metasploit | ca0fcea9b0c53ccd48a53f54d28288c1553b837a216be00163a56a348ebd3401

Analysis

max time kernel
149s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-12-2024 17:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f51be466fe0103c6b29596054bc962ee_JaffaCakes118.exe
Size

161KB
MD5

f51be466fe0103c6b29596054bc962ee
SHA1

4a0a3ab920069f05ed889f23dce32cef92bb8b7a
SHA256

ca0fcea9b0c53ccd48a53f54d28288c1553b837a216be00163a56a348ebd3401
SHA512

f2ac31a2ec9fa858b6f43807732c5837997f1a0e0890f4f3dd3ad819c5d2ee5c5c622f9d499ca7ac73a0db4ccf17fef60bac677d94e71a0cd6d91b1416cffa05
SSDEEP

3072:HaQR1ahRGxO7yFDWenXF9fy0Gd7oT6QGlVp1304RnYDAlg/yMYE:HaQREhRGxfFDLFFyBnX3041s/jD

Score

10^/10

metasploit backdoor discovery trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Checks computer location settings 2 TTPs 37 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	MsPcClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	MsPcClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	MsPcClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	MsPcClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	MsPcClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	MsPcClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	MsPcClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	MsPcClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	MsPcClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	MsPcClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	MsPcClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	MsPcClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	MsPcClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	MsPcClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	MsPcClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	MsPcClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	MsPcClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	MsPcClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	MsPcClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	MsPcClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	MsPcClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	MsPcClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	MsPcClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	MsPcClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	MsPcClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	MsPcClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	MsPcClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	MsPcClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	MsPcClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	MsPcClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	MsPcClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	MsPcClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	MsPcClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	MsPcClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	MsPcClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	f51be466fe0103c6b29596054bc962ee_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	MsPcClient.exe

Deletes itself 1 IoCs

pid	Process
3928	MsPcClient.exe

Executes dropped EXE 64 IoCs

pid	Process
2832	MsPcClient.exe
3928	MsPcClient.exe
1940	MsPcClient.exe
3560	MsPcClient.exe
1740	MsPcClient.exe
1500	MsPcClient.exe
872	MsPcClient.exe
2256	MsPcClient.exe
4776	MsPcClient.exe
2348	MsPcClient.exe
4168	MsPcClient.exe
1320	MsPcClient.exe
2152	MsPcClient.exe
2368	MsPcClient.exe
5084	MsPcClient.exe
2840	MsPcClient.exe
3848	MsPcClient.exe
3552	MsPcClient.exe
3996	MsPcClient.exe
1848	MsPcClient.exe
3356	MsPcClient.exe
4860	MsPcClient.exe
2088	MsPcClient.exe
2636	MsPcClient.exe
2804	MsPcClient.exe
1088	MsPcClient.exe
4848	MsPcClient.exe
2904	MsPcClient.exe
1028	MsPcClient.exe
2940	MsPcClient.exe
1436	MsPcClient.exe
3688	MsPcClient.exe
4444	MsPcClient.exe
4736	MsPcClient.exe
2944	MsPcClient.exe
4760	MsPcClient.exe
2776	MsPcClient.exe
2244	MsPcClient.exe
4212	MsPcClient.exe
4912	MsPcClient.exe
952	MsPcClient.exe
1756	MsPcClient.exe
4384	MsPcClient.exe
1264	MsPcClient.exe
2328	MsPcClient.exe
4032	MsPcClient.exe
3996	MsPcClient.exe
1664	MsPcClient.exe
1484	MsPcClient.exe
4596	MsPcClient.exe
1984	MsPcClient.exe
2088	MsPcClient.exe
1184	MsPcClient.exe
1564	MsPcClient.exe
4304	MsPcClient.exe
2836	MsPcClient.exe
808	MsPcClient.exe
4424	MsPcClient.exe
4780	MsPcClient.exe
1216	MsPcClient.exe
1944	MsPcClient.exe
4164	MsPcClient.exe
3836	MsPcClient.exe
3328	MsPcClient.exe

Maps connected drives based on registry 3 TTPs 64 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPcClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPcClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPcClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPcClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPcClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPcClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPcClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPcClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPcClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPcClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	f51be466fe0103c6b29596054bc962ee_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPcClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPcClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	f51be466fe0103c6b29596054bc962ee_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPcClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	f51be466fe0103c6b29596054bc962ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	f51be466fe0103c6b29596054bc962ee_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe

Suspicious use of SetThreadContext 38 IoCs

description	pid	Process	procid_target
PID 1068 set thread context of 3608	1068	f51be466fe0103c6b29596054bc962ee_JaffaCakes118.exe	84
PID 2832 set thread context of 3928	2832	MsPcClient.exe	86
PID 1940 set thread context of 3560	1940	MsPcClient.exe	88
PID 1740 set thread context of 1500	1740	MsPcClient.exe	94
PID 872 set thread context of 2256	872	MsPcClient.exe	97
PID 4776 set thread context of 2348	4776	MsPcClient.exe	101
PID 4168 set thread context of 1320	4168	MsPcClient.exe	103
PID 2152 set thread context of 2368	2152	MsPcClient.exe	105
PID 5084 set thread context of 2840	5084	MsPcClient.exe	108
PID 3848 set thread context of 3552	3848	MsPcClient.exe	111
PID 3996 set thread context of 1848	3996	MsPcClient.exe	113
PID 3356 set thread context of 4860	3356	MsPcClient.exe	115
PID 2088 set thread context of 2636	2088	MsPcClient.exe	117
PID 2804 set thread context of 1088	2804	MsPcClient.exe	119
PID 4848 set thread context of 2904	4848	MsPcClient.exe	121
PID 1028 set thread context of 2940	1028	MsPcClient.exe	123
PID 1436 set thread context of 3688	1436	MsPcClient.exe	125
PID 4444 set thread context of 4736	4444	MsPcClient.exe	127
PID 2944 set thread context of 4760	2944	MsPcClient.exe	129
PID 2776 set thread context of 2244	2776	MsPcClient.exe	131
PID 4212 set thread context of 4912	4212	MsPcClient.exe	133
PID 952 set thread context of 1756	952	MsPcClient.exe	135
PID 4384 set thread context of 1264	4384	MsPcClient.exe	137
PID 2328 set thread context of 4032	2328	MsPcClient.exe	139
PID 3996 set thread context of 1664	3996	MsPcClient.exe	141
PID 1484 set thread context of 4596	1484	MsPcClient.exe	143
PID 1984 set thread context of 2088	1984	MsPcClient.exe	145
PID 1184 set thread context of 1564	1184	MsPcClient.exe	147
PID 4304 set thread context of 2836	4304	MsPcClient.exe	149
PID 808 set thread context of 4424	808	MsPcClient.exe	151
PID 4780 set thread context of 1216	4780	MsPcClient.exe	153
PID 1944 set thread context of 4164	1944	MsPcClient.exe	155
PID 3836 set thread context of 3328	3836	MsPcClient.exe	157
PID 3184 set thread context of 2364	3184	MsPcClient.exe	159
PID 1128 set thread context of 3412	1128	MsPcClient.exe	161
PID 2232 set thread context of 1768	2232	MsPcClient.exe	163
PID 2884 set thread context of 2452	2884	MsPcClient.exe	165
PID 2076 set thread context of 2136	2076	MsPcClient.exe	167

UPX packed file 44 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3608-0-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/3608-2-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/3608-3-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/3608-4-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/3608-38-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/3928-43-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/3928-44-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/3928-45-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/3928-49-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/3560-55-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1500-62-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/2256-69-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/2348-75-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1320-82-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/2368-93-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/2840-99-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/3552-105-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1848-112-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/4860-121-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/2636-130-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1088-138-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/2904-147-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/2940-155-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/3688-164-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/4736-172-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/4760-180-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/2244-188-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/4912-196-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1756-205-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1264-213-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/4032-220-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1664-226-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/4596-232-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/2088-238-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1564-244-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/2836-250-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/4424-256-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1216-262-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/4164-268-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/3328-274-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/2364-280-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/3412-286-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/1768-292-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/2452-298-0x0000000000400000-0x000000000046B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f51be466fe0103c6b29596054bc962ee_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe

Modifies registry class 37 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	f51be466fe0103c6b29596054bc962ee_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPcClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPcClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPcClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPcClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPcClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPcClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPcClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPcClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPcClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPcClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPcClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPcClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPcClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPcClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPcClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPcClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPcClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPcClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPcClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPcClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPcClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPcClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPcClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPcClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPcClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPcClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPcClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPcClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPcClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPcClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPcClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPcClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPcClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPcClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPcClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsPcClient.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1068 wrote to memory of 3608	1068	f51be466fe0103c6b29596054bc962ee_JaffaCakes118.exe	84
PID 1068 wrote to memory of 3608	1068	f51be466fe0103c6b29596054bc962ee_JaffaCakes118.exe	84
PID 1068 wrote to memory of 3608	1068	f51be466fe0103c6b29596054bc962ee_JaffaCakes118.exe	84
PID 1068 wrote to memory of 3608	1068	f51be466fe0103c6b29596054bc962ee_JaffaCakes118.exe	84
PID 1068 wrote to memory of 3608	1068	f51be466fe0103c6b29596054bc962ee_JaffaCakes118.exe	84
PID 1068 wrote to memory of 3608	1068	f51be466fe0103c6b29596054bc962ee_JaffaCakes118.exe	84
PID 1068 wrote to memory of 3608	1068	f51be466fe0103c6b29596054bc962ee_JaffaCakes118.exe	84
PID 3608 wrote to memory of 2832	3608	f51be466fe0103c6b29596054bc962ee_JaffaCakes118.exe	85
PID 3608 wrote to memory of 2832	3608	f51be466fe0103c6b29596054bc962ee_JaffaCakes118.exe	85
PID 3608 wrote to memory of 2832	3608	f51be466fe0103c6b29596054bc962ee_JaffaCakes118.exe	85
PID 2832 wrote to memory of 3928	2832	MsPcClient.exe	86
PID 2832 wrote to memory of 3928	2832	MsPcClient.exe	86
PID 2832 wrote to memory of 3928	2832	MsPcClient.exe	86
PID 2832 wrote to memory of 3928	2832	MsPcClient.exe	86
PID 2832 wrote to memory of 3928	2832	MsPcClient.exe	86
PID 2832 wrote to memory of 3928	2832	MsPcClient.exe	86
PID 2832 wrote to memory of 3928	2832	MsPcClient.exe	86
PID 3928 wrote to memory of 1940	3928	MsPcClient.exe	87
PID 3928 wrote to memory of 1940	3928	MsPcClient.exe	87
PID 3928 wrote to memory of 1940	3928	MsPcClient.exe	87
PID 1940 wrote to memory of 3560	1940	MsPcClient.exe	88
PID 1940 wrote to memory of 3560	1940	MsPcClient.exe	88
PID 1940 wrote to memory of 3560	1940	MsPcClient.exe	88
PID 1940 wrote to memory of 3560	1940	MsPcClient.exe	88
PID 1940 wrote to memory of 3560	1940	MsPcClient.exe	88
PID 1940 wrote to memory of 3560	1940	MsPcClient.exe	88
PID 1940 wrote to memory of 3560	1940	MsPcClient.exe	88
PID 3560 wrote to memory of 1740	3560	MsPcClient.exe	93
PID 3560 wrote to memory of 1740	3560	MsPcClient.exe	93
PID 3560 wrote to memory of 1740	3560	MsPcClient.exe	93
PID 1740 wrote to memory of 1500	1740	MsPcClient.exe	94
PID 1740 wrote to memory of 1500	1740	MsPcClient.exe	94
PID 1740 wrote to memory of 1500	1740	MsPcClient.exe	94
PID 1740 wrote to memory of 1500	1740	MsPcClient.exe	94
PID 1740 wrote to memory of 1500	1740	MsPcClient.exe	94
PID 1740 wrote to memory of 1500	1740	MsPcClient.exe	94
PID 1740 wrote to memory of 1500	1740	MsPcClient.exe	94
PID 1500 wrote to memory of 872	1500	MsPcClient.exe	96
PID 1500 wrote to memory of 872	1500	MsPcClient.exe	96
PID 1500 wrote to memory of 872	1500	MsPcClient.exe	96
PID 872 wrote to memory of 2256	872	MsPcClient.exe	97
PID 872 wrote to memory of 2256	872	MsPcClient.exe	97
PID 872 wrote to memory of 2256	872	MsPcClient.exe	97
PID 872 wrote to memory of 2256	872	MsPcClient.exe	97
PID 872 wrote to memory of 2256	872	MsPcClient.exe	97
PID 872 wrote to memory of 2256	872	MsPcClient.exe	97
PID 872 wrote to memory of 2256	872	MsPcClient.exe	97
PID 2256 wrote to memory of 4776	2256	MsPcClient.exe	100
PID 2256 wrote to memory of 4776	2256	MsPcClient.exe	100
PID 2256 wrote to memory of 4776	2256	MsPcClient.exe	100
PID 4776 wrote to memory of 2348	4776	MsPcClient.exe	101
PID 4776 wrote to memory of 2348	4776	MsPcClient.exe	101
PID 4776 wrote to memory of 2348	4776	MsPcClient.exe	101
PID 4776 wrote to memory of 2348	4776	MsPcClient.exe	101
PID 4776 wrote to memory of 2348	4776	MsPcClient.exe	101
PID 4776 wrote to memory of 2348	4776	MsPcClient.exe	101
PID 4776 wrote to memory of 2348	4776	MsPcClient.exe	101
PID 2348 wrote to memory of 4168	2348	MsPcClient.exe	102
PID 2348 wrote to memory of 4168	2348	MsPcClient.exe	102
PID 2348 wrote to memory of 4168	2348	MsPcClient.exe	102
PID 4168 wrote to memory of 1320	4168	MsPcClient.exe	103
PID 4168 wrote to memory of 1320	4168	MsPcClient.exe	103
PID 4168 wrote to memory of 1320	4168	MsPcClient.exe	103
PID 4168 wrote to memory of 1320	4168	MsPcClient.exe	103

