Analysis
-
max time kernel
150s -
max time network
101s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
09-09-2024 18:32
General
-
Target
d6e0f910f6dc906f6055af025b2ac200_JaffaCakes118.exe
-
Size
160KB
-
MD5
d6e0f910f6dc906f6055af025b2ac200
-
SHA1
f6a2b1dc32defba4d19cf6b4411c564b8c775060
-
SHA256
2739685adca05cfa408b1f53f18e2aa4a410351faf26016ccb98feeb18f0c69c
-
SHA512
1203962dd7d08e242c462fbf836d0dc22718874d36370a5b31d486a43e412c64ae9626b6a7a5772944ad053645d075b84a2c2f91347fffb75aa87f0efa1f45a5
-
SSDEEP
3072:u2GtnZTaLPEXPyr8D1PHGvKxIYc4UCo7lYgCc1qRLHWKs:uRZIGKr8D1PdxIz4UCylZgdHW3
Score
10/10
Malware Config
Extracted
Family
metasploit
Version
encoder/call4_dword_xor
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Checks computer location settings 2 TTPs 46 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 64 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Maps connected drives based on registry 3 TTPs 64 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory 64 IoCs
-
Suspicious use of SetThreadContext 46 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d6e0f910f6dc906f6055af025b2ac200_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d6e0f910f6dc906f6055af025b2ac200_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\d6e0f910f6dc906f6055af025b2ac200_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d6e0f910f6dc906f6055af025b2ac200_JaffaCakes118.exe"2⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Users\Admin\AppData\Local\Temp\D6E0F9~1.EXE3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Users\Admin\AppData\Local\Temp\D6E0F9~1.EXE4⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe6⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe8⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe10⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe12⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe14⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe16⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe18⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe20⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe22⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe24⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe26⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe28⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe30⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe32⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe33⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe34⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe35⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe36⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe37⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe38⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe39⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe40⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe41⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe42⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe43⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe44⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe45⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe46⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe47⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe48⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe49⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe50⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe51⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe52⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe53⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe54⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe55⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe56⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe57⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe58⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe59⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe60⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe61⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe62⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe63⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe64⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe65⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe66⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe67⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe68⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe69⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe70⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe71⤵
- Suspicious use of SetThreadContext
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe72⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe73⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe74⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe75⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe76⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe77⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe78⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe79⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe80⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe81⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe82⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe83⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe84⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe85⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe86⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe87⤵
- Suspicious use of SetThreadContext
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe88⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe89⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe90⤵
- Checks computer location settings
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe91⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe92⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\wnplt2.exe"C:\Windows\system32\wnplt2.exe" C:\Windows\SysWOW64\wnplt2.exe93⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
160KB
MD5d6e0f910f6dc906f6055af025b2ac200
SHA1f6a2b1dc32defba4d19cf6b4411c564b8c775060
SHA2562739685adca05cfa408b1f53f18e2aa4a410351faf26016ccb98feeb18f0c69c
SHA5121203962dd7d08e242c462fbf836d0dc22718874d36370a5b31d486a43e412c64ae9626b6a7a5772944ad053645d075b84a2c2f91347fffb75aa87f0efa1f45a5
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB