54efa98d0bc33a94b0c3938a9b7c519e3849a5a3f25de33d3fcacc6bdf08a45f

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25/03/2024, 10:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ddd6daba856440eaf953b11fdbdab612.exe
Size

994KB
MD5

ddd6daba856440eaf953b11fdbdab612
SHA1

be6e81928db1d3a6bb7f630a88b973a9f5abb541
SHA256

54efa98d0bc33a94b0c3938a9b7c519e3849a5a3f25de33d3fcacc6bdf08a45f
SHA512

9790580b46a7a2e19112d8f547227837ee33571187a3216d2404df05fce396ae60b61d01857a54e022cf12a42af8b43a26e6889a8f6e172ba3cf00cb37bcd48c
SSDEEP

24576:QnyUxKy79rIuhwQQN2K3yWds0JkKyVTqhInl9S5Sz:+yg7ZIuhlFadsLYh8nlz

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe restart"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe restart"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe restart"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe restart"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe restart"	msn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe restart"	msn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	msn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe restart"	msn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe restart"	msn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	msn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	ddd6daba856440eaf953b11fdbdab612.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe restart"	msn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	msn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe restart"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe restart"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe restart"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe restart"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe restart"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe restart"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe restart"	msn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	msn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\msn\\msn.exe restart"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe restart"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe restart"	msn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe restart"	msn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	msn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	msn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	msn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\msn\\msn.exe restart"	ddd6daba856440eaf953b11fdbdab612.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe restart"	msn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	msn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	msn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	msn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	msn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	msn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	msn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe restart"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe restart"	msn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	msn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe restart"	msn.exe

Executes dropped EXE 46 IoCs

pid	Process
3740	msn.exe
3064	msn.exe
3196	msn.exe
3840	msn.exe
3460	msn.exe
824	msn.exe
1236	msn.exe
1076	msn.exe
3060	msn.exe
828	msn.exe
5024	msn.exe
3992	msn.exe
1020	msn.exe
4196	msn.exe
1072	msn.exe
3008	msn.exe
1100	msn.exe
5036	msn.exe
4888	msn.exe
1156	msn.exe
4196	msn.exe
1076	msn.exe
5036	msn.exe
4836	msn.exe
3880	msn.exe
1164	msn.exe
4048	msn.exe
4576	msn.exe
4956	msn.exe
1040	msn.exe
708	msn.exe
2832	msn.exe
3188	msn.exe
3232	msn.exe
2360	msn.exe
1792	msn.exe
3188	msn.exe
1036	msn.exe
3228	msn.exe
4164	msn.exe
684	msn.exe
1276	msn.exe
1132	msn.exe
1040	msn.exe
2272	msn.exe
1304	msn.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4780-4-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/4780-5-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/4780-6-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/4780-9-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/4780-10-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/4780-11-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/1376-14-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/4780-15-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/4780-16-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/3064-29-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/3064-30-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/3064-31-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/3064-33-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/3064-34-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/3840-51-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/3840-52-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/824-69-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/824-70-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/1076-87-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/1076-88-0x0000000010000000-0x000000001031C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\msn\\msn.exe"	ddd6daba856440eaf953b11fdbdab612.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ddd6daba856440eaf953b11fdbdab612.exe"	ddd6daba856440eaf953b11fdbdab612.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\msn\\msn.exe"	ddd6daba856440eaf953b11fdbdab612.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\msn\\msn.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\msn\\msn.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
3460	msn.exe
1020	msn.exe
4196	msn.exe
3880	msn.exe
708	msn.exe
3188	msn.exe
2360	msn.exe
3228	msn.exe

Suspicious use of SetThreadContext 24 IoCs

description	pid	Process	procid_target
PID 1072 set thread context of 4780	1072	ddd6daba856440eaf953b11fdbdab612.exe	91
PID 3740 set thread context of 3064	3740	msn.exe	102
PID 3196 set thread context of 3840	3196	msn.exe	109
PID 3460 set thread context of 824	3460	msn.exe	113
PID 1236 set thread context of 1076	1236	msn.exe	117
PID 3060 set thread context of 828	3060	msn.exe	122
PID 5024 set thread context of 3992	5024	msn.exe	126
PID 1020 set thread context of 4196	1020	msn.exe	131
PID 1072 set thread context of 3008	1072	msn.exe	143
PID 1100 set thread context of 5036	1100	msn.exe	147
PID 4888 set thread context of 1156	4888	msn.exe	151
PID 4196 set thread context of 1076	4196	msn.exe	155
PID 5036 set thread context of 4836	5036	msn.exe	159
PID 3880 set thread context of 1164	3880	msn.exe	163
PID 4048 set thread context of 4576	4048	msn.exe	168
PID 4956 set thread context of 1040	4956	msn.exe	172
PID 708 set thread context of 2832	708	msn.exe	176
PID 3188 set thread context of 3232	3188	msn.exe	180
PID 2360 set thread context of 1792	2360	msn.exe	184
PID 3188 set thread context of 1036	3188	msn.exe	188
PID 3228 set thread context of 4164	3228	msn.exe	192
PID 684 set thread context of 1276	684	msn.exe	196
PID 1132 set thread context of 1040	1132	msn.exe	200
PID 2272 set thread context of 1304	2272	msn.exe	204

