Analysis
max time kernel: 149s
max time network: 124s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-06-2024 00:03
Static task: static1
Behavioral task: behavioral1
Sample: 047dae41e0bf5ecfe648c87ccc3eb484_JaffaCakes118.exe
Resource: win7-20240508-en
Behavioral task: behavioral2
Sample: 047dae41e0bf5ecfe648c87ccc3eb484_JaffaCakes118.exe
Resource: win10v2004-20240611-en
General
Target: 047dae41e0bf5ecfe648c87ccc3eb484_JaffaCakes118.exe
Size: 149KB
MD5: 047dae41e0bf5ecfe648c87ccc3eb484
SHA1: ef41965e7f363197351a40d63abc1e338fd7c886
SHA256: 739d54740e0c8614cce0729e64f922eff4b488b73048e5a2fd48fde3fdc971c2
SHA512: 974389a6699d47bc8e34df810637e50f6486cdcf0b24218684ff25fa580200f3bd586214621ea83fc8ce96c765c558d32f4687e5febb5cac129ec7f75dce5bcd
SSDEEP: 3072:7VbiVhF8Um1MsH3/mrsNdmT1YeDdctoQxmSWWcFlR4mWvz4oK:7VMhYmrsvuYsdctqj/5
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
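The extracted config names the x86 call4_dword_xor encoder. That encoder is a stateless dword XOR wrapped in a short self-locating stub: a `call $+4` whose return address is popped into esi, then `xor dword [esi+0x0e], KEY` walks over the payload one dword at a time until ecx (loaded with the block count) hits zero. The Python below is an added example, not part of this report or of Metasploit, that finds the stub in a byte buffer and strips the encoding. It assumes the stub byte layout of Metasploit's modules/encoders/x86/call4_dword_xor.rb and the plain `sub ecx, -N` counter encodings (imm8 or imm32); bad-character avoidance can emit the counter differently, in which case the function decodes to the end of the buffer. The encoder helper, sample payload bytes and key are constructed for the demonstration. Because the file on disk is UPX-packed (the upx yara hits in this report), the stub should be searched for in the unpacked 0x00400000-0x00469000 memory dumps rather than in the sample itself.

```python
import re
import struct

# Fixed bytes of the Metasploit x86/call4_dword_xor decoder stub (assumed
# layout, after modules/encoders/x86/call4_dword_xor.rb):
#   e8 ff ff ff ff         call $+4   ; return address = address of the last ff
#      ff c0               inc eax    ; shares the call's last byte
#   5e                     pop esi    ; esi = stub + 0x0a
#   81 76 0e KK KK KK KK   xor dword [esi+0x0e], KEY   ; esi+0x0e = encoded data
#   83 ee fc               sub esi, -4
#   e2 f4                  loop back to the xor
# Immediately before it, "xor ecx, ecx ; sub ecx, -N" loads the dword count.
STUB_HEAD = b"\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"
STUB_TAIL = b"\x83\xee\xfc\xe2\xf4"
STUB_RE = re.compile(re.escape(STUB_HEAD) + b"(.{4})" + re.escape(STUB_TAIL), re.DOTALL)


def block_count(blob, stub_off):
    """Read N from the 'sub ecx, -N' that precedes the stub at stub_off.

    Handles the two plain encodings (83 e9 imm8 and 81 e9 imm32). Returns None
    when the counter was emitted some other way (bad-char avoidance)."""
    if stub_off >= 3 and blob[stub_off - 3:stub_off - 1] == b"\x83\xe9":
        return -struct.unpack("<b", blob[stub_off - 1:stub_off])[0]
    if stub_off >= 6 and blob[stub_off - 6:stub_off - 4] == b"\x81\xe9":
        return -struct.unpack("<i", blob[stub_off - 4:stub_off])[0]
    return None


def decode_call4_dword_xor(blob):
    """Find the stub in blob and return (key, stub_offset, decoded) or None.

    The XOR has no chaining, so each byte is simply b ^ key[i % 4]. When the
    block count is readable the result is trimmed to N*4 bytes; otherwise
    everything after the stub is decoded."""
    m = STUB_RE.search(blob)
    if m is None:
        return None
    key = m.group(1)
    enc = blob[m.end():]
    n = block_count(blob, m.start())
    if n is not None and n > 0:
        enc = enc[:n * 4]
    dec = bytes(b ^ key[i % 4] for i, b in enumerate(enc))
    return key, m.start(), dec


def encode_call4_dword_xor(payload, key):
    """Constructed inverse used only to build test input. It mirrors the stub
    layout above and pads the payload to whole dwords; msfvenom's own output
    is the reference, this helper is not it."""
    if len(key) != 4:
        raise ValueError("key must be 4 bytes")
    payload = payload + b"\x00" * (-len(payload) % 4)
    n = len(payload) // 4
    if n <= 128:
        counter = b"\x83\xe9" + struct.pack("<b", -n)     # sub ecx, imm8
    else:
        counter = b"\x81\xe9" + struct.pack("<i", -n)     # sub ecx, imm32
    enc = bytes(b ^ key[i % 4] for i, b in enumerate(payload))
    return b"\x31\xc9" + counter + STUB_HEAD + key + STUB_TAIL + enc


# Constructed sample "dump": filler, an encoded 11-byte stand-in payload, filler.
SAMPLE_PAYLOAD = b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0"
SAMPLE_KEY = b"\xde\xad\xbe\xef"
SAMPLE_DUMP = b"\x90" * 8 + encode_call4_dword_xor(SAMPLE_PAYLOAD, SAMPLE_KEY) + b"\xcc" * 5

if __name__ == "__main__":
    key, off, dec = decode_call4_dword_xor(SAMPLE_DUMP)
    print(f"stub at +0x{off:x}, key {key.hex()}, payload {dec.hex()}")
```

Against a real dump, feed the whole region to `decode_call4_dword_xor` and disassemble the returned bytes; the first bytes of the decoded buffer are the actual Metasploit payload, which is what the MetaSploit signature above matched on.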
-
Checks computer location settings 2 TTPs 29 IoCs
Reads the country code the user has configured (HKCU\Control Panel\International\Geo\Nation), the usual geofencing check that lets malware refuse to run in selected countries.
Processes: wmisvrdf.exe (28), 047dae41e0bf5ecfe648c87ccc3eb484_JaffaCakes118.exe (1)
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | 047dae41e0bf5ecfe648c87ccc3eb484_JaffaCakes118.exe (1 row)
Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | wmisvrdf.exe (28 identical rows)
-
Deletes itself 1 IoCs
Processes: wmisvrdf.exe (1)
pid | process
4648 | wmisvrdf.exe
-
Executes dropped EXE 58 IoCs
Processes: wmisvrdf.exe (58 instances; PID 4396 is reused once)
pid | process
One row per PID, all wmisvrdf.exe, in the order listed: 4160, 4648, 1208, 940, 2020, 2340, 4388, 568, 2392, 1088, 776, 4876, 4156, 1364, 4076, 1352, 3712, 3600, 2544, 968, 2040, 4672, 1696, 3532, 3904, 1264, 2316, 4276, 1176, 1392, 4396, 388, 3220, 4752, 3148, 5028, 2756, 1328, 4252, 3456, 2436, 5084, 3500, 3308, 2344, 2388, 3304, 4396, 372, 4300, 3004, 2000, 5016, 464, 4652, 4628, 876, 2704
-
Processes:
resource | yara_rule
behavioral2/memory/<pid>-<n>-0x0000000000400000-0x0000000000469000-memory.dmp | upx
One row per dump, every dump covering the same 0x00400000-0x00469000 image range; the <pid>-<n> values are: 3132-0, 3132-3, 3132-4, 3132-2, 3132-38, 4648-43, 4648-45, 4648-44, 4648-47, 940-53, 940-56, 2340-65, 568-70, 568-71, 1088-77, 1088-81, 4876-87, 1364-97, 1352-102, 3600-109, 3600-110, 968-117, 968-119, 4672-124, 4672-128, 3532-137, 1264-145, 4276-150, 4276-154, 1392-162, 388-170, 4752-178, 5028-187, 1328-195, 3456-203, 5084-211, 3308-219, 2388-224, 2388-227, 4396-233, 4300-239, 2000-242, 2000-246, 464-252, 4628-256, 4628-259, 2704-262
-
Maps connected drives based on registry 3 TTPs 60 IoCs
Services\disk\Enum\0 holds the device ID string of the first disk, vendor and model included, so reading it is a common way to spot a virtualised sandbox (hypervisor disk names) without calling any obvious VM-detection API.
Processes: wmisvrdf.exe (29), 047dae41e0bf5ecfe648c87ccc3eb484_JaffaCakes118.exe (1)
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 047dae41e0bf5ecfe648c87ccc3eb484_JaffaCakes118.exe (1 row)
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 047dae41e0bf5ecfe648c87ccc3eb484_JaffaCakes118.exe (1 row)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmisvrdf.exe (29 identical rows)
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmisvrdf.exe (29 identical rows)
-
Drops file in System32 directory 58 IoCs
The recorded path is C:\Windows\SysWOW64 rather than System32: the sample is a 32-bit image (0x00400000 image base, WOW6432Node registry writes), so WoW64 file-system redirection applies to its System32 writes.
Processes: wmisvrdf.exe (28), 047dae41e0bf5ecfe648c87ccc3eb484_JaffaCakes118.exe (1)
description | ioc | process
File created | C:\Windows\SysWOW64\wmisvrdf.exe | 047dae41e0bf5ecfe648c87ccc3eb484_JaffaCakes118.exe (1 row)
File opened for modification | C:\Windows\SysWOW64\wmisvrdf.exe | 047dae41e0bf5ecfe648c87ccc3eb484_JaffaCakes118.exe (1 row)
File created | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe (28 identical rows)
File opened for modification | C:\Windows\SysWOW64\wmisvrdf.exe | wmisvrdf.exe (28 identical rows)
-
Suspicious use of SetThreadContext 30 IoCs
Every row pairs a parent with a freshly started child of the same image whose thread context the parent then rewrites; each such pair that also appears in the WriteProcessMemory table further down has seven writes into the child before the context change, which is the process-hollowing sequence, repeated once per wmisvrdf.exe generation.
Processes: 047dae41e0bf5ecfe648c87ccc3eb484_JaffaCakes118.exe (1), wmisvrdf.exe (29)
description | pid | process | target process
PID 3732 set thread context of 3132 | 3732 | 047dae41e0bf5ecfe648c87ccc3eb484_JaffaCakes118.exe | 047dae41e0bf5ecfe648c87ccc3eb484_JaffaCakes118.exe
PID 4160 set thread context of 4648 | 4160 | wmisvrdf.exe | wmisvrdf.exe
PID 1208 set thread context of 940 | 1208 | wmisvrdf.exe | wmisvrdf.exe
PID 2020 set thread context of 2340 | 2020 | wmisvrdf.exe | wmisvrdf.exe
PID 4388 set thread context of 568 | 4388 | wmisvrdf.exe | wmisvrdf.exe
PID 2392 set thread context of 1088 | 2392 | wmisvrdf.exe | wmisvrdf.exe
PID 776 set thread context of 4876 | 776 | wmisvrdf.exe | wmisvrdf.exe
PID 4156 set thread context of 1364 | 4156 | wmisvrdf.exe | wmisvrdf.exe
PID 4076 set thread context of 1352 | 4076 | wmisvrdf.exe | wmisvrdf.exe
PID 3712 set thread context of 3600 | 3712 | wmisvrdf.exe | wmisvrdf.exe
PID 2544 set thread context of 968 | 2544 | wmisvrdf.exe | wmisvrdf.exe
PID 2040 set thread context of 4672 | 2040 | wmisvrdf.exe | wmisvrdf.exe
PID 1696 set thread context of 3532 | 1696 | wmisvrdf.exe | wmisvrdf.exe
PID 3904 set thread context of 1264 | 3904 | wmisvrdf.exe | wmisvrdf.exe
PID 2316 set thread context of 4276 | 2316 | wmisvrdf.exe | wmisvrdf.exe
PID 1176 set thread context of 1392 | 1176 | wmisvrdf.exe | wmisvrdf.exe
PID 4396 set thread context of 388 | 4396 | wmisvrdf.exe | wmisvrdf.exe
PID 3220 set thread context of 4752 | 3220 | wmisvrdf.exe | wmisvrdf.exe
PID 3148 set thread context of 5028 | 3148 | wmisvrdf.exe | wmisvrdf.exe
PID 2756 set thread context of 1328 | 2756 | wmisvrdf.exe | wmisvrdf.exe
PID 4252 set thread context of 3456 | 4252 | wmisvrdf.exe | wmisvrdf.exe
PID 2436 set thread context of 5084 | 2436 | wmisvrdf.exe | wmisvrdf.exe
PID 3500 set thread context of 3308 | 3500 | wmisvrdf.exe | wmisvrdf.exe
PID 2344 set thread context of 2388 | 2344 | wmisvrdf.exe | wmisvrdf.exe
PID 3304 set thread context of 4396 | 3304 | wmisvrdf.exe | wmisvrdf.exe
PID 372 set thread context of 4300 | 372 | wmisvrdf.exe | wmisvrdf.exe
PID 3004 set thread context of 2000 | 3004 | wmisvrdf.exe | wmisvrdf.exe
PID 5016 set thread context of 464 | 5016 | wmisvrdf.exe | wmisvrdf.exe
PID 4652 set thread context of 4628 | 4652 | wmisvrdf.exe | wmisvrdf.exe
PID 876 set thread context of 2704 | 876 | wmisvrdf.exe | wmisvrdf.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 29 IoCs
Processes: wmisvrdf.exe (28), 047dae41e0bf5ecfe648c87ccc3eb484_JaffaCakes118.exe (1)
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 047dae41e0bf5ecfe648c87ccc3eb484_JaffaCakes118.exe (1 row)
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | wmisvrdf.exe (28 identical rows)
-
Suspicious behavior: EnumeratesProcesses 60 IoCs
The 30 PIDs here are exactly the target PIDs of the SetThreadContext rows above, i.e. the hollowed children are the processes that enumerate running processes; the parents only spawn, write and hand over.
Processes: 047dae41e0bf5ecfe648c87ccc3eb484_JaffaCakes118.exe (1), wmisvrdf.exe (29)
pid | process (each PID is listed twice in the source, 60 rows)
3132 | 047dae41e0bf5ecfe648c87ccc3eb484_JaffaCakes118.exe
4648, 940, 2340, 568, 1088, 4876, 1364, 1352, 3600, 968, 4672, 3532, 1264, 4276, 1392, 388, 4752, 5028, 1328, 3456, 5084, 3308, 2388, 4396, 4300, 2000, 464, 4628, 2704 | wmisvrdf.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Two write patterns alternate down the chain: seven writes from a parent into a child of its own image, which are the pairs that also appear in the SetThreadContext table (hollowing), and three writes from a hollowed child into the next wmisvrdf.exe it launches, with no SetThreadContext on that pair. The source lists 64 rows but is cut off after the tenth pair.
Processes: 047dae41e0bf5ecfe648c87ccc3eb484_JaffaCakes118.exe (2), wmisvrdf.exe (11)
description | pid | process | target process | rows
PID 3732 wrote to memory of 3132 | 3732 | 047dae41e0bf5ecfe648c87ccc3eb484_JaffaCakes118.exe | 047dae41e0bf5ecfe648c87ccc3eb484_JaffaCakes118.exe | 7
PID 3132 wrote to memory of 4160 | 3132 | 047dae41e0bf5ecfe648c87ccc3eb484_JaffaCakes118.exe | wmisvrdf.exe | 3
PID 4160 wrote to memory of 4648 | 4160 | wmisvrdf.exe | wmisvrdf.exe | 7
PID 4648 wrote to memory of 1208 | 4648 | wmisvrdf.exe | wmisvrdf.exe | 3
PID 1208 wrote to memory of 940 | 1208 | wmisvrdf.exe | wmisvrdf.exe | 7
PID 940 wrote to memory of 2020 | 940 | wmisvrdf.exe | wmisvrdf.exe | 3
PID 2020 wrote to memory of 2340 | 2020 | wmisvrdf.exe | wmisvrdf.exe | 7
PID 2340 wrote to memory of 4388 | 2340 | wmisvrdf.exe | wmisvrdf.exe | 3
PID 4388 wrote to memory of 568 | 4388 | wmisvrdf.exe | wmisvrdf.exe | 7
PID 568 wrote to memory of 2392 | 568 | wmisvrdf.exe | wmisvrdf.exe | 1
PID 568 wrote to memory
of 2392 568 wmisvrdf.exe wmisvrdf.exe PID 568 wrote to memory of 2392 568 wmisvrdf.exe wmisvrdf.exe PID 2392 wrote to memory of 1088 2392 wmisvrdf.exe wmisvrdf.exe PID 2392 wrote to memory of 1088 2392 wmisvrdf.exe wmisvrdf.exe PID 2392 wrote to memory of 1088 2392 wmisvrdf.exe wmisvrdf.exe PID 2392 wrote to memory of 1088 2392 wmisvrdf.exe wmisvrdf.exe PID 2392 wrote to memory of 1088 2392 wmisvrdf.exe wmisvrdf.exe PID 2392 wrote to memory of 1088 2392 wmisvrdf.exe wmisvrdf.exe PID 2392 wrote to memory of 1088 2392 wmisvrdf.exe wmisvrdf.exe PID 1088 wrote to memory of 776 1088 wmisvrdf.exe wmisvrdf.exe PID 1088 wrote to memory of 776 1088 wmisvrdf.exe wmisvrdf.exe PID 1088 wrote to memory of 776 1088 wmisvrdf.exe wmisvrdf.exe PID 776 wrote to memory of 4876 776 wmisvrdf.exe wmisvrdf.exe PID 776 wrote to memory of 4876 776 wmisvrdf.exe wmisvrdf.exe PID 776 wrote to memory of 4876 776 wmisvrdf.exe wmisvrdf.exe PID 776 wrote to memory of 4876 776 wmisvrdf.exe wmisvrdf.exe
Processes
-
Each process below is a child of the one listed before it; the number in brackets is its depth in the process tree.

[1] C:\Users\Admin\AppData\Local\Temp\047dae41e0bf5ecfe648c87ccc3eb484_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\047dae41e0bf5ecfe648c87ccc3eb484_JaffaCakes118.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3732

[2] C:\Users\Admin\AppData\Local\Temp\047dae41e0bf5ecfe648c87ccc3eb484_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\047dae41e0bf5ecfe648c87ccc3eb484_JaffaCakes118.exe"
    - Checks computer location settings
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3132

[3] C:\Windows\SysWOW64\wmisvrdf.exe
    Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Users\Admin\AppData\Local\Temp\047DAE~1.EXE
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4160

[4] C:\Windows\SysWOW64\wmisvrdf.exe
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Users\Admin\AppData\Local\Temp\047DAE~1.EXE
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4648

[5] C:\Windows\SysWOW64\wmisvrdf.exe
    Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1208

[6] C:\Windows\SysWOW64\wmisvrdf.exe
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:940

[7] C:\Windows\SysWOW64\wmisvrdf.exe
    Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2020

[8] C:\Windows\SysWOW64\wmisvrdf.exe
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2340

[9] C:\Windows\SysWOW64\wmisvrdf.exe
    Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4388

[10] C:\Windows\SysWOW64\wmisvrdf.exe
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:568

[11] C:\Windows\SysWOW64\wmisvrdf.exe
    Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2392

[12] C:\Windows\SysWOW64\wmisvrdf.exe
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1088

[13] C:\Windows\SysWOW64\wmisvrdf.exe
    Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:776

[14] C:\Windows\SysWOW64\wmisvrdf.exe
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:4876

[15] C:\Windows\SysWOW64\wmisvrdf.exe
    Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:4156

[16] C:\Windows\SysWOW64\wmisvrdf.exe
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:1364

[17] C:\Windows\SysWOW64\wmisvrdf.exe
    Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:4076

[18] C:\Windows\SysWOW64\wmisvrdf.exe
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:1352

[19] C:\Windows\SysWOW64\wmisvrdf.exe
    Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:3712

[20] C:\Windows\SysWOW64\wmisvrdf.exe
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:3600

[21] C:\Windows\SysWOW64\wmisvrdf.exe
    Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:2544

[22] C:\Windows\SysWOW64\wmisvrdf.exe
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:968

[23] C:\Windows\SysWOW64\wmisvrdf.exe
    Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:2040

[24] C:\Windows\SysWOW64\wmisvrdf.exe
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:4672

[25] C:\Windows\SysWOW64\wmisvrdf.exe
    Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:1696

[26] C:\Windows\SysWOW64\wmisvrdf.exe
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:3532

[27] C:\Windows\SysWOW64\wmisvrdf.exe
    Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:3904

[28] C:\Windows\SysWOW64\wmisvrdf.exe
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:1264

[29] C:\Windows\SysWOW64\wmisvrdf.exe
    Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:2316

[30] C:\Windows\SysWOW64\wmisvrdf.exe
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:4276

[31] C:\Windows\SysWOW64\wmisvrdf.exe
    Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:1176

[32] C:\Windows\SysWOW64\wmisvrdf.exe
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:1392

[33] C:\Windows\SysWOW64\wmisvrdf.exe
    Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:4396

[34] C:\Windows\SysWOW64\wmisvrdf.exe
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:388

[35] C:\Windows\SysWOW64\wmisvrdf.exe
    Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:3220

[36] C:\Windows\SysWOW64\wmisvrdf.exe
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:4752

[37] C:\Windows\SysWOW64\wmisvrdf.exe
    Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:3148

[38] C:\Windows\SysWOW64\wmisvrdf.exe
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:5028

[39] C:\Windows\SysWOW64\wmisvrdf.exe
    Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:2756

[40] C:\Windows\SysWOW64\wmisvrdf.exe
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:1328

[41] C:\Windows\SysWOW64\wmisvrdf.exe
    Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:4252

[42] C:\Windows\SysWOW64\wmisvrdf.exe
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:3456

[43] C:\Windows\SysWOW64\wmisvrdf.exe
    Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:2436

[44] C:\Windows\SysWOW64\wmisvrdf.exe
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:5084

[45] C:\Windows\SysWOW64\wmisvrdf.exe
    Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:3500

[46] C:\Windows\SysWOW64\wmisvrdf.exe
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:3308

[47] C:\Windows\SysWOW64\wmisvrdf.exe
    Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:2344

[48] C:\Windows\SysWOW64\wmisvrdf.exe
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:2388

[49] C:\Windows\SysWOW64\wmisvrdf.exe
    Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:3304

[50] C:\Windows\SysWOW64\wmisvrdf.exe
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:4396

[51] C:\Windows\SysWOW64\wmisvrdf.exe
    Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:372

[52] C:\Windows\SysWOW64\wmisvrdf.exe
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:4300

[53] C:\Windows\SysWOW64\wmisvrdf.exe
    Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:3004

[54] C:\Windows\SysWOW64\wmisvrdf.exe
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:2000

[55] C:\Windows\SysWOW64\wmisvrdf.exe
    Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:5016

[56] C:\Windows\SysWOW64\wmisvrdf.exe
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:464

[57] C:\Windows\SysWOW64\wmisvrdf.exe
    Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:4652

[58] C:\Windows\SysWOW64\wmisvrdf.exe
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:4628

[59] C:\Windows\SysWOW64\wmisvrdf.exe
    Command line: "C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:876

[60] C:\Windows\SysWOW64\wmisvrdf.exe
    Command line: "C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Suspicious behavior: EnumeratesProcesses
    PID:2704
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 149KB
MD5: 047dae41e0bf5ecfe648c87ccc3eb484
SHA1: ef41965e7f363197351a40d63abc1e338fd7c886
SHA256: 739d54740e0c8614cce0729e64f922eff4b488b73048e5a2fd48fde3fdc971c2
SHA512: 974389a6699d47bc8e34df810637e50f6486cdcf0b24218684ff25fa580200f3bd586214621ea83fc8ce96c765c558d32f4687e5febb5cac129ec7f75dce5bcd
-
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(These four values are the well-known digests of a zero-length file, so this download entry contains no data.)