Analysis
max time kernel: 149s
max time network: 114s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-04-2024 04:19
Static task: static1
Behavioral task: behavioral1
Sample: f97d102560537360f9b1cc487320cc3b_JaffaCakes118.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: f97d102560537360f9b1cc487320cc3b_JaffaCakes118.exe
Resource: win10v2004-20240412-en
General
Target: f97d102560537360f9b1cc487320cc3b_JaffaCakes118.exe
Size: 166KB
MD5: f97d102560537360f9b1cc487320cc3b
SHA1: 9413714473e69ef18df5774278cbd5a3eef3a994
SHA256: bb15f93340147bb97e1606fd1faf02845290dbd47c78f9d7abc0e25420c78fce
SHA512: f039c983574697352e2a5ca88b39dac9ee3e7b3cdfce03795e24c7cc4d147bd8b2624b306b23c80403620fc4f8b2b733978ae8632c2c2f85330caa11454bd7e8
SSDEEP: 3072:QJ7Wq6THNt2xDD1a56u45dNHoO9FqHK5O1eruzAg2DSDTlmznVsw:QJaq8NterNHtFqP1eyzAg2aT4znVsw
Malware Config
Extracted: metasploit, encoder/call4_dword_xor
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Checks computer location settings 2 TTPs 39 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
pid: 456, Process: MsSpClient.exe
-
Executes dropped EXE 64 IoCs
-
Maps connected drives based on registry 3 TTPs 64 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory 64 IoCs
-
Suspicious use of SetThreadContext 40 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 39 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f97d102560537360f9b1cc487320cc3b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f97d102560537360f9b1cc487320cc3b_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Users\Admin\AppData\Local\Temp\f97d102560537360f9b1cc487320cc3b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f97d102560537360f9b1cc487320cc3b_JaffaCakes118.exe"2⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\system32\MsSpClient.exe" C:\Users\Admin\AppData\Local\Temp\F97D10~1.EXE3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\SysWOW64\MsSpClient.exe" C:\Users\Admin\AppData\Local\Temp\F97D10~1.EXE4⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:456 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3624 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE6⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3616 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE8⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4576 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4368 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE10⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1060 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1784 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE12⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5112 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4264 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE14⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:732 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4012 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE16⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:1904 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1056 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE18⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:2428 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3080 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE20⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4812 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1836 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE22⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:4580 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:700 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE24⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:2360 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1020 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE26⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:1380 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1732 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE28⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:1368 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4728 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE30⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:1608 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4308 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE32⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:1768 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE33⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2388 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE34⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:468 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE35⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2920 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE36⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:4960 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE37⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2000 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE38⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:768 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE39⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1316 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE40⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:3248 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE41⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3676 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE42⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:4748 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE43⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:100 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE44⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:3044 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE45⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4048 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE46⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:1992 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE47⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:8 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE48⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:840 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE49⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1568 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE50⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:4980 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE51⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4536 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE52⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:3488 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE53⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2908 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE54⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:5116 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE55⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3684 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE56⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:1808 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE57⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4836 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE58⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:1040 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE59⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4944 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE60⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:3792 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE61⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1528 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE62⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:4208 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE63⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2020 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE64⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:992 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE65⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2008 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE66⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:4240 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE67⤵
- Suspicious use of SetThreadContext
PID:4360 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE68⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:3064 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE69⤵
- Suspicious use of SetThreadContext
PID:2788 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE70⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:228 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE71⤵
- Suspicious use of SetThreadContext
PID:4340 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE72⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:4024 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE73⤵
- Suspicious use of SetThreadContext
PID:4696 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE74⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:2384 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE75⤵
- Suspicious use of SetThreadContext
PID:4092 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE76⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:1836 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE77⤵
- Suspicious use of SetThreadContext
PID:1552 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE78⤵
- Checks computer location settings
- Maps connected drives based on registry
- Modifies registry class
PID:4712 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\system32\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE79⤵
- Suspicious use of SetThreadContext
PID:1672 -
C:\Windows\SysWOW64\MsSpClient.exe"C:\Windows\SysWOW64\MsSpClient.exe" C:\Windows\SysWOW64\MSSPCL~1.EXE80⤵
PID:1028
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize 166KB
MD5 f97d102560537360f9b1cc487320cc3b
SHA1 9413714473e69ef18df5774278cbd5a3eef3a994
SHA256 bb15f93340147bb97e1606fd1faf02845290dbd47c78f9d7abc0e25420c78fce
SHA512 f039c983574697352e2a5ca88b39dac9ee3e7b3cdfce03795e24c7cc4d147bd8b2624b306b23c80403620fc4f8b2b733978ae8632c2c2f85330caa11454bd7e8