Drops file in Windows directory 25 IoCs

description	ioc	Process
File created	C:\Windows\msn\msn.exe	msn.exe
File opened for modification	C:\Windows\msn\msn.exe	ddd6daba856440eaf953b11fdbdab612.exe
File created	C:\Windows\msn\msn.exe	msn.exe
File created	C:\Windows\msn\msn.exe	msn.exe
File created	C:\Windows\msn\msn.exe	msn.exe
File created	C:\Windows\msn\msn.exe	msn.exe
File created	C:\Windows\msn\msn.exe	msn.exe
File created	C:\Windows\msn\msn.exe	msn.exe
File created	C:\Windows\msn\msn.exe	msn.exe
File created	C:\Windows\msn\msn.exe	msn.exe
File created	C:\Windows\msn\msn.exe	ddd6daba856440eaf953b11fdbdab612.exe
File created	C:\Windows\msn\msn.exe	msn.exe
File created	C:\Windows\msn\msn.exe	msn.exe
File created	C:\Windows\msn\msn.exe	msn.exe
File created	C:\Windows\msn\msn.exe	msn.exe
File created	C:\Windows\msn\msn.exe	msn.exe
File created	C:\Windows\msn\msn.exe	msn.exe
File created	C:\Windows\msn\msn.exe	msn.exe
File created	C:\Windows\msn\msn.exe	msn.exe
File created	C:\Windows\msn\msn.exe	msn.exe
File created	C:\Windows\msn\msn.exe	msn.exe
File created	C:\Windows\msn\msn.exe	msn.exe
File created	C:\Windows\msn\msn.exe	msn.exe
File created	C:\Windows\msn\msn.exe	msn.exe
File created	C:\Windows\msn\msn.exe	msn.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	msn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	msn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	msn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	msn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	msn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	msn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	msn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	msn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	msn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	msn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	msn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	msn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	msn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	msn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	msn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	msn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	msn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	msn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	msn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	msn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	msn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	msn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	ddd6daba856440eaf953b11fdbdab612.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	msn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	msn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	msn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	msn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	msn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	msn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	msn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	msn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	msn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	msn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	msn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	msn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	ddd6daba856440eaf953b11fdbdab612.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	msn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	msn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	msn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	msn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	msn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	ddd6daba856440eaf953b11fdbdab612.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	msn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	msn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	ddd6daba856440eaf953b11fdbdab612.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	msn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	msn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	msn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	msn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	msn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	msn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	msn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	msn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	msn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	msn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	msn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	msn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	msn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	msn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	msn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	msn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	msn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	msn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	msn.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
1072	ddd6daba856440eaf953b11fdbdab612.exe
1072	ddd6daba856440eaf953b11fdbdab612.exe
3740	msn.exe
3740	msn.exe
3196	msn.exe
3196	msn.exe
3460	msn.exe
3460	msn.exe
1236	msn.exe
1236	msn.exe
3060	msn.exe
3060	msn.exe
5024	msn.exe
5024	msn.exe
1020	msn.exe
1020	msn.exe
1072	msn.exe
1072	msn.exe
1100	msn.exe
1100	msn.exe
4888	msn.exe
4888	msn.exe
4196	msn.exe
4196	msn.exe
5036	msn.exe
5036	msn.exe
3880	msn.exe
3880	msn.exe
4048	msn.exe
4048	msn.exe
4956	msn.exe
4956	msn.exe
708	msn.exe
708	msn.exe
3188	msn.exe
3188	msn.exe
2360	msn.exe
2360	msn.exe
3188	msn.exe
3188	msn.exe
3228	msn.exe
3228	msn.exe
684	msn.exe
684	msn.exe
1132	msn.exe
1132	msn.exe
2272	msn.exe
2272	msn.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
1072	ddd6daba856440eaf953b11fdbdab612.exe
4780	ddd6daba856440eaf953b11fdbdab612.exe
3740	msn.exe
3064	msn.exe
3196	msn.exe
3840	msn.exe
3460	msn.exe
824	msn.exe
1236	msn.exe
1076	msn.exe
3060	msn.exe
828	msn.exe
5024	msn.exe
3992	msn.exe
1020	msn.exe
4196	msn.exe
1072	msn.exe
3008	msn.exe
1100	msn.exe
5036	msn.exe
4888	msn.exe
1156	msn.exe
4196	msn.exe
1076	msn.exe
5036	msn.exe
4836	msn.exe
3880	msn.exe
1164	msn.exe
4048	msn.exe
4576	msn.exe
4956	msn.exe
1040	msn.exe
708	msn.exe
2832	msn.exe
3188	msn.exe
3232	msn.exe
2360	msn.exe
1792	msn.exe
3188	msn.exe
1036	msn.exe
3228	msn.exe
4164	msn.exe
684	msn.exe
1276	msn.exe
1132	msn.exe
1040	msn.exe
2272	msn.exe
1304	msn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 2260	1072	ddd6daba856440eaf953b11fdbdab612.exe	89
PID 1072 wrote to memory of 2260	1072	ddd6daba856440eaf953b11fdbdab612.exe	89
PID 1072 wrote to memory of 2260	1072	ddd6daba856440eaf953b11fdbdab612.exe	89
PID 1072 wrote to memory of 2260	1072	ddd6daba856440eaf953b11fdbdab612.exe	89
PID 1072 wrote to memory of 2260	1072	ddd6daba856440eaf953b11fdbdab612.exe	89
PID 1072 wrote to memory of 2260	1072	ddd6daba856440eaf953b11fdbdab612.exe	89
PID 1072 wrote to memory of 2312	1072	ddd6daba856440eaf953b11fdbdab612.exe	90
PID 1072 wrote to memory of 2312	1072	ddd6daba856440eaf953b11fdbdab612.exe	90
PID 1072 wrote to memory of 2312	1072	ddd6daba856440eaf953b11fdbdab612.exe	90
PID 1072 wrote to memory of 2312	1072	ddd6daba856440eaf953b11fdbdab612.exe	90
PID 1072 wrote to memory of 2312	1072	ddd6daba856440eaf953b11fdbdab612.exe	90
PID 1072 wrote to memory of 2312	1072	ddd6daba856440eaf953b11fdbdab612.exe	90
PID 1072 wrote to memory of 4780	1072	ddd6daba856440eaf953b11fdbdab612.exe	91
PID 1072 wrote to memory of 4780	1072	ddd6daba856440eaf953b11fdbdab612.exe	91
PID 1072 wrote to memory of 4780	1072	ddd6daba856440eaf953b11fdbdab612.exe	91
PID 1072 wrote to memory of 4780	1072	ddd6daba856440eaf953b11fdbdab612.exe	91
PID 1072 wrote to memory of 4780	1072	ddd6daba856440eaf953b11fdbdab612.exe	91
PID 1072 wrote to memory of 4780	1072	ddd6daba856440eaf953b11fdbdab612.exe	91
PID 1072 wrote to memory of 4780	1072	ddd6daba856440eaf953b11fdbdab612.exe	91
PID 1072 wrote to memory of 4780	1072	ddd6daba856440eaf953b11fdbdab612.exe	91
PID 4780 wrote to memory of 1376	4780	ddd6daba856440eaf953b11fdbdab612.exe	94
PID 4780 wrote to memory of 1376	4780	ddd6daba856440eaf953b11fdbdab612.exe	94
PID 4780 wrote to memory of 1376	4780	ddd6daba856440eaf953b11fdbdab612.exe	94
PID 4780 wrote to memory of 1376	4780	ddd6daba856440eaf953b11fdbdab612.exe	94
PID 1376 wrote to memory of 3740	1376	svchost.exe	99
PID 1376 wrote to memory of 3740	1376	svchost.exe	99
PID 1376 wrote to memory of 3740	1376	svchost.exe	99
PID 3740 wrote to memory of 1140	3740	msn.exe	100
PID 3740 wrote to memory of 1140	3740	msn.exe	100
PID 3740 wrote to memory of 1140	3740	msn.exe	100
PID 3740 wrote to memory of 1140	3740	msn.exe	100
PID 3740 wrote to memory of 1140	3740	msn.exe	100
PID 3740 wrote to memory of 1140	3740	msn.exe	100
PID 3740 wrote to memory of 1408	3740	msn.exe	101
PID 3740 wrote to memory of 1408	3740	msn.exe	101
PID 3740 wrote to memory of 1408	3740	msn.exe	101
PID 3740 wrote to memory of 1408	3740	msn.exe	101
PID 3740 wrote to memory of 1408	3740	msn.exe	101
PID 3740 wrote to memory of 1408	3740	msn.exe	101
PID 3740 wrote to memory of 3064	3740	msn.exe	102
PID 3740 wrote to memory of 3064	3740	msn.exe	102
PID 3740 wrote to memory of 3064	3740	msn.exe	102
PID 3740 wrote to memory of 3064	3740	msn.exe	102
PID 3740 wrote to memory of 3064	3740	msn.exe	102
PID 3740 wrote to memory of 3064	3740	msn.exe	102
PID 3740 wrote to memory of 3064	3740	msn.exe	102
PID 3740 wrote to memory of 3064	3740	msn.exe	102
PID 1376 wrote to memory of 3196	1376	svchost.exe	106
PID 1376 wrote to memory of 3196	1376	svchost.exe	106
PID 1376 wrote to memory of 3196	1376	svchost.exe	106
PID 3196 wrote to memory of 2572	3196	msn.exe	107
PID 3196 wrote to memory of 2572	3196	msn.exe	107
PID 3196 wrote to memory of 2572	3196	msn.exe	107
PID 3196 wrote to memory of 2572	3196	msn.exe	107
PID 3196 wrote to memory of 2572	3196	msn.exe	107
PID 3196 wrote to memory of 2572	3196	msn.exe	107
PID 3196 wrote to memory of 2104	3196	msn.exe	108
PID 3196 wrote to memory of 2104	3196	msn.exe	108
PID 3196 wrote to memory of 2104	3196	msn.exe	108
PID 3196 wrote to memory of 2104	3196	msn.exe	108
PID 3196 wrote to memory of 2104	3196	msn.exe	108
PID 3196 wrote to memory of 2104	3196	msn.exe	108
PID 3196 wrote to memory of 3840	3196	msn.exe	109
PID 3196 wrote to memory of 3840	3196	msn.exe	109

C:\Users\Admin\AppData\Local\Temp\ddd6daba856440eaf953b11fdbdab612.exe
"C:\Users\Admin\AppData\Local\Temp\ddd6daba856440eaf953b11fdbdab612.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  PID:2260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  PID:2312
- C:\Users\Admin\AppData\Local\Temp\ddd6daba856440eaf953b11fdbdab612.exe
  C:\Users\Admin\AppData\Local\Temp\ddd6daba856440eaf953b11fdbdab612.exe
  2⤵
  - Modifies Installed Components in the registry
  - Adds Run key to start application
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4780
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1376
  - - C:\Windows\msn\msn.exe
      "C:\Windows\msn\msn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3740
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:1140
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:1408
    - - C:\Windows\msn\msn.exe
        
        C:\Windows\msn\msn.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:3064
  - - C:\Windows\msn\msn.exe
      "C:\Windows\msn\msn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3196
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:2572
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:2104
    - - C:\Windows\msn\msn.exe
        
        C:\Windows\msn\msn.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:3840
  - - C:\Windows\msn\msn.exe
      "C:\Windows\msn\msn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:3460
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:460
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:1980
    - - C:\Windows\msn\msn.exe
        
        C:\Windows\msn\msn.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:824
  - - C:\Windows\msn\msn.exe
      "C:\Windows\msn\msn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1236
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4072
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:2580
    - - C:\Windows\msn\msn.exe
        
        C:\Windows\msn\msn.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:1076
  - - C:\Windows\msn\msn.exe
      "C:\Windows\msn\msn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:3060
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4912
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:2516
    - - C:\Windows\msn\msn.exe
        
        C:\Windows\msn\msn.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:828
  - - C:\Windows\msn\msn.exe
      "C:\Windows\msn\msn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:5024
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:2408
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4428
    - - C:\Windows\msn\msn.exe
        
