: Checks computer location settings; Executes dropped EXE; Maps connected drives based on registry; Drops file in System32 directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses
- depth 39, PID:3980: Executes dropped EXE; Suspicious use of SetThreadContext; Modifies registry class
- depth 40, PID:820: Executes dropped EXE; Maps connected drives based on registry
The tags alternate between two roles. Odd levels carry SetThreadContext together with WriteProcessMemory, the pair that makes up the process-hollowing primitive: the parent starts a fresh copy of its own image, writes into it and redirects its main thread. Even levels are the hollowed copies, and those are the ones that do the actual work (geolocation lookup, drive enumeration, file drop into System32, process enumeration) before starting the next hollower. PID 2620 appears at depth 15 and again at depth 26; the depth-15 process had exited by then and Windows reused its PID, so PIDs alone cannot be used to key the chain. The chain ends at depth 40 within the 151s run, which is a run-time cut-off rather than a natural end of the loop.
The two depth-1 entries below are separate root processes in the sandbox VM (a shell32 COM local server and an Edge utility process) and are not children of the chain:
C:\Windows\System32\rundll32.exe  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding  (depth 1)  PID:4108
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1316 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8  (depth 1)  PID:2840
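The process tree above is long enough that the self-hollowing pattern is easier to pull out mechanically than by eye. The following is an added example, not code from the sandbox vendor or from the sample's author: it parses the flattened tree text exactly as it is laid out on this page (image path, command line and nesting depth fused on one line, behaviour bullets, then a `PID:` line), rebuilds parent/child links from the depth markers, and flags every process that shows both SetThreadContext and WriteProcessMemory and whose child is the same image. The sample input is a handful of lines copied from the tree (depths 5 to 8 plus the rundll32 root entry); the hollowing heuristic and the regex are this example's own assumptions about the layout, and the depth split is ambiguous for command lines that themselves end in a digit.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Header line as extracted above: <image path><command line><depth>⤵[PID:<pid>]
# The depth digits are fused onto the end of the command line, so the split is
# ambiguous when a command line itself ends in a digit (e.g. msedge's /prefetch:8);
# the regex takes the longest run of trailing digits as the depth.
HEADER_RE = re.compile(
    r'^(?P<image>[A-Za-z]:\\.+?\.exe)(?P<cmd>.*?)(?P<depth>\d+)⤵(?:PID:(?P<pid>\d+))?$',
    re.IGNORECASE,
)
PID_RE = re.compile(r'^PID:(?P<pid>\d+)')

# Sandbox tags that together indicate a thread-context rewrite plus a memory write
# into another process, i.e. the process-hollowing primitive (assumed heuristic).
HOLLOW_MARKERS = {"Suspicious use of SetThreadContext", "Suspicious use of WriteProcessMemory"}

# Lines copied from the tree on this page (depths 5-8 and the rundll32 root entry).
SAMPLE = r'''
C:\Windows\SysWOW64\wnpkm2.exe"C:\Windows\system32\wnpkm2.exe" C:\Windows\SysWOW64\wnpkm2.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4516 -
C:\Windows\SysWOW64\wnpkm2.exe"C:\Windows\system32\wnpkm2.exe" C:\Windows\SysWOW64\wnpkm2.exe6⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4064 -
C:\Windows\SysWOW64\wnpkm2.exe"C:\Windows\system32\wnpkm2.exe" C:\Windows\SysWOW64\wnpkm2.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4476 -
C:\Windows\SysWOW64\wnpkm2.exe"C:\Windows\system32\wnpkm2.exe" C:\Windows\SysWOW64\wnpkm2.exe8⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4108
'''


@dataclass
class Proc:
    image: str
    cmdline: str
    depth: int
    pid: Optional[int] = None
    behaviours: List[str] = field(default_factory=list)
    parent: Optional["Proc"] = None
    children: List["Proc"] = field(default_factory=list)


def parse_tree(text: str) -> List[Proc]:
    """Rebuild parent/child links from the depth markers of a flattened process tree."""
    procs: List[Proc] = []
    stack: List[Proc] = []          # ancestors of the current entry, shallowest first
    cur: Optional[Proc] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue
        m = HEADER_RE.match(line)
        if m:
            cur = Proc(m["image"], m["cmd"].strip(), int(m["depth"]),
                       int(m["pid"]) if m["pid"] else None)
            # The parent is the nearest earlier entry with a smaller depth; the tree
            # may start mid-chain (as on this page), in which case the first entry is a root.
            while stack and stack[-1].depth >= cur.depth:
                stack.pop()
            if stack:
                cur.parent = stack[-1]
                stack[-1].children.append(cur)
            stack.append(cur)
            procs.append(cur)
            continue
        if cur is None:
            continue
        pm = PID_RE.match(line)
        if pm:
            cur.pid = int(pm["pid"])
        elif line.startswith("- "):
            cur.behaviours.append(line[2:].strip())
    return procs


def find_self_hollowing(procs: List[Proc]):
    """(parent PID, child PID) pairs where a process carrying both hollowing markers
    spawned a child with the same image path."""
    hits = []
    for p in procs:
        if HOLLOW_MARKERS <= set(p.behaviours):
            for c in p.children:
                if c.image.lower() == p.image.lower():
                    hits.append((p.pid, c.pid))
    return hits


def chain_depth(procs: List[Proc], image_name: str) -> int:
    """Deepest nesting level reached by entries whose image path ends in image_name."""
    return max((p.depth for p in procs if p.image.lower().endswith(image_name.lower())), default=0)


if __name__ == "__main__":
    tree = parse_tree(SAMPLE)
    for p in tree:
        parent = p.parent.pid if p.parent else None
        print(f"{'  ' * p.depth}{p.image} pid={p.pid} parent={parent}")
    print("self-hollowing pairs:", find_self_hollowing(tree))
    print("wnpkm2.exe chain depth:", chain_depth(tree, "wnpkm2.exe"))
```

Run against the full tree, `find_self_hollowing` returns one pair per odd level and `chain_depth` returns 40; on a live host the same logic maps onto Sysmon event 10 (process access with thread-context rights) joined to event 1 (process creation) on parent PID and image path, with the caveat that PID reuse, visible here with PID 2620, means the join must also be bounded in time.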
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 158KB
MD5 05a01aca9aa8167b69104f61974392c4
SHA1 e9e817e631cc6e9081ed6e9574ce66896bd5466b
SHA256 bb90cebc57c6254ee88868ea0635b54e27e0b4076087db0d9db6fe712da2ce00
SHA512 fdc2942ab05b8d58aea2089d25887679038a1a3a85249db412167361c636e1c8799f7eb787193b3b451f960c41f33a3cd70ae921171b56959d8be037d2595ccb
These are the digests of the submitted sample itself, so this recorded artefact is a byte-identical copy of it.
-
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
These are the digests of zero-byte input: the artefact was recorded with no content and carries no indicator worth hunting for.