metasploit | 905d3ef8ccef644ebb75dfd2c6581e60f160f45c48690a6fd44e2a59529e9c36

Analysis

max time kernel
149s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15-09-2024 02:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e189feb2abd4f0705dd9857e1ef3d011_JaffaCakes118.exe
Size

173KB
MD5

e189feb2abd4f0705dd9857e1ef3d011
SHA1

0bf9cdf7d76ff16330aeb500635ec6dc6c2b9fee
SHA256

905d3ef8ccef644ebb75dfd2c6581e60f160f45c48690a6fd44e2a59529e9c36
SHA512

de82b6baf6fcd7708919d8f34078ae9e553be9b79cdef11e3cf060a8c727e0571be6a6be4d531db94908684e46b7396c5f773e6b95cf157fed4f6328410de642
SSDEEP

3072:lCH44oraCJ/+rzxc3N80h/B+chaZi+VST3c1KxIn+DoR/E6atw3kJeN46kSGJ:t4o5Q480h/MucwLc1KxI+Ehd0em7

Score

10^/10

metasploit backdoor discovery trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Checks computer location settings 2 TTPs 36 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	MsPfClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	MsPfClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	MsPfClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	MsPfClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	MsPfClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	MsPfClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	MsPfClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	MsPfClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	e189feb2abd4f0705dd9857e1ef3d011_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	MsPfClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	MsPfClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	MsPfClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	MsPfClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	MsPfClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	MsPfClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	MsPfClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	MsPfClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	MsPfClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	MsPfClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	MsPfClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	MsPfClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	MsPfClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	MsPfClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	MsPfClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	MsPfClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	MsPfClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	MsPfClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	MsPfClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	MsPfClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	MsPfClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	MsPfClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	MsPfClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	MsPfClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	MsPfClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	MsPfClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	MsPfClient.exe

Deletes itself 1 IoCs

pid	Process
4548	MsPfClient.exe

Executes dropped EXE 64 IoCs

pid	Process
2900	MsPfClient.exe
4548	MsPfClient.exe
1832	MsPfClient.exe
3992	MsPfClient.exe
1636	MsPfClient.exe
1516	MsPfClient.exe
3500	MsPfClient.exe
4368	MsPfClient.exe
1912	MsPfClient.exe
2176	MsPfClient.exe
2432	MsPfClient.exe
664	MsPfClient.exe
1256	MsPfClient.exe
828	MsPfClient.exe
4628	MsPfClient.exe
1412	MsPfClient.exe
4540	MsPfClient.exe
756	MsPfClient.exe
1140	MsPfClient.exe
2736	MsPfClient.exe
3916	MsPfClient.exe
2776	MsPfClient.exe
2012	MsPfClient.exe
2276	MsPfClient.exe
1240	MsPfClient.exe
5096	MsPfClient.exe
2980	MsPfClient.exe
4964	MsPfClient.exe
3184	MsPfClient.exe
4300	MsPfClient.exe
4840	MsPfClient.exe
4784	MsPfClient.exe
1884	MsPfClient.exe
1504	MsPfClient.exe
2156	MsPfClient.exe
2024	MsPfClient.exe
804	MsPfClient.exe
4360	MsPfClient.exe
3612	MsPfClient.exe
4628	MsPfClient.exe
3452	MsPfClient.exe
4928	MsPfClient.exe
2376	MsPfClient.exe
4072	MsPfClient.exe
3960	MsPfClient.exe
4228	MsPfClient.exe
2688	MsPfClient.exe
2988	MsPfClient.exe
1348	MsPfClient.exe
4380	MsPfClient.exe
2596	MsPfClient.exe
1812	MsPfClient.exe
4144	MsPfClient.exe
1908	MsPfClient.exe
3808	MsPfClient.exe
4416	MsPfClient.exe
4740	MsPfClient.exe
1408	MsPfClient.exe
2628	MsPfClient.exe
8	MsPfClient.exe
5000	MsPfClient.exe
3836	MsPfClient.exe
692	MsPfClient.exe
4776	MsPfClient.exe

UPX packed file 46 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/444-0-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/444-2-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/444-3-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/444-4-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/444-40-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/4548-44-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/4548-46-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/4548-45-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/4548-48-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/3992-55-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1516-62-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/4368-70-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/2176-76-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/664-82-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/664-86-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/828-92-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1412-97-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1412-98-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1412-101-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/756-108-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/2736-114-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/2776-121-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/2276-131-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/5096-139-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/4964-147-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/4300-156-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/4784-164-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1504-172-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/2024-180-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/4360-188-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/4628-197-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/4928-205-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/4072-213-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/4228-220-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/2988-226-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/4380-232-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1812-238-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1908-244-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/4416-250-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1408-256-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/8-262-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/3836-268-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/4776-274-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/4816-280-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1652-286-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/2128-292-0x0000000000400000-0x000000000046B000-memory.dmp	upx

Maps connected drives based on registry 3 TTPs 64 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPfClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPfClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPfClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPfClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPfClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPfClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPfClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPfClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPfClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPfClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPfClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPfClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPfClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPfClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPfClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPfClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPfClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPfClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPfClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPfClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPfClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPfClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPfClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPfClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPfClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPfClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPfClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPfClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPfClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPfClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPfClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPfClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPfClient.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File created	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File created	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File created	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File created	C:\Windows\SysWOW64\MsPfClient.exe	e189feb2abd4f0705dd9857e1ef3d011_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File created	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File created	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File created	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File created	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File created	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File created	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File created	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File created	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File created	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File created	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File created	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File created	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File created	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File created	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File created	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File created	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File created	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File created	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File created	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File created	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File created	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File created	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File created	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File created	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File created	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File created	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPfClient.exe	e189feb2abd4f0705dd9857e1ef3d011_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File created	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe
File created	C:\Windows\SysWOW64\MsPfClient.exe	MsPfClient.exe

Suspicious use of SetThreadContext 37 IoCs

description	pid	Process	procid_target
PID 3492 set thread context of 444	3492	e189feb2abd4f0705dd9857e1ef3d011_JaffaCakes118.exe	86
PID 2900 set thread context of 4548	2900	MsPfClient.exe	93
PID 1832 set thread context of 3992	1832	MsPfClient.exe	96
PID 1636 set thread context of 1516	1636	MsPfClient.exe	100
PID 3500 set thread context of 4368	3500	MsPfClient.exe	102
PID 1912 set thread context of 2176	1912	MsPfClient.exe	104
PID 2432 set thread context of 664	2432	MsPfClient.exe	106
PID 1256 set thread context of 828	1256	MsPfClient.exe	108
PID 4628 set thread context of 1412	4628	MsPfClient.exe	112
PID 4540 set thread context of 756	4540	MsPfClient.exe	114
PID 1140 set thread context of 2736	1140	MsPfClient.exe	116
PID 3916 set thread context of 2776	3916	MsPfClient.exe	118
PID 2012 set thread context of 2276	2012	MsPfClient.exe	120
PID 1240 set thread context of 5096	1240	MsPfClient.exe	122
PID 2980 set thread context of 4964	2980	MsPfClient.exe	124
PID 3184 set thread context of 4300	3184	MsPfClient.exe	126
PID 4840 set thread context of 4784	4840	MsPfClient.exe	128
PID 1884 set thread context of 1504	1884	MsPfClient.exe	130
PID 2156 set thread context of 2024	2156	MsPfClient.exe	132
PID 804 set thread context of 4360	804	MsPfClient.exe	134
PID 3612 set thread context of 4628	3612	MsPfClient.exe	136
PID 3452 set thread context of 4928	3452	MsPfClient.exe	138
PID 2376 set thread context of 4072	2376	MsPfClient.exe	140
PID 3960 set thread context of 4228	3960	MsPfClient.exe	142
PID 2688 set thread context of 2988	2688	MsPfClient.exe	144
PID 1348 set thread context of 4380	1348	MsPfClient.exe	146
PID 2596 set thread context of 1812	2596	MsPfClient.exe	148
PID 4144 set thread context of 1908	4144	MsPfClient.exe	150
PID 3808 set thread context of 4416	3808	MsPfClient.exe	152
PID 4740 set thread context of 1408	4740	MsPfClient.exe	154
PID 2628 set thread context of 8	2628	MsPfClient.exe	156
PID 5000 set thread context of 3836	5000	MsPfClient.exe	158
PID 692 set thread context of 4776	692	MsPfClient.exe	160
PID 4120 set thread context of 4816	4120	MsPfClient.exe	162
PID 4956 set thread context of 1652	4956	MsPfClient.exe	164
PID 4188 set thread context of 2128	4188	MsPfClient.exe	166
PID 2212 set thread context of 5068	2212	MsPfClient.exe	168

