metasploit | f47cf6692d019d6858c76b9fb1876f6475bd17463ba6178472c5eec45a4caef8

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
26-11-2024 11:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1bdbd9dd382218492ae030ac5583d5b_JaffaCakes118.exe
Size

267KB
MD5

a1bdbd9dd382218492ae030ac5583d5b
SHA1

e0a85cacf27bd38b868c23e000f35c757b2751ab
SHA256

f47cf6692d019d6858c76b9fb1876f6475bd17463ba6178472c5eec45a4caef8
SHA512

294f77494c66099d6f3d5c08e94310b5706178b172504019e084effc91cfaefcb486f461d79f4403a18f8c0fa3132a17fe28d3fd0efffaf195a86927582fba0d
SSDEEP

6144:fc0TbSwrbQpuYp6qdwXG3uMHNvU/OkGhuqBF0mF+2cXTXfrgR:NTbSKysqdPDHBjFB+2cXQ

Score

10^/10

metasploit backdoor discovery trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Deletes itself 1 IoCs

pid	Process
2744	wcoredg.exe

Executes dropped EXE 64 IoCs

pid	Process
2512	wcoredg.exe
2744	wcoredg.exe
2612	wcoredg.exe
2068	wcoredg.exe
2608	wcoredg.exe
2012	wcoredg.exe
1088	wcoredg.exe
2976	wcoredg.exe
2904	wcoredg.exe
1312	wcoredg.exe
1760	wcoredg.exe
3052	wcoredg.exe
2116	wcoredg.exe
688	wcoredg.exe
2032	wcoredg.exe
1864	wcoredg.exe
1828	wcoredg.exe
1552	wcoredg.exe
3056	wcoredg.exe
1924	wcoredg.exe
1992	wcoredg.exe
1576	wcoredg.exe
1956	wcoredg.exe
2360	wcoredg.exe
2872	wcoredg.exe
2820	wcoredg.exe
2628	wcoredg.exe
2660	wcoredg.exe
2772	wcoredg.exe
1476	wcoredg.exe
852	wcoredg.exe
2368	wcoredg.exe
1676	wcoredg.exe
1328	wcoredg.exe
2056	wcoredg.exe
2572	wcoredg.exe
2192	wcoredg.exe
1288	wcoredg.exe
1608	wcoredg.exe
1348	wcoredg.exe
2100	wcoredg.exe
2080	wcoredg.exe
556	wcoredg.exe
1788	wcoredg.exe
3056	wcoredg.exe
1624	wcoredg.exe
1916	wcoredg.exe
2536	wcoredg.exe
2148	wcoredg.exe
1956	wcoredg.exe
2868	wcoredg.exe
2804	wcoredg.exe
3000	wcoredg.exe
2908	wcoredg.exe
2920	wcoredg.exe
2648	wcoredg.exe
2132	wcoredg.exe
1308	wcoredg.exe
1772	wcoredg.exe
1264	wcoredg.exe
2292	wcoredg.exe
1988	wcoredg.exe
2236	wcoredg.exe
2116	wcoredg.exe

Loads dropped DLL 64 IoCs

pid	Process
2372	a1bdbd9dd382218492ae030ac5583d5b_JaffaCakes118.exe
2372	a1bdbd9dd382218492ae030ac5583d5b_JaffaCakes118.exe
2744	wcoredg.exe
2744	wcoredg.exe
2068	wcoredg.exe
2068	wcoredg.exe
2012	wcoredg.exe
2012	wcoredg.exe
2976	wcoredg.exe
2976	wcoredg.exe
1312	wcoredg.exe
1312	wcoredg.exe
3052	wcoredg.exe
3052	wcoredg.exe
688	wcoredg.exe
688	wcoredg.exe
1864	wcoredg.exe
1864	wcoredg.exe
1552	wcoredg.exe
1552	wcoredg.exe
1924	wcoredg.exe
1924	wcoredg.exe
1576	wcoredg.exe
1576	wcoredg.exe
2360	wcoredg.exe
2360	wcoredg.exe
2820	wcoredg.exe
2820	wcoredg.exe
2660	wcoredg.exe
2660	wcoredg.exe
1476	wcoredg.exe
1476	wcoredg.exe
2368	wcoredg.exe
2368	wcoredg.exe
1328	wcoredg.exe
1328	wcoredg.exe
2572	wcoredg.exe
2572	wcoredg.exe
1288	wcoredg.exe
1288	wcoredg.exe
1348	wcoredg.exe
1348	wcoredg.exe
2080	wcoredg.exe
2080	wcoredg.exe
1788	wcoredg.exe
1788	wcoredg.exe
1624	wcoredg.exe
1624	wcoredg.exe
2536	wcoredg.exe
2536	wcoredg.exe
1956	wcoredg.exe
1956	wcoredg.exe
2804	wcoredg.exe
2804	wcoredg.exe
2908	wcoredg.exe
2908	wcoredg.exe
2648	wcoredg.exe
2648	wcoredg.exe
1308	wcoredg.exe
1308	wcoredg.exe
1264	wcoredg.exe
1264	wcoredg.exe
1988	wcoredg.exe
1988	wcoredg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File created	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File opened for modification	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File created	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File opened for modification	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File created	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File created	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File opened for modification	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File opened for modification	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File opened for modification	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File opened for modification	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File opened for modification	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File opened for modification	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File opened for modification	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File opened for modification	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File created	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File created	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File opened for modification	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File created	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File opened for modification	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File opened for modification	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File created	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File created	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File opened for modification	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File created	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File opened for modification	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File opened for modification	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File created	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File opened for modification	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File opened for modification	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File created	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File opened for modification	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File created	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File created	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File opened for modification	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File opened for modification	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File opened for modification	C:\Windows\SysWOW64\wcoredg.exe	a1bdbd9dd382218492ae030ac5583d5b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File opened for modification	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File created	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File opened for modification	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File opened for modification	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File created	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File opened for modification	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File created	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File created	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File opened for modification	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File created	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File opened for modification	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File opened for modification	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File opened for modification	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File created	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File opened for modification	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File created	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File created	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File created	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File created	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File created	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File opened for modification	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File opened for modification	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File created	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File opened for modification	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File opened for modification	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe
File created	C:\Windows\SysWOW64\wcoredg.exe	wcoredg.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 1688 set thread context of 2372	1688	a1bdbd9dd382218492ae030ac5583d5b_JaffaCakes118.exe	30
PID 2512 set thread context of 2744	2512	wcoredg.exe	32
PID 2612 set thread context of 2068	2612	wcoredg.exe	34
PID 2608 set thread context of 2012	2608	wcoredg.exe	36
PID 1088 set thread context of 2976	1088	wcoredg.exe	39
PID 2904 set thread context of 1312	2904	wcoredg.exe	41
PID 1760 set thread context of 3052	1760	wcoredg.exe	43
PID 2116 set thread context of 688	2116	wcoredg.exe	45
PID 2032 set thread context of 1864	2032	wcoredg.exe	47
PID 1828 set thread context of 1552	1828	wcoredg.exe	49
PID 3056 set thread context of 1924	3056	wcoredg.exe	51
PID 1992 set thread context of 1576	1992	wcoredg.exe	53
PID 1956 set thread context of 2360	1956	wcoredg.exe	55
PID 2872 set thread context of 2820	2872	wcoredg.exe	57
PID 2628 set thread context of 2660	2628	wcoredg.exe	59
PID 2772 set thread context of 1476	2772	wcoredg.exe	61
PID 852 set thread context of 2368	852	wcoredg.exe	63
PID 1676 set thread context of 1328	1676	wcoredg.exe	65
PID 2056 set thread context of 2572	2056	wcoredg.exe	67
PID 2192 set thread context of 1288	2192	wcoredg.exe	69
PID 1608 set thread context of 1348	1608	wcoredg.exe	71
PID 2100 set thread context of 2080	2100	wcoredg.exe	73
PID 556 set thread context of 1788	556	wcoredg.exe	75
PID 3056 set thread context of 1624	3056	wcoredg.exe	77
PID 1916 set thread context of 2536	1916	wcoredg.exe	79
PID 2148 set thread context of 1956	2148	wcoredg.exe	81
PID 2868 set thread context of 2804	2868	wcoredg.exe	83
PID 3000 set thread context of 2908	3000	wcoredg.exe	85
PID 2920 set thread context of 2648	2920	wcoredg.exe	87
PID 2132 set thread context of 1308	2132	wcoredg.exe	89
PID 1772 set thread context of 1264	1772	wcoredg.exe	91
PID 2292 set thread context of 1988	2292	wcoredg.exe	93
PID 2236 set thread context of 2116	2236	wcoredg.exe	95
PID 764 set thread context of 2900	764	wcoredg.exe	97
PID 2496 set thread context of 2100	2496	wcoredg.exe	99
PID 936 set thread context of 2500	936	wcoredg.exe	101
PID 2208 set thread context of 2344	2208	wcoredg.exe	103
PID 1916 set thread context of 2412	1916	wcoredg.exe	105
PID 1968 set thread context of 2788	1968	wcoredg.exe	107
PID 2732 set thread context of 2860	2732	wcoredg.exe	109
PID 2356 set thread context of 2172	2356	wcoredg.exe	111
PID 1056 set thread context of 1108	1056	wcoredg.exe	113
PID 2844 set thread context of 840	2844	wcoredg.exe	115
PID 1196 set thread context of 2956	1196	wcoredg.exe	117
PID 2700 set thread context of 1944	2700	wcoredg.exe	119
PID 2248 set thread context of 1792	2248	wcoredg.exe	121
PID 1396 set thread context of 2060	1396	wcoredg.exe	123
PID 3024 set thread context of 856	3024	wcoredg.exe	125
PID 2444 set thread context of 944	2444	wcoredg.exe	127
PID 568 set thread context of 3064	568	wcoredg.exe	129
PID 3056 set thread context of 1740	3056	wcoredg.exe	131
PID 1592 set thread context of 1448	1592	wcoredg.exe	133
PID 2556 set thread context of 2564	2556	wcoredg.exe	135
PID 2520 set thread context of 2612	2520	wcoredg.exe	137
PID 2920 set thread context of 2768	2920	wcoredg.exe	139
PID 1720 set thread context of 2576	1720	wcoredg.exe	141
PID 1588 set thread context of 1676	1588	wcoredg.exe	143
PID 1028 set thread context of 2028	1028	wcoredg.exe	145
PID 444 set thread context of 916	444	wcoredg.exe	147
PID 3020 set thread context of 1344	3020	wcoredg.exe	149
PID 1044 set thread context of 1368	1044	wcoredg.exe	151
PID 1780 set thread context of 1932	1780	wcoredg.exe	153
PID 580 set thread context of 700	580	wcoredg.exe	155
PID 2480 set thread context of 1708	2480	wcoredg.exe	157

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2372-4-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/2372-7-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/2372-6-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/2372-3-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/2372-2-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/2372-8-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/2372-9-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/2372-22-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/2744-35-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/2744-37-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/2744-36-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/2744-34-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/2744-33-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/2744-43-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/2068-53-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/2068-52-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/2068-54-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/2068-60-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/2012-70-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/2012-69-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/2012-71-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/2012-77-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/2976-87-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/2976-86-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/2976-94-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/1312-110-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/3052-119-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/3052-128-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/688-137-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/688-146-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/1864-161-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/1552-172-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/1552-180-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/1924-196-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/1576-206-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/1576-214-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/2360-224-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/2360-231-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/2820-248-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/2660-257-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/2660-261-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/1476-273-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/2368-281-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/2368-286-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/1328-298-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/2572-310-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/1288-319-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/1288-323-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/1348-335-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/2080-347-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/1788-359-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/1624-368-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/1624-372-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/2536-381-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/2536-385-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/1956-397-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/2804-409-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/2908-421-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/2648-431-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/2648-434-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/1308-446-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/1264-458-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/1988-466-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/1988-471-0x0000000000400000-0x0000000000464000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcoredg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2372	a1bdbd9dd382218492ae030ac5583d5b_JaffaCakes118.exe
2744	wcoredg.exe
2068	wcoredg.exe
2012	wcoredg.exe
2976	wcoredg.exe
1312	wcoredg.exe
3052	wcoredg.exe
688	wcoredg.exe
1864	wcoredg.exe
1552	wcoredg.exe
1924	wcoredg.exe
1576	wcoredg.exe
2360	wcoredg.exe
2820	wcoredg.exe
2660	wcoredg.exe
1476	wcoredg.exe
2368	wcoredg.exe
1328	wcoredg.exe
2572	wcoredg.exe
1288	wcoredg.exe
1348	wcoredg.exe
2080	wcoredg.exe
1788	wcoredg.exe
1624	wcoredg.exe
2536	wcoredg.exe
1956	wcoredg.exe
2804	wcoredg.exe
2908	wcoredg.exe
2648	wcoredg.exe
1308	wcoredg.exe
1264	wcoredg.exe
1988	wcoredg.exe
2116	wcoredg.exe
2900	wcoredg.exe
2100	wcoredg.exe
2500	wcoredg.exe
2344	wcoredg.exe
2412	wcoredg.exe
2788	wcoredg.exe
2860	wcoredg.exe
2172	wcoredg.exe
1108	wcoredg.exe
840	wcoredg.exe
2956	wcoredg.exe
1944	wcoredg.exe
1792	wcoredg.exe
2060	wcoredg.exe
856	wcoredg.exe
944	wcoredg.exe
3064	wcoredg.exe
1740	wcoredg.exe
1448	wcoredg.exe
2564	wcoredg.exe
2612	wcoredg.exe
2768	wcoredg.exe
2576	wcoredg.exe
1676	wcoredg.exe
2028	wcoredg.exe
916	wcoredg.exe
1344	wcoredg.exe
1368	wcoredg.exe
1932	wcoredg.exe
700	wcoredg.exe
1708	wcoredg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2372	1688	a1bdbd9dd382218492ae030ac5583d5b_JaffaCakes118.exe	30
PID 1688 wrote to memory of 2372	1688	a1bdbd9dd382218492ae030ac5583d5b_JaffaCakes118.exe	30
PID 1688 wrote to memory of 2372	1688	a1bdbd9dd382218492ae030ac5583d5b_JaffaCakes118.exe	30
PID 1688 wrote to memory of 2372	1688	a1bdbd9dd382218492ae030ac5583d5b_JaffaCakes118.exe	30
PID 1688 wrote to memory of 2372	1688	a1bdbd9dd382218492ae030ac5583d5b_JaffaCakes118.exe	30
PID 1688 wrote to memory of 2372	1688	a1bdbd9dd382218492ae030ac5583d5b_JaffaCakes118.exe	30
PID 1688 wrote to memory of 2372	1688	a1bdbd9dd382218492ae030ac5583d5b_JaffaCakes118.exe	30
PID 2372 wrote to memory of 2512	2372	a1bdbd9dd382218492ae030ac5583d5b_JaffaCakes118.exe	31
PID 2372 wrote to memory of 2512	2372	a1bdbd9dd382218492ae030ac5583d5b_JaffaCakes118.exe	31
PID 2372 wrote to memory of 2512	2372	a1bdbd9dd382218492ae030ac5583d5b_JaffaCakes118.exe	31
PID 2372 wrote to memory of 2512	2372	a1bdbd9dd382218492ae030ac5583d5b_JaffaCakes118.exe	31
PID 2512 wrote to memory of 2744	2512	wcoredg.exe	32
PID 2512 wrote to memory of 2744	2512	wcoredg.exe	32
PID 2512 wrote to memory of 2744	2512	wcoredg.exe	32
PID 2512 wrote to memory of 2744	2512	wcoredg.exe	32
PID 2512 wrote to memory of 2744	2512	wcoredg.exe	32
PID 2512 wrote to memory of 2744	2512	wcoredg.exe	32
PID 2512 wrote to memory of 2744	2512	wcoredg.exe	32
PID 2744 wrote to memory of 2612	2744	wcoredg.exe	33
PID 2744 wrote to memory of 2612	2744	wcoredg.exe	33
PID 2744 wrote to memory of 2612	2744	wcoredg.exe	33
PID 2744 wrote to memory of 2612	2744	wcoredg.exe	33
PID 2612 wrote to memory of 2068	2612	wcoredg.exe	34
PID 2612 wrote to memory of 2068	2612	wcoredg.exe	34
PID 2612 wrote to memory of 2068	2612	wcoredg.exe	34
PID 2612 wrote to memory of 2068	2612	wcoredg.exe	34
PID 2612 wrote to memory of 2068	2612	wcoredg.exe	34
PID 2612 wrote to memory of 2068	2612	wcoredg.exe	34
PID 2612 wrote to memory of 2068	2612	wcoredg.exe	34
PID 2068 wrote to memory of 2608	2068	wcoredg.exe	35
PID 2068 wrote to memory of 2608	2068	wcoredg.exe	35
PID 2068 wrote to memory of 2608	2068	wcoredg.exe	35
PID 2068 wrote to memory of 2608	2068	wcoredg.exe	35
PID 2608 wrote to memory of 2012	2608	wcoredg.exe	36
PID 2608 wrote to memory of 2012	2608	wcoredg.exe	36
PID 2608 wrote to memory of 2012	2608	wcoredg.exe	36
PID 2608 wrote to memory of 2012	2608	wcoredg.exe	36
PID 2608 wrote to memory of 2012	2608	wcoredg.exe	36
PID 2608 wrote to memory of 2012	2608	wcoredg.exe	36
PID 2608 wrote to memory of 2012	2608	wcoredg.exe	36
PID 2012 wrote to memory of 1088	2012	wcoredg.exe	38
PID 2012 wrote to memory of 1088	2012	wcoredg.exe	38
PID 2012 wrote to memory of 1088	2012	wcoredg.exe	38
PID 2012 wrote to memory of 1088	2012	wcoredg.exe	38
PID 1088 wrote to memory of 2976	1088	wcoredg.exe	39
PID 1088 wrote to memory of 2976	1088	wcoredg.exe	39
PID 1088 wrote to memory of 2976	1088	wcoredg.exe	39
PID 1088 wrote to memory of 2976	1088	wcoredg.exe	39
PID 1088 wrote to memory of 2976	1088	wcoredg.exe	39
PID 1088 wrote to memory of 2976	1088	wcoredg.exe	39
PID 1088 wrote to memory of 2976	1088	wcoredg.exe	39
PID 2976 wrote to memory of 2904	2976	wcoredg.exe	40
PID 2976 wrote to memory of 2904	2976	wcoredg.exe	40
PID 2976 wrote to memory of 2904	2976	wcoredg.exe	40
PID 2976 wrote to memory of 2904	2976	wcoredg.exe	40
PID 2904 wrote to memory of 1312	2904	wcoredg.exe	41
PID 2904 wrote to memory of 1312	2904	wcoredg.exe	41
PID 2904 wrote to memory of 1312	2904	wcoredg.exe	41
PID 2904 wrote to memory of 1312	2904	wcoredg.exe	41
PID 2904 wrote to memory of 1312	2904	wcoredg.exe	41
PID 2904 wrote to memory of 1312	2904	wcoredg.exe	41
PID 2904 wrote to memory of 1312	2904	wcoredg.exe	41
PID 1312 wrote to memory of 1760	1312	wcoredg.exe	42
PID 1312 wrote to memory of 1760	1312	wcoredg.exe	42

C:\Users\Admin\AppData\Local\Temp\a1bdbd9dd382218492ae030ac5583d5b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a1bdbd9dd382218492ae030ac5583d5b_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Users\Admin\AppData\Local\Temp\a1bdbd9dd382218492ae030ac5583d5b_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a1bdbd9dd382218492ae030ac5583d5b_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\SysWOW64\wcoredg.exe
    "C:\Windows\system32\wcoredg.exe" C:\Users\Admin\AppData\Local\Temp\A1BDBD~1.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Windows\SysWOW64\wcoredg.exe
      "C:\Windows\SysWOW64\wcoredg.exe" C:\Users\Admin\AppData\Local\Temp\A1BDBD~1.EXE
      4⤵
      Deletes itself
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2612
      - C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:3052
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:688
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2032
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1864
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1828
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1552
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3056
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1924
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1992
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1576
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1956
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2360
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2820
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2628
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2660
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2772
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1476
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:852
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        34⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2368
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1676
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        36⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1328
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2056
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        38⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2572
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2192
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        40⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1288
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1608
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        42⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1348
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2100
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        44⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2080
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:556
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        46⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1788
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        48⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1624
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1916
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        50⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2536
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2148
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        52⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1956
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        54⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2804
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3000
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        56⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2908
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        58⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2648
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2132
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        60⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1308
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1772
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        62⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1264
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        64⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1988
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2236
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        66⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2116
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        67⤵
        Suspicious use of SetThreadContext
        
        PID:764
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        68⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2900
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        69⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2496
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        70⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2100
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        71⤵
        Suspicious use of SetThreadContext
        
        PID:936
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        72⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2500
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        73⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        74⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2344
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        75⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1916
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        76⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2412
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        77⤵
        Suspicious use of SetThreadContext
        
        PID:1968
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        78⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2788
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        79⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2732
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        80⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2860
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        81⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2172
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        83⤵
        Suspicious use of SetThreadContext
        
        PID:1056
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        84⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1108
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        85⤵
        Suspicious use of SetThreadContext
        
        PID:2844
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        86⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:840
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        87⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1196
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        88⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2956
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        89⤵
        Suspicious use of SetThreadContext
        
        PID:2700
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        90⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1944
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        91⤵
        Suspicious use of SetThreadContext
        
        PID:2248
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        92⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1792
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        93⤵
        Suspicious use of SetThreadContext
        
        PID:1396
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        94⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2060
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        95⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        96⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:856
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        97⤵
        Suspicious use of SetThreadContext
        
        PID:2444
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        98⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:944
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        99⤵
        Suspicious use of SetThreadContext
        
        PID:568
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        100⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3064
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        101⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        102⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1740
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        103⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1592
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        104⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1448
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        105⤵
        Suspicious use of SetThreadContext
        
        PID:2556
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        106⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2564
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        107⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2520
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        108⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2612
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        109⤵
        Suspicious use of SetThreadContext
        
        PID:2920
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        110⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2768
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        111⤵
        Suspicious use of SetThreadContext
        
        PID:1720
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        112⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2576
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        113⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1588
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        114⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1676
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        115⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1028
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        116⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2028
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        117⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:444
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        118⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:916
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        119⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        120⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1344
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        121⤵
        Suspicious use of SetThreadContext
        
        PID:1044
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        122⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1368
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        123⤵
        Suspicious use of SetThreadContext
        
        PID:1780
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        124⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1932
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        125⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:580
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        126⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:700
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        127⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2480
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        128⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1708
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        129⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        130⤵
        Drops file in System32 directory
        
        PID:2540
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        131⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        132⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        133⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        134⤵
        Drops file in System32 directory
        
        PID:2520
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        135⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        136⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        137⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        138⤵
        Drops file in System32 directory
        
        PID:2856
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:1772
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        140⤵
        Drops file in System32 directory
        
        PID:1196
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        141⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        143⤵
        
        PID:444
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        144⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        145⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        146⤵
        Drops file in System32 directory
        
        PID:2644
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        147⤵
        
        PID:672
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        148⤵
        Drops file in System32 directory
        
        PID:2548
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\system32\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        149⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\wcoredg.exe
        
        "C:\Windows\SysWOW64\wcoredg.exe" C:\Windows\SysWOW64\wcoredg.exe
        150⤵
        
        PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\wcoredg.exe

Filesize
267KB

MD5
a1bdbd9dd382218492ae030ac5583d5b

SHA1
e0a85cacf27bd38b868c23e000f35c757b2751ab

SHA256
f47cf6692d019d6858c76b9fb1876f6475bd17463ba6178472c5eec45a4caef8

SHA512
294f77494c66099d6f3d5c08e94310b5706178b172504019e084effc91cfaefcb486f461d79f4403a18f8c0fa3132a17fe28d3fd0efffaf195a86927582fba0d

Download Submit
memory/688-137-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/688-146-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/700-855-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/840-606-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/856-669-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/856-666-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/916-806-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/916-801-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/944-681-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1108-594-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1108-589-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1264-458-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1288-319-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1288-323-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1308-446-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1312-110-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1328-298-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1344-818-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1348-335-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1368-830-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1448-718-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1448-715-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1476-273-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1552-172-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1552-180-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1576-214-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1576-206-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1624-368-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1624-372-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1676-780-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1708-867-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1740-705-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1788-359-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1792-643-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1792-638-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1864-161-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1924-196-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1932-839-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1932-843-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1944-630-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1956-397-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1988-471-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1988-466-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2012-77-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2012-70-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2012-69-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2012-71-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2028-788-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2028-793-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2060-656-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2060-652-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2068-60-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2068-54-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2068-52-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2068-53-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2080-347-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2100-507-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2116-483-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2172-581-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2344-532-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2360-224-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2360-231-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2368-281-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2368-286-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2372-2-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2372-22-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2372-3-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2372-8-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2372-9-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2372-6-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2372-7-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2372-4-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2372-0-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2412-544-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2500-516-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2500-520-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2536-381-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2536-385-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2540-879-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2564-730-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2572-310-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2576-768-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2576-764-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2612-739-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2612-743-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2648-434-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2648-431-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2660-261-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2660-257-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2744-34-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2744-35-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2744-33-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2744-43-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2744-36-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2744-37-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2768-755-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2788-557-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2788-552-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2804-409-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2820-248-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2860-569-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2900-495-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2908-421-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2956-618-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2976-87-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2976-86-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2976-94-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3012-889-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3012-892-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3052-128-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3052-119-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3064-693-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download