Analysis
max time kernel: 149s
max time network: 119s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 23-06-2024 00:03

Static task: static1
Behavioral task: behavioral1
Sample: 047dae41e0bf5ecfe648c87ccc3eb484_JaffaCakes118.exe
Resource: win7-20240508-en
Behavioral task: behavioral2
Sample: 047dae41e0bf5ecfe648c87ccc3eb484_JaffaCakes118.exe
Resource: win10v2004-20240611-en
General
Target: 047dae41e0bf5ecfe648c87ccc3eb484_JaffaCakes118.exe
Size: 149KB
MD5: 047dae41e0bf5ecfe648c87ccc3eb484
SHA1: ef41965e7f363197351a40d63abc1e338fd7c886
SHA256: 739d54740e0c8614cce0729e64f922eff4b488b73048e5a2fd48fde3fdc971c2
SHA512: 974389a6699d47bc8e34df810637e50f6486cdcf0b24218684ff25fa580200f3bd586214621ea83fc8ce96c765c558d32f4687e5febb5cac129ec7f75dce5bcd
SSDEEP: 3072:7VbiVhF8Um1MsH3/mrsNdmT1YeDdctoQxmSWWcFlR4mWvz4oK:7VMhYmrsvuYsdctqj/5
Malware Config
Extracted: metasploit (encoder/call4_dword_xor)

Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Deletes itself (1 IoC)
  Processes (pid, process):
  2648 wmisvrdf.exe
- Executes dropped EXE (64 IoCs)
  Processes (pid, process): all 64 entries are wmisvrdf.exe, with PIDs
  3004, 2648, 2640, 2428, 1752, 1504, 1868, 1036, 2200, 776,
  656, 2184, 2452, 2600, 1636, 1540, 304, 944, 1916, 2376,
  1608, 2024, 2608, 2748, 2696, 2676, 620, 1524, 2704, 1196,
  2236, 2192, 1684, 584, 1304, 2324, 2864, 2828, 1636, 1476,
  1804, 768, 1336, 2364, 2816, 1968, 804, 2088, 1592, 2524,
  2516, 2564, 1516, 1864, 2720, 2572, 1492, 1924, 2228, 1528,
  300, 1224, 2824, 2336
- Loads dropped DLL (64 IoCs)
  Processes (pid, process):
  1756 047dae41e0bf5ecfe648c87ccc3eb484_JaffaCakes118.exe (2 events)
  3004 wmisvrdf.exe (1 event)
  wmisvrdf.exe, 2 events each, for PIDs 2648, 2428, 1504, 1036, 776, 2184, 2600, 1540, 944, 2376, 2024, 2748, 2676, 1524, 1196, 2192, 584, 2324, 2828, 1476, 768, 2364, 1968, 2088, 2524, 2564, 1864, 2572, 1924, 1528
  1224 wmisvrdf.exe (1 event)
  Processes (resource, yara_rule): every entry matches rule upx on a dump of the region 0x0000000000400000-0x0000000000469000, named behavioral1/memory/<pid>-<n>-0x0000000000400000-0x0000000000469000-memory.dmp, for the following pid-n values:
  1756-4, 1756-6, 1756-3, 1756-2, 1756-7, 1756-9, 1756-8, 1756-22,
  2648-33, 2648-35, 2648-32, 2648-34, 2648-40,
  2428-52, 2428-58,
  1504-68, 1504-69, 1504-70, 1504-76,
  1036-87, 1036-92,
  776-104, 776-103, 776-102, 776-110,
  2184-121, 2184-126, 2600-138, 2600-144, 1540-155, 1540-162, 944-173, 944-178,
  2376-189, 2376-196, 2024-208, 2024-213, 2748-225, 2748-231, 2676-243, 2676-248,
  1524-259, 1524-262, 1196-271, 1196-275, 2192-285, 2192-288, 584-298, 584-301,
  2324-311, 2324-314, 2828-324, 2828-327, 1476-337, 1476-340, 768-350, 768-353,
  2364-363, 2364-366, 1968-376, 1968-379, 2088-389, 2088-392, 2524-402
- Maps connected drives based on registry (3 TTPs, 64 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum: wmisvrdf.exe (31 events), 047dae41e0bf5ecfe648c87ccc3eb484_JaffaCakes118.exe (1 event)
  Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0: wmisvrdf.exe (31 events), 047dae41e0bf5ecfe648c87ccc3eb484_JaffaCakes118.exe (1 event)
- Drops file in System32 directory (64 IoCs)
  Processes (description, ioc, process):
  File created C:\Windows\SysWOW64\wmisvrdf.exe: wmisvrdf.exe (31 events), 047dae41e0bf5ecfe648c87ccc3eb484_JaffaCakes118.exe (1 event)
  File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe: wmisvrdf.exe (31 events), 047dae41e0bf5ecfe648c87ccc3eb484_JaffaCakes118.exe (1 event)
- Suspicious use of SetThreadContext (34 IoCs)
  Processes (description, pid, process, target process):
  PID 2060 set thread context of 1756 (047dae41e0bf5ecfe648c87ccc3eb484_JaffaCakes118.exe -> 047dae41e0bf5ecfe648c87ccc3eb484_JaffaCakes118.exe)
  All remaining entries are wmisvrdf.exe -> wmisvrdf.exe (pid -> target pid):
  3004 -> 2648, 2640 -> 2428, 1752 -> 1504, 1868 -> 1036, 2200 -> 776,
  656 -> 2184, 2452 -> 2600, 1636 -> 1540, 304 -> 944, 1916 -> 2376,
  1608 -> 2024, 2608 -> 2748, 2696 -> 2676, 620 -> 1524, 2704 -> 1196,
  2236 -> 2192, 1684 -> 584, 1304 -> 2324, 2864 -> 2828, 1636 -> 1476,
  1804 -> 768, 1336 -> 2364, 2816 -> 1968, 804 -> 2088, 1592 -> 2524,
  2516 -> 2564, 1516 -> 1864, 2720 -> 2572, 1492 -> 1924, 2228 -> 1528,
  300 -> 1224, 2824 -> 2336, 2464 -> 1800
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (34 IoCs)
  Processes (pid, process):
  1756 047dae41e0bf5ecfe648c87ccc3eb484_JaffaCakes118.exe
  wmisvrdf.exe for PIDs 2648, 2428, 1504, 1036, 776, 2184, 2600, 1540, 944, 2376, 2024, 2748, 2676, 1524, 1196, 2192, 584, 2324, 2828, 1476, 768, 2364, 1968, 2088, 2524, 2564, 1864, 2572, 1924, 1528, 1224, 2336, 1800
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description, pid, process, target process); repeated identical events are given with their count:
  PID 2060 wrote to memory of 1756 (047dae41e0bf5ecfe648c87ccc3eb484_JaffaCakes118.exe -> 047dae41e0bf5ecfe648c87ccc3eb484_JaffaCakes118.exe), 7 events
  PID 1756 wrote to memory of 3004 (047dae41e0bf5ecfe648c87ccc3eb484_JaffaCakes118.exe -> wmisvrdf.exe), 4 events
  All remaining entries are wmisvrdf.exe -> wmisvrdf.exe:
  3004 -> 2648 (7), 2648 -> 2640 (4), 2640 -> 2428 (7), 2428 -> 1752 (4),
  1752 -> 1504 (7), 1504 -> 1868 (4), 1868 -> 1036 (7), 1036 -> 2200 (4),
  2200 -> 776 (7), 776 -> 656 (2)
Processes
-
Process tree (the leading number is the nesting depth; each process is a child of the one above it):

