39622cc17c146a63adc4166662246ea610283178ff232241c943bfa5148d2871

Analysis

max time kernel
149s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27/09/2024, 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa5e90ae7ee63cbb4d0445e7e15037d5_JaffaCakes118.exe
Size

129KB
MD5

fa5e90ae7ee63cbb4d0445e7e15037d5
SHA1

008bfd3c557c25783a5bb92406fe7454d92e50f9
SHA256

39622cc17c146a63adc4166662246ea610283178ff232241c943bfa5148d2871
SHA512

627e7e81e035634c74f517326f4424c2c36b22ccd27f528888b7787aee9b14df3c226ffebe31b7ceb632b0d01befae5d2f5a071c1570403f5fbdf50f250bca2a
SSDEEP

3072:u6UT5CvLXIrlMU/Y3tcjoq+IqhOC/GWvaflucQHUU9UpdU:u6UWIhY3tcjoq+VhwWvC

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 37 IoCs

pid	Process
4676	msime.exe
4324	msime.exe
1156	msime.exe
5024	msime.exe
1560	msime.exe
4332	msime.exe
3408	msime.exe
2540	msime.exe
2452	msime.exe
1744	msime.exe
2424	msime.exe
848	msime.exe
5060	msime.exe
5028	msime.exe
3068	msime.exe
1388	msime.exe
4588	msime.exe
4640	msime.exe
4392	msime.exe
3640	msime.exe
4292	msime.exe
3512	msime.exe
4848	msime.exe
1760	msime.exe
5032	msime.exe
1216	msime.exe
1864	msime.exe
724	msime.exe
2080	msime.exe
4544	msime.exe
4332	msime.exe
1700	msime.exe
4140	msime.exe
3856	msime.exe
1816	msime.exe
4864	msime.exe
1664	msime.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	fa5e90ae7ee63cbb4d0445e7e15037d5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	fa5e90ae7ee63cbb4d0445e7e15037d5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe
File opened for modification	C:\Windows\SysWOW64\SysIdt0.dll	msime.exe

System Location Discovery: System Language Discovery 1 TTPs 38 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa5e90ae7ee63cbb4d0445e7e15037d5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msime.exe

Suspicious behavior: RenamesItself 37 IoCs

pid	Process
3444	fa5e90ae7ee63cbb4d0445e7e15037d5_JaffaCakes118.exe
4676	msime.exe
4324	msime.exe
1156	msime.exe
5024	msime.exe
1560	msime.exe
4332	msime.exe
3408	msime.exe
2540	msime.exe
2452	msime.exe
1744	msime.exe
2424	msime.exe
848	msime.exe
5060	msime.exe
5028	msime.exe
3068	msime.exe
1388	msime.exe
4588	msime.exe
4640	msime.exe
4392	msime.exe
3640	msime.exe
4292	msime.exe
3512	msime.exe
4848	msime.exe
1760	msime.exe
5032	msime.exe
1216	msime.exe
1864	msime.exe
724	msime.exe
2080	msime.exe
4544	msime.exe
4332	msime.exe
1700	msime.exe
4140	msime.exe
3856	msime.exe
1816	msime.exe
4864	msime.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3444 wrote to memory of 4676	3444	fa5e90ae7ee63cbb4d0445e7e15037d5_JaffaCakes118.exe	85
PID 3444 wrote to memory of 4676	3444	fa5e90ae7ee63cbb4d0445e7e15037d5_JaffaCakes118.exe	85
PID 3444 wrote to memory of 4676	3444	fa5e90ae7ee63cbb4d0445e7e15037d5_JaffaCakes118.exe	85
PID 4676 wrote to memory of 4324	4676	msime.exe	90
PID 4676 wrote to memory of 4324	4676	msime.exe	90
PID 4676 wrote to memory of 4324	4676	msime.exe	90
PID 4324 wrote to memory of 1156	4324	msime.exe	92
PID 4324 wrote to memory of 1156	4324	msime.exe	92
PID 4324 wrote to memory of 1156	4324	msime.exe	92
PID 1156 wrote to memory of 5024	1156	msime.exe	95
PID 1156 wrote to memory of 5024	1156	msime.exe	95
PID 1156 wrote to memory of 5024	1156	msime.exe	95
PID 5024 wrote to memory of 1560	5024	msime.exe	96
PID 5024 wrote to memory of 1560	5024	msime.exe	96
PID 5024 wrote to memory of 1560	5024	msime.exe	96
PID 1560 wrote to memory of 4332	1560	msime.exe	97
PID 1560 wrote to memory of 4332	1560	msime.exe	97
PID 1560 wrote to memory of 4332	1560	msime.exe	97
PID 4332 wrote to memory of 3408	4332	msime.exe	98
PID 4332 wrote to memory of 3408	4332	msime.exe	98
PID 4332 wrote to memory of 3408	4332	msime.exe	98
PID 3408 wrote to memory of 2540	3408	msime.exe	100
PID 3408 wrote to memory of 2540	3408	msime.exe	100
PID 3408 wrote to memory of 2540	3408	msime.exe	100
PID 2540 wrote to memory of 2452	2540	msime.exe	102
PID 2540 wrote to memory of 2452	2540	msime.exe	102
PID 2540 wrote to memory of 2452	2540	msime.exe	102
PID 2452 wrote to memory of 1744	2452	msime.exe	103
PID 2452 wrote to memory of 1744	2452	msime.exe	103
PID 2452 wrote to memory of 1744	2452	msime.exe	103
PID 1744 wrote to memory of 2424	1744	msime.exe	104
PID 1744 wrote to memory of 2424	1744	msime.exe	104
PID 1744 wrote to memory of 2424	1744	msime.exe	104
PID 2424 wrote to memory of 848	2424	msime.exe	105
PID 2424 wrote to memory of 848	2424	msime.exe	105
PID 2424 wrote to memory of 848	2424	msime.exe	105
PID 848 wrote to memory of 5060	848	msime.exe	106
PID 848 wrote to memory of 5060	848	msime.exe	106
PID 848 wrote to memory of 5060	848	msime.exe	106
PID 5060 wrote to memory of 5028	5060	msime.exe	107
PID 5060 wrote to memory of 5028	5060	msime.exe	107
PID 5060 wrote to memory of 5028	5060	msime.exe	107
PID 5028 wrote to memory of 3068	5028	msime.exe	108
PID 5028 wrote to memory of 3068	5028	msime.exe	108
PID 5028 wrote to memory of 3068	5028	msime.exe	108
PID 3068 wrote to memory of 1388	3068	msime.exe	109
PID 3068 wrote to memory of 1388	3068	msime.exe	109
PID 3068 wrote to memory of 1388	3068	msime.exe	109
PID 1388 wrote to memory of 4588	1388	msime.exe	110
PID 1388 wrote to memory of 4588	1388	msime.exe	110
PID 1388 wrote to memory of 4588	1388	msime.exe	110
PID 4588 wrote to memory of 4640	4588	msime.exe	111
PID 4588 wrote to memory of 4640	4588	msime.exe	111
PID 4588 wrote to memory of 4640	4588	msime.exe	111
PID 4640 wrote to memory of 4392	4640	msime.exe	112
PID 4640 wrote to memory of 4392	4640	msime.exe	112
PID 4640 wrote to memory of 4392	4640	msime.exe	112
PID 4392 wrote to memory of 3640	4392	msime.exe	113
PID 4392 wrote to memory of 3640	4392	msime.exe	113
PID 4392 wrote to memory of 3640	4392	msime.exe	113
PID 3640 wrote to memory of 4292	3640	msime.exe	114
PID 3640 wrote to memory of 4292	3640	msime.exe	114
PID 3640 wrote to memory of 4292	3640	msime.exe	114
PID 4292 wrote to memory of 3512	4292	msime.exe	115

C:\Users\Admin\AppData\Local\Temp\fa5e90ae7ee63cbb4d0445e7e15037d5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fa5e90ae7ee63cbb4d0445e7e15037d5_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Windows\SysWOW64\msime.exe
  "C:\Windows\system32\msime.exe" C:\Users\Admin\AppData\Local\Temp\fa5e90ae7ee63cbb4d0445e7e15037d5_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:4676
- - C:\Windows\SysWOW64\msime.exe
    "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    PID:4324
  - - C:\Windows\SysWOW64\msime.exe
      "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: RenamesItself
      Suspicious use of WriteProcessMemory
      PID:1156
    - - C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:5024
      - C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:848
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:3640
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        
        PID:3512
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        
        PID:4848
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        
        PID:1760
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        
        PID:5032
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        
        PID:1216
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        
        PID:1864
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        
        PID:724
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        
        PID:2080
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        
        PID:4544
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        
        PID:4332
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        
        PID:1700
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        
        PID:4140
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        
        PID:3856
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        
        PID:1816
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        
        PID:4864
        
        C:\Windows\SysWOW64\msime.exe
        
        "C:\Windows\system32\msime.exe" C:\Windows\SysWOW64\msime.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\SysIdt0.dll

Filesize
90KB

MD5
92531073e2f5bd515ccec4f69bb79648

SHA1
18a1885a1db64d104ebffdea94ea2cc86d83a570

SHA256
69a892551d5286ba06583b999e9bb4b3e1e2c1bd28cc9808008039a94e4f9924

SHA512
b41d80ae16d0e49e761627d3499176c63dec05e77f34771f7da970398b59d86aced8e15cd70708469455ea2adc0630277c07f0b2f6a47329fa4e89e9d23d857e

Download Submit
C:\Windows\SysWOW64\msime.exe

Filesize
129KB

MD5
fa5e90ae7ee63cbb4d0445e7e15037d5

SHA1
008bfd3c557c25783a5bb92406fe7454d92e50f9

SHA256
39622cc17c146a63adc4166662246ea610283178ff232241c943bfa5148d2871

SHA512
627e7e81e035634c74f517326f4424c2c36b22ccd27f528888b7787aee9b14df3c226ffebe31b7ceb632b0d01befae5d2f5a071c1570403f5fbdf50f250bca2a

Download Submit
memory/3444-5-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download