metasploit | ee97763a532f7d56560fd36b3a9eb1a76b762cf2f4162b367bf9decc2bd80bd8

Analysis

max time kernel
149s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/09/2024, 15:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f650f5a24a68da19467a30235be01730_JaffaCakes118.exe
Size

158KB
MD5

f650f5a24a68da19467a30235be01730
SHA1

d4a0a4d034a54061e78750678eb60cb6a073967a
SHA256

ee97763a532f7d56560fd36b3a9eb1a76b762cf2f4162b367bf9decc2bd80bd8
SHA512

3eb35619b8c52809f4e1dc41dbc04083df4696dd72d1a0a0faa887c3f211d11b4f732394f779da6f94699929ce600e66a140f8f5c2650fad8eaa5ce8a0acbb59
SSDEEP

3072:whhb3TpnKnlKKxxr2WG9u+L9kZEiRiRdibdoNb6n3hVSPd/Bg:whhDTy9xr2R9VL9CEkEKONbMVSV/Bg

Score

10^/10

metasploit backdoor discovery trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Checks computer location settings 2 TTPs 37 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	f650f5a24a68da19467a30235be01730_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	MsDbClient.exe

Deletes itself 1 IoCs

pid	Process
1992	MsDbClient.exe

Executes dropped EXE 64 IoCs

pid	Process
3456	MsDbClient.exe
1992	MsDbClient.exe
4080	MsDbClient.exe
680	MsDbClient.exe
2036	MsDbClient.exe
3044	MsDbClient.exe
2088	MsDbClient.exe
2272	MsDbClient.exe
4912	MsDbClient.exe
548	MsDbClient.exe
2984	MsDbClient.exe
2500	MsDbClient.exe
2360	MsDbClient.exe
1456	MsDbClient.exe
3996	MsDbClient.exe
3528	MsDbClient.exe
3860	MsDbClient.exe
216	MsDbClient.exe
2972	MsDbClient.exe
3324	MsDbClient.exe
452	MsDbClient.exe
4784	MsDbClient.exe
756	MsDbClient.exe
4996	MsDbClient.exe
2108	MsDbClient.exe
3560	MsDbClient.exe
888	MsDbClient.exe
5028	MsDbClient.exe
4796	MsDbClient.exe
4204	MsDbClient.exe
3104	MsDbClient.exe
3224	MsDbClient.exe
4112	MsDbClient.exe
2924	MsDbClient.exe
4956	MsDbClient.exe
1576	MsDbClient.exe
1084	MsDbClient.exe
964	MsDbClient.exe
3596	MsDbClient.exe
4620	MsDbClient.exe
1508	MsDbClient.exe
2220	MsDbClient.exe
4564	MsDbClient.exe
4380	MsDbClient.exe
5004	MsDbClient.exe
1812	MsDbClient.exe
3576	MsDbClient.exe
2680	MsDbClient.exe
2304	MsDbClient.exe
60	MsDbClient.exe
2844	MsDbClient.exe
1644	MsDbClient.exe
1448	MsDbClient.exe
2852	MsDbClient.exe
2684	MsDbClient.exe
1184	MsDbClient.exe
456	MsDbClient.exe
4016	MsDbClient.exe
3312	MsDbClient.exe
1112	MsDbClient.exe
1908	MsDbClient.exe
4312	MsDbClient.exe
4372	MsDbClient.exe
244	MsDbClient.exe

Maps connected drives based on registry 3 TTPs 64 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	f650f5a24a68da19467a30235be01730_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	f650f5a24a68da19467a30235be01730_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe

Suspicious use of SetThreadContext 38 IoCs

description	pid	Process	procid_target
PID 1912 set thread context of 2544	1912	f650f5a24a68da19467a30235be01730_JaffaCakes118.exe	82
PID 3456 set thread context of 1992	3456	MsDbClient.exe	84
PID 4080 set thread context of 680	4080	MsDbClient.exe	86
PID 2036 set thread context of 3044	2036	MsDbClient.exe	88
PID 2088 set thread context of 2272	2088	MsDbClient.exe	90
PID 4912 set thread context of 548	4912	MsDbClient.exe	96
PID 2984 set thread context of 2500	2984	MsDbClient.exe	99
PID 2360 set thread context of 1456	2360	MsDbClient.exe	103
PID 3996 set thread context of 3528	3996	MsDbClient.exe	106
PID 3860 set thread context of 216	3860	MsDbClient.exe	109
PID 2972 set thread context of 3324	2972	MsDbClient.exe	111
PID 452 set thread context of 4784	452	MsDbClient.exe	113
PID 756 set thread context of 4996	756	MsDbClient.exe	115
PID 2108 set thread context of 3560	2108	MsDbClient.exe	117
PID 888 set thread context of 5028	888	MsDbClient.exe	119
PID 4796 set thread context of 4204	4796	MsDbClient.exe	121
PID 3104 set thread context of 3224	3104	MsDbClient.exe	123
PID 4112 set thread context of 2924	4112	MsDbClient.exe	125
PID 4956 set thread context of 1576	4956	MsDbClient.exe	127
PID 1084 set thread context of 964	1084	MsDbClient.exe	129
PID 3596 set thread context of 4620	3596	MsDbClient.exe	131
PID 1508 set thread context of 2220	1508	MsDbClient.exe	133
PID 4564 set thread context of 4380	4564	MsDbClient.exe	135
PID 5004 set thread context of 1812	5004	MsDbClient.exe	137
PID 3576 set thread context of 2680	3576	MsDbClient.exe	139
PID 2304 set thread context of 60	2304	MsDbClient.exe	141
PID 2844 set thread context of 1644	2844	MsDbClient.exe	143
PID 1448 set thread context of 2852	1448	MsDbClient.exe	145
PID 2684 set thread context of 1184	2684	MsDbClient.exe	147
PID 456 set thread context of 4016	456	MsDbClient.exe	149
PID 3312 set thread context of 1112	3312	MsDbClient.exe	151
PID 1908 set thread context of 4312	1908	MsDbClient.exe	153
PID 4372 set thread context of 244	4372	MsDbClient.exe	155
PID 4300 set thread context of 2632	4300	MsDbClient.exe	157
PID 2376 set thread context of 2984	2376	MsDbClient.exe	159
PID 3480 set thread context of 824	3480	MsDbClient.exe	161
PID 4916 set thread context of 3692	4916	MsDbClient.exe	163
PID 2004 set thread context of 3120	2004	MsDbClient.exe	165

UPX packed file 44 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2544-0-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/2544-2-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/2544-3-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/2544-4-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/2544-38-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1992-43-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1992-45-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1992-44-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1992-47-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/680-55-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/3044-62-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/2272-69-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/548-76-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/2500-82-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1456-90-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/3528-97-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/216-105-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/3324-114-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/4784-121-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/4996-130-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/3560-138-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/5028-147-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/4204-155-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/3224-163-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/2924-171-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1576-179-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/964-187-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/4620-195-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/2220-203-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/4380-212-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1812-219-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/2680-225-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/60-231-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1644-237-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/2852-243-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1184-249-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/4016-255-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1112-261-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/4312-267-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/244-273-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/2632-279-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/2984-285-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/824-291-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/3692-297-0x0000000000400000-0x000000000046B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f650f5a24a68da19467a30235be01730_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f650f5a24a68da19467a30235be01730_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe

Modifies registry class 37 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	f650f5a24a68da19467a30235be01730_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 2544	1912	f650f5a24a68da19467a30235be01730_JaffaCakes118.exe	82
PID 1912 wrote to memory of 2544	1912	f650f5a24a68da19467a30235be01730_JaffaCakes118.exe	82
PID 1912 wrote to memory of 2544	1912	f650f5a24a68da19467a30235be01730_JaffaCakes118.exe	82
PID 1912 wrote to memory of 2544	1912	f650f5a24a68da19467a30235be01730_JaffaCakes118.exe	82
PID 1912 wrote to memory of 2544	1912	f650f5a24a68da19467a30235be01730_JaffaCakes118.exe	82
PID 1912 wrote to memory of 2544	1912	f650f5a24a68da19467a30235be01730_JaffaCakes118.exe	82
PID 1912 wrote to memory of 2544	1912	f650f5a24a68da19467a30235be01730_JaffaCakes118.exe	82
PID 2544 wrote to memory of 3456	2544	f650f5a24a68da19467a30235be01730_JaffaCakes118.exe	83
PID 2544 wrote to memory of 3456	2544	f650f5a24a68da19467a30235be01730_JaffaCakes118.exe	83
PID 2544 wrote to memory of 3456	2544	f650f5a24a68da19467a30235be01730_JaffaCakes118.exe	83
PID 3456 wrote to memory of 1992	3456	MsDbClient.exe	84
PID 3456 wrote to memory of 1992	3456	MsDbClient.exe	84
PID 3456 wrote to memory of 1992	3456	MsDbClient.exe	84
PID 3456 wrote to memory of 1992	3456	MsDbClient.exe	84
PID 3456 wrote to memory of 1992	3456	MsDbClient.exe	84
PID 3456 wrote to memory of 1992	3456	MsDbClient.exe	84
PID 3456 wrote to memory of 1992	3456	MsDbClient.exe	84
PID 1992 wrote to memory of 4080	1992	MsDbClient.exe	85
PID 1992 wrote to memory of 4080	1992	MsDbClient.exe	85
PID 1992 wrote to memory of 4080	1992	MsDbClient.exe	85
PID 4080 wrote to memory of 680	4080	MsDbClient.exe	86
PID 4080 wrote to memory of 680	4080	MsDbClient.exe	86
PID 4080 wrote to memory of 680	4080	MsDbClient.exe	86
PID 4080 wrote to memory of 680	4080	MsDbClient.exe	86
PID 4080 wrote to memory of 680	4080	MsDbClient.exe	86
PID 4080 wrote to memory of 680	4080	MsDbClient.exe	86
PID 4080 wrote to memory of 680	4080	MsDbClient.exe	86
PID 680 wrote to memory of 2036	680	MsDbClient.exe	87
PID 680 wrote to memory of 2036	680	MsDbClient.exe	87
PID 680 wrote to memory of 2036	680	MsDbClient.exe	87
PID 2036 wrote to memory of 3044	2036	MsDbClient.exe	88
PID 2036 wrote to memory of 3044	2036	MsDbClient.exe	88
PID 2036 wrote to memory of 3044	2036	MsDbClient.exe	88
PID 2036 wrote to memory of 3044	2036	MsDbClient.exe	88
PID 2036 wrote to memory of 3044	2036	MsDbClient.exe	88
PID 2036 wrote to memory of 3044	2036	MsDbClient.exe	88
PID 2036 wrote to memory of 3044	2036	MsDbClient.exe	88
PID 3044 wrote to memory of 2088	3044	MsDbClient.exe	89
PID 3044 wrote to memory of 2088	3044	MsDbClient.exe	89
PID 3044 wrote to memory of 2088	3044	MsDbClient.exe	89
PID 2088 wrote to memory of 2272	2088	MsDbClient.exe	90
PID 2088 wrote to memory of 2272	2088	MsDbClient.exe	90
PID 2088 wrote to memory of 2272	2088	MsDbClient.exe	90
PID 2088 wrote to memory of 2272	2088	MsDbClient.exe	90
PID 2088 wrote to memory of 2272	2088	MsDbClient.exe	90
PID 2088 wrote to memory of 2272	2088	MsDbClient.exe	90
PID 2088 wrote to memory of 2272	2088	MsDbClient.exe	90
PID 2272 wrote to memory of 4912	2272	MsDbClient.exe	95
PID 2272 wrote to memory of 4912	2272	MsDbClient.exe	95
PID 2272 wrote to memory of 4912	2272	MsDbClient.exe	95
PID 4912 wrote to memory of 548	4912	MsDbClient.exe	96
PID 4912 wrote to memory of 548	4912	MsDbClient.exe	96
PID 4912 wrote to memory of 548	4912	MsDbClient.exe	96
PID 4912 wrote to memory of 548	4912	MsDbClient.exe	96
PID 4912 wrote to memory of 548	4912	MsDbClient.exe	96
PID 4912 wrote to memory of 548	4912	MsDbClient.exe	96
PID 4912 wrote to memory of 548	4912	MsDbClient.exe	96
PID 548 wrote to memory of 2984	548	MsDbClient.exe	98
PID 548 wrote to memory of 2984	548	MsDbClient.exe	98
PID 548 wrote to memory of 2984	548	MsDbClient.exe	98
PID 2984 wrote to memory of 2500	2984	MsDbClient.exe	99
PID 2984 wrote to memory of 2500	2984	MsDbClient.exe	99
PID 2984 wrote to memory of 2500	2984	MsDbClient.exe	99
PID 2984 wrote to memory of 2500	2984	MsDbClient.exe	99

C:\Users\Admin\AppData\Local\Temp\f650f5a24a68da19467a30235be01730_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f650f5a24a68da19467a30235be01730_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Users\Admin\AppData\Local\Temp\f650f5a24a68da19467a30235be01730_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f650f5a24a68da19467a30235be01730_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Windows\SysWOW64\MsDbClient.exe
    "C:\Windows\system32\MsDbClient.exe" C:\Users\Admin\AppData\Local\Temp\F650F5~1.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3456
  - - C:\Windows\SysWOW64\MsDbClient.exe
      "C:\Windows\SysWOW64\MsDbClient.exe" C:\Users\Admin\AppData\Local\Temp\F650F5~1.EXE
      4⤵
      Checks computer location settings
      Deletes itself
      Executes dropped EXE
      Maps connected drives based on registry
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1992
    - - C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4080
      - C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:680
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1456
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3996
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3528
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3860
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:216
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3324
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:452
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4784
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:756
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3560
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:888
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5028
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4796
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4204
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3104
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3224
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4112
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2924
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4956
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1576
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1084
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:964
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3596
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:4620
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1508
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4564
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5004
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:1812
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3576
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:60
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2844
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        54⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1448
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        56⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:2852
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1184
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:456
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        60⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:4016
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3312
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        62⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1112
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1908
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        64⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4312
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4372
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        66⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:244
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        67⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4300
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        68⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2632
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        69⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        70⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        71⤵
        Suspicious use of SetThreadContext
        
        PID:3480
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        72⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:824
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        73⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4916
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        74⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3692
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        75⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        76⤵
        Maps connected drives based on registry
        
        PID:3120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\MsDbClient.exe

Filesize
158KB

MD5
f650f5a24a68da19467a30235be01730

SHA1
d4a0a4d034a54061e78750678eb60cb6a073967a

SHA256
ee97763a532f7d56560fd36b3a9eb1a76b762cf2f4162b367bf9decc2bd80bd8

SHA512
3eb35619b8c52809f4e1dc41dbc04083df4696dd72d1a0a0faa887c3f211d11b4f732394f779da6f94699929ce600e66a140f8f5c2650fad8eaa5ce8a0acbb59

Download Submit
memory/60-231-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/216-105-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/244-273-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/548-76-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/680-55-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/824-291-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/964-187-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1112-261-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1184-249-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1456-90-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1576-179-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1644-237-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1812-219-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1992-44-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1992-45-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1992-43-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1992-47-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2220-203-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2272-69-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2500-82-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2544-38-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2544-2-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2544-0-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2544-3-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2544-4-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2632-279-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2680-225-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2852-243-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2924-171-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2984-285-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3044-62-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3224-163-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3324-114-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3528-97-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3560-138-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3692-297-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4016-255-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4204-155-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4312-267-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4380-212-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4620-195-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4784-121-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4996-130-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/5028-147-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads