39622cc17c146a63adc4166662246ea610283178ff232241c943bfa5148d2871

Analysis

max time kernel
148s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27/09/2024, 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa5e90ae7ee63cbb4d0445e7e15037d5_JaffaCakes118.exe
Size

129KB
MD5

fa5e90ae7ee63cbb4d0445e7e15037d5
SHA1

008bfd3c557c25783a5bb92406fe7454d92e50f9
SHA256

39622cc17c146a63adc4166662246ea610283178ff232241c943bfa5148d2871
SHA512

627e7e81e035634c74f517326f4424c2c36b22ccd27f528888b7787aee9b14df3c226ffebe31b7ceb632b0d01befae5d2f5a071c1570403f5fbdf50f250bca2a
SSDEEP

3072:u6UT5CvLXIrlMU/Y3tcjoq+IqhOC/GWvaflucQHUU9UpdU:u6UWIhY3tcjoq+VhwWvC

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 36 IoCs

pid	Process
2168	msime.exe
2916	msime.exe
2800	msime.exe
2332	msime.exe
2848	msime.exe
2732	msime.exe
2740	msime.exe
2316	msime.exe
836	msime.exe
2656	msime.exe
2632	msime.exe
964	msime.exe
2524	msime.exe
2960	msime.exe
2180	msime.exe
1000	msime.exe
2772	msime.exe
1184	msime.exe
1992	msime.exe
2096	msime.exe
2484	msime.exe
1964	msime.exe
1508	msime.exe
1004	msime.exe
2396	msime.exe
2636	msime.exe
1040	msime.exe
588	msime.exe
916	msime.exe
1516	msime.exe
2440	msime.exe
3036	msime.exe
2368	msime.exe
1580	msime.exe
2164	msime.exe
2824	msime.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	fa5e90ae7ee63cbb4d0445e7e15037d5_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SysIdt0.dll	fa5e90ae7ee63cbb4d0445e7e15037d5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	fa5e90ae7ee63cbb4d0445e7e15037d5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe

System Location Discovery: System Language Discovery 1 TTPs 37 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa5e90ae7ee63cbb4d0445e7e15037d5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe

Suspicious behavior: RenamesItself 36 IoCs

pid	Process
2888	fa5e90ae7ee63cbb4d0445e7e15037d5_JaffaCakes118.exe
2168	msime.exe
2916	msime.exe
2800	msime.exe
2332	msime.exe
2848	msime.exe
2732	msime.exe
2740	msime.exe
2316	msime.exe
836	msime.exe
2656	msime.exe
2632	msime.exe
964	msime.exe
2524	msime.exe
2960	msime.exe
2180	msime.exe
1000	msime.exe
2772	msime.exe
1184	msime.exe
1992	msime.exe
2096	msime.exe
2484	msime.exe
1964	msime.exe
1508	msime.exe
1004	msime.exe
2396	msime.exe
2636	msime.exe
1040	msime.exe
588	msime.exe
916	msime.exe
1516	msime.exe
2440	msime.exe
3036	msime.exe
2368	msime.exe
1580	msime.exe
2164	msime.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 2168	2888	fa5e90ae7ee63cbb4d0445e7e15037d5_JaffaCakes118.exe	29
PID 2888 wrote to memory of 2168	2888	fa5e90ae7ee63cbb4d0445e7e15037d5_JaffaCakes118.exe	29
PID 2888 wrote to memory of 2168	2888	fa5e90ae7ee63cbb4d0445e7e15037d5_JaffaCakes118.exe	29
PID 2888 wrote to memory of 2168	2888	fa5e90ae7ee63cbb4d0445e7e15037d5_JaffaCakes118.exe	29
PID 2168 wrote to memory of 2916	2168	msime.exe	30
PID 2168 wrote to memory of 2916	2168	msime.exe	30
PID 2168 wrote to memory of 2916	2168	msime.exe	30
PID 2168 wrote to memory of 2916	2168	msime.exe	30
PID 2916 wrote to memory of 2800	2916	msime.exe	31
PID 2916 wrote to memory of 2800	2916	msime.exe	31
PID 2916 wrote to memory of 2800	2916	msime.exe	31
PID 2916 wrote to memory of 2800	2916	msime.exe	31
PID 2800 wrote to memory of 2332	2800	msime.exe	32
PID 2800 wrote to memory of 2332	2800	msime.exe	32
PID 2800 wrote to memory of 2332	2800	msime.exe	32
PID 2800 wrote to memory of 2332	2800	msime.exe	32
PID 2332 wrote to memory of 2848	2332	msime.exe	33
PID 2332 wrote to memory of 2848	2332	msime.exe	33
PID 2332 wrote to memory of 2848	2332	msime.exe	33
PID 2332 wrote to memory of 2848	2332	msime.exe	33
PID 2848 wrote to memory of 2732	2848	msime.exe	34
PID 2848 wrote to memory of 2732	2848	msime.exe	34
PID 2848 wrote to memory of 2732	2848	msime.exe	34
PID 2848 wrote to memory of 2732	2848	msime.exe	34
PID 2732 wrote to memory of 2740	2732	msime.exe	35
PID 2732 wrote to memory of 2740	2732	msime.exe	35
PID 2732 wrote to memory of 2740	2732	msime.exe	35
PID 2732 wrote to memory of 2740	2732	msime.exe	35
PID 2740 wrote to memory of 2316	2740	msime.exe	36
PID 2740 wrote to memory of 2316	2740	msime.exe	36
PID 2740 wrote to memory of 2316	2740	msime.exe	36
PID 2740 wrote to memory of 2316	2740	msime.exe	36
PID 2316 wrote to memory of 836	2316	msime.exe	37
PID 2316 wrote to memory of 836	2316	msime.exe	37
PID 2316 wrote to memory of 836	2316	msime.exe	37
PID 2316 wrote to memory of 836	2316	msime.exe	37
PID 836 wrote to memory of 2656	836	msime.exe	38
PID 836 wrote to memory of 2656	836	msime.exe	38
PID 836 wrote to memory of 2656	836	msime.exe	38
PID 836 wrote to memory of 2656	836	msime.exe	38
PID 2656 wrote to memory of 2632	2656	msime.exe	39
PID 2656 wrote to memory of 2632	2656	msime.exe	39
PID 2656 wrote to memory of 2632	2656	msime.exe	39
PID 2656 wrote to memory of 2632	2656	msime.exe	39
PID 2632 wrote to memory of 964	2632	msime.exe	40
PID 2632 wrote to memory of 964	2632	msime.exe	40
PID 2632 wrote to memory of 964	2632	msime.exe	40
PID 2632 wrote to memory of 964	2632	msime.exe	40
PID 964 wrote to memory of 2524	964	msime.exe	41
PID 964 wrote to memory of 2524	964	msime.exe	41
PID 964 wrote to memory of 2524	964	msime.exe	41
PID 964 wrote to memory of 2524	964	msime.exe	41
PID 2524 wrote to memory of 2960	2524	msime.exe	42
PID 2524 wrote to memory of 2960	2524	msime.exe	42
PID 2524 wrote to memory of 2960	2524	msime.exe	42
PID 2524 wrote to memory of 2960	2524	msime.exe	42
PID 2960 wrote to memory of 2180	2960	msime.exe	43
PID 2960 wrote to memory of 2180	2960	msime.exe	43
PID 2960 wrote to memory of 2180	2960	msime.exe	43
PID 2960 wrote to memory of 2180	2960	msime.exe	43
PID 2180 wrote to memory of 1000	2180	msime.exe	44
PID 2180 wrote to memory of 1000	2180	msime.exe	44
PID 2180 wrote to memory of 1000	2180	msime.exe	44
PID 2180 wrote to memory of 1000	2180	msime.exe	44

C:\Users\Admin\AppData\Local\Temp\fa5e90ae7ee63cbb4d0445e7e15037d5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fa5e90ae7ee63cbb4d0445e7e15037d5_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Windows\SysWOW64\msime.exe
  "C:\Windows\system32\msime.exe" C:\Users\Admin\AppData\Local\Temp\fa5e90ae7ee63cbb4d0445e7e15037d5_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Windows\SysWOW64\msime.exe
    "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Windows\SysWOW64\msime.exe
      "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: RenamesItself
      Suspicious use of WriteProcessMemory
      PID:2800
    - - C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:2332
      - C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:836
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:964
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        
        PID:1000
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        
        PID:2772
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        
        PID:1184
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        
        PID:1992
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        
        PID:2096
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        
        PID:2484
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        
        PID:1964
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        
        PID:1508
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        
        PID:1004
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        
        PID:2396
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        
        PID:2636
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        
        PID:1040
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        
        PID:588
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        
        PID:916
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        
        PID:1516
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        
        PID:2440
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        
        PID:3036
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        
        PID:2368
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        
        PID:1580
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        
        PID:2164
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\SysIdt0.dll

Filesize
90KB

MD5
92531073e2f5bd515ccec4f69bb79648

SHA1
18a1885a1db64d104ebffdea94ea2cc86d83a570

SHA256
69a892551d5286ba06583b999e9bb4b3e1e2c1bd28cc9808008039a94e4f9924

SHA512
b41d80ae16d0e49e761627d3499176c63dec05e77f34771f7da970398b59d86aced8e15cd70708469455ea2adc0630277c07f0b2f6a47329fa4e89e9d23d857e

Download Submit
C:\Windows\SysWOW64\msime.exe

Filesize
129KB

MD5
fa5e90ae7ee63cbb4d0445e7e15037d5

SHA1
008bfd3c557c25783a5bb92406fe7454d92e50f9

SHA256
39622cc17c146a63adc4166662246ea610283178ff232241c943bfa5148d2871

SHA512
627e7e81e035634c74f517326f4424c2c36b22ccd27f528888b7787aee9b14df3c226ffebe31b7ceb632b0d01befae5d2f5a071c1570403f5fbdf50f250bca2a

Download Submit
memory/2888-5-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download