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e189feb2abd4f0705dd9857e1ef3d011_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e189feb2abd4f0705dd9857e1ef3d011_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPfClient.exe

Modifies registry class 36 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPfClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPfClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPfClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPfClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPfClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPfClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPfClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPfClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPfClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPfClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPfClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPfClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPfClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPfClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPfClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPfClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPfClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPfClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPfClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPfClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPfClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPfClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPfClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPfClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPfClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	e189feb2abd4f0705dd9857e1ef3d011_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPfClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPfClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPfClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPfClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPfClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPfClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPfClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPfClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPfClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPfClient.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3492 wrote to memory of 444	3492	e189feb2abd4f0705dd9857e1ef3d011_JaffaCakes118.exe	86
PID 3492 wrote to memory of 444	3492	e189feb2abd4f0705dd9857e1ef3d011_JaffaCakes118.exe	86
PID 3492 wrote to memory of 444	3492	e189feb2abd4f0705dd9857e1ef3d011_JaffaCakes118.exe	86
PID 3492 wrote to memory of 444	3492	e189feb2abd4f0705dd9857e1ef3d011_JaffaCakes118.exe	86
PID 3492 wrote to memory of 444	3492	e189feb2abd4f0705dd9857e1ef3d011_JaffaCakes118.exe	86
PID 3492 wrote to memory of 444	3492	e189feb2abd4f0705dd9857e1ef3d011_JaffaCakes118.exe	86
PID 3492 wrote to memory of 444	3492	e189feb2abd4f0705dd9857e1ef3d011_JaffaCakes118.exe	86
PID 444 wrote to memory of 2900	444	e189feb2abd4f0705dd9857e1ef3d011_JaffaCakes118.exe	90
PID 444 wrote to memory of 2900	444	e189feb2abd4f0705dd9857e1ef3d011_JaffaCakes118.exe	90
PID 444 wrote to memory of 2900	444	e189feb2abd4f0705dd9857e1ef3d011_JaffaCakes118.exe	90
PID 2900 wrote to memory of 4548	2900	MsPfClient.exe	93
PID 2900 wrote to memory of 4548	2900	MsPfClient.exe	93
PID 2900 wrote to memory of 4548	2900	MsPfClient.exe	93
PID 2900 wrote to memory of 4548	2900	MsPfClient.exe	93
PID 2900 wrote to memory of 4548	2900	MsPfClient.exe	93
PID 2900 wrote to memory of 4548	2900	MsPfClient.exe	93
PID 2900 wrote to memory of 4548	2900	MsPfClient.exe	93
PID 4548 wrote to memory of 1832	4548	MsPfClient.exe	95
PID 4548 wrote to memory of 1832	4548	MsPfClient.exe	95
PID 4548 wrote to memory of 1832	4548	MsPfClient.exe	95
PID 1832 wrote to memory of 3992	1832	MsPfClient.exe	96
PID 1832 wrote to memory of 3992	1832	MsPfClient.exe	96
PID 1832 wrote to memory of 3992	1832	MsPfClient.exe	96
PID 1832 wrote to memory of 3992	1832	MsPfClient.exe	96
PID 1832 wrote to memory of 3992	1832	MsPfClient.exe	96
PID 1832 wrote to memory of 3992	1832	MsPfClient.exe	96
PID 1832 wrote to memory of 3992	1832	MsPfClient.exe	96
PID 3992 wrote to memory of 1636	3992	MsPfClient.exe	99
PID 3992 wrote to memory of 1636	3992	MsPfClient.exe	99
PID 3992 wrote to memory of 1636	3992	MsPfClient.exe	99
PID 1636 wrote to memory of 1516	1636	MsPfClient.exe	100
PID 1636 wrote to memory of 1516	1636	MsPfClient.exe	100
PID 1636 wrote to memory of 1516	1636	MsPfClient.exe	100
PID 1636 wrote to memory of 1516	1636	MsPfClient.exe	100
PID 1636 wrote to memory of 1516	1636	MsPfClient.exe	100
PID 1636 wrote to memory of 1516	1636	MsPfClient.exe	100
PID 1636 wrote to memory of 1516	1636	MsPfClient.exe	100
PID 1516 wrote to memory of 3500	1516	MsPfClient.exe	101
PID 1516 wrote to memory of 3500	1516	MsPfClient.exe	101
PID 1516 wrote to memory of 3500	1516	MsPfClient.exe	101
PID 3500 wrote to memory of 4368	3500	MsPfClient.exe	102
PID 3500 wrote to memory of 4368	3500	MsPfClient.exe	102
PID 3500 wrote to memory of 4368	3500	MsPfClient.exe	102
PID 3500 wrote to memory of 4368	3500	MsPfClient.exe	102
PID 3500 wrote to memory of 4368	3500	MsPfClient.exe	102
PID 3500 wrote to memory of 4368	3500	MsPfClient.exe	102
PID 3500 wrote to memory of 4368	3500	MsPfClient.exe	102
PID 4368 wrote to memory of 1912	4368	MsPfClient.exe	103
PID 4368 wrote to memory of 1912	4368	MsPfClient.exe	103
PID 4368 wrote to memory of 1912	4368	MsPfClient.exe	103
PID 1912 wrote to memory of 2176	1912	MsPfClient.exe	104
PID 1912 wrote to memory of 2176	1912	MsPfClient.exe	104
PID 1912 wrote to memory of 2176	1912	MsPfClient.exe	104
PID 1912 wrote to memory of 2176	1912	MsPfClient.exe	104
PID 1912 wrote to memory of 2176	1912	MsPfClient.exe	104
PID 1912 wrote to memory of 2176	1912	MsPfClient.exe	104
PID 1912 wrote to memory of 2176	1912	MsPfClient.exe	104
PID 2176 wrote to memory of 2432	2176	MsPfClient.exe	105
PID 2176 wrote to memory of 2432	2176	MsPfClient.exe	105
PID 2176 wrote to memory of 2432	2176	MsPfClient.exe	105
PID 2432 wrote to memory of 664	2432	MsPfClient.exe	106
PID 2432 wrote to memory of 664	2432	MsPfClient.exe	106
PID 2432 wrote to memory of 664	2432	MsPfClient.exe	106
PID 2432 wrote to memory of 664	2432	MsPfClient.exe	106

C:\Users\Admin\AppData\Local\Temp\e189feb2abd4f0705dd9857e1ef3d011_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e189feb2abd4f0705dd9857e1ef3d011_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3492
- C:\Users\Admin\AppData\Local\Temp\e189feb2abd4f0705dd9857e1ef3d011_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e189feb2abd4f0705dd9857e1ef3d011_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:444
- - C:\Windows\SysWOW64\MsPfClient.exe
    "C:\Windows\system32\MsPfClient.exe" C:\Users\Admin\AppData\Local\Temp\E189FE~1.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Windows\SysWOW64\MsPfClient.exe
      "C:\Windows\SysWOW64\MsPfClient.exe" C:\Users\Admin\AppData\Local\Temp\E189FE~1.EXE
      4⤵
      Checks computer location settings
      Deletes itself
      Executes dropped EXE
      Maps connected drives based on registry
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4548
    - - C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\system32\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1832
      - C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\SysWOW64\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\system32\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\SysWOW64\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\system32\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3500
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\SysWOW64\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\system32\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\SysWOW64\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\system32\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\SysWOW64\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:664
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\system32\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1256
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\SysWOW64\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:828
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\system32\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4628
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\SysWOW64\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1412
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\system32\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4540
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\SysWOW64\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:756
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\system32\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1140
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\SysWOW64\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2736
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\system32\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3916
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\SysWOW64\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\system32\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\SysWOW64\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\system32\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1240
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\SysWOW64\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\system32\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2980
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\SysWOW64\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4964
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\system32\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3184
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\SysWOW64\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4300
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\system32\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4840
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\SysWOW64\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4784
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\system32\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1884
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\SysWOW64\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1504
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\system32\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\SysWOW64\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\system32\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:804
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\SysWOW64\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\system32\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3612
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\SysWOW64\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4628
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\system32\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3452
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\SysWOW64\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\system32\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\SysWOW64\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4072
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\system32\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3960
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\SysWOW64\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4228
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\system32\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\SysWOW64\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\system32\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1348
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\SysWOW64\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\system32\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2596
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\SysWOW64\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        54⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1812
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\system32\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4144
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\SysWOW64\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        56⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1908
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\system32\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3808
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\SysWOW64\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\system32\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4740
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\SysWOW64\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        60⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1408
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\system32\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\SysWOW64\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        62⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\system32\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5000
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\SysWOW64\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        64⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3836
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\system32\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:692
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\SysWOW64\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        66⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4776
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\system32\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        67⤵
        Suspicious use of SetThreadContext
        
        PID:4120
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\SysWOW64\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        68⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:4816
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\system32\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        69⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4956
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\SysWOW64\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        70⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\system32\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        71⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4188
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\SysWOW64\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        72⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2128
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\system32\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        73⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2212
        
        C:\Windows\SysWOW64\MsPfClient.exe
        
        "C:\Windows\SysWOW64\MsPfClient.exe" C:\Windows\SysWOW64\MSPFCL~1.EXE
        74⤵
        Maps connected drives based on registry
        
        PID:5068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\MsPfClient.exe

Filesize
173KB

MD5
e189feb2abd4f0705dd9857e1ef3d011

SHA1
0bf9cdf7d76ff16330aeb500635ec6dc6c2b9fee

SHA256
905d3ef8ccef644ebb75dfd2c6581e60f160f45c48690a6fd44e2a59529e9c36

SHA512
de82b6baf6fcd7708919d8f34078ae9e553be9b79cdef11e3cf060a8c727e0571be6a6be4d531db94908684e46b7396c5f773e6b95cf157fed4f6328410de642

Download Submit
memory/8-262-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/444-2-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/444-3-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/444-4-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/444-40-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/444-0-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/664-86-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/664-82-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/756-108-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/828-92-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1408-256-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1412-97-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1412-98-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1412-101-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1504-172-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1516-62-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1652-286-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1812-238-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1908-244-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2024-180-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2128-292-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2176-76-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2276-131-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2736-114-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2776-121-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2988-226-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3836-268-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3992-55-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4072-213-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4228-220-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4300-156-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4360-188-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4368-70-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4380-232-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4416-250-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4548-45-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4548-44-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4548-46-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4548-48-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4628-197-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4776-274-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4784-164-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4816-280-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4928-205-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4964-147-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/5096-139-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads