metasploit | 1929eb51be7d02cf66186eb172b4df9a04cd4cd5a278e42e784628febe0aea09

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-09-2024 13:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d20fe74386dbe61c0fb11c15341160d2_JaffaCakes118.exe
Size

206KB
MD5

d20fe74386dbe61c0fb11c15341160d2
SHA1

38403239a431496a95f79eb1587d40ca2f430122
SHA256

1929eb51be7d02cf66186eb172b4df9a04cd4cd5a278e42e784628febe0aea09
SHA512

f2f7f5bc1d5eda12ae5875973bcccf1fa06a6102ac70b3570cf4ece18354b6f2b5e7af4fe71e370b26081565f40c51906c926fe1a0520befa6a5a8f582554cb5
SSDEEP

6144:i8xopQbQ0NdWOa0uhZNXCRHvMUW85OSnd6s:NxoibQ0NdWO4hnCJj9TB

Score

10^/10

metasploit backdoor discovery trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Deletes itself 1 IoCs

pid	Process
2844	MsDxClient.exe

Executes dropped EXE 56 IoCs

pid	Process
2700	MsDxClient.exe
2844	MsDxClient.exe
2732	MsDxClient.exe
2952	MsDxClient.exe
2288	MsDxClient.exe
676	MsDxClient.exe
2932	MsDxClient.exe
2604	MsDxClient.exe
768	MsDxClient.exe
1828	MsDxClient.exe
1916	MsDxClient.exe
2116	MsDxClient.exe
704	MsDxClient.exe
1160	MsDxClient.exe
612	MsDxClient.exe
1380	MsDxClient.exe
1108	MsDxClient.exe
1032	MsDxClient.exe
2280	MsDxClient.exe
1068	MsDxClient.exe
1608	MsDxClient.exe
3052	MsDxClient.exe
1964	MsDxClient.exe
2820	MsDxClient.exe
2784	MsDxClient.exe
2492	MsDxClient.exe
2276	MsDxClient.exe
596	MsDxClient.exe
2676	MsDxClient.exe
2912	MsDxClient.exe
764	MsDxClient.exe
840	MsDxClient.exe
2096	MsDxClient.exe
2360	MsDxClient.exe
2160	MsDxClient.exe
1368	MsDxClient.exe
2572	MsDxClient.exe
960	MsDxClient.exe
1912	MsDxClient.exe
2452	MsDxClient.exe
1856	MsDxClient.exe
2408	MsDxClient.exe
2136	MsDxClient.exe
1612	MsDxClient.exe
2328	MsDxClient.exe
3036	MsDxClient.exe
2740	MsDxClient.exe
2992	MsDxClient.exe
2776	MsDxClient.exe
2728	MsDxClient.exe
2312	MsDxClient.exe
2752	MsDxClient.exe
2268	MsDxClient.exe
1172	MsDxClient.exe
2956	MsDxClient.exe
2636	MsDxClient.exe

Loads dropped DLL 56 IoCs

pid	Process
1204	d20fe74386dbe61c0fb11c15341160d2_JaffaCakes118.exe
1204	d20fe74386dbe61c0fb11c15341160d2_JaffaCakes118.exe
2844	MsDxClient.exe
2844	MsDxClient.exe
2952	MsDxClient.exe
2952	MsDxClient.exe
676	MsDxClient.exe
676	MsDxClient.exe
2604	MsDxClient.exe
2604	MsDxClient.exe
1828	MsDxClient.exe
1828	MsDxClient.exe
2116	MsDxClient.exe
2116	MsDxClient.exe
1160	MsDxClient.exe
1160	MsDxClient.exe
1380	MsDxClient.exe
1380	MsDxClient.exe
1032	MsDxClient.exe
1032	MsDxClient.exe
1068	MsDxClient.exe
1068	MsDxClient.exe
3052	MsDxClient.exe
3052	MsDxClient.exe
2820	MsDxClient.exe
2820	MsDxClient.exe
2492	MsDxClient.exe
2492	MsDxClient.exe
596	MsDxClient.exe
596	MsDxClient.exe
2912	MsDxClient.exe
2912	MsDxClient.exe
840	MsDxClient.exe
840	MsDxClient.exe
2360	MsDxClient.exe
2360	MsDxClient.exe
1368	MsDxClient.exe
1368	MsDxClient.exe
960	MsDxClient.exe
960	MsDxClient.exe
2452	MsDxClient.exe
2452	MsDxClient.exe
2408	MsDxClient.exe
2408	MsDxClient.exe
1612	MsDxClient.exe
1612	MsDxClient.exe
3036	MsDxClient.exe
3036	MsDxClient.exe
2992	MsDxClient.exe
2992	MsDxClient.exe
2728	MsDxClient.exe
2728	MsDxClient.exe
2752	MsDxClient.exe
2752	MsDxClient.exe
1172	MsDxClient.exe
1172	MsDxClient.exe

UPX packed file 47 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1204-2-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1204-3-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1204-8-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1204-9-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1204-7-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1204-6-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1204-4-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1204-22-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2844-34-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2844-33-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2844-32-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2844-31-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2844-40-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2952-51-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2952-57-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/676-73-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2604-82-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2604-83-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2604-87-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1828-97-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1828-98-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1828-104-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2116-121-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1160-137-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1380-153-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1032-170-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1068-186-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/3052-203-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2820-219-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2492-228-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2492-237-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/596-249-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2912-257-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2912-262-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/840-274-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2360-286-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1368-295-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1368-299-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/960-311-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2452-323-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2408-335-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1612-347-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/3036-359-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2992-371-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2728-383-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2752-395-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1172-407-0x0000000000400000-0x000000000046A000-memory.dmp	upx

Maps connected drives based on registry 3 TTPs 58 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDxClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MsDxClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MsDxClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MsDxClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDxClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MsDxClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDxClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDxClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MsDxClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MsDxClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDxClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	d20fe74386dbe61c0fb11c15341160d2_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MsDxClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDxClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDxClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDxClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MsDxClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MsDxClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDxClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	d20fe74386dbe61c0fb11c15341160d2_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDxClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MsDxClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDxClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDxClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDxClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MsDxClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDxClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDxClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MsDxClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MsDxClient.exe

Drops file in System32 directory 56 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\MsDxClient.exe	MsDxClient.exe
File created	C:\Windows\SysWOW64\MsDxClient.exe	MsDxClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDxClient.exe	MsDxClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDxClient.exe	MsDxClient.exe
File created	C:\Windows\SysWOW64\MsDxClient.exe	MsDxClient.exe
File created	C:\Windows\SysWOW64\MsDxClient.exe	MsDxClient.exe
File created	C:\Windows\SysWOW64\MsDxClient.exe	MsDxClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDxClient.exe	MsDxClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDxClient.exe	MsDxClient.exe
File created	C:\Windows\SysWOW64\MsDxClient.exe	MsDxClient.exe
File created	C:\Windows\SysWOW64\MsDxClient.exe	MsDxClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDxClient.exe	MsDxClient.exe
File created	C:\Windows\SysWOW64\MsDxClient.exe	MsDxClient.exe
File created	C:\Windows\SysWOW64\MsDxClient.exe	MsDxClient.exe
File created	C:\Windows\SysWOW64\MsDxClient.exe	MsDxClient.exe
File created	C:\Windows\SysWOW64\MsDxClient.exe	MsDxClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDxClient.exe	MsDxClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDxClient.exe	MsDxClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDxClient.exe	MsDxClient.exe
File created	C:\Windows\SysWOW64\MsDxClient.exe	MsDxClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDxClient.exe	d20fe74386dbe61c0fb11c15341160d2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\MsDxClient.exe	MsDxClient.exe
File created	C:\Windows\SysWOW64\MsDxClient.exe	MsDxClient.exe
File created	C:\Windows\SysWOW64\MsDxClient.exe	MsDxClient.exe
File created	C:\Windows\SysWOW64\MsDxClient.exe	MsDxClient.exe
File created	C:\Windows\SysWOW64\MsDxClient.exe	MsDxClient.exe
File created	C:\Windows\SysWOW64\MsDxClient.exe	MsDxClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDxClient.exe	MsDxClient.exe
File created	C:\Windows\SysWOW64\MsDxClient.exe	MsDxClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDxClient.exe	MsDxClient.exe
File created	C:\Windows\SysWOW64\MsDxClient.exe	d20fe74386dbe61c0fb11c15341160d2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\MsDxClient.exe	MsDxClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDxClient.exe	MsDxClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDxClient.exe	MsDxClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDxClient.exe	MsDxClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDxClient.exe	MsDxClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDxClient.exe	MsDxClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDxClient.exe	MsDxClient.exe
File created	C:\Windows\SysWOW64\MsDxClient.exe	MsDxClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDxClient.exe	MsDxClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDxClient.exe	MsDxClient.exe
File created	C:\Windows\SysWOW64\MsDxClient.exe	MsDxClient.exe
File created	C:\Windows\SysWOW64\MsDxClient.exe	MsDxClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDxClient.exe	MsDxClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDxClient.exe	MsDxClient.exe
File created	C:\Windows\SysWOW64\MsDxClient.exe	MsDxClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDxClient.exe	MsDxClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDxClient.exe	MsDxClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDxClient.exe	MsDxClient.exe
File created	C:\Windows\SysWOW64\MsDxClient.exe	MsDxClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDxClient.exe	MsDxClient.exe
File created	C:\Windows\SysWOW64\MsDxClient.exe	MsDxClient.exe
File created	C:\Windows\SysWOW64\MsDxClient.exe	MsDxClient.exe
File created	C:\Windows\SysWOW64\MsDxClient.exe	MsDxClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDxClient.exe	MsDxClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDxClient.exe	MsDxClient.exe

Suspicious use of SetThreadContext 29 IoCs

description	pid	Process	procid_target
PID 1920 set thread context of 1204	1920	d20fe74386dbe61c0fb11c15341160d2_JaffaCakes118.exe	30
PID 2700 set thread context of 2844	2700	MsDxClient.exe	32
PID 2732 set thread context of 2952	2732	MsDxClient.exe	34
PID 2288 set thread context of 676	2288	MsDxClient.exe	37
PID 2932 set thread context of 2604	2932	MsDxClient.exe	39
PID 768 set thread context of 1828	768	MsDxClient.exe	41
PID 1916 set thread context of 2116	1916	MsDxClient.exe	43
PID 704 set thread context of 1160	704	MsDxClient.exe	45
PID 612 set thread context of 1380	612	MsDxClient.exe	47
PID 1108 set thread context of 1032	1108	MsDxClient.exe	49
PID 2280 set thread context of 1068	2280	MsDxClient.exe	51
PID 1608 set thread context of 3052	1608	MsDxClient.exe	53
PID 1964 set thread context of 2820	1964	MsDxClient.exe	55
PID 2784 set thread context of 2492	2784	MsDxClient.exe	57
PID 2276 set thread context of 596	2276	MsDxClient.exe	59
PID 2676 set thread context of 2912	2676	MsDxClient.exe	61
PID 764 set thread context of 840	764	MsDxClient.exe	63
PID 2096 set thread context of 2360	2096	MsDxClient.exe	65
PID 2160 set thread context of 1368	2160	MsDxClient.exe	67
PID 2572 set thread context of 960	2572	MsDxClient.exe	69
PID 1912 set thread context of 2452	1912	MsDxClient.exe	71
PID 1856 set thread context of 2408	1856	MsDxClient.exe	73
PID 2136 set thread context of 1612	2136	MsDxClient.exe	75
PID 2328 set thread context of 3036	2328	MsDxClient.exe	77
PID 2740 set thread context of 2992	2740	MsDxClient.exe	79
PID 2776 set thread context of 2728	2776	MsDxClient.exe	81
PID 2312 set thread context of 2752	2312	MsDxClient.exe	83
PID 2268 set thread context of 1172	2268	MsDxClient.exe	85
PID 2956 set thread context of 2636	2956	MsDxClient.exe	87

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 57 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d20fe74386dbe61c0fb11c15341160d2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d20fe74386dbe61c0fb11c15341160d2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDxClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDxClient.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
1204	d20fe74386dbe61c0fb11c15341160d2_JaffaCakes118.exe
2844	MsDxClient.exe
2952	MsDxClient.exe
676	MsDxClient.exe
2604	MsDxClient.exe
1828	MsDxClient.exe
2116	MsDxClient.exe
1160	MsDxClient.exe
1380	MsDxClient.exe
1032	MsDxClient.exe
1068	MsDxClient.exe
3052	MsDxClient.exe
2820	MsDxClient.exe
2492	MsDxClient.exe
596	MsDxClient.exe
2912	MsDxClient.exe
840	MsDxClient.exe
2360	MsDxClient.exe
1368	MsDxClient.exe
960	MsDxClient.exe
2452	MsDxClient.exe
2408	MsDxClient.exe
1612	MsDxClient.exe
3036	MsDxClient.exe
2992	MsDxClient.exe
2728	MsDxClient.exe
2752	MsDxClient.exe
1172	MsDxClient.exe
2636	MsDxClient.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 1204	1920	d20fe74386dbe61c0fb11c15341160d2_JaffaCakes118.exe	30
PID 1920 wrote to memory of 1204	1920	d20fe74386dbe61c0fb11c15341160d2_JaffaCakes118.exe	30
PID 1920 wrote to memory of 1204	1920	d20fe74386dbe61c0fb11c15341160d2_JaffaCakes118.exe	30
PID 1920 wrote to memory of 1204	1920	d20fe74386dbe61c0fb11c15341160d2_JaffaCakes118.exe	30
PID 1920 wrote to memory of 1204	1920	d20fe74386dbe61c0fb11c15341160d2_JaffaCakes118.exe	30
PID 1920 wrote to memory of 1204	1920	d20fe74386dbe61c0fb11c15341160d2_JaffaCakes118.exe	30
PID 1920 wrote to memory of 1204	1920	d20fe74386dbe61c0fb11c15341160d2_JaffaCakes118.exe	30
PID 1204 wrote to memory of 2700	1204	d20fe74386dbe61c0fb11c15341160d2_JaffaCakes118.exe	31
PID 1204 wrote to memory of 2700	1204	d20fe74386dbe61c0fb11c15341160d2_JaffaCakes118.exe	31
PID 1204 wrote to memory of 2700	1204	d20fe74386dbe61c0fb11c15341160d2_JaffaCakes118.exe	31
PID 1204 wrote to memory of 2700	1204	d20fe74386dbe61c0fb11c15341160d2_JaffaCakes118.exe	31
PID 2700 wrote to memory of 2844	2700	MsDxClient.exe	32
PID 2700 wrote to memory of 2844	2700	MsDxClient.exe	32
PID 2700 wrote to memory of 2844	2700	MsDxClient.exe	32
PID 2700 wrote to memory of 2844	2700	MsDxClient.exe	32
PID 2700 wrote to memory of 2844	2700	MsDxClient.exe	32
PID 2700 wrote to memory of 2844	2700	MsDxClient.exe	32
PID 2700 wrote to memory of 2844	2700	MsDxClient.exe	32
PID 2844 wrote to memory of 2732	2844	MsDxClient.exe	33
PID 2844 wrote to memory of 2732	2844	MsDxClient.exe	33
PID 2844 wrote to memory of 2732	2844	MsDxClient.exe	33
PID 2844 wrote to memory of 2732	2844	MsDxClient.exe	33
PID 2732 wrote to memory of 2952	2732	MsDxClient.exe	34
PID 2732 wrote to memory of 2952	2732	MsDxClient.exe	34
PID 2732 wrote to memory of 2952	2732	MsDxClient.exe	34
PID 2732 wrote to memory of 2952	2732	MsDxClient.exe	34
PID 2732 wrote to memory of 2952	2732	MsDxClient.exe	34
PID 2732 wrote to memory of 2952	2732	MsDxClient.exe	34
PID 2732 wrote to memory of 2952	2732	MsDxClient.exe	34
PID 2952 wrote to memory of 2288	2952	MsDxClient.exe	36
PID 2952 wrote to memory of 2288	2952	MsDxClient.exe	36
PID 2952 wrote to memory of 2288	2952	MsDxClient.exe	36
PID 2952 wrote to memory of 2288	2952	MsDxClient.exe	36
PID 2288 wrote to memory of 676	2288	MsDxClient.exe	37
PID 2288 wrote to memory of 676	2288	MsDxClient.exe	37
PID 2288 wrote to memory of 676	2288	MsDxClient.exe	37
PID 2288 wrote to memory of 676	2288	MsDxClient.exe	37
PID 2288 wrote to memory of 676	2288	MsDxClient.exe	37
PID 2288 wrote to memory of 676	2288	MsDxClient.exe	37
PID 2288 wrote to memory of 676	2288	MsDxClient.exe	37
PID 676 wrote to memory of 2932	676	MsDxClient.exe	38
PID 676 wrote to memory of 2932	676	MsDxClient.exe	38
PID 676 wrote to memory of 2932	676	MsDxClient.exe	38
PID 676 wrote to memory of 2932	676	MsDxClient.exe	38
PID 2932 wrote to memory of 2604	2932	MsDxClient.exe	39
PID 2932 wrote to memory of 2604	2932	MsDxClient.exe	39
PID 2932 wrote to memory of 2604	2932	MsDxClient.exe	39
PID 2932 wrote to memory of 2604	2932	MsDxClient.exe	39
PID 2932 wrote to memory of 2604	2932	MsDxClient.exe	39
PID 2932 wrote to memory of 2604	2932	MsDxClient.exe	39
PID 2932 wrote to memory of 2604	2932	MsDxClient.exe	39
PID 2604 wrote to memory of 768	2604	MsDxClient.exe	40
PID 2604 wrote to memory of 768	2604	MsDxClient.exe	40
PID 2604 wrote to memory of 768	2604	MsDxClient.exe	40
PID 2604 wrote to memory of 768	2604	MsDxClient.exe	40
PID 768 wrote to memory of 1828	768	MsDxClient.exe	41
PID 768 wrote to memory of 1828	768	MsDxClient.exe	41
PID 768 wrote to memory of 1828	768	MsDxClient.exe	41
PID 768 wrote to memory of 1828	768	MsDxClient.exe	41
PID 768 wrote to memory of 1828	768	MsDxClient.exe	41
PID 768 wrote to memory of 1828	768	MsDxClient.exe	41
PID 768 wrote to memory of 1828	768	MsDxClient.exe	41
PID 1828 wrote to memory of 1916	1828	MsDxClient.exe	42
PID 1828 wrote to memory of 1916	1828	MsDxClient.exe	42

C:\Users\Admin\AppData\Local\Temp\d20fe74386dbe61c0fb11c15341160d2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d20fe74386dbe61c0fb11c15341160d2_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Users\Admin\AppData\Local\Temp\d20fe74386dbe61c0fb11c15341160d2_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\d20fe74386dbe61c0fb11c15341160d2_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Windows\SysWOW64\MsDxClient.exe
    "C:\Windows\system32\MsDxClient.exe" C:\Users\Admin\AppData\Local\Temp\D20FE7~1.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Windows\SysWOW64\MsDxClient.exe
      "C:\Windows\SysWOW64\MsDxClient.exe" C:\Users\Admin\AppData\Local\Temp\D20FE7~1.EXE
      4⤵
      Deletes itself
      Executes dropped EXE
      Loads dropped DLL
      Maps connected drives based on registry
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2844
    - - C:\Windows\SysWOW64\MsDxClient.exe
        
        "C:\Windows\system32\MsDxClient.exe" C:\Windows\SysWOW64\MSDXCL~1.EXE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2732
      - C:\Windows\SysWOW64\MsDxClient.exe
        
        "C:\Windows\SysWOW64\MsDxClient.exe" C:\Windows\SysWOW64\MSDXCL~1.EXE
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\MsDxClient.exe
        
        "C:\Windows\system32\MsDxClient.exe" C:\Windows\SysWOW64\MSDXCL~1.EXE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\MsDxClient.exe
        
        "C:\Windows\SysWOW64\MsDxClient.exe" C:\Windows\SysWOW64\MSDXCL~1.EXE
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:676
        
        C:\Windows\SysWOW64\MsDxClient.exe
        
        "C:\Windows\system32\MsDxClient.exe" C:\Windows\SysWOW64\MSDXCL~1.EXE
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\MsDxClient.exe
        
        "C:\Windows\SysWOW64\MsDxClient.exe" C:\Windows\SysWOW64\MSDXCL~1.EXE
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\SysWOW64\MsDxClient.exe
        
        "C:\Windows\system32\MsDxClient.exe" C:\Windows\SysWOW64\MSDXCL~1.EXE
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\SysWOW64\MsDxClient.exe
        
        "C:\Windows\SysWOW64\MsDxClient.exe" C:\Windows\SysWOW64\MSDXCL~1.EXE
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        C:\Windows\SysWOW64\MsDxClient.exe
        
        "C:\Windows\system32\MsDxClient.exe" C:\Windows\SysWOW64\MSDXCL~1.EXE
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1916
        
        C:\Windows\SysWOW64\MsDxClient.exe
        
        "C:\Windows\SysWOW64\MsDxClient.exe" C:\Windows\SysWOW64\MSDXCL~1.EXE
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2116
        
        C:\Windows\SysWOW64\MsDxClient.exe
        
        "C:\Windows\system32\MsDxClient.exe" C:\Windows\SysWOW64\MSDXCL~1.EXE
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:704
        
        C:\Windows\SysWOW64\MsDxClient.exe
        
        "C:\Windows\SysWOW64\MsDxClient.exe" C:\Windows\SysWOW64\MSDXCL~1.EXE
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1160
        
        C:\Windows\SysWOW64\MsDxClient.exe
        
        "C:\Windows\system32\MsDxClient.exe" C:\Windows\SysWOW64\MSDXCL~1.EXE
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:612
        
        C:\Windows\SysWOW64\MsDxClient.exe
        
        "C:\Windows\SysWOW64\MsDxClient.exe" C:\Windows\SysWOW64\MSDXCL~1.EXE
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1380
        
        C:\Windows\SysWOW64\MsDxClient.exe
        
        "C:\Windows\system32\MsDxClient.exe" C:\Windows\SysWOW64\MSDXCL~1.EXE
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1108
        
        C:\Windows\SysWOW64\MsDxClient.exe
        
        "C:\Windows\SysWOW64\MsDxClient.exe" C:\Windows\SysWOW64\MSDXCL~1.EXE
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1032
        
        C:\Windows\SysWOW64\MsDxClient.exe
        
        "C:\Windows\system32\MsDxClient.exe" C:\Windows\SysWOW64\MSDXCL~1.EXE
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Windows\SysWOW64\MsDxClient.exe
        
        "C:\Windows\SysWOW64\MsDxClient.exe" C:\Windows\SysWOW64\MSDXCL~1.EXE
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1068
        
        C:\Windows\SysWOW64\MsDxClient.exe
        
        "C:\Windows\system32\MsDxClient.exe" C:\Windows\SysWOW64\MSDXCL~1.EXE
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        C:\Windows\SysWOW64\MsDxClient.exe
        
        "C:\Windows\SysWOW64\MsDxClient.exe" C:\Windows\SysWOW64\MSDXCL~1.EXE
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3052
        
        C:\Windows\SysWOW64\MsDxClient.exe
        
        "C:\Windows\system32\MsDxClient.exe" C:\Windows\SysWOW64\MSDXCL~1.EXE
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1964
        
        C:\Windows\SysWOW64\MsDxClient.exe
        
        "C:\Windows\SysWOW64\MsDxClient.exe" C:\Windows\SysWOW64\MSDXCL~1.EXE
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2820
        
        C:\Windows\SysWOW64\MsDxClient.exe
        
        "C:\Windows\system32\MsDxClient.exe" C:\Windows\SysWOW64\MSDXCL~1.EXE
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\Windows\SysWOW64\MsDxClient.exe
        
        "C:\Windows\SysWOW64\MsDxClient.exe" C:\Windows\SysWOW64\MSDXCL~1.EXE
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2492
        
        C:\Windows\SysWOW64\MsDxClient.exe
        
        "C:\Windows\system32\MsDxClient.exe" C:\Windows\SysWOW64\MSDXCL~1.EXE
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2276
        
        C:\Windows\SysWOW64\MsDxClient.exe
        
        "C:\Windows\SysWOW64\MsDxClient.exe" C:\Windows\SysWOW64\MSDXCL~1.EXE
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:596
        
        C:\Windows\SysWOW64\MsDxClient.exe
        
        "C:\Windows\system32\MsDxClient.exe" C:\Windows\SysWOW64\MSDXCL~1.EXE
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Windows\SysWOW64\MsDxClient.exe
        
        "C:\Windows\SysWOW64\MsDxClient.exe" C:\Windows\SysWOW64\MSDXCL~1.EXE
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2912
        
        C:\Windows\SysWOW64\MsDxClient.exe
        
        "C:\Windows\system32\MsDxClient.exe" C:\Windows\SysWOW64\MSDXCL~1.EXE
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:764
        
        C:\Windows\SysWOW64\MsDxClient.exe
        
        "C:\Windows\SysWOW64\MsDxClient.exe" C:\Windows\SysWOW64\MSDXCL~1.EXE
        34⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:840
        
        C:\Windows\SysWOW64\MsDxClient.exe
        
        "C:\Windows\system32\MsDxClient.exe" C:\Windows\SysWOW64\MSDXCL~1.EXE
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Windows\SysWOW64\MsDxClient.exe
        
        "C:\Windows\SysWOW64\MsDxClient.exe" C:\Windows\SysWOW64\MSDXCL~1.EXE
        36⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2360
        
        C:\Windows\SysWOW64\MsDxClient.exe
        
        "C:\Windows\system32\MsDxClient.exe" C:\Windows\SysWOW64\MSDXCL~1.EXE
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2160
        
        C:\Windows\SysWOW64\MsDxClient.exe
        
        "C:\Windows\SysWOW64\MsDxClient.exe" C:\Windows\SysWOW64\MSDXCL~1.EXE
        38⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1368
        
        C:\Windows\SysWOW64\MsDxClient.exe
        
        "C:\Windows\system32\MsDxClient.exe" C:\Windows\SysWOW64\MSDXCL~1.EXE
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2572
        
        C:\Windows\SysWOW64\MsDxClient.exe
        
        "C:\Windows\SysWOW64\MsDxClient.exe" C:\Windows\SysWOW64\MSDXCL~1.EXE
        40⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:960
        
        C:\Windows\SysWOW64\MsDxClient.exe
        
        "C:\Windows\system32\MsDxClient.exe" C:\Windows\SysWOW64\MSDXCL~1.EXE
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1912
        
        C:\Windows\SysWOW64\MsDxClient.exe
        
        "C:\Windows\SysWOW64\MsDxClient.exe" C:\Windows\SysWOW64\MSDXCL~1.EXE
        42⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2452
        
        C:\Windows\SysWOW64\MsDxClient.exe
        
        "C:\Windows\system32\MsDxClient.exe" C:\Windows\SysWOW64\MSDXCL~1.EXE
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1856
        
        C:\Windows\SysWOW64\MsDxClient.exe
        
        "C:\Windows\SysWOW64\MsDxClient.exe" C:\Windows\SysWOW64\MSDXCL~1.EXE
        44⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2408
        
        C:\Windows\SysWOW64\MsDxClient.exe
        
        "C:\Windows\system32\MsDxClient.exe" C:\Windows\SysWOW64\MSDXCL~1.EXE
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Windows\SysWOW64\MsDxClient.exe
        
        "C:\Windows\SysWOW64\MsDxClient.exe" C:\Windows\SysWOW64\MSDXCL~1.EXE
        46⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1612
        
        C:\Windows\SysWOW64\MsDxClient.exe
        
        "C:\Windows\system32\MsDxClient.exe" C:\Windows\SysWOW64\MSDXCL~1.EXE
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        C:\Windows\SysWOW64\MsDxClient.exe
        
        "C:\Windows\SysWOW64\MsDxClient.exe" C:\Windows\SysWOW64\MSDXCL~1.EXE
        48⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3036
        
        C:\Windows\SysWOW64\MsDxClient.exe
        
        "C:\Windows\system32\MsDxClient.exe" C:\Windows\SysWOW64\MSDXCL~1.EXE
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2740
        
        C:\Windows\SysWOW64\MsDxClient.exe
        
        "C:\Windows\SysWOW64\MsDxClient.exe" C:\Windows\SysWOW64\MSDXCL~1.EXE
        50⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2992
        
        C:\Windows\SysWOW64\MsDxClient.exe
        
        "C:\Windows\system32\MsDxClient.exe" C:\Windows\SysWOW64\MSDXCL~1.EXE
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\SysWOW64\MsDxClient.exe
        
        "C:\Windows\SysWOW64\MsDxClient.exe" C:\Windows\SysWOW64\MSDXCL~1.EXE
        52⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2728
        
        C:\Windows\SysWOW64\MsDxClient.exe
        
        "C:\Windows\system32\MsDxClient.exe" C:\Windows\SysWOW64\MSDXCL~1.EXE
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2312
        
        C:\Windows\SysWOW64\MsDxClient.exe
        
        "C:\Windows\SysWOW64\MsDxClient.exe" C:\Windows\SysWOW64\MSDXCL~1.EXE
        54⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2752
        
        C:\Windows\SysWOW64\MsDxClient.exe
        
        "C:\Windows\system32\MsDxClient.exe" C:\Windows\SysWOW64\MSDXCL~1.EXE
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Windows\SysWOW64\MsDxClient.exe
        
        "C:\Windows\SysWOW64\MsDxClient.exe" C:\Windows\SysWOW64\MSDXCL~1.EXE
        56⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1172
        
        C:\Windows\SysWOW64\MsDxClient.exe
        
        "C:\Windows\system32\MsDxClient.exe" C:\Windows\SysWOW64\MSDXCL~1.EXE
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Windows\SysWOW64\MsDxClient.exe
        
        "C:\Windows\SysWOW64\MsDxClient.exe" C:\Windows\SysWOW64\MSDXCL~1.EXE
        58⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\MsDxClient.exe

Filesize
206KB

MD5
d20fe74386dbe61c0fb11c15341160d2

SHA1
38403239a431496a95f79eb1587d40ca2f430122

SHA256
1929eb51be7d02cf66186eb172b4df9a04cd4cd5a278e42e784628febe0aea09

SHA512
f2f7f5bc1d5eda12ae5875973bcccf1fa06a6102ac70b3570cf4ece18354b6f2b5e7af4fe71e370b26081565f40c51906c926fe1a0520befa6a5a8f582554cb5

Download Submit
memory/596-249-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/676-73-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/840-274-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/960-311-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1032-170-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1068-186-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1160-137-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1172-407-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1204-22-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1204-0-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1204-2-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1204-4-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1204-6-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1204-7-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1204-9-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1204-8-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1204-3-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1368-295-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1368-299-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1380-153-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1612-347-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1828-98-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1828-104-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1828-97-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2116-121-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2360-286-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2408-335-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2452-323-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2492-228-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2492-237-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2604-82-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2604-83-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2604-87-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2728-383-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2752-395-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2820-219-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2844-32-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2844-40-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2844-31-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2844-33-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2844-34-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2912-262-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2912-257-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2952-57-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2952-51-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2992-371-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3036-359-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3052-203-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download