metasploit | 9f336e98af84d2d1d8368371bd318515efdad7649416c1ae12cdc4a3052f3b8e

Analysis

max time kernel
105s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2025, 10:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_b9b2fb1adbb9dfb171bf51986ffe3615.exe
Size

123KB
MD5

b9b2fb1adbb9dfb171bf51986ffe3615
SHA1

7596693efb330a26b8cdac271075d6e7b9c266f9
SHA256

9f336e98af84d2d1d8368371bd318515efdad7649416c1ae12cdc4a3052f3b8e
SHA512

fd6a4d046773c214c637d1ae4bd06b2b6121d93df96512d3b55e95f2892e05ae6547aa426dc7c4722ca75965e4ffe4d3a6ca5e5ade98a35ecf882e0079cff8bf
SSDEEP

1536:eEqja03dxWScn3fMzWqFP9IroQfyGCW9BIS2DJ456tK1U0yUmozcoKjFZ+p5PDFm:+X36ScnPMCqFurzf3BzH6Wxlcts3Q

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Deletes itself 1 IoCs

pid	Process
3792	msddll.exe

Executes dropped EXE 60 IoCs

pid	Process
2264	msddll.exe
4704	msddll.exe
3488	msddll.exe
2880	msddll.exe
776	msddll.exe
2572	msddll.exe
2304	msddll.exe
3792	msddll.exe
752	msddll.exe
1436	msddll.exe
4752	msddll.exe
1492	msddll.exe
5048	msddll.exe
2380	msddll.exe
3520	msddll.exe
5020	msddll.exe
916	msddll.exe
3824	msddll.exe
3612	msddll.exe
1340	msddll.exe
4876	msddll.exe
4528	msddll.exe
3120	msddll.exe
3728	msddll.exe
3732	msddll.exe
4388	msddll.exe
4648	msddll.exe
3784	msddll.exe
4460	msddll.exe
4228	msddll.exe
1672	msddll.exe
4684	msddll.exe
4232	msddll.exe
3956	msddll.exe
2132	msddll.exe
1640	msddll.exe
4564	msddll.exe
3292	msddll.exe
1240	msddll.exe
736	msddll.exe
2952	msddll.exe
1936	msddll.exe
1620	msddll.exe
4896	msddll.exe
912	msddll.exe
4692	msddll.exe
4308	msddll.exe
3320	msddll.exe
3228	msddll.exe
432	msddll.exe
4276	msddll.exe
4700	msddll.exe
584	msddll.exe
2620	msddll.exe
2868	msddll.exe
208	msddll.exe
1468	msddll.exe
4072	msddll.exe
5060	msddll.exe
2184	msddll.exe

Suspicious use of SetThreadContext 31 IoCs

description	pid	Process	procid_target
PID 4276 set thread context of 4556	4276	JaffaCakes118_b9b2fb1adbb9dfb171bf51986ffe3615.exe	87
PID 2264 set thread context of 4704	2264	msddll.exe	90
PID 3488 set thread context of 2880	3488	msddll.exe	93
PID 776 set thread context of 2572	776	msddll.exe	95
PID 2304 set thread context of 3792	2304	msddll.exe	97
PID 752 set thread context of 1436	752	msddll.exe	99
PID 4752 set thread context of 1492	4752	msddll.exe	101
PID 5048 set thread context of 2380	5048	msddll.exe	103
PID 3520 set thread context of 5020	3520	msddll.exe	105
PID 916 set thread context of 3824	916	msddll.exe	107
PID 3612 set thread context of 1340	3612	msddll.exe	109
PID 4876 set thread context of 4528	4876	msddll.exe	111
PID 3120 set thread context of 3728	3120	msddll.exe	113
PID 3732 set thread context of 4388	3732	msddll.exe	115
PID 4648 set thread context of 3784	4648	msddll.exe	117
PID 4460 set thread context of 4228	4460	msddll.exe	121
PID 1672 set thread context of 4684	1672	msddll.exe	123
PID 4232 set thread context of 3956	4232	msddll.exe	125
PID 2132 set thread context of 1640	2132	msddll.exe	127
PID 4564 set thread context of 3292	4564	msddll.exe	129
PID 1240 set thread context of 736	1240	msddll.exe	131
PID 2952 set thread context of 1936	2952	msddll.exe	133
PID 1620 set thread context of 4896	1620	msddll.exe	135
PID 912 set thread context of 4692	912	msddll.exe	137
PID 4308 set thread context of 3320	4308	msddll.exe	139
PID 3228 set thread context of 432	3228	msddll.exe	141
PID 4276 set thread context of 4700	4276	msddll.exe	143
PID 584 set thread context of 2620	584	msddll.exe	145
PID 2868 set thread context of 208	2868	msddll.exe	147
PID 1468 set thread context of 4072	1468	msddll.exe	149
PID 5060 set thread context of 2184	5060	msddll.exe	151

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system\msddll.exe	JaffaCakes118_b9b2fb1adbb9dfb171bf51986ffe3615.exe
File opened for modification	C:\Windows\system\msddll.exe	JaffaCakes118_b9b2fb1adbb9dfb171bf51986ffe3615.exe

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b9b2fb1adbb9dfb171bf51986ffe3615.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe

Suspicious use of SetWindowsHookEx 31 IoCs

pid	Process
4276	JaffaCakes118_b9b2fb1adbb9dfb171bf51986ffe3615.exe
2264	msddll.exe
3488	msddll.exe
776	msddll.exe
2304	msddll.exe
752	msddll.exe
4752	msddll.exe
5048	msddll.exe
3520	msddll.exe
916	msddll.exe
3612	msddll.exe
4876	msddll.exe
3120	msddll.exe
3732	msddll.exe
4648	msddll.exe
4460	msddll.exe
1672	msddll.exe
4232	msddll.exe
2132	msddll.exe
4564	msddll.exe
1240	msddll.exe
2952	msddll.exe
1620	msddll.exe
912	msddll.exe
4308	msddll.exe
3228	msddll.exe
4276	msddll.exe
584	msddll.exe
2868	msddll.exe
1468	msddll.exe
5060	msddll.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4276 wrote to memory of 4556	4276	JaffaCakes118_b9b2fb1adbb9dfb171bf51986ffe3615.exe	87
PID 4276 wrote to memory of 4556	4276	JaffaCakes118_b9b2fb1adbb9dfb171bf51986ffe3615.exe	87
PID 4276 wrote to memory of 4556	4276	JaffaCakes118_b9b2fb1adbb9dfb171bf51986ffe3615.exe	87
PID 4276 wrote to memory of 4556	4276	JaffaCakes118_b9b2fb1adbb9dfb171bf51986ffe3615.exe	87
PID 4276 wrote to memory of 4556	4276	JaffaCakes118_b9b2fb1adbb9dfb171bf51986ffe3615.exe	87
PID 4276 wrote to memory of 4556	4276	JaffaCakes118_b9b2fb1adbb9dfb171bf51986ffe3615.exe	87
PID 4276 wrote to memory of 4556	4276	JaffaCakes118_b9b2fb1adbb9dfb171bf51986ffe3615.exe	87
PID 4276 wrote to memory of 4556	4276	JaffaCakes118_b9b2fb1adbb9dfb171bf51986ffe3615.exe	87
PID 4276 wrote to memory of 4556	4276	JaffaCakes118_b9b2fb1adbb9dfb171bf51986ffe3615.exe	87
PID 4276 wrote to memory of 4556	4276	JaffaCakes118_b9b2fb1adbb9dfb171bf51986ffe3615.exe	87
PID 4276 wrote to memory of 4556	4276	JaffaCakes118_b9b2fb1adbb9dfb171bf51986ffe3615.exe	87
PID 2264 wrote to memory of 4704	2264	msddll.exe	90
PID 2264 wrote to memory of 4704	2264	msddll.exe	90
PID 2264 wrote to memory of 4704	2264	msddll.exe	90
PID 2264 wrote to memory of 4704	2264	msddll.exe	90
PID 2264 wrote to memory of 4704	2264	msddll.exe	90
PID 2264 wrote to memory of 4704	2264	msddll.exe	90
PID 2264 wrote to memory of 4704	2264	msddll.exe	90
PID 2264 wrote to memory of 4704	2264	msddll.exe	90
PID 2264 wrote to memory of 4704	2264	msddll.exe	90
PID 2264 wrote to memory of 4704	2264	msddll.exe	90
PID 2264 wrote to memory of 4704	2264	msddll.exe	90
PID 3488 wrote to memory of 2880	3488	msddll.exe	93
PID 3488 wrote to memory of 2880	3488	msddll.exe	93
PID 3488 wrote to memory of 2880	3488	msddll.exe	93
PID 3488 wrote to memory of 2880	3488	msddll.exe	93
PID 3488 wrote to memory of 2880	3488	msddll.exe	93
PID 3488 wrote to memory of 2880	3488	msddll.exe	93
PID 3488 wrote to memory of 2880	3488	msddll.exe	93
PID 3488 wrote to memory of 2880	3488	msddll.exe	93
PID 3488 wrote to memory of 2880	3488	msddll.exe	93
PID 3488 wrote to memory of 2880	3488	msddll.exe	93
PID 3488 wrote to memory of 2880	3488	msddll.exe	93
PID 776 wrote to memory of 2572	776	msddll.exe	95
PID 776 wrote to memory of 2572	776	msddll.exe	95
PID 776 wrote to memory of 2572	776	msddll.exe	95
PID 776 wrote to memory of 2572	776	msddll.exe	95
PID 776 wrote to memory of 2572	776	msddll.exe	95
PID 776 wrote to memory of 2572	776	msddll.exe	95
PID 776 wrote to memory of 2572	776	msddll.exe	95
PID 776 wrote to memory of 2572	776	msddll.exe	95
PID 776 wrote to memory of 2572	776	msddll.exe	95
PID 776 wrote to memory of 2572	776	msddll.exe	95
PID 776 wrote to memory of 2572	776	msddll.exe	95
PID 2304 wrote to memory of 3792	2304	msddll.exe	97
PID 2304 wrote to memory of 3792	2304	msddll.exe	97
PID 2304 wrote to memory of 3792	2304	msddll.exe	97
PID 2304 wrote to memory of 3792	2304	msddll.exe	97
PID 2304 wrote to memory of 3792	2304	msddll.exe	97
PID 2304 wrote to memory of 3792	2304	msddll.exe	97
PID 2304 wrote to memory of 3792	2304	msddll.exe	97
PID 2304 wrote to memory of 3792	2304	msddll.exe	97
PID 2304 wrote to memory of 3792	2304	msddll.exe	97
PID 2304 wrote to memory of 3792	2304	msddll.exe	97
PID 2304 wrote to memory of 3792	2304	msddll.exe	97
PID 752 wrote to memory of 1436	752	msddll.exe	99
PID 752 wrote to memory of 1436	752	msddll.exe	99
PID 752 wrote to memory of 1436	752	msddll.exe	99
PID 752 wrote to memory of 1436	752	msddll.exe	99
PID 752 wrote to memory of 1436	752	msddll.exe	99
PID 752 wrote to memory of 1436	752	msddll.exe	99
PID 752 wrote to memory of 1436	752	msddll.exe	99
PID 752 wrote to memory of 1436	752	msddll.exe	99
PID 752 wrote to memory of 1436	752	msddll.exe	99

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9b2fb1adbb9dfb171bf51986ffe3615.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9b2fb1adbb9dfb171bf51986ffe3615.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4276
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9b2fb1adbb9dfb171bf51986ffe3615.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9b2fb1adbb9dfb171bf51986ffe3615
  2⤵
  - Drops file in Windows directory
  PID:4556

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:4704

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3488
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:2880

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:776
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:2572

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:3792

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:752
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:1436

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4752
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:1492

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5048
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:2380

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3520
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:5020

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:916
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:3824

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3612
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:1340

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4876
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:4528

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3120
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:3728

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3732
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:4388

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4648
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:3784

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4460
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:4228

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1672
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:4684

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4232
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:3956

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2132
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:1640

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4564
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:3292

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1240
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:736

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2952
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:1936

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1620
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:4896

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:912
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:4692

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4308
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:3320

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3228
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:432

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4276
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:4700

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:584
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:2620

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2868
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:208

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1468
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:4072

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5060
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:2184

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\msddll.exe

Filesize
123KB

MD5
b9b2fb1adbb9dfb171bf51986ffe3615

SHA1
7596693efb330a26b8cdac271075d6e7b9c266f9

SHA256
9f336e98af84d2d1d8368371bd318515efdad7649416c1ae12cdc4a3052f3b8e

SHA512
fd6a4d046773c214c637d1ae4bd06b2b6121d93df96512d3b55e95f2892e05ae6547aa426dc7c4722ca75965e4ffe4d3a6ca5e5ade98a35ecf882e0079cff8bf

Download Submit
memory/2572-74-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2880-59-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2880-45-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3792-78-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3792-75-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4556-10-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4556-6-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4556-30-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4556-2-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4556-5-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4556-3-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4556-4-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4556-7-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4704-27-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download