Analysis
max time kernel: 149s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 19-04-2024 04:19
Static task: static1
Behavioral task: behavioral1
  Sample: f97d102560537360f9b1cc487320cc3b_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: f97d102560537360f9b1cc487320cc3b_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
General
Target: f97d102560537360f9b1cc487320cc3b_JaffaCakes118.exe
Size: 166KB
MD5: f97d102560537360f9b1cc487320cc3b
SHA1: 9413714473e69ef18df5774278cbd5a3eef3a994
SHA256: bb15f93340147bb97e1606fd1faf02845290dbd47c78f9d7abc0e25420c78fce
SHA512: f039c983574697352e2a5ca88b39dac9ee3e7b3cdfce03795e24c7cc4d147bd8b2624b306b23c80403620fc4f8b2b733978ae8632c2c2f85330caa11454bd7e8
SSDEEP: 3072:QJ7Wq6THNt2xDD1a56u45dNHoO9FqHK5O1eruzAg2DSDTlmznVsw:QJaq8NterNHtFqP1eyzAg2aT4znVsw
Malware Config
Extracted: metasploit
encoder/call4_dword_xor
Signatures
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Deletes itself (1 IoC)
pid 2948, Process MsSpClient.exe
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
resource yara_rule: upx, matched in the behavioral1 memory dumps (region 0x0000000000400000-0x000000000046C000) of PID 1524 and of the spawned MsSpClient.exe processes
Maps connected drives based on registry (3 TTPs, 64 IoCs)
Disk information is often read in order to detect sandboxing environments.
Drops file in System32 directory (64 IoCs)
Suspicious use of SetThreadContext (35 IoCs)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Each process below is a child of the one above it; the depth number is its level in the process tree.
Depth 1: C:\Users\Admin\AppData\Local\Temp\f97d102560537360f9b1cc487320cc3b_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f97d102560537360f9b1cc487320cc3b_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 1556
Depth 2: C:\Users\Admin\AppData\Local\Temp\f97d102560537360f9b1cc487320cc3b_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f97d102560537360f9b1cc487320cc3b_JaffaCakes118.exe"
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 1524
Depth 3: C:\Windows\SysWOW64\MsSpClient.exe
  Command line: "C:\Windows\system32\MsSpClient.exe" C:\Users\Admin\AppData\Local\Temp\F97D10~1.EXE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 2888
Depth 4: C:\Windows\SysWOW64\MsSpClient.exe
  Command line: "C:\Windows\SysWOW64\MsSpClient.exe" C:\Users\Admin\AppData\Local\Temp\F97D10~1.EXE
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 2948
Depth 5: C:\Windows\SysWOW64\MsSpClient.exe
  Command line: "C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 2592
Depth 6: C:\Windows\SysWOW64\MsSpClient.exe
  Command line: "C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 2540
Depth 7: C:\Windows\SysWOW64\MsSpClient.exe
  Command line: "C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 2696
Depth 8: C:\Windows\SysWOW64\MsSpClient.exe
  Command line: "C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 2548
Depth 9: C:\Windows\SysWOW64\MsSpClient.exe
  Command line: "C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 2364
Depth 10: C:\Windows\SysWOW64\MsSpClient.exe
  Command line: "C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 2312
Depth 11: C:\Windows\SysWOW64\MsSpClient.exe
  Command line: "C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 1156
Depth 12: C:\Windows\SysWOW64\MsSpClient.exe
  Command line: "C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 1720
Depth 13: C:\Windows\SysWOW64\MsSpClient.exe
  Command line: "C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 1780
Depth 14: C:\Windows\SysWOW64\MsSpClient.exe
  Command line: "C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  PID: 1784
Depth 15: C:\Windows\SysWOW64\MsSpClient.exe
  Command line: "C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 2720
Depth 16: C:\Windows\SysWOW64\MsSpClient.exe
  Command line: "C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  PID: 2484
Depth 17: C:\Windows\SysWOW64\MsSpClient.exe
  Command line: "C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 948
Depth 18: C:\Windows\SysWOW64\MsSpClient.exe
  Command line: "C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  PID: 1320
Depth 19: C:\Windows\SysWOW64\MsSpClient.exe
  Command line: "C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 1636
Depth 20: C:\Windows\SysWOW64\MsSpClient.exe
  Command line: "C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  PID: 1160
Depth 21: C:\Windows\SysWOW64\MsSpClient.exe
  Command line: "C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 1840
Depth 22: C:\Windows\SysWOW64\MsSpClient.exe
  Command line: "C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  PID: 2108
Depth 23: C:\Windows\SysWOW64\MsSpClient.exe
  Command line: "C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 888
Depth 24: C:\Windows\SysWOW64\MsSpClient.exe
  Command line: "C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  PID: 1912
Depth 25: C:\Windows\SysWOW64\MsSpClient.exe
  Command line: "C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 2300
Depth 26: C:\Windows\SysWOW64\MsSpClient.exe
  Command line: "C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  PID: 2868
Depth 27: C:\Windows\SysWOW64\MsSpClient.exe
  Command line: "C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 1040
Depth 28: C:\Windows\SysWOW64\MsSpClient.exe
  Command line: "C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  PID: 1800
Depth 29: C:\Windows\SysWOW64\MsSpClient.exe
  Command line: "C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 2644
Depth 30: C:\Windows\SysWOW64\MsSpClient.exe
  Command line: "C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  PID: 2500
Depth 31: C:\Windows\SysWOW64\MsSpClient.exe
  Command line: "C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 2556
Depth 32: C:\Windows\SysWOW64\MsSpClient.exe
  Command line: "C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  PID: 2696
Depth 33: C:\Windows\SysWOW64\MsSpClient.exe
  Command line: "C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 2860
Depth 34: C:\Windows\SysWOW64\MsSpClient.exe
  Command line: "C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  PID: 2360
Depth 35: C:\Windows\SysWOW64\MsSpClient.exe
  Command line: "C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 1900
Depth 36: C:\Windows\SysWOW64\MsSpClient.exe
  Command line: "C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  PID: 2336
Depth 37: C:\Windows\SysWOW64\MsSpClient.exe
  Command line: "C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 2036
Depth 38: C:\Windows\SysWOW64\MsSpClient.exe
  Command line: "C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  PID: 2432
Depth 39: C:\Windows\SysWOW64\MsSpClient.exe
  Command line: "C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 2740
Depth 40: C:\Windows\SysWOW64\MsSpClient.exe
  Command line: "C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  PID: 3052
Depth 41: C:\Windows\SysWOW64\MsSpClient.exe
  Command line: "C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 1136
Depth 42: C:\Windows\SysWOW64\MsSpClient.exe
  Command line: "C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  PID: 868
Depth 43: C:\Windows\SysWOW64\MsSpClient.exe
  Command line: "C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1372 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE44⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
PID:1580 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE45⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:996 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE46⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
PID:3000 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE47⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2172 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE48⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
PID:2968 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE49⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2200 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE50⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
PID:2076 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE51⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2308 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE52⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
PID:2760 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE53⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3028 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE54⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
PID:2476 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE55⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2600 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE56⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
PID:2028 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE57⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1676 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE58⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
PID:2436 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE59⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:828 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE60⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
PID:1512 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE61⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2900 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE62⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
PID:2908 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE63⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1932 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE64⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
PID:2208 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE65⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2400 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE66⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
PID:2440 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE67⤵
- Suspicious use of SetThreadContext
PID:2560 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE68⤵
- Maps connected drives based on registry
- Drops file in System32 directory
PID:2216 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE69⤵
- Suspicious use of SetThreadContext
PID:2944 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE70⤵PID:1804
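The tree above repeats one pattern down to depth 70: a copy of MsSpClient.exe launched from SysWOW64 drops a file and starts another copy whose command line names C:\Windows\system32 but whose image runs from C:\Windows\SysWOW64 (WOW64 file-system redirection of a 32-bit process), and that child is the one tagged "Suspicious use of SetThreadContext" before it spawns the next rung. The following Python is an added example, not part of this sandbox report or of the sample: it takes process-creation records of the kind Sysmon Event ID 1 or Security event 4688 provide (pid, ppid, image, command line), rebuilds the parent/child tree and flags three things the tree shows: a same-image self-spawn chain, the system32/SysWOW64 argv[0] mismatch, and an 8.3 short name (MSSPCL~1.EXE) passed as an argument. The PIDs at depths 24 to 28 and the command lines are copied from the tree and the parent links follow its nesting; the root PPID 2000 and the notepad.exe control record are constructed.

```python
"""Triage helpers for a self-replicating process tree (added example).

Input records mimic Sysmon Event ID 1 / Security 4688 fields; the PIDs
1912..1800 come from the sandbox tree, PPID 2000 and the notepad.exe
record are constructed.
"""
import ntpath
import re
from collections import defaultdict
from typing import Dict, List

SAMPLE_EVENTS: List[Dict] = [
    {"pid": 1912, "ppid": 2000, "image": r"C:\Windows\SysWOW64\MsSpClient.exe",
     "cmdline": r'"C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE'},
    {"pid": 2300, "ppid": 1912, "image": r"C:\Windows\SysWOW64\MsSpClient.exe",
     "cmdline": r'"C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE'},
    {"pid": 2868, "ppid": 2300, "image": r"C:\Windows\SysWOW64\MsSpClient.exe",
     "cmdline": r'"C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE'},
    {"pid": 1040, "ppid": 2868, "image": r"C:\Windows\SysWOW64\MsSpClient.exe",
     "cmdline": r'"C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE'},
    {"pid": 1800, "ppid": 1040, "image": r"C:\Windows\SysWOW64\MsSpClient.exe",
     "cmdline": r'"C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE'},
    # constructed control record: an ordinary process that must not be flagged
    {"pid": 4000, "ppid": 2000, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r'"C:\Windows\System32\notepad.exe" C:\Users\user\notes.txt'},
]

_ARGV0 = re.compile(r'^\s*(?:"([^"]*)"|(\S+))')
# 8.3 short name: up to 6 chars, a tilde, a digit run, optional 3-char extension
_SHORT_NAME = re.compile(r'\b\w{1,6}~\d+(?:\.\w{1,3})?\b')


def argv0(cmdline: str) -> str:
    """First token of a Windows command line, surrounding quotes removed."""
    m = _ARGV0.match(cmdline)
    if not m:
        return ""
    return m.group(1) if m.group(1) is not None else m.group(2)


def _same_name(a: str, b: str) -> bool:
    return ntpath.normcase(ntpath.basename(a)) == ntpath.normcase(ntpath.basename(b))


def image_path_mismatch(ev: Dict) -> bool:
    """True when argv[0] and the recorded image live in different directories.

    A 32-bit process naming C:\\Windows\\system32 is redirected to SysWOW64
    by WOW64, so the mismatch alone is benign; inside a self-spawn chain it
    marks the rung that the sandbox tagged with SetThreadContext.
    """
    a0 = argv0(ev["cmdline"])
    if not a0:
        return False
    return ntpath.normcase(ntpath.dirname(a0)) != ntpath.normcase(ntpath.dirname(ev["image"]))


def short_name_args(ev: Dict) -> List[str]:
    """8.3 short names appearing anywhere in the command line."""
    return _SHORT_NAME.findall(ev["cmdline"])


def self_spawn_chains(events: List[Dict], min_len: int = 3) -> List[List[int]]:
    """PID chains in which every child runs the same image name as its parent."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    chains: List[List[int]] = []

    def walk(ev: Dict, chain: List[int]) -> None:
        chain = chain + [ev["pid"]]
        same = [c for c in children[ev["pid"]] if _same_name(c["image"], ev["image"])]
        if not same:
            if len(chain) >= min_len:
                chains.append(chain)
            return
        for c in same:
            walk(c, chain)

    # chain roots: parent unknown or running a different image
    for ev in events:
        parent = by_pid.get(ev["ppid"])
        if parent is None or not _same_name(parent["image"], ev["image"]):
            walk(ev, [])
    return chains


def summarize(events: List[Dict]) -> Dict:
    """All three findings for a batch of process-creation records."""
    return {
        "chains": self_spawn_chains(events),
        "path_mismatch_pids": [e["pid"] for e in events if image_path_mismatch(e)],
        "short_name_pids": [e["pid"] for e in events if short_name_args(e)],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

On the five records copied from the tree this reports one chain, 1912 to 1800, two argv[0]/image mismatches (the depth 25 and 27 rungs, the ones the report tags with SetThreadContext) and a short name in every MsSpClient.exe command line, while the notepad.exe control record is not flagged. Run against real telemetry, `min_len` is the knob to tune: legitimate installers and updaters re-launch themselves once or twice, so a threshold of three or more same-image generations keeps the rule quiet without missing a tree like the one above.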
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize 166KB
  MD5    f97d102560537360f9b1cc487320cc3b
  SHA1   9413714473e69ef18df5774278cbd5a3eef3a994
  SHA256 bb15f93340147bb97e1606fd1faf02845290dbd47c78f9d7abc0e25420c78fce
  SHA512 f039c983574697352e2a5ca88b39dac9ee3e7b3cdfce03795e24c7cc4d147bd8b2624b306b23c80403620fc4f8b2b733978ae8632c2c2f85330caa11454bd7e8