metasploit | e67bd969561c76c94f277dce717a048bde9f3b22ee6c22b6c4d65decf1446dba

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-12-2024 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dbc3829eb9edf84754aec2e921b121db_JaffaCakes118.exe
Size

158KB
MD5

dbc3829eb9edf84754aec2e921b121db
SHA1

3c456e58346bd6765a6fa59d851d944f5e8c58fc
SHA256

e67bd969561c76c94f277dce717a048bde9f3b22ee6c22b6c4d65decf1446dba
SHA512

a934509925b2b8a29101f09236fcedb90d4c717eabde5268b1da62357a6a72319dfcc9de462c710c2b1725c813016cfacb9ec112a054a8d5690ca5589f363453
SSDEEP

3072:RUe7bPQSaI3zHILBLfovfuMVOgwKQLBhq+j5cqdIEPAGuclQ:B7USSBLgunh98+j5/IEPHucQ

Score

10^/10

metasploit backdoor discovery trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Checks computer location settings 2 TTPs 40 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	dbc3829eb9edf84754aec2e921b121db_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	MsDbClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	MsDbClient.exe

Deletes itself 1 IoCs

pid	Process
2188	MsDbClient.exe

Executes dropped EXE 64 IoCs

pid	Process
2020	MsDbClient.exe
2188	MsDbClient.exe
324	MsDbClient.exe
440	MsDbClient.exe
4644	MsDbClient.exe
2956	MsDbClient.exe
3632	MsDbClient.exe
4068	MsDbClient.exe
4700	MsDbClient.exe
1180	MsDbClient.exe
2664	MsDbClient.exe
1128	MsDbClient.exe
4268	MsDbClient.exe
4760	MsDbClient.exe
4060	MsDbClient.exe
436	MsDbClient.exe
2772	MsDbClient.exe
2756	MsDbClient.exe
2652	MsDbClient.exe
5012	MsDbClient.exe
1004	MsDbClient.exe
3432	MsDbClient.exe
3468	MsDbClient.exe
3484	MsDbClient.exe
2984	MsDbClient.exe
1696	MsDbClient.exe
2540	MsDbClient.exe
1400	MsDbClient.exe
756	MsDbClient.exe
3148	MsDbClient.exe
2236	MsDbClient.exe
2444	MsDbClient.exe
2624	MsDbClient.exe
1348	MsDbClient.exe
1520	MsDbClient.exe
4140	MsDbClient.exe
4284	MsDbClient.exe
4464	MsDbClient.exe
3704	MsDbClient.exe
3208	MsDbClient.exe
1592	MsDbClient.exe
400	MsDbClient.exe
3616	MsDbClient.exe
2460	MsDbClient.exe
3840	MsDbClient.exe
544	MsDbClient.exe
1308	MsDbClient.exe
1964	MsDbClient.exe
5068	MsDbClient.exe
3468	MsDbClient.exe
2584	MsDbClient.exe
752	MsDbClient.exe
2164	MsDbClient.exe
648	MsDbClient.exe
2328	MsDbClient.exe
4004	MsDbClient.exe
1104	MsDbClient.exe
1912	MsDbClient.exe
2908	MsDbClient.exe
4844	MsDbClient.exe
5044	MsDbClient.exe
2356	MsDbClient.exe
4340	MsDbClient.exe
3292	MsDbClient.exe

Maps connected drives based on registry 3 TTPs 64 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	dbc3829eb9edf84754aec2e921b121db_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	dbc3829eb9edf84754aec2e921b121db_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	dbc3829eb9edf84754aec2e921b121db_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	dbc3829eb9edf84754aec2e921b121db_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File opened for modification	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe
File created	C:\Windows\SysWOW64\MsDbClient.exe	MsDbClient.exe

Suspicious use of SetThreadContext 40 IoCs

description	pid	Process	procid_target
PID 3456 set thread context of 636	3456	dbc3829eb9edf84754aec2e921b121db_JaffaCakes118.exe	83
PID 2020 set thread context of 2188	2020	MsDbClient.exe	86
PID 324 set thread context of 440	324	MsDbClient.exe	93
PID 4644 set thread context of 2956	4644	MsDbClient.exe	97
PID 3632 set thread context of 4068	3632	MsDbClient.exe	103
PID 4700 set thread context of 1180	4700	MsDbClient.exe	105
PID 2664 set thread context of 1128	2664	MsDbClient.exe	107
PID 4268 set thread context of 4760	4268	MsDbClient.exe	109
PID 4060 set thread context of 436	4060	MsDbClient.exe	113
PID 2772 set thread context of 2756	2772	MsDbClient.exe	116
PID 2652 set thread context of 5012	2652	MsDbClient.exe	118
PID 1004 set thread context of 3432	1004	MsDbClient.exe	120
PID 3468 set thread context of 3484	3468	MsDbClient.exe	122
PID 2984 set thread context of 1696	2984	MsDbClient.exe	124
PID 2540 set thread context of 1400	2540	MsDbClient.exe	126
PID 756 set thread context of 3148	756	MsDbClient.exe	128
PID 2236 set thread context of 2444	2236	MsDbClient.exe	130
PID 2624 set thread context of 1348	2624	MsDbClient.exe	133
PID 1520 set thread context of 4140	1520	MsDbClient.exe	135
PID 4284 set thread context of 4464	4284	MsDbClient.exe	137
PID 3704 set thread context of 3208	3704	MsDbClient.exe	139
PID 1592 set thread context of 400	1592	MsDbClient.exe	141
PID 3616 set thread context of 2460	3616	MsDbClient.exe	143
PID 3840 set thread context of 544	3840	MsDbClient.exe	145
PID 1308 set thread context of 1964	1308	MsDbClient.exe	147
PID 5068 set thread context of 3468	5068	MsDbClient.exe	149
PID 2584 set thread context of 752	2584	MsDbClient.exe	151
PID 2164 set thread context of 648	2164	MsDbClient.exe	153
PID 2328 set thread context of 4004	2328	MsDbClient.exe	155
PID 1104 set thread context of 1912	1104	MsDbClient.exe	157
PID 2908 set thread context of 4844	2908	MsDbClient.exe	159
PID 5044 set thread context of 2356	5044	MsDbClient.exe	161
PID 4340 set thread context of 3292	4340	MsDbClient.exe	163
PID 1660 set thread context of 3400	1660	MsDbClient.exe	165
PID 4276 set thread context of 2380	4276	MsDbClient.exe	167
PID 2440 set thread context of 1756	2440	MsDbClient.exe	169
PID 4880 set thread context of 1544	4880	MsDbClient.exe	171
PID 2504 set thread context of 3640	2504	MsDbClient.exe	173
PID 3616 set thread context of 1652	3616	MsDbClient.exe	175
PID 2256 set thread context of 4680	2256	MsDbClient.exe	177

UPX packed file 48 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/636-0-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/636-2-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/636-3-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/636-4-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/636-38-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2188-45-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2188-44-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2188-43-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2188-47-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/440-54-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2956-60-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/4068-69-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/1180-77-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/1128-84-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/4760-91-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/436-97-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2756-102-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2756-103-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2756-106-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/5012-113-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3432-120-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3484-129-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/1696-137-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/1400-145-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3148-154-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2444-162-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/1348-170-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/4140-178-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/4464-186-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3208-194-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/400-202-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2460-210-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/544-217-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/1964-223-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3468-229-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/752-235-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/648-241-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/4004-247-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/1912-253-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/4844-259-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2356-265-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3292-271-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3400-277-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2380-283-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/1756-289-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/1544-295-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3640-301-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/1652-307-0x0000000000400000-0x000000000046C000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dbc3829eb9edf84754aec2e921b121db_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsDbClient.exe

Modifies registry class 40 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	dbc3829eb9edf84754aec2e921b121db_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsDbClient.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
636	dbc3829eb9edf84754aec2e921b121db_JaffaCakes118.exe
636	dbc3829eb9edf84754aec2e921b121db_JaffaCakes118.exe
2188	MsDbClient.exe
2188	MsDbClient.exe
440	MsDbClient.exe
440	MsDbClient.exe
2956	MsDbClient.exe
2956	MsDbClient.exe
4068	MsDbClient.exe
4068	MsDbClient.exe
1180	MsDbClient.exe
1180	MsDbClient.exe
1128	MsDbClient.exe
1128	MsDbClient.exe
4760	MsDbClient.exe
4760	MsDbClient.exe
436	MsDbClient.exe
436	MsDbClient.exe
2756	MsDbClient.exe
2756	MsDbClient.exe
5012	MsDbClient.exe
5012	MsDbClient.exe
3432	MsDbClient.exe
3432	MsDbClient.exe
3484	MsDbClient.exe
3484	MsDbClient.exe
1696	MsDbClient.exe
1696	MsDbClient.exe
1400	MsDbClient.exe
1400	MsDbClient.exe
3148	MsDbClient.exe
3148	MsDbClient.exe
2444	MsDbClient.exe
2444	MsDbClient.exe
1348	MsDbClient.exe
1348	MsDbClient.exe
4140	MsDbClient.exe
4140	MsDbClient.exe
4464	MsDbClient.exe
4464	MsDbClient.exe
3208	MsDbClient.exe
3208	MsDbClient.exe
400	MsDbClient.exe
400	MsDbClient.exe
2460	MsDbClient.exe
2460	MsDbClient.exe
544	MsDbClient.exe
544	MsDbClient.exe
1964	MsDbClient.exe
1964	MsDbClient.exe
3468	MsDbClient.exe
3468	MsDbClient.exe
752	MsDbClient.exe
752	MsDbClient.exe
648	MsDbClient.exe
648	MsDbClient.exe
4004	MsDbClient.exe
4004	MsDbClient.exe
1912	MsDbClient.exe
1912	MsDbClient.exe
4844	MsDbClient.exe
4844	MsDbClient.exe
2356	MsDbClient.exe
2356	MsDbClient.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3456 wrote to memory of 636	3456	dbc3829eb9edf84754aec2e921b121db_JaffaCakes118.exe	83
PID 3456 wrote to memory of 636	3456	dbc3829eb9edf84754aec2e921b121db_JaffaCakes118.exe	83
PID 3456 wrote to memory of 636	3456	dbc3829eb9edf84754aec2e921b121db_JaffaCakes118.exe	83
PID 3456 wrote to memory of 636	3456	dbc3829eb9edf84754aec2e921b121db_JaffaCakes118.exe	83
PID 3456 wrote to memory of 636	3456	dbc3829eb9edf84754aec2e921b121db_JaffaCakes118.exe	83
PID 3456 wrote to memory of 636	3456	dbc3829eb9edf84754aec2e921b121db_JaffaCakes118.exe	83
PID 3456 wrote to memory of 636	3456	dbc3829eb9edf84754aec2e921b121db_JaffaCakes118.exe	83
PID 636 wrote to memory of 2020	636	dbc3829eb9edf84754aec2e921b121db_JaffaCakes118.exe	85
PID 636 wrote to memory of 2020	636	dbc3829eb9edf84754aec2e921b121db_JaffaCakes118.exe	85
PID 636 wrote to memory of 2020	636	dbc3829eb9edf84754aec2e921b121db_JaffaCakes118.exe	85
PID 2020 wrote to memory of 2188	2020	MsDbClient.exe	86
PID 2020 wrote to memory of 2188	2020	MsDbClient.exe	86
PID 2020 wrote to memory of 2188	2020	MsDbClient.exe	86
PID 2020 wrote to memory of 2188	2020	MsDbClient.exe	86
PID 2020 wrote to memory of 2188	2020	MsDbClient.exe	86
PID 2020 wrote to memory of 2188	2020	MsDbClient.exe	86
PID 2020 wrote to memory of 2188	2020	MsDbClient.exe	86
PID 2188 wrote to memory of 324	2188	MsDbClient.exe	89
PID 2188 wrote to memory of 324	2188	MsDbClient.exe	89
PID 2188 wrote to memory of 324	2188	MsDbClient.exe	89
PID 324 wrote to memory of 440	324	MsDbClient.exe	93
PID 324 wrote to memory of 440	324	MsDbClient.exe	93
PID 324 wrote to memory of 440	324	MsDbClient.exe	93
PID 324 wrote to memory of 440	324	MsDbClient.exe	93
PID 324 wrote to memory of 440	324	MsDbClient.exe	93
PID 324 wrote to memory of 440	324	MsDbClient.exe	93
PID 324 wrote to memory of 440	324	MsDbClient.exe	93
PID 440 wrote to memory of 4644	440	MsDbClient.exe	96
PID 440 wrote to memory of 4644	440	MsDbClient.exe	96
PID 440 wrote to memory of 4644	440	MsDbClient.exe	96
PID 4644 wrote to memory of 2956	4644	MsDbClient.exe	97
PID 4644 wrote to memory of 2956	4644	MsDbClient.exe	97
PID 4644 wrote to memory of 2956	4644	MsDbClient.exe	97
PID 4644 wrote to memory of 2956	4644	MsDbClient.exe	97
PID 4644 wrote to memory of 2956	4644	MsDbClient.exe	97
PID 4644 wrote to memory of 2956	4644	MsDbClient.exe	97
PID 4644 wrote to memory of 2956	4644	MsDbClient.exe	97
PID 2956 wrote to memory of 3632	2956	MsDbClient.exe	102
PID 2956 wrote to memory of 3632	2956	MsDbClient.exe	102
PID 2956 wrote to memory of 3632	2956	MsDbClient.exe	102
PID 3632 wrote to memory of 4068	3632	MsDbClient.exe	103
PID 3632 wrote to memory of 4068	3632	MsDbClient.exe	103
PID 3632 wrote to memory of 4068	3632	MsDbClient.exe	103
PID 3632 wrote to memory of 4068	3632	MsDbClient.exe	103
PID 3632 wrote to memory of 4068	3632	MsDbClient.exe	103
PID 3632 wrote to memory of 4068	3632	MsDbClient.exe	103
PID 3632 wrote to memory of 4068	3632	MsDbClient.exe	103
PID 4068 wrote to memory of 4700	4068	MsDbClient.exe	104
PID 4068 wrote to memory of 4700	4068	MsDbClient.exe	104
PID 4068 wrote to memory of 4700	4068	MsDbClient.exe	104
PID 4700 wrote to memory of 1180	4700	MsDbClient.exe	105
PID 4700 wrote to memory of 1180	4700	MsDbClient.exe	105
PID 4700 wrote to memory of 1180	4700	MsDbClient.exe	105
PID 4700 wrote to memory of 1180	4700	MsDbClient.exe	105
PID 4700 wrote to memory of 1180	4700	MsDbClient.exe	105
PID 4700 wrote to memory of 1180	4700	MsDbClient.exe	105
PID 4700 wrote to memory of 1180	4700	MsDbClient.exe	105
PID 1180 wrote to memory of 2664	1180	MsDbClient.exe	106
PID 1180 wrote to memory of 2664	1180	MsDbClient.exe	106
PID 1180 wrote to memory of 2664	1180	MsDbClient.exe	106
PID 2664 wrote to memory of 1128	2664	MsDbClient.exe	107
PID 2664 wrote to memory of 1128	2664	MsDbClient.exe	107
PID 2664 wrote to memory of 1128	2664	MsDbClient.exe	107
PID 2664 wrote to memory of 1128	2664	MsDbClient.exe	107

C:\Users\Admin\AppData\Local\Temp\dbc3829eb9edf84754aec2e921b121db_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dbc3829eb9edf84754aec2e921b121db_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3456
- C:\Users\Admin\AppData\Local\Temp\dbc3829eb9edf84754aec2e921b121db_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\dbc3829eb9edf84754aec2e921b121db_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:636
- - C:\Windows\SysWOW64\MsDbClient.exe
    "C:\Windows\system32\MsDbClient.exe" C:\Users\Admin\AppData\Local\Temp\DBC382~1.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2020
  - - C:\Windows\SysWOW64\MsDbClient.exe
      "C:\Windows\SysWOW64\MsDbClient.exe" C:\Users\Admin\AppData\Local\Temp\DBC382~1.EXE
      4⤵
      Checks computer location settings
      Deletes itself
      Executes dropped EXE
      Maps connected drives based on registry
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2188
    - - C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:324
      - C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4644
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4700
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1128
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4268
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4760
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4060
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:436
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2756
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2652
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:5012
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1004
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3432
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3468
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3484
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1696
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2540
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1400
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:756
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3148
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2236
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2444
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1348
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1520
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4140
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4284
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4464
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3704
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3208
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1592
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:400
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3616
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2460
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3840
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:544
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1308
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1964
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5068
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3468
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        54⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:752
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        56⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:648
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2328
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4004
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1104
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        60⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1912
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2908
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        62⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4844
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5044
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        64⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2356
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4340
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        66⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3292
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        67⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1660
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        68⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3400
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        69⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4276
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        70⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        71⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2440
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        72⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        73⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4880
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        74⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1544
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        75⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2504
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        76⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        77⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3616
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        78⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\system32\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        79⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2256
        
        C:\Windows\SysWOW64\MsDbClient.exe
        
        "C:\Windows\SysWOW64\MsDbClient.exe" C:\Windows\SysWOW64\MSDBCL~1.EXE
        80⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\MsDbClient.exe

Filesize
158KB

MD5
dbc3829eb9edf84754aec2e921b121db

SHA1
3c456e58346bd6765a6fa59d851d944f5e8c58fc

SHA256
e67bd969561c76c94f277dce717a048bde9f3b22ee6c22b6c4d65decf1446dba

SHA512
a934509925b2b8a29101f09236fcedb90d4c717eabde5268b1da62357a6a72319dfcc9de462c710c2b1725c813016cfacb9ec112a054a8d5690ca5589f363453

Download Submit
memory/400-202-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/436-97-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/440-54-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/544-217-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/636-38-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/636-0-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/636-2-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/636-3-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/636-4-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/648-241-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/752-235-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1128-84-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1180-77-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1348-170-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1400-145-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1544-295-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1652-307-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1696-137-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1756-289-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1912-253-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1964-223-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2188-44-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2188-45-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2188-47-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2188-43-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2356-265-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2380-283-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2444-162-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2460-210-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2756-103-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2756-106-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2756-102-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2956-60-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3148-154-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3208-194-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3292-271-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3400-277-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3432-120-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3468-229-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3484-129-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3640-301-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4004-247-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4068-69-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4140-178-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4464-186-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4760-91-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4844-259-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5012-113-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download