1. C:\Users\Admin\AppData\Local\Temp\047dae41e0bf5ecfe648c87ccc3eb484_JaffaCakes118.exe (PID 2060)
   Command line: "C:\Users\Admin\AppData\Local\Temp\047dae41e0bf5ecfe648c87ccc3eb484_JaffaCakes118.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

2. C:\Users\Admin\AppData\Local\Temp\047dae41e0bf5ecfe648c87ccc3eb484_JaffaCakes118.exe (PID 1756)
   Command line: "C:\Users\Admin\AppData\Local\Temp\047dae41e0bf5ecfe648c87ccc3eb484_JaffaCakes118.exe"
   - Loads dropped DLL
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

3. C:\Windows\SysWOW64\wmisvrdf.exe (PID 3004)
   Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Users\Admin\AppData\Local\Temp\047DAE~1.EXE
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

4. C:\Windows\SysWOW64\wmisvrdf.exe (PID 2648)
   Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Users\Admin\AppData\Local\Temp\047DAE~1.EXE
   - Deletes itself
   - Executes dropped EXE
   - Loads dropped DLL
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

5. C:\Windows\SysWOW64\wmisvrdf.exe (PID 2640)
   Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

6. C:\Windows\SysWOW64\wmisvrdf.exe (PID 2428)
   Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

7. C:\Windows\SysWOW64\wmisvrdf.exe (PID 1752)
   Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

8. C:\Windows\SysWOW64\wmisvrdf.exe (PID 1504)
   Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

9. C:\Windows\SysWOW64\wmisvrdf.exe (PID 1868)
   Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

10. C:\Windows\SysWOW64\wmisvrdf.exe (PID 1036)
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

11. C:\Windows\SysWOW64\wmisvrdf.exe (PID 2200)
    Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

12. C:\Windows\SysWOW64\wmisvrdf.exe (PID 776)
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

13. C:\Windows\SysWOW64\wmisvrdf.exe (PID 656)
    Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext

14. C:\Windows\SysWOW64\wmisvrdf.exe (PID 2184)
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses

15. C:\Windows\SysWOW64\wmisvrdf.exe (PID 2452)
    Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext

16. C:\Windows\SysWOW64\wmisvrdf.exe (PID 2600)
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses

17. C:\Windows\SysWOW64\wmisvrdf.exe (PID 1636)
    Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext

18. C:\Windows\SysWOW64\wmisvrdf.exe (PID 1540)
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses

19. C:\Windows\SysWOW64\wmisvrdf.exe (PID 304)
    Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext

20. C:\Windows\SysWOW64\wmisvrdf.exe (PID 944)
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses

21. C:\Windows\SysWOW64\wmisvrdf.exe (PID 1916)
    Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext

22. C:\Windows\SysWOW64\wmisvrdf.exe (PID 2376)
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses

23. C:\Windows\SysWOW64\wmisvrdf.exe (PID 1608)
    Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext

24. C:\Windows\SysWOW64\wmisvrdf.exe (PID 2024)
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses

25. C:\Windows\SysWOW64\wmisvrdf.exe (PID 2608)
    Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext

26. C:\Windows\SysWOW64\wmisvrdf.exe (PID 2748)
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses

27. C:\Windows\SysWOW64\wmisvrdf.exe (PID 2696)
    Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext

28. C:\Windows\SysWOW64\wmisvrdf.exe (PID 2676)
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses

29. C:\Windows\SysWOW64\wmisvrdf.exe (PID 620)
    Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext

30. C:\Windows\SysWOW64\wmisvrdf.exe (PID 1524)
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses

31. C:\Windows\SysWOW64\wmisvrdf.exe (PID 2704)
    Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext

32. C:\Windows\SysWOW64\wmisvrdf.exe (PID 1196)
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses

33. C:\Windows\SysWOW64\wmisvrdf.exe (PID 2236)
    Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext

34. C:\Windows\SysWOW64\wmisvrdf.exe (PID 2192)
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses

35. C:\Windows\SysWOW64\wmisvrdf.exe (PID 1684)
    Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext

36. C:\Windows\SysWOW64\wmisvrdf.exe (PID 584)
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses

37. C:\Windows\SysWOW64\wmisvrdf.exe (PID 1304)
    Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext

38. C:\Windows\SysWOW64\wmisvrdf.exe (PID 2324)
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses

39. C:\Windows\SysWOW64\wmisvrdf.exe (PID 2864)
    Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext

40. C:\Windows\SysWOW64\wmisvrdf.exe (PID 2828)
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses

41. C:\Windows\SysWOW64\wmisvrdf.exe (PID 1636)
    Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext

42. C:\Windows\SysWOW64\wmisvrdf.exe (PID 1476)
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses

43. C:\Windows\SysWOW64\wmisvrdf.exe (PID 1804)
    Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext

44. C:\Windows\SysWOW64\wmisvrdf.exe (PID 768)
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses

45. C:\Windows\SysWOW64\wmisvrdf.exe (PID 1336)
    Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext

46. C:\Windows\SysWOW64\wmisvrdf.exe (PID 2364)
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses

47. C:\Windows\SysWOW64\wmisvrdf.exe (PID 2816)
    Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext

48. C:\Windows\SysWOW64\wmisvrdf.exe (PID 1968)
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses

49. C:\Windows\SysWOW64\wmisvrdf.exe (PID 804)
    Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext

50. C:\Windows\SysWOW64\wmisvrdf.exe (PID 2088)
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses

51. C:\Windows\SysWOW64\wmisvrdf.exe (PID 1592)
    Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext

52. C:\Windows\SysWOW64\wmisvrdf.exe (PID 2524)
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses

53. C:\Windows\SysWOW64\wmisvrdf.exe (PID 2516)
    Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext

54. C:\Windows\SysWOW64\wmisvrdf.exe (PID 2564)
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses

55. C:\Windows\SysWOW64\wmisvrdf.exe (PID 1516)
    Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext

56. C:\Windows\SysWOW64\wmisvrdf.exe (PID 1864)
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses

57. C:\Windows\SysWOW64\wmisvrdf.exe (PID 2720)
    Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext

58. C:\Windows\SysWOW64\wmisvrdf.exe (PID 2572)
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses

59. C:\Windows\SysWOW64\wmisvrdf.exe (PID 1492)
    Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext

60. C:\Windows\SysWOW64\wmisvrdf.exe (PID 1924)
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses

61. C:\Windows\SysWOW64\wmisvrdf.exe (PID 2228)
    Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext

62. C:\Windows\SysWOW64\wmisvrdf.exe (PID 1528)
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses

63. C:\Windows\SysWOW64\wmisvrdf.exe (PID 300)
    Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext

64. C:\Windows\SysWOW64\wmisvrdf.exe (PID 1224)
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses

65. C:\Windows\SysWOW64\wmisvrdf.exe (PID 2824)
    Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext

66. C:\Windows\SysWOW64\wmisvrdf.exe (PID 2336)
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses

67. C:\Windows\SysWOW64\wmisvrdf.exe (PID 2464)
    Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Suspicious use of SetThreadContext

68. C:\Windows\SysWOW64\wmisvrdf.exe (PID 1800)
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Maps connected drives based on registry
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 149KB
MD5: 047dae41e0bf5ecfe648c87ccc3eb484
SHA1: ef41965e7f363197351a40d63abc1e338fd7c886
SHA256: 739d54740e0c8614cce0729e64f922eff4b488b73048e5a2fd48fde3fdc971c2
SHA512: 974389a6699d47bc8e34df810637e50f6486cdcf0b24218684ff25fa580200f3bd586214621ea83fc8ce96c765c558d32f4687e5febb5cac129ec7f75dce5bcd
-
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e