Analysis

max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 22-06-2024 22:13
Static task: static1

Behavioral task: behavioral1
Sample: 04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe
Resource: win7-20240419-en

Behavioral task: behavioral2
Sample: 04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe
Resource: win10v2004-20240508-en
General

Target: 04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe
Size: 149KB
MD5: 04148cc87304ef7a3ceebbad09c09084
SHA1: d8921c3e5480704c173b061ba48be3bba73883ce
SHA256: 5f8cfcf6ac7e58a3d0ab6a6f6ad171bb210eb23ac97e5e4c872a2aad18a015e6
SHA512: 8884f7ba8e917644e4333c528d63443ceb513cb6d5939828db60d0c6bca5da263031fa0fce0e1b9e57543c50193b5277259d4302a3c2bb87dac18a047a8c419a
SSDEEP: 3072:RKsjlMON2+MEjIU/3aO/iXkwvCF4oW4YyYxXlmfRrJOwWrhUZ:fl3g+ML4Kfv4474YyYx1m5JgUZ
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Deletes itself (1 IoC)
Processes (pid, process):
2756 wmisvrdf.exe
Executes dropped EXE (64 IoCs)
Processes (pid, process); every one of the 64 entries is wmisvrdf.exe, listed here by pid in the order recorded:
2704, 2756, 2520, 3012, 2800, 2856, 1364, 1848, 1348, 1036, 2364, 756, 1068, 1568, 868, 2916, 1480, 1292, 944, 2068, 316, 2128, 2680, 2704, 1828, 2484, 2552, 2560, 2116, 836, 2452, 1732, 1020, 1232, 2364, 1772, 584, 816, 340, 804, 2908, 1700, 2232, 2404, 988, 2212, 2056, 2648, 2876, 2504, 2960, 2352, 2476, 2800, 2116, 1624, 1916, 2840, 1820, 1832, 2228, 760, 676, 1072
Loads dropped DLL (64 IoCs)
Processes (pid, process):
2060 04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe (2 entries)
wmisvrdf.exe, by pid in the order recorded (62 entries): 2704, 2756, 2756, 3012, 3012, 2856, 2856, 1848, 1848, 1036, 1036, 756, 756, 1568, 1568, 2916, 2916, 1292, 1292, 2068, 2068, 2128, 2128, 2704, 2704, 2484, 2484, 2560, 2560, 836, 836, 1732, 1732, 1232, 1232, 1772, 1772, 816, 816, 804, 804, 1700, 1700, 2404, 2404, 2212, 2212, 2648, 2648, 2504, 2504, 2352, 2352, 2800, 2800, 1624, 1624, 2840, 2840, 1832, 1832, 760
Processes (resource, yara_rule):
All 64 memory dumps below match yara rule upx. Each resource is behavioral1/memory/<pid>-<n>-0x0000000000400000-0x0000000000469000-memory.dmp, with <pid>-<n> taking the following values in the order recorded:
2060-3, 2060-4, 2060-6, 2060-2, 2060-7, 2060-9, 2060-8, 2060-22, 2756-35, 2756-34, 2756-33, 2756-32, 2756-41, 3012-52, 3012-59, 2856-70, 2856-76, 1848-87, 1848-93, 1036-104, 1036-110, 756-121, 756-127, 1568-139, 1568-145, 2916-156, 2916-161, 1292-173, 1292-179, 2068-190, 2068-197, 2128-208, 2128-213, 2704-225, 2704-232, 2484-243, 2484-248, 2560-258, 2560-261, 836-271, 836-274, 1732-284, 1732-287, 1232-297, 1232-300, 1772-310, 1772-313, 816-323, 816-326, 804-336, 804-339, 1700-349, 1700-352, 2404-362, 2404-365, 2212-375, 2212-378, 2648-388, 2648-391, 2504-401, 2504-404, 2352-414, 2352-417, 2800-427
Maps connected drives based on registry (3 TTPs, 64 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum: 34 events (33 by wmisvrdf.exe, 1 by 04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe)
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0: 30 events (29 by wmisvrdf.exe, 1 by 04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe)
Drops file in System32 directory (64 IoCs)
Processes (description, ioc, process):
File created C:\Windows\SysWOW64\wmisvrdf.exe: 32 events (31 by wmisvrdf.exe, 1 by 04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe)
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe: 32 events (31 by wmisvrdf.exe, 1 by 04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe)
Suspicious use of SetThreadContext (34 IoCs)
Processes (pid -> target pid, process -> target process):
PID 1648 set thread context of 2060 (04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe -> 04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe)
The remaining 33 entries are all wmisvrdf.exe -> wmisvrdf.exe, in the order recorded:
2704 -> 2756, 2520 -> 3012, 2800 -> 2856, 1364 -> 1848, 1348 -> 1036, 2364 -> 756, 1068 -> 1568, 868 -> 2916, 1480 -> 1292, 944 -> 2068, 316 -> 2128, 2680 -> 2704, 1828 -> 2484, 2552 -> 2560, 2116 -> 836, 2452 -> 1732, 1020 -> 1232, 2364 -> 1772, 584 -> 816, 340 -> 804, 2908 -> 1700, 2232 -> 2404, 988 -> 2212, 2056 -> 2648, 2876 -> 2504, 2960 -> 2352, 2476 -> 2800, 2116 -> 1624, 1916 -> 2840, 1820 -> 1832, 2228 -> 760, 676 -> 1072, 1628 -> 768
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (34 IoCs)
Processes (pid, process):
2060 04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe
wmisvrdf.exe, by pid in the order recorded (33 entries): 2756, 3012, 2856, 1848, 1036, 756, 1568, 2916, 1292, 2068, 2128, 2704, 2484, 2560, 836, 1732, 1232, 1772, 816, 804, 1700, 2404, 2212, 2648, 2504, 2352, 2800, 1624, 2840, 1832, 760, 1072, 768
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (pid -> target pid, process -> target process, number of recorded events):
PID 1648 wrote to memory of 2060 (04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe -> 04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe): 7 events
PID 2060 wrote to memory of 2704 (04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe -> wmisvrdf.exe): 4 events
PID 2704 wrote to memory of 2756 (wmisvrdf.exe -> wmisvrdf.exe): 7 events
PID 2756 wrote to memory of 2520 (wmisvrdf.exe -> wmisvrdf.exe): 4 events
PID 2520 wrote to memory of 3012 (wmisvrdf.exe -> wmisvrdf.exe): 7 events
PID 3012 wrote to memory of 2800 (wmisvrdf.exe -> wmisvrdf.exe): 4 events
PID 2800 wrote to memory of 2856 (wmisvrdf.exe -> wmisvrdf.exe): 7 events
PID 2856 wrote to memory of 1364 (wmisvrdf.exe -> wmisvrdf.exe): 4 events
PID 1364 wrote to memory of 1848 (wmisvrdf.exe -> wmisvrdf.exe): 7 events
PID 1848 wrote to memory of 1348 (wmisvrdf.exe -> wmisvrdf.exe): 4 events
PID 1348 wrote to memory of 1036 (wmisvrdf.exe -> wmisvrdf.exe): 7 events
PID 1036 wrote to memory of 2364 (wmisvrdf.exe -> wmisvrdf.exe): 2 events
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID: 1648

Level 2: C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe"
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2060

Level 3: C:\Windows\SysWOW64\wmisvrdf.exe
Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Users\Admin\AppData\Local\Temp\04148C~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID: 2704

Level 4: C:\Windows\SysWOW64\wmisvrdf.exe
Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Users\Admin\AppData\Local\Temp\04148C~1.EXE
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2756

Level 5: C:\Windows\SysWOW64\wmisvrdf.exe
Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID: 2520

Level 6: C:\Windows\SysWOW64\wmisvrdf.exe
Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 3012

Level 7: C:\Windows\SysWOW64\wmisvrdf.exe
Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID: 2800

Level 8: C:\Windows\SysWOW64\wmisvrdf.exe
Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2856

Level 9: C:\Windows\SysWOW64\wmisvrdf.exe
Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID: 1364

Level 10: C:\Windows\SysWOW64\wmisvrdf.exe
Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1848

Level 11: C:\Windows\SysWOW64\wmisvrdf.exe
Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID: 1348

Level 12: C:\Windows\SysWOW64\wmisvrdf.exe
Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1036

Level 13: C:\Windows\SysWOW64\wmisvrdf.exe
Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID: 2364

Level 14: C:\Windows\SysWOW64\wmisvrdf.exe
Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:756 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1068 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1568 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:868 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2916 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1480 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1292 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:944 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2068 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:316 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2128 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2680 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2704 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1828 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2484 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2552 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2560 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2116 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:836 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe33⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2452 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe34⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1732 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe35⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1020 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe36⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1232 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe37⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2364 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe38⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1772 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe39⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:584 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe40⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:816 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe41⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:340 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe42⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:804 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe43⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2908 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe44⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1700 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe45⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2232 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe46⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2404 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe47⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:988 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe48⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2212 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe49⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2056 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe50⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2648 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe51⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2876 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe52⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2504 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe53⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2960 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe54⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2352 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe55⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2476 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe56⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2800 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe57⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2116 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe58⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1624 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe59⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1916 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe60⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2840 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe61⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1820 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe62⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1832 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe63⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2228 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe64⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:760 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe65⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:676 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe66⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1072 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe67⤵
- Suspicious use of SetThreadContext
PID:1628 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe68⤵
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:768
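The process tree above alternates between two shapes: an instance flagged with SetThreadContext plus WriteProcessMemory, whose only child is a second copy of the same image, and that child doing the real work (drops file in System32, maps drives, enumerates processes) before launching the next copy. The following Python is an added example, not part of the sandbox report or its tooling: it parses the first six levels of the tree exactly as they appear on this page (embedded as a constructed sample), recovers parent/child links from the depth markers, and flags the parents that match the suspended-child pattern, the hand-off from the submitted sample to the dropped wmisvrdf.exe, and any PID that occurs twice (which in the full report happens, e.g. 2704 at depth 3 and again at depth 26, and means the earlier process had already exited). Calling the flagged shape "hollowing" is an inference from the two API signatures, not a claim the report makes.

```python
import re
from collections import Counter

# Constructed sample: depths 1-6 of the process tree on this page, copied in the
# flattened form the report uses (image path, quoted command line, depth marker,
# then one "- signature" line per behaviour and a "PID:n" line).
TREE = r"""
C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe"2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Users\Admin\AppData\Local\Temp\04148C~1.EXE3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Users\Admin\AppData\Local\Temp\04148C~1.EXE4⤵
- Deletes itself
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\wmisvrdf.exe"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3012 -
"""

# image path, "command line", optional arguments, depth, then the ⤵ marker
ENTRY_RE = re.compile(r'^(?P<image>[A-Za-z]:\\[^"]+)"(?P<cmd>[^"]*)"(?P<args>.*?)(?P<depth>\d+)⤵$')
PID_RE = re.compile(r"^PID:(\d+)")

SET_CTX = "Suspicious use of SetThreadContext"
WPM = "Suspicious use of WriteProcessMemory"


def parse_tree(text):
    """Return one dict per process: pid, depth, image, cmd, args, sigs, parent.

    The parent is recovered from the depth marker: a process at depth d is the
    child of the most recently seen process at depth d-1 (None for the root).
    """
    procs, last_at_depth, cur = [], {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = ENTRY_RE.match(line)
        if m:
            depth = int(m.group("depth"))
            cur = {"depth": depth, "image": m.group("image"), "cmd": m.group("cmd"),
                   "args": m.group("args").strip(), "sigs": [], "pid": None,
                   "parent": last_at_depth.get(depth - 1)}
            procs.append(cur)
        elif cur is not None and (m := PID_RE.match(line)):
            cur["pid"] = int(m.group(1))
            last_at_depth[cur["depth"]] = cur["pid"]
        elif cur is not None and line.startswith("- "):
            cur["sigs"].append(line[2:])
    return procs


def hollowing_candidates(procs):
    """PIDs flagged for both SetThreadContext and WriteProcessMemory whose child
    runs the same image: the suspended-child, overwrite, resume shape."""
    out = []
    for p in procs:
        if SET_CTX in p["sigs"] and WPM in p["sigs"]:
            kids = [c for c in procs if c["parent"] == p["pid"]
                    and c["image"].lower() == p["image"].lower()]
            if kids:
                out.append(p["pid"])
    return out


def image_transitions(procs):
    """(parent_pid, child_pid, child_basename) wherever the child runs a different
    binary than its parent, i.e. the hand-off to the dropped executable."""
    by_pid = {p["pid"]: p for p in procs}
    return [(p["parent"], p["pid"], p["image"].rsplit("\\", 1)[-1])
            for p in procs
            if p["parent"] in by_pid
            and by_pid[p["parent"]]["image"].lower() != p["image"].lower()]


def reused_pids(procs):
    """PIDs that occur more than once; the first holder must already have exited."""
    return {pid: n for pid, n in Counter(p["pid"] for p in procs).items() if n > 1}


if __name__ == "__main__":
    procs = parse_tree(TREE)
    print("hollowing candidates:", hollowing_candidates(procs))
    print("image hand-offs:", image_transitions(procs))
    print("reused pids:", reused_pids(procs))
```

On the sample the candidates are the three parents flagged with both APIs (1648, 2704, 2520), the single hand-off is 2060 launching wmisvrdf.exe as 2704, and no PID repeats within the first six levels. Run the same parser over the whole tree to see the chain length and the reused PIDs; for a detection rule the durable signal is the parent-child pair with identical image paths plus the thread-context write, not the wmisvrdf.exe name, which the dropper could change.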
Network
MITRE ATT&CK Enterprise v15
Downloads
-
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(These are the digests of zero-byte input, so this entry is an empty file and carries no content to analyse.)
-
Filesize 149KB
MD5 04148cc87304ef7a3ceebbad09c09084
SHA1 d8921c3e5480704c173b061ba48be3bba73883ce
SHA256 5f8cfcf6ac7e58a3d0ab6a6f6ad171bb210eb23ac97e5e4c872a2aad18a015e6
SHA512 8884f7ba8e917644e4333c528d63443ceb513cb6d5939828db60d0c6bca5da263031fa0fce0e1b9e57543c50193b5277259d4302a3c2bb87dac18a047a8c419a
(Size and all four digests are identical to those of the submitted sample, so this download is a byte-for-byte copy of it.)