C:\Users\Admin\AppData\Local\Temp\f51be466fe0103c6b29596054bc962ee_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f51be466fe0103c6b29596054bc962ee_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1068
- C:\Users\Admin\AppData\Local\Temp\f51be466fe0103c6b29596054bc962ee_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f51be466fe0103c6b29596054bc962ee_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3608
- - C:\Windows\SysWOW64\MsPcClient.exe
    "C:\Windows\system32\MsPcClient.exe" C:\Users\Admin\AppData\Local\Temp\F51BE4~1.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Windows\SysWOW64\MsPcClient.exe
      "C:\Windows\SysWOW64\MsPcClient.exe" C:\Users\Admin\AppData\Local\Temp\F51BE4~1.EXE
      4⤵
      Checks computer location settings
      Deletes itself
      Executes dropped EXE
      Maps connected drives based on registry
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3928
    - - C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1940
      - C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3560
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4168
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1320
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2152
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5084
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:2840
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3848
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:3552
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3996
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1848
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3356
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:4860
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2088
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2804
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1088
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4848
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2904
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1028
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1436
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3688
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4444
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4736
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2244
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4212
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:952
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4384
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1264
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4032
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3996
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1664
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1484
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1984
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        54⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1184
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        56⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4304
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:2836
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:808
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        60⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4424
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4780
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        62⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1216
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        64⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4164
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3836
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        66⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3328
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        67⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3184
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        68⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        69⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1128
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        70⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3412
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        71⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2232
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        72⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1768
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        73⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        74⤵
        Checks computer location settings
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        75⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        76⤵
        
        PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\MsPcClient.exe

Filesize
161KB

MD5
f51be466fe0103c6b29596054bc962ee

SHA1
4a0a3ab920069f05ed889f23dce32cef92bb8b7a

SHA256
ca0fcea9b0c53ccd48a53f54d28288c1553b837a216be00163a56a348ebd3401

SHA512
f2ac31a2ec9fa858b6f43807732c5837997f1a0e0890f4f3dd3ad819c5d2ee5c5c622f9d499ca7ac73a0db4ccf17fef60bac677d94e71a0cd6d91b1416cffa05

Download Submit
memory/1088-138-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1216-262-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1264-213-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1320-82-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1500-62-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1564-244-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1664-226-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1756-205-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1768-292-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1848-112-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2088-238-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2244-188-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2256-69-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2348-75-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2364-280-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2368-93-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2452-298-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2636-130-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2836-250-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2840-99-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2904-147-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2940-155-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3328-274-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3412-286-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3552-105-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3560-55-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3608-4-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3608-2-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3608-38-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3608-0-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3608-3-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3688-164-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3928-44-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3928-43-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3928-49-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3928-45-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4032-220-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4164-268-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4424-256-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4596-232-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4736-172-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4760-180-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4860-121-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4912-196-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads