metasploit | 9f336e98af84d2d1d8368371bd318515efdad7649416c1ae12cdc4a3052f3b8e

Analysis

max time kernel
103s
max time network
105s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
15/04/2025, 10:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_b9b2fb1adbb9dfb171bf51986ffe3615.exe
Size

123KB
MD5

b9b2fb1adbb9dfb171bf51986ffe3615
SHA1

7596693efb330a26b8cdac271075d6e7b9c266f9
SHA256

9f336e98af84d2d1d8368371bd318515efdad7649416c1ae12cdc4a3052f3b8e
SHA512

fd6a4d046773c214c637d1ae4bd06b2b6121d93df96512d3b55e95f2892e05ae6547aa426dc7c4722ca75965e4ffe4d3a6ca5e5ade98a35ecf882e0079cff8bf
SSDEEP

1536:eEqja03dxWScn3fMzWqFP9IroQfyGCW9BIS2DJ456tK1U0yUmozcoKjFZ+p5PDFm:+X36ScnPMCqFurzf3BzH6Wxlcts3Q

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Deletes itself 1 IoCs

pid	Process
2904	msddll.exe

Executes dropped EXE 64 IoCs

pid	Process
5680	msddll.exe
1964	msddll.exe
4464	msddll.exe
4312	msddll.exe
1080	msddll.exe
2904	msddll.exe
4872	msddll.exe
4956	msddll.exe
5092	msddll.exe
4768	msddll.exe
4596	msddll.exe
2300	msddll.exe
4704	msddll.exe
2372	msddll.exe
2548	msddll.exe
3760	msddll.exe
4820	msddll.exe
1896	msddll.exe
1948	msddll.exe
1704	msddll.exe
5408	msddll.exe
4924	msddll.exe
6032	msddll.exe
5780	msddll.exe
4716	msddll.exe
2760	msddll.exe
3908	msddll.exe
5296	msddll.exe
5924	msddll.exe
4780	msddll.exe
1420	msddll.exe
988	msddll.exe
2748	msddll.exe
2476	msddll.exe
5368	msddll.exe
2280	msddll.exe
792	msddll.exe
6040	msddll.exe
6036	msddll.exe
4684	msddll.exe
1020	msddll.exe
1344	msddll.exe
5516	msddll.exe
2784	msddll.exe
788	msddll.exe
1712	msddll.exe
3096	msddll.exe
6112	msddll.exe
3840	msddll.exe
2332	msddll.exe
4972	msddll.exe
5192	msddll.exe
2576	msddll.exe
1108	msddll.exe
4908	msddll.exe
5032	msddll.exe
4216	msddll.exe
5000	msddll.exe
3616	msddll.exe
1372	msddll.exe
4584	msddll.exe
540	msddll.exe
2472	msddll.exe
4560	msddll.exe

Suspicious use of SetThreadContext 44 IoCs

description	pid	Process	procid_target
PID 5840 set thread context of 3032	5840	JaffaCakes118_b9b2fb1adbb9dfb171bf51986ffe3615.exe	78
PID 5680 set thread context of 1964	5680	msddll.exe	80
PID 4464 set thread context of 4312	4464	msddll.exe	82
PID 1080 set thread context of 2904	1080	msddll.exe	84
PID 4872 set thread context of 4956	4872	msddll.exe	86
PID 5092 set thread context of 4768	5092	msddll.exe	88
PID 4596 set thread context of 2300	4596	msddll.exe	90
PID 4704 set thread context of 2372	4704	msddll.exe	92
PID 2548 set thread context of 3760	2548	msddll.exe	94
PID 4820 set thread context of 1896	4820	msddll.exe	96
PID 1948 set thread context of 1704	1948	msddll.exe	98
PID 5408 set thread context of 4924	5408	msddll.exe	100
PID 6032 set thread context of 5780	6032	msddll.exe	102
PID 4716 set thread context of 2760	4716	msddll.exe	104
PID 3908 set thread context of 5296	3908	msddll.exe	106
PID 5924 set thread context of 4780	5924	msddll.exe	108
PID 1420 set thread context of 988	1420	msddll.exe	110
PID 2748 set thread context of 2476	2748	msddll.exe	112
PID 5368 set thread context of 2280	5368	msddll.exe	114
PID 792 set thread context of 6040	792	msddll.exe	116
PID 6036 set thread context of 4684	6036	msddll.exe	118
PID 1020 set thread context of 1344	1020	msddll.exe	120
PID 5516 set thread context of 2784	5516	msddll.exe	122
PID 788 set thread context of 1712	788	msddll.exe	124
PID 3096 set thread context of 6112	3096	msddll.exe	126
PID 3840 set thread context of 2332	3840	msddll.exe	128
PID 4972 set thread context of 5192	4972	msddll.exe	130
PID 2576 set thread context of 1108	2576	msddll.exe	132
PID 4908 set thread context of 5032	4908	msddll.exe	134
PID 4216 set thread context of 5000	4216	msddll.exe	136
PID 3616 set thread context of 1372	3616	msddll.exe	138
PID 4584 set thread context of 540	4584	msddll.exe	140
PID 2472 set thread context of 4560	2472	msddll.exe	142
PID 2112 set thread context of 2808	2112	msddll.exe	144
PID 1328 set thread context of 3312	1328	msddll.exe	146
PID 6104 set thread context of 1932	6104	msddll.exe	148
PID 5180 set thread context of 4644	5180	msddll.exe	150
PID 1880 set thread context of 5480	1880	msddll.exe	152
PID 1516 set thread context of 3776	1516	msddll.exe	154
PID 1888 set thread context of 1944	1888	msddll.exe	156
PID 5808 set thread context of 4688	5808	msddll.exe	158
PID 5144 set thread context of 244	5144	msddll.exe	160
PID 4136 set thread context of 3912	4136	msddll.exe	162
PID 804 set thread context of 5248	804	msddll.exe	164

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system\msddll.exe	JaffaCakes118_b9b2fb1adbb9dfb171bf51986ffe3615.exe
File opened for modification	C:\Windows\system\msddll.exe	JaffaCakes118_b9b2fb1adbb9dfb171bf51986ffe3615.exe

System Location Discovery: System Language Discovery 1 TTPs 44 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b9b2fb1adbb9dfb171bf51986ffe3615.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msddll.exe

Suspicious use of SetWindowsHookEx 44 IoCs

pid	Process
5840	JaffaCakes118_b9b2fb1adbb9dfb171bf51986ffe3615.exe
5680	msddll.exe
4464	msddll.exe
1080	msddll.exe
4872	msddll.exe
5092	msddll.exe
4596	msddll.exe
4704	msddll.exe
2548	msddll.exe
4820	msddll.exe
1948	msddll.exe
5408	msddll.exe
6032	msddll.exe
4716	msddll.exe
3908	msddll.exe
5924	msddll.exe
1420	msddll.exe
2748	msddll.exe
5368	msddll.exe
792	msddll.exe
6036	msddll.exe
1020	msddll.exe
5516	msddll.exe
788	msddll.exe
3096	msddll.exe
3840	msddll.exe
4972	msddll.exe
2576	msddll.exe
4908	msddll.exe
4216	msddll.exe
3616	msddll.exe
4584	msddll.exe
2472	msddll.exe
2112	msddll.exe
1328	msddll.exe
6104	msddll.exe
5180	msddll.exe
1880	msddll.exe
1516	msddll.exe
1888	msddll.exe
5808	msddll.exe
5144	msddll.exe
4136	msddll.exe
804	msddll.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5840 wrote to memory of 3032	5840	JaffaCakes118_b9b2fb1adbb9dfb171bf51986ffe3615.exe	78
PID 5840 wrote to memory of 3032	5840	JaffaCakes118_b9b2fb1adbb9dfb171bf51986ffe3615.exe	78
PID 5840 wrote to memory of 3032	5840	JaffaCakes118_b9b2fb1adbb9dfb171bf51986ffe3615.exe	78
PID 5840 wrote to memory of 3032	5840	JaffaCakes118_b9b2fb1adbb9dfb171bf51986ffe3615.exe	78
PID 5840 wrote to memory of 3032	5840	JaffaCakes118_b9b2fb1adbb9dfb171bf51986ffe3615.exe	78
PID 5840 wrote to memory of 3032	5840	JaffaCakes118_b9b2fb1adbb9dfb171bf51986ffe3615.exe	78
PID 5840 wrote to memory of 3032	5840	JaffaCakes118_b9b2fb1adbb9dfb171bf51986ffe3615.exe	78
PID 5840 wrote to memory of 3032	5840	JaffaCakes118_b9b2fb1adbb9dfb171bf51986ffe3615.exe	78
PID 5840 wrote to memory of 3032	5840	JaffaCakes118_b9b2fb1adbb9dfb171bf51986ffe3615.exe	78
PID 5840 wrote to memory of 3032	5840	JaffaCakes118_b9b2fb1adbb9dfb171bf51986ffe3615.exe	78
PID 5840 wrote to memory of 3032	5840	JaffaCakes118_b9b2fb1adbb9dfb171bf51986ffe3615.exe	78
PID 5680 wrote to memory of 1964	5680	msddll.exe	80
PID 5680 wrote to memory of 1964	5680	msddll.exe	80
PID 5680 wrote to memory of 1964	5680	msddll.exe	80
PID 5680 wrote to memory of 1964	5680	msddll.exe	80
PID 5680 wrote to memory of 1964	5680	msddll.exe	80
PID 5680 wrote to memory of 1964	5680	msddll.exe	80
PID 5680 wrote to memory of 1964	5680	msddll.exe	80
PID 5680 wrote to memory of 1964	5680	msddll.exe	80
PID 5680 wrote to memory of 1964	5680	msddll.exe	80
PID 5680 wrote to memory of 1964	5680	msddll.exe	80
PID 5680 wrote to memory of 1964	5680	msddll.exe	80
PID 4464 wrote to memory of 4312	4464	msddll.exe	82
PID 4464 wrote to memory of 4312	4464	msddll.exe	82
PID 4464 wrote to memory of 4312	4464	msddll.exe	82
PID 4464 wrote to memory of 4312	4464	msddll.exe	82
PID 4464 wrote to memory of 4312	4464	msddll.exe	82
PID 4464 wrote to memory of 4312	4464	msddll.exe	82
PID 4464 wrote to memory of 4312	4464	msddll.exe	82
PID 4464 wrote to memory of 4312	4464	msddll.exe	82
PID 4464 wrote to memory of 4312	4464	msddll.exe	82
PID 4464 wrote to memory of 4312	4464	msddll.exe	82
PID 4464 wrote to memory of 4312	4464	msddll.exe	82
PID 1080 wrote to memory of 2904	1080	msddll.exe	84
PID 1080 wrote to memory of 2904	1080	msddll.exe	84
PID 1080 wrote to memory of 2904	1080	msddll.exe	84
PID 1080 wrote to memory of 2904	1080	msddll.exe	84
PID 1080 wrote to memory of 2904	1080	msddll.exe	84
PID 1080 wrote to memory of 2904	1080	msddll.exe	84
PID 1080 wrote to memory of 2904	1080	msddll.exe	84
PID 1080 wrote to memory of 2904	1080	msddll.exe	84
PID 1080 wrote to memory of 2904	1080	msddll.exe	84
PID 1080 wrote to memory of 2904	1080	msddll.exe	84
PID 1080 wrote to memory of 2904	1080	msddll.exe	84
PID 4872 wrote to memory of 4956	4872	msddll.exe	86
PID 4872 wrote to memory of 4956	4872	msddll.exe	86
PID 4872 wrote to memory of 4956	4872	msddll.exe	86
PID 4872 wrote to memory of 4956	4872	msddll.exe	86
PID 4872 wrote to memory of 4956	4872	msddll.exe	86
PID 4872 wrote to memory of 4956	4872	msddll.exe	86
PID 4872 wrote to memory of 4956	4872	msddll.exe	86
PID 4872 wrote to memory of 4956	4872	msddll.exe	86
PID 4872 wrote to memory of 4956	4872	msddll.exe	86
PID 4872 wrote to memory of 4956	4872	msddll.exe	86
PID 4872 wrote to memory of 4956	4872	msddll.exe	86
PID 5092 wrote to memory of 4768	5092	msddll.exe	88
PID 5092 wrote to memory of 4768	5092	msddll.exe	88
PID 5092 wrote to memory of 4768	5092	msddll.exe	88
PID 5092 wrote to memory of 4768	5092	msddll.exe	88
PID 5092 wrote to memory of 4768	5092	msddll.exe	88
PID 5092 wrote to memory of 4768	5092	msddll.exe	88
PID 5092 wrote to memory of 4768	5092	msddll.exe	88
PID 5092 wrote to memory of 4768	5092	msddll.exe	88
PID 5092 wrote to memory of 4768	5092	msddll.exe	88

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9b2fb1adbb9dfb171bf51986ffe3615.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9b2fb1adbb9dfb171bf51986ffe3615.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5840
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9b2fb1adbb9dfb171bf51986ffe3615.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9b2fb1adbb9dfb171bf51986ffe3615
  2⤵
  - Drops file in Windows directory
  PID:3032

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5680
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:1964

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4464
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:4312

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2904

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4872
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:4956

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5092
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:4768

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4596
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:2300

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4704
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:2372

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2548
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:3760

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4820
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:1896

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1948
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:1704

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5408
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:4924

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:6032
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:5780

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4716
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:2760

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3908
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:5296

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5924
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:4780

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1420
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:988

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2748
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:2476

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5368
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:2280

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:792
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:6040

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:6036
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:4684

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1020
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:1344

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5516
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:2784

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:788
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:1712

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3096
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:6112

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3840
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:2332

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4972
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:5192

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2576
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:1108

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4908
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:5032

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4216
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:5000

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3616
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:1372

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4584
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:540

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2472
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  - Executes dropped EXE
  PID:4560

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2112
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  PID:2808

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1328
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  PID:3312

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:6104
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  PID:1932

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5180
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  PID:4644

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1880
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  PID:5480

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1516
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  PID:3776

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1888
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  PID:1944

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5808
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  PID:4688

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5144
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  PID:244

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4136
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  PID:3912

C:\Windows\system\msddll.exe
"C:\Windows\system\msddll.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:804
- C:\Windows\system\msddll.exe
  C:\Windows\system\msddll
  2⤵
  PID:5248

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\msddll.exe

Filesize
123KB

MD5
b9b2fb1adbb9dfb171bf51986ffe3615

SHA1
7596693efb330a26b8cdac271075d6e7b9c266f9

SHA256
9f336e98af84d2d1d8368371bd318515efdad7649416c1ae12cdc4a3052f3b8e

SHA512
fd6a4d046773c214c637d1ae4bd06b2b6121d93df96512d3b55e95f2892e05ae6547aa426dc7c4722ca75965e4ffe4d3a6ca5e5ade98a35ecf882e0079cff8bf

Download Submit
memory/1964-43-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2904-65-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2904-63-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2904-62-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3032-10-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3032-4-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3032-2-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3032-27-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3032-3-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3032-6-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3032-5-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3032-7-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4312-42-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4956-82-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download