metasploit | b133dcdcfb0b24ad9e785a5e9ec701a0072b71de77c3f66065a17b1eee3acf1d

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-12-2024 14:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fbe5345d36c187ff6097937069209e20_JaffaCakes118.exe
Size

202KB
MD5

fbe5345d36c187ff6097937069209e20
SHA1

768bce8542cd07122d6874848e01d509fd0e93ef
SHA256

b133dcdcfb0b24ad9e785a5e9ec701a0072b71de77c3f66065a17b1eee3acf1d
SHA512

1b61d370a898f6b9543d73735202fd39969d8f4a1808a6f48fb21761c35e8ccbb5f75e9b02a6d5bf2cc17596a5ebf00ef4bdeff8087f1b9b3e4fbaae670f13fc
SSDEEP

3072:BRXdRefOZgmxAXRyBix3ugNebpQx3Kf3UT7YrTPo2PnZycxAAEgE1WeZH/CRuApd:jXDefmwk8ev/rToyMcxEgVeZiuuOs

Score

10^/10

metasploit backdoor discovery trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wnpvc3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wnpvc3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wnpvc3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wnpvc3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wnpvc3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wnpvc3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wnpvc3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wnpvc3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	fbe5345d36c187ff6097937069209e20_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
544	wnpvc3.exe

Executes dropped EXE 17 IoCs

pid	Process
4664	wnpvc3.exe
544	wnpvc3.exe
1680	wnpvc3.exe
3564	wnpvc3.exe
4036	wnpvc3.exe
3476	wnpvc3.exe
2076	wnpvc3.exe
2724	wnpvc3.exe
1836	wnpvc3.exe
4048	wnpvc3.exe
1500	wnpvc3.exe
3644	wnpvc3.exe
1748	wnpvc3.exe
2180	wnpvc3.exe
116	wnpvc3.exe
1864	wnpvc3.exe
4460	wnpvc3.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wnpvc3.exe	wnpvc3.exe
File created	C:\Windows\SysWOW64\wnpvc3.exe	wnpvc3.exe
File created	C:\Windows\SysWOW64\wnpvc3.exe	wnpvc3.exe
File opened for modification	C:\Windows\SysWOW64\wnpvc3.exe	wnpvc3.exe
File opened for modification	C:\Windows\SysWOW64\wnpvc3.exe	fbe5345d36c187ff6097937069209e20_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wnpvc3.exe	wnpvc3.exe
File opened for modification	C:\Windows\SysWOW64\wnpvc3.exe	wnpvc3.exe
File created	C:\Windows\SysWOW64\wnpvc3.exe	fbe5345d36c187ff6097937069209e20_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wnpvc3.exe	wnpvc3.exe
File opened for modification	C:\Windows\SysWOW64\wnpvc3.exe	wnpvc3.exe
File created	C:\Windows\SysWOW64\wnpvc3.exe	wnpvc3.exe
File opened for modification	C:\Windows\SysWOW64\wnpvc3.exe	wnpvc3.exe
File created	C:\Windows\SysWOW64\wnpvc3.exe	wnpvc3.exe
File created	C:\Windows\SysWOW64\wnpvc3.exe	wnpvc3.exe
File opened for modification	C:\Windows\SysWOW64\wnpvc3.exe	wnpvc3.exe
File opened for modification	C:\Windows\SysWOW64\wnpvc3.exe	wnpvc3.exe
File created	C:\Windows\SysWOW64\wnpvc3.exe	wnpvc3.exe
File created	C:\Windows\SysWOW64\wnpvc3.exe	wnpvc3.exe

Suspicious use of SetThreadContext 9 IoCs

description	pid	Process	procid_target
PID 1748 set thread context of 1008	1748	fbe5345d36c187ff6097937069209e20_JaffaCakes118.exe	87
PID 4664 set thread context of 544	4664	wnpvc3.exe	91
PID 1680 set thread context of 3564	1680	wnpvc3.exe	95
PID 4036 set thread context of 3476	4036	wnpvc3.exe	97
PID 2076 set thread context of 2724	2076	wnpvc3.exe	99
PID 1836 set thread context of 4048	1836	wnpvc3.exe	101
PID 1500 set thread context of 3644	1500	wnpvc3.exe	103
PID 1748 set thread context of 2180	1748	wnpvc3.exe	105
PID 116 set thread context of 1864	116	wnpvc3.exe	107

