metasploit | f0279fe1b492cb8e9fe74fa7cedbf6de3adb6eb8106cfbc52cf4b1d4cdf27d96

Analysis

max time kernel
141s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-08-2024 02:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0f1cd20775f9e1ed0b40fb9122f529f_JaffaCakes118.exe
Size

155KB
MD5

a0f1cd20775f9e1ed0b40fb9122f529f
SHA1

639f8cd398fea2b12373c8ee4db5c3c6d7185517
SHA256

f0279fe1b492cb8e9fe74fa7cedbf6de3adb6eb8106cfbc52cf4b1d4cdf27d96
SHA512

483ab2ba34c301dad32e112813c52983362f103dd22fe7821184beab26f75854d2f86dcf436f93a23e8bd0e78b00509dac5dcf02ca81c1b698e5d10bef302ddf
SSDEEP

3072:9a+huKQDjjM78IWjdJWZdSleKY5MG0inih23hGB2odHwQxswNoqMbFNN:9ZuKQDLIWJS+49vnXhGB2C3swUx

Score

10^/10

metasploit backdoor discovery trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Checks computer location settings 2 TTPs 22 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	wnpkm1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	wnpkm1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	wnpkm1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	wnpkm1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	wnpkm1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	wnpkm1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	wnpkm1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	wnpkm1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	wnpkm1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	wnpkm1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	wnpkm1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	wnpkm1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	wnpkm1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	wnpkm1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	wnpkm1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	a0f1cd20775f9e1ed0b40fb9122f529f_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	wnpkm1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	wnpkm1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	wnpkm1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	wnpkm1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	wnpkm1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	wnpkm1.exe

Deletes itself 1 IoCs

pid	Process
232	wnpkm1.exe

Executes dropped EXE 42 IoCs

pid	Process
2868	wnpkm1.exe
232	wnpkm1.exe
3536	wnpkm1.exe
1652	wnpkm1.exe
3768	wnpkm1.exe
2684	wnpkm1.exe
1968	wnpkm1.exe
536	wnpkm1.exe
4656	wnpkm1.exe
4548	wnpkm1.exe
3020	wnpkm1.exe
2868	wnpkm1.exe
3564	wnpkm1.exe
4996	wnpkm1.exe
2668	wnpkm1.exe
1204	wnpkm1.exe
2904	wnpkm1.exe
976	wnpkm1.exe
4088	wnpkm1.exe
5024	wnpkm1.exe
2012	wnpkm1.exe
1136	wnpkm1.exe
4092	wnpkm1.exe
1904	wnpkm1.exe
2080	wnpkm1.exe
3564	wnpkm1.exe
3716	wnpkm1.exe
2956	wnpkm1.exe
2480	wnpkm1.exe
2820	wnpkm1.exe
1324	wnpkm1.exe
3536	wnpkm1.exe
1660	wnpkm1.exe
2584	wnpkm1.exe
2728	wnpkm1.exe
2072	wnpkm1.exe
4296	wnpkm1.exe
4008	wnpkm1.exe
1756	wnpkm1.exe
1924	wnpkm1.exe
4996	wnpkm1.exe
376	wnpkm1.exe

UPX packed file 42 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4924-0-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/4924-2-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/4924-3-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/4924-4-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/4924-40-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/232-43-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/232-44-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/232-45-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/1652-51-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/1652-50-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/1652-52-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/1652-53-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2684-60-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/536-65-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/536-66-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/536-68-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/4548-74-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2868-82-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/4996-88-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/4996-90-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/1204-97-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/976-104-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/5024-112-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/1136-119-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/1904-128-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3564-133-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3564-137-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2956-142-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2956-146-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2820-150-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2820-155-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3536-160-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3536-164-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2584-169-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2584-173-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2072-181-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/4008-186-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/4008-191-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/1924-196-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/1924-200-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/376-208-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3680-215-0x0000000000400000-0x000000000046C000-memory.dmp	upx

Maps connected drives based on registry 3 TTPs 44 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpkm1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpkm1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpkm1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpkm1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpkm1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpkm1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpkm1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpkm1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpkm1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpkm1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpkm1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpkm1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpkm1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpkm1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpkm1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpkm1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	a0f1cd20775f9e1ed0b40fb9122f529f_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	a0f1cd20775f9e1ed0b40fb9122f529f_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpkm1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpkm1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpkm1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpkm1.exe

Drops file in System32 directory 44 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wnpkm1.exe	wnpkm1.exe
File created	C:\Windows\SysWOW64\wnpkm1.exe	wnpkm1.exe
File created	C:\Windows\SysWOW64\wnpkm1.exe	wnpkm1.exe
File opened for modification	C:\Windows\SysWOW64\wnpkm1.exe	wnpkm1.exe
File opened for modification	C:\Windows\SysWOW64\wnpkm1.exe	wnpkm1.exe
File opened for modification	C:\Windows\SysWOW64\wnpkm1.exe	wnpkm1.exe
File opened for modification	C:\Windows\SysWOW64\wnpkm1.exe	wnpkm1.exe
File created	C:\Windows\SysWOW64\wnpkm1.exe	wnpkm1.exe
File created	C:\Windows\SysWOW64\wnpkm1.exe	a0f1cd20775f9e1ed0b40fb9122f529f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wnpkm1.exe	wnpkm1.exe
File created	C:\Windows\SysWOW64\wnpkm1.exe	wnpkm1.exe
File created	C:\Windows\SysWOW64\wnpkm1.exe	wnpkm1.exe
File opened for modification	C:\Windows\SysWOW64\wnpkm1.exe	wnpkm1.exe
File created	C:\Windows\SysWOW64\wnpkm1.exe	wnpkm1.exe
File created	C:\Windows\SysWOW64\wnpkm1.exe	wnpkm1.exe
File opened for modification	C:\Windows\SysWOW64\wnpkm1.exe	wnpkm1.exe
File opened for modification	C:\Windows\SysWOW64\wnpkm1.exe	wnpkm1.exe
File opened for modification	C:\Windows\SysWOW64\wnpkm1.exe	wnpkm1.exe
File created	C:\Windows\SysWOW64\wnpkm1.exe	wnpkm1.exe
File opened for modification	C:\Windows\SysWOW64\wnpkm1.exe	wnpkm1.exe
File opened for modification	C:\Windows\SysWOW64\wnpkm1.exe	wnpkm1.exe
File created	C:\Windows\SysWOW64\wnpkm1.exe	wnpkm1.exe
File opened for modification	C:\Windows\SysWOW64\wnpkm1.exe	wnpkm1.exe
File opened for modification	C:\Windows\SysWOW64\wnpkm1.exe	wnpkm1.exe
File created	C:\Windows\SysWOW64\wnpkm1.exe	wnpkm1.exe
File opened for modification	C:\Windows\SysWOW64\wnpkm1.exe	wnpkm1.exe
File created	C:\Windows\SysWOW64\wnpkm1.exe	wnpkm1.exe
File opened for modification	C:\Windows\SysWOW64\wnpkm1.exe	wnpkm1.exe
File created	C:\Windows\SysWOW64\wnpkm1.exe	wnpkm1.exe
File created	C:\Windows\SysWOW64\wnpkm1.exe	wnpkm1.exe
File opened for modification	C:\Windows\SysWOW64\wnpkm1.exe	wnpkm1.exe
File created	C:\Windows\SysWOW64\wnpkm1.exe	wnpkm1.exe
File opened for modification	C:\Windows\SysWOW64\wnpkm1.exe	wnpkm1.exe
File opened for modification	C:\Windows\SysWOW64\wnpkm1.exe	a0f1cd20775f9e1ed0b40fb9122f529f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wnpkm1.exe	wnpkm1.exe
File created	C:\Windows\SysWOW64\wnpkm1.exe	wnpkm1.exe
File opened for modification	C:\Windows\SysWOW64\wnpkm1.exe	wnpkm1.exe
File opened for modification	C:\Windows\SysWOW64\wnpkm1.exe	wnpkm1.exe
File opened for modification	C:\Windows\SysWOW64\wnpkm1.exe	wnpkm1.exe
File created	C:\Windows\SysWOW64\wnpkm1.exe	wnpkm1.exe
File opened for modification	C:\Windows\SysWOW64\wnpkm1.exe	wnpkm1.exe
File created	C:\Windows\SysWOW64\wnpkm1.exe	wnpkm1.exe
File opened for modification	C:\Windows\SysWOW64\wnpkm1.exe	wnpkm1.exe
File created	C:\Windows\SysWOW64\wnpkm1.exe	wnpkm1.exe

Suspicious use of SetThreadContext 22 IoCs

description	pid	Process	procid_target
PID 4044 set thread context of 4924	4044	a0f1cd20775f9e1ed0b40fb9122f529f_JaffaCakes118.exe	87
PID 2868 set thread context of 232	2868	wnpkm1.exe	96
PID 3536 set thread context of 1652	3536	wnpkm1.exe	100
PID 3768 set thread context of 2684	3768	wnpkm1.exe	102
PID 1968 set thread context of 536	1968	wnpkm1.exe	104
PID 4656 set thread context of 4548	4656	wnpkm1.exe	108
PID 3020 set thread context of 2868	3020	wnpkm1.exe	111
PID 3564 set thread context of 4996	3564	wnpkm1.exe	113
PID 2668 set thread context of 1204	2668	wnpkm1.exe	115
PID 2904 set thread context of 976	2904	wnpkm1.exe	117
PID 4088 set thread context of 5024	4088	wnpkm1.exe	119
PID 2012 set thread context of 1136	2012	wnpkm1.exe	122
PID 4092 set thread context of 1904	4092	wnpkm1.exe	124
PID 2080 set thread context of 3564	2080	wnpkm1.exe	126
PID 3716 set thread context of 2956	3716	wnpkm1.exe	128
PID 2480 set thread context of 2820	2480	wnpkm1.exe	130
PID 1324 set thread context of 3536	1324	wnpkm1.exe	140
PID 1660 set thread context of 2584	1660	wnpkm1.exe	142
PID 2728 set thread context of 2072	2728	wnpkm1.exe	144
PID 4296 set thread context of 4008	4296	wnpkm1.exe	146
PID 1756 set thread context of 1924	1756	wnpkm1.exe	148
PID 4996 set thread context of 376	4996	wnpkm1.exe	153

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 44 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a0f1cd20775f9e1ed0b40fb9122f529f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a0f1cd20775f9e1ed0b40fb9122f529f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpkm1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpkm1.exe

Modifies registry class 44 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	a0f1cd20775f9e1ed0b40fb9122f529f_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	wnpkm1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpkm1.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	wnpkm1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpkm1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpkm1.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	wnpkm1.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	wnpkm1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpkm1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	a0f1cd20775f9e1ed0b40fb9122f529f_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	wnpkm1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpkm1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpkm1.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	wnpkm1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpkm1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpkm1.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	wnpkm1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpkm1.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	wnpkm1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpkm1.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	wnpkm1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpkm1.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	wnpkm1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpkm1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpkm1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpkm1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpkm1.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	wnpkm1.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	wnpkm1.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	wnpkm1.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	wnpkm1.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	wnpkm1.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	wnpkm1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpkm1.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	wnpkm1.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	wnpkm1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpkm1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpkm1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpkm1.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	wnpkm1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpkm1.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	wnpkm1.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	wnpkm1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpkm1.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
4924	a0f1cd20775f9e1ed0b40fb9122f529f_JaffaCakes118.exe
4924	a0f1cd20775f9e1ed0b40fb9122f529f_JaffaCakes118.exe
232	wnpkm1.exe
232	wnpkm1.exe
1652	wnpkm1.exe
1652	wnpkm1.exe
2684	wnpkm1.exe
2684	wnpkm1.exe
536	wnpkm1.exe
536	wnpkm1.exe
4548	wnpkm1.exe
4548	wnpkm1.exe
2868	wnpkm1.exe
2868	wnpkm1.exe
4996	wnpkm1.exe
4996	wnpkm1.exe
1204	wnpkm1.exe
1204	wnpkm1.exe
976	wnpkm1.exe
976	wnpkm1.exe
5024	wnpkm1.exe
5024	wnpkm1.exe
1136	wnpkm1.exe
1136	wnpkm1.exe
1904	wnpkm1.exe
1904	wnpkm1.exe
3564	wnpkm1.exe
3564	wnpkm1.exe
2956	wnpkm1.exe
2956	wnpkm1.exe
2820	wnpkm1.exe
2820	wnpkm1.exe
3536	wnpkm1.exe
3536	wnpkm1.exe
2584	wnpkm1.exe
2584	wnpkm1.exe
2072	wnpkm1.exe
2072	wnpkm1.exe
4008	wnpkm1.exe
4008	wnpkm1.exe
1924	wnpkm1.exe
1924	wnpkm1.exe
376	wnpkm1.exe
376	wnpkm1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4044 wrote to memory of 4924	4044	a0f1cd20775f9e1ed0b40fb9122f529f_JaffaCakes118.exe	87
PID 4044 wrote to memory of 4924	4044	a0f1cd20775f9e1ed0b40fb9122f529f_JaffaCakes118.exe	87
PID 4044 wrote to memory of 4924	4044	a0f1cd20775f9e1ed0b40fb9122f529f_JaffaCakes118.exe	87
PID 4044 wrote to memory of 4924	4044	a0f1cd20775f9e1ed0b40fb9122f529f_JaffaCakes118.exe	87
PID 4044 wrote to memory of 4924	4044	a0f1cd20775f9e1ed0b40fb9122f529f_JaffaCakes118.exe	87
PID 4044 wrote to memory of 4924	4044	a0f1cd20775f9e1ed0b40fb9122f529f_JaffaCakes118.exe	87
PID 4044 wrote to memory of 4924	4044	a0f1cd20775f9e1ed0b40fb9122f529f_JaffaCakes118.exe	87
PID 4924 wrote to memory of 2868	4924	a0f1cd20775f9e1ed0b40fb9122f529f_JaffaCakes118.exe	93
PID 4924 wrote to memory of 2868	4924	a0f1cd20775f9e1ed0b40fb9122f529f_JaffaCakes118.exe	93
PID 4924 wrote to memory of 2868	4924	a0f1cd20775f9e1ed0b40fb9122f529f_JaffaCakes118.exe	93
PID 2868 wrote to memory of 232	2868	wnpkm1.exe	96
PID 2868 wrote to memory of 232	2868	wnpkm1.exe	96
PID 2868 wrote to memory of 232	2868	wnpkm1.exe	96
PID 2868 wrote to memory of 232	2868	wnpkm1.exe	96
PID 2868 wrote to memory of 232	2868	wnpkm1.exe	96
PID 2868 wrote to memory of 232	2868	wnpkm1.exe	96
PID 2868 wrote to memory of 232	2868	wnpkm1.exe	96
PID 232 wrote to memory of 3536	232	wnpkm1.exe	99
PID 232 wrote to memory of 3536	232	wnpkm1.exe	99
PID 232 wrote to memory of 3536	232	wnpkm1.exe	99
PID 3536 wrote to memory of 1652	3536	wnpkm1.exe	100
PID 3536 wrote to memory of 1652	3536	wnpkm1.exe	100
PID 3536 wrote to memory of 1652	3536	wnpkm1.exe	100
PID 3536 wrote to memory of 1652	3536	wnpkm1.exe	100
PID 3536 wrote to memory of 1652	3536	wnpkm1.exe	100
PID 3536 wrote to memory of 1652	3536	wnpkm1.exe	100
PID 3536 wrote to memory of 1652	3536	wnpkm1.exe	100
PID 1652 wrote to memory of 3768	1652	wnpkm1.exe	101
PID 1652 wrote to memory of 3768	1652	wnpkm1.exe	101
PID 1652 wrote to memory of 3768	1652	wnpkm1.exe	101
PID 3768 wrote to memory of 2684	3768	wnpkm1.exe	102
PID 3768 wrote to memory of 2684	3768	wnpkm1.exe	102
PID 3768 wrote to memory of 2684	3768	wnpkm1.exe	102
PID 3768 wrote to memory of 2684	3768	wnpkm1.exe	102
PID 3768 wrote to memory of 2684	3768	wnpkm1.exe	102
PID 3768 wrote to memory of 2684	3768	wnpkm1.exe	102
PID 3768 wrote to memory of 2684	3768	wnpkm1.exe	102
PID 2684 wrote to memory of 1968	2684	wnpkm1.exe	103
PID 2684 wrote to memory of 1968	2684	wnpkm1.exe	103
PID 2684 wrote to memory of 1968	2684	wnpkm1.exe	103
PID 1968 wrote to memory of 536	1968	wnpkm1.exe	104
PID 1968 wrote to memory of 536	1968	wnpkm1.exe	104
PID 1968 wrote to memory of 536	1968	wnpkm1.exe	104
PID 1968 wrote to memory of 536	1968	wnpkm1.exe	104
PID 1968 wrote to memory of 536	1968	wnpkm1.exe	104
PID 1968 wrote to memory of 536	1968	wnpkm1.exe	104
PID 1968 wrote to memory of 536	1968	wnpkm1.exe	104
PID 536 wrote to memory of 4656	536	wnpkm1.exe	107
PID 536 wrote to memory of 4656	536	wnpkm1.exe	107
PID 536 wrote to memory of 4656	536	wnpkm1.exe	107
PID 4656 wrote to memory of 4548	4656	wnpkm1.exe	108
PID 4656 wrote to memory of 4548	4656	wnpkm1.exe	108
PID 4656 wrote to memory of 4548	4656	wnpkm1.exe	108
PID 4656 wrote to memory of 4548	4656	wnpkm1.exe	108
PID 4656 wrote to memory of 4548	4656	wnpkm1.exe	108
PID 4656 wrote to memory of 4548	4656	wnpkm1.exe	108
PID 4656 wrote to memory of 4548	4656	wnpkm1.exe	108
PID 4548 wrote to memory of 3020	4548	wnpkm1.exe	110
PID 4548 wrote to memory of 3020	4548	wnpkm1.exe	110
PID 4548 wrote to memory of 3020	4548	wnpkm1.exe	110
PID 3020 wrote to memory of 2868	3020	wnpkm1.exe	111
PID 3020 wrote to memory of 2868	3020	wnpkm1.exe	111
PID 3020 wrote to memory of 2868	3020	wnpkm1.exe	111
PID 3020 wrote to memory of 2868	3020	wnpkm1.exe	111

C:\Users\Admin\AppData\Local\Temp\a0f1cd20775f9e1ed0b40fb9122f529f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a0f1cd20775f9e1ed0b40fb9122f529f_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4044
- C:\Users\Admin\AppData\Local\Temp\a0f1cd20775f9e1ed0b40fb9122f529f_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a0f1cd20775f9e1ed0b40fb9122f529f_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4924
- - C:\Windows\SysWOW64\wnpkm1.exe
    "C:\Windows\system32\wnpkm1.exe" C:\Users\Admin\AppData\Local\Temp\A0F1CD~1.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Windows\SysWOW64\wnpkm1.exe
      "C:\Windows\system32\wnpkm1.exe" C:\Users\Admin\AppData\Local\Temp\A0F1CD~1.EXE
      4⤵
      Checks computer location settings
      Deletes itself
      Executes dropped EXE
      Maps connected drives based on registry
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:232
    - - C:\Windows\SysWOW64\wnpkm1.exe
        
        "C:\Windows\system32\wnpkm1.exe" C:\Windows\SysWOW64\wnpkm1.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3536
      - C:\Windows\SysWOW64\wnpkm1.exe
        
        "C:\Windows\system32\wnpkm1.exe" C:\Windows\SysWOW64\wnpkm1.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\SysWOW64\wnpkm1.exe
        
        "C:\Windows\system32\wnpkm1.exe" C:\Windows\SysWOW64\wnpkm1.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3768
        
        C:\Windows\SysWOW64\wnpkm1.exe
        
        "C:\Windows\system32\wnpkm1.exe" C:\Windows\SysWOW64\wnpkm1.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\SysWOW64\wnpkm1.exe
        
        "C:\Windows\system32\wnpkm1.exe" C:\Windows\SysWOW64\wnpkm1.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\SysWOW64\wnpkm1.exe
        
        "C:\Windows\system32\wnpkm1.exe" C:\Windows\SysWOW64\wnpkm1.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\SysWOW64\wnpkm1.exe
        
        "C:\Windows\system32\wnpkm1.exe" C:\Windows\SysWOW64\wnpkm1.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Windows\SysWOW64\wnpkm1.exe
        
        "C:\Windows\system32\wnpkm1.exe" C:\Windows\SysWOW64\wnpkm1.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\SysWOW64\wnpkm1.exe
        
        "C:\Windows\system32\wnpkm1.exe" C:\Windows\SysWOW64\wnpkm1.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\wnpkm1.exe
        
        "C:\Windows\system32\wnpkm1.exe" C:\Windows\SysWOW64\wnpkm1.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2868
        
        C:\Windows\SysWOW64\wnpkm1.exe
        
        "C:\Windows\system32\wnpkm1.exe" C:\Windows\SysWOW64\wnpkm1.exe
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3564
        
        C:\Windows\SysWOW64\wnpkm1.exe
        
        "C:\Windows\system32\wnpkm1.exe" C:\Windows\SysWOW64\wnpkm1.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4996
        
        C:\Windows\SysWOW64\wnpkm1.exe
        
        "C:\Windows\system32\wnpkm1.exe" C:\Windows\SysWOW64\wnpkm1.exe
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\wnpkm1.exe
        
        "C:\Windows\system32\wnpkm1.exe" C:\Windows\SysWOW64\wnpkm1.exe
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1204
        
        C:\Windows\SysWOW64\wnpkm1.exe
        
        "C:\Windows\system32\wnpkm1.exe" C:\Windows\SysWOW64\wnpkm1.exe
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2904
        
        C:\Windows\SysWOW64\wnpkm1.exe
        
        "C:\Windows\system32\wnpkm1.exe" C:\Windows\SysWOW64\wnpkm1.exe
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:976
        
        C:\Windows\SysWOW64\wnpkm1.exe
        
        "C:\Windows\system32\wnpkm1.exe" C:\Windows\SysWOW64\wnpkm1.exe
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\wnpkm1.exe
        
        "C:\Windows\system32\wnpkm1.exe" C:\Windows\SysWOW64\wnpkm1.exe
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:5024
        
        C:\Windows\SysWOW64\wnpkm1.exe
        
        "C:\Windows\system32\wnpkm1.exe" C:\Windows\SysWOW64\wnpkm1.exe
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\wnpkm1.exe
        
        "C:\Windows\system32\wnpkm1.exe" C:\Windows\SysWOW64\wnpkm1.exe
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1136
        
        C:\Windows\SysWOW64\wnpkm1.exe
        
        "C:\Windows\system32\wnpkm1.exe" C:\Windows\SysWOW64\wnpkm1.exe
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4092
        
        C:\Windows\SysWOW64\wnpkm1.exe
        
        "C:\Windows\system32\wnpkm1.exe" C:\Windows\SysWOW64\wnpkm1.exe
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1904
        
        C:\Windows\SysWOW64\wnpkm1.exe
        
        "C:\Windows\system32\wnpkm1.exe" C:\Windows\SysWOW64\wnpkm1.exe
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2080
        
        C:\Windows\SysWOW64\wnpkm1.exe
        
        "C:\Windows\system32\wnpkm1.exe" C:\Windows\SysWOW64\wnpkm1.exe
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3564
        
        C:\Windows\SysWOW64\wnpkm1.exe
        
        "C:\Windows\system32\wnpkm1.exe" C:\Windows\SysWOW64\wnpkm1.exe
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3716
        
        C:\Windows\SysWOW64\wnpkm1.exe
        
        "C:\Windows\system32\wnpkm1.exe" C:\Windows\SysWOW64\wnpkm1.exe
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2956
        
        C:\Windows\SysWOW64\wnpkm1.exe
        
        "C:\Windows\system32\wnpkm1.exe" C:\Windows\SysWOW64\wnpkm1.exe
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\wnpkm1.exe
        
        "C:\Windows\system32\wnpkm1.exe" C:\Windows\SysWOW64\wnpkm1.exe
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2820
        
        C:\Windows\SysWOW64\wnpkm1.exe
        
        "C:\Windows\system32\wnpkm1.exe" C:\Windows\SysWOW64\wnpkm1.exe
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1324
        
        C:\Windows\SysWOW64\wnpkm1.exe
        
        "C:\Windows\system32\wnpkm1.exe" C:\Windows\SysWOW64\wnpkm1.exe
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3536
        
        C:\Windows\SysWOW64\wnpkm1.exe
        
        "C:\Windows\system32\wnpkm1.exe" C:\Windows\SysWOW64\wnpkm1.exe
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\wnpkm1.exe
        
        "C:\Windows\system32\wnpkm1.exe" C:\Windows\SysWOW64\wnpkm1.exe
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2584
        
        C:\Windows\SysWOW64\wnpkm1.exe
        
        "C:\Windows\system32\wnpkm1.exe" C:\Windows\SysWOW64\wnpkm1.exe
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\wnpkm1.exe
        
        "C:\Windows\system32\wnpkm1.exe" C:\Windows\SysWOW64\wnpkm1.exe
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2072
        
        C:\Windows\SysWOW64\wnpkm1.exe
        
        "C:\Windows\system32\wnpkm1.exe" C:\Windows\SysWOW64\wnpkm1.exe
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4296
        
        C:\Windows\SysWOW64\wnpkm1.exe
        
        "C:\Windows\system32\wnpkm1.exe" C:\Windows\SysWOW64\wnpkm1.exe
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4008
        
        C:\Windows\SysWOW64\wnpkm1.exe
        
        "C:\Windows\system32\wnpkm1.exe" C:\Windows\SysWOW64\wnpkm1.exe
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\wnpkm1.exe
        
        "C:\Windows\system32\wnpkm1.exe" C:\Windows\SysWOW64\wnpkm1.exe
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1924
        
        C:\Windows\SysWOW64\wnpkm1.exe
        
        "C:\Windows\system32\wnpkm1.exe" C:\Windows\SysWOW64\wnpkm1.exe
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\wnpkm1.exe
        
        "C:\Windows\system32\wnpkm1.exe" C:\Windows\SysWOW64\wnpkm1.exe
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:376
        
        C:\Windows\SysWOW64\wnpkm1.exe
        
        "C:\Windows\system32\wnpkm1.exe" C:\Windows\SysWOW64\wnpkm1.exe
        45⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\wnpkm1.exe
        
        "C:\Windows\system32\wnpkm1.exe" C:\Windows\SysWOW64\wnpkm1.exe
        46⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\wnpkm1.exe
        
        "C:\Windows\system32\wnpkm1.exe" C:\Windows\SysWOW64\wnpkm1.exe
        47⤵
        
        PID:2728

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wnpkm1.exe

Filesize
155KB

MD5
a0f1cd20775f9e1ed0b40fb9122f529f

SHA1
639f8cd398fea2b12373c8ee4db5c3c6d7185517

SHA256
f0279fe1b492cb8e9fe74fa7cedbf6de3adb6eb8106cfbc52cf4b1d4cdf27d96

SHA512
483ab2ba34c301dad32e112813c52983362f103dd22fe7821184beab26f75854d2f86dcf436f93a23e8bd0e78b00509dac5dcf02ca81c1b698e5d10bef302ddf

Download Submit
memory/232-43-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/232-44-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/232-45-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/376-208-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/536-65-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/536-68-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/536-66-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/976-104-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1136-119-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1204-97-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1652-52-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1652-51-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1652-53-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1652-50-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1904-128-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1924-196-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1924-200-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2072-181-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2584-173-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2584-169-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2684-60-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2820-155-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2820-150-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2868-82-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2956-146-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2956-142-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3536-164-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3536-160-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3564-133-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3564-137-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3680-215-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4008-186-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4008-191-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4548-74-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4924-4-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4924-40-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4924-0-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4924-2-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4924-3-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4996-88-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4996-90-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5024-112-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download