UPX packed file 30 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1008-1-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1008-2-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1008-0-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1008-6-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1008-9-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1008-10-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1008-8-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1008-7-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1008-44-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/544-55-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/544-54-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/544-53-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/544-52-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/544-57-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/3564-66-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/3564-68-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/3564-65-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/3564-67-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/3564-71-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/3476-78-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/3476-80-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/3476-79-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/3476-83-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/2724-96-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/4048-104-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/4048-109-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/3644-117-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/3644-124-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/2180-137-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1864-151-0x0000000000400000-0x000000000046B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpvc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpvc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpvc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpvc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpvc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpvc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpvc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpvc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpvc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fbe5345d36c187ff6097937069209e20_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpvc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpvc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpvc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpvc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpvc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpvc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpvc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fbe5345d36c187ff6097937069209e20_JaffaCakes118.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpvc3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpvc3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpvc3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpvc3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpvc3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	fbe5345d36c187ff6097937069209e20_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpvc3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpvc3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpvc3.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1008	fbe5345d36c187ff6097937069209e20_JaffaCakes118.exe
1008	fbe5345d36c187ff6097937069209e20_JaffaCakes118.exe
544	wnpvc3.exe
544	wnpvc3.exe
3564	wnpvc3.exe
3564	wnpvc3.exe
3476	wnpvc3.exe
3476	wnpvc3.exe
2724	wnpvc3.exe
2724	wnpvc3.exe
4048	wnpvc3.exe
4048	wnpvc3.exe
3644	wnpvc3.exe
3644	wnpvc3.exe
2180	wnpvc3.exe
2180	wnpvc3.exe
1864	wnpvc3.exe
1864	wnpvc3.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 1008	1748	fbe5345d36c187ff6097937069209e20_JaffaCakes118.exe	87
PID 1748 wrote to memory of 1008	1748	fbe5345d36c187ff6097937069209e20_JaffaCakes118.exe	87
PID 1748 wrote to memory of 1008	1748	fbe5345d36c187ff6097937069209e20_JaffaCakes118.exe	87
PID 1748 wrote to memory of 1008	1748	fbe5345d36c187ff6097937069209e20_JaffaCakes118.exe	87
PID 1748 wrote to memory of 1008	1748	fbe5345d36c187ff6097937069209e20_JaffaCakes118.exe	87
PID 1748 wrote to memory of 1008	1748	fbe5345d36c187ff6097937069209e20_JaffaCakes118.exe	87
PID 1748 wrote to memory of 1008	1748	fbe5345d36c187ff6097937069209e20_JaffaCakes118.exe	87
PID 1748 wrote to memory of 1008	1748	fbe5345d36c187ff6097937069209e20_JaffaCakes118.exe	87
PID 1008 wrote to memory of 4664	1008	fbe5345d36c187ff6097937069209e20_JaffaCakes118.exe	90
PID 1008 wrote to memory of 4664	1008	fbe5345d36c187ff6097937069209e20_JaffaCakes118.exe	90
PID 1008 wrote to memory of 4664	1008	fbe5345d36c187ff6097937069209e20_JaffaCakes118.exe	90
PID 4664 wrote to memory of 544	4664	wnpvc3.exe	91
PID 4664 wrote to memory of 544	4664	wnpvc3.exe	91
PID 4664 wrote to memory of 544	4664	wnpvc3.exe	91
PID 4664 wrote to memory of 544	4664	wnpvc3.exe	91
PID 4664 wrote to memory of 544	4664	wnpvc3.exe	91
PID 4664 wrote to memory of 544	4664	wnpvc3.exe	91
PID 4664 wrote to memory of 544	4664	wnpvc3.exe	91
PID 4664 wrote to memory of 544	4664	wnpvc3.exe	91
PID 544 wrote to memory of 1680	544	wnpvc3.exe	93
PID 544 wrote to memory of 1680	544	wnpvc3.exe	93
PID 544 wrote to memory of 1680	544	wnpvc3.exe	93
PID 1680 wrote to memory of 3564	1680	wnpvc3.exe	95
PID 1680 wrote to memory of 3564	1680	wnpvc3.exe	95
PID 1680 wrote to memory of 3564	1680	wnpvc3.exe	95
PID 1680 wrote to memory of 3564	1680	wnpvc3.exe	95
PID 1680 wrote to memory of 3564	1680	wnpvc3.exe	95
PID 1680 wrote to memory of 3564	1680	wnpvc3.exe	95
PID 1680 wrote to memory of 3564	1680	wnpvc3.exe	95
PID 1680 wrote to memory of 3564	1680	wnpvc3.exe	95
PID 3564 wrote to memory of 4036	3564	wnpvc3.exe	96
PID 3564 wrote to memory of 4036	3564	wnpvc3.exe	96
PID 3564 wrote to memory of 4036	3564	wnpvc3.exe	96
PID 4036 wrote to memory of 3476	4036	wnpvc3.exe	97
PID 4036 wrote to memory of 3476	4036	wnpvc3.exe	97
PID 4036 wrote to memory of 3476	4036	wnpvc3.exe	97
PID 4036 wrote to memory of 3476	4036	wnpvc3.exe	97
PID 4036 wrote to memory of 3476	4036	wnpvc3.exe	97
PID 4036 wrote to memory of 3476	4036	wnpvc3.exe	97
PID 4036 wrote to memory of 3476	4036	wnpvc3.exe	97
PID 4036 wrote to memory of 3476	4036	wnpvc3.exe	97
PID 3476 wrote to memory of 2076	3476	wnpvc3.exe	98
PID 3476 wrote to memory of 2076	3476	wnpvc3.exe	98
PID 3476 wrote to memory of 2076	3476	wnpvc3.exe	98
PID 2076 wrote to memory of 2724	2076	wnpvc3.exe	99
PID 2076 wrote to memory of 2724	2076	wnpvc3.exe	99
PID 2076 wrote to memory of 2724	2076	wnpvc3.exe	99
PID 2076 wrote to memory of 2724	2076	wnpvc3.exe	99
PID 2076 wrote to memory of 2724	2076	wnpvc3.exe	99
PID 2076 wrote to memory of 2724	2076	wnpvc3.exe	99
PID 2076 wrote to memory of 2724	2076	wnpvc3.exe	99
PID 2076 wrote to memory of 2724	2076	wnpvc3.exe	99
PID 2724 wrote to memory of 1836	2724	wnpvc3.exe	100
PID 2724 wrote to memory of 1836	2724	wnpvc3.exe	100
PID 2724 wrote to memory of 1836	2724	wnpvc3.exe	100
PID 1836 wrote to memory of 4048	1836	wnpvc3.exe	101
PID 1836 wrote to memory of 4048	1836	wnpvc3.exe	101
PID 1836 wrote to memory of 4048	1836	wnpvc3.exe	101
PID 1836 wrote to memory of 4048	1836	wnpvc3.exe	101
PID 1836 wrote to memory of 4048	1836	wnpvc3.exe	101
PID 1836 wrote to memory of 4048	1836	wnpvc3.exe	101
PID 1836 wrote to memory of 4048	1836	wnpvc3.exe	101
PID 1836 wrote to memory of 4048	1836	wnpvc3.exe	101
PID 4048 wrote to memory of 1500	4048	wnpvc3.exe	102

C:\Users\Admin\AppData\Local\Temp\fbe5345d36c187ff6097937069209e20_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fbe5345d36c187ff6097937069209e20_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Users\Admin\AppData\Local\Temp\fbe5345d36c187ff6097937069209e20_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\fbe5345d36c187ff6097937069209e20_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1008
- - C:\Windows\SysWOW64\wnpvc3.exe
    "C:\Windows\system32\wnpvc3.exe" C:\Users\Admin\AppData\Local\Temp\FBE534~1.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4664
  - - C:\Windows\SysWOW64\wnpvc3.exe
      "C:\Windows\system32\wnpvc3.exe" C:\Users\Admin\AppData\Local\Temp\FBE534~1.EXE
      4⤵
      Checks computer location settings
      Deletes itself
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:544
    - - C:\Windows\SysWOW64\wnpvc3.exe
        
        "C:\Windows\system32\wnpvc3.exe" C:\Windows\SysWOW64\wnpvc3.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1680
      - C:\Windows\SysWOW64\wnpvc3.exe
        
        "C:\Windows\system32\wnpvc3.exe" C:\Windows\SysWOW64\wnpvc3.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3564
        
        C:\Windows\SysWOW64\wnpvc3.exe
        
        "C:\Windows\system32\wnpvc3.exe" C:\Windows\SysWOW64\wnpvc3.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4036
        
        C:\Windows\SysWOW64\wnpvc3.exe
        
        "C:\Windows\system32\wnpvc3.exe" C:\Windows\SysWOW64\wnpvc3.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3476
        
        C:\Windows\SysWOW64\wnpvc3.exe
        
        "C:\Windows\system32\wnpvc3.exe" C:\Windows\SysWOW64\wnpvc3.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\SysWOW64\wnpvc3.exe
        
        "C:\Windows\system32\wnpvc3.exe" C:\Windows\SysWOW64\wnpvc3.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\SysWOW64\wnpvc3.exe
        
        "C:\Windows\system32\wnpvc3.exe" C:\Windows\SysWOW64\wnpvc3.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Windows\SysWOW64\wnpvc3.exe
        
        "C:\Windows\system32\wnpvc3.exe" C:\Windows\SysWOW64\wnpvc3.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\SysWOW64\wnpvc3.exe
        
        "C:\Windows\system32\wnpvc3.exe" C:\Windows\SysWOW64\wnpvc3.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1500
        
        C:\Windows\SysWOW64\wnpvc3.exe
        
        "C:\Windows\system32\wnpvc3.exe" C:\Windows\SysWOW64\wnpvc3.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3644
        
        C:\Windows\SysWOW64\wnpvc3.exe
        
        "C:\Windows\system32\wnpvc3.exe" C:\Windows\SysWOW64\wnpvc3.exe
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1748
        
        C:\Windows\SysWOW64\wnpvc3.exe
        
        "C:\Windows\system32\wnpvc3.exe" C:\Windows\SysWOW64\wnpvc3.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2180
        
        C:\Windows\SysWOW64\wnpvc3.exe
        
        "C:\Windows\system32\wnpvc3.exe" C:\Windows\SysWOW64\wnpvc3.exe
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:116
        
        C:\Windows\SysWOW64\wnpvc3.exe
        
        "C:\Windows\system32\wnpvc3.exe" C:\Windows\SysWOW64\wnpvc3.exe
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1864
        
        C:\Windows\SysWOW64\wnpvc3.exe
        
        "C:\Windows\system32\wnpvc3.exe" C:\Windows\SysWOW64\wnpvc3.exe
        19⤵
        Executes dropped EXE
        
        PID:4460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wnpvc3.exe

Filesize
202KB

MD5
fbe5345d36c187ff6097937069209e20

SHA1
768bce8542cd07122d6874848e01d509fd0e93ef

SHA256
b133dcdcfb0b24ad9e785a5e9ec701a0072b71de77c3f66065a17b1eee3acf1d

SHA512
1b61d370a898f6b9543d73735202fd39969d8f4a1808a6f48fb21761c35e8ccbb5f75e9b02a6d5bf2cc17596a5ebf00ef4bdeff8087f1b9b3e4fbaae670f13fc

Download Submit
memory/544-57-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/544-52-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/544-53-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/544-54-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/544-55-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1008-9-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1008-6-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1008-8-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1008-44-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1008-10-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1008-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1008-2-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1008-7-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1008-0-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1680-69-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1748-5-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1836-107-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1864-151-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2076-93-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2180-137-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2724-96-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3476-83-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3476-78-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3476-80-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3476-79-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3564-65-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3564-71-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3564-67-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3564-68-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3564-66-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3644-117-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3644-124-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4036-81-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4048-104-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4048-109-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4664-56-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download