        C:\Windows\msn\msn.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:3992
  - - C:\Windows\msn\msn.exe
      "C:\Windows\msn\msn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1020
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:2852
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:1828
    - - C:\Windows\msn\msn.exe
        
        C:\Windows\msn\msn.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:4196
  - - C:\Windows\msn\msn.exe
      "C:\Windows\msn\msn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1072
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:912
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:1632
    - - C:\Windows\msn\msn.exe
        
        C:\Windows\msn\msn.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:3008
  - - C:\Windows\msn\msn.exe
      "C:\Windows\msn\msn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1100
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3224
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3740
    - - C:\Windows\msn\msn.exe
        
        C:\Windows\msn\msn.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:5036
  - - C:\Windows\msn\msn.exe
      "C:\Windows\msn\msn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:4888
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4648
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:924
    - - C:\Windows\msn\msn.exe
        
        C:\Windows\msn\msn.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:1156
  - - C:\Windows\msn\msn.exe
      "C:\Windows\msn\msn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:4196
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:560
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4952
    - - C:\Windows\msn\msn.exe
        
        C:\Windows\msn\msn.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:1076
  - - C:\Windows\msn\msn.exe
      "C:\Windows\msn\msn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:5036
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4480
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4000
    - - C:\Windows\msn\msn.exe
        
        C:\Windows\msn\msn.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:4836
  - - C:\Windows\msn\msn.exe
      "C:\Windows\msn\msn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:3880
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:1016
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3924
    - - C:\Windows\msn\msn.exe
        
        C:\Windows\msn\msn.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:1164
  - - C:\Windows\msn\msn.exe
      "C:\Windows\msn\msn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:4048
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:212
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:2112
    - - C:\Windows\msn\msn.exe
        
        C:\Windows\msn\msn.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:4576
  - - C:\Windows\msn\msn.exe
      "C:\Windows\msn\msn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:4956
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4836
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:2216
    - - C:\Windows\msn\msn.exe
        
        C:\Windows\msn\msn.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:1040
  - - C:\Windows\msn\msn.exe
      "C:\Windows\msn\msn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:708
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:448
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3992
    - - C:\Windows\msn\msn.exe
        
        C:\Windows\msn\msn.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:2832
  - - C:\Windows\msn\msn.exe
      "C:\Windows\msn\msn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:3188
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4048
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3156
    - - C:\Windows\msn\msn.exe
        
        C:\Windows\msn\msn.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:3232
  - - C:\Windows\msn\msn.exe
      "C:\Windows\msn\msn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2360
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4552
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:1656
    - - C:\Windows\msn\msn.exe
        
        C:\Windows\msn\msn.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:1792
  - - C:\Windows\msn\msn.exe
      "C:\Windows\msn\msn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:3188
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4548
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4024
    - - C:\Windows\msn\msn.exe
        
        C:\Windows\msn\msn.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:1036
  - - C:\Windows\msn\msn.exe
      "C:\Windows\msn\msn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:3228
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:8
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4676
    - - C:\Windows\msn\msn.exe
        
        C:\Windows\msn\msn.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:4164
  - - C:\Windows\msn\msn.exe
      "C:\Windows\msn\msn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:684
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:804
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3916
    - - C:\Windows\msn\msn.exe
        
        C:\Windows\msn\msn.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:1276
  - - C:\Windows\msn\msn.exe
      "C:\Windows\msn\msn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1132
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4704
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3528
    - - C:\Windows\msn\msn.exe
        
        C:\Windows\msn\msn.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:1040
  - - C:\Windows\msn\msn.exe
      "C:\Windows\msn\msn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2272
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3232
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:424
    - - C:\Windows\msn\msn.exe
        
        C:\Windows\msn\msn.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:1304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\msn\msn.exe

Filesize
704KB

MD5
02c218c0c34bc1e874a15a74860b3d3e

SHA1
8ad25af08b55d869dc13b5e6752b0501a850b953

SHA256
16d14329f56b50cccd5045be0eb9fc23de21feb88ced6ddc7f5de1eacf5d74b8

SHA512
6130210e4bd8e84b5e8dacb353739d45b8239bf3d6bab13338cc8da2a8cf5e1fcc20fef5d9a7faebee80741a541abfabb0cf11fb989ef191ffb5c54c66b2fb36

Download Submit
C:\Windows\msn\msn.exe

Filesize
994KB

MD5
ddd6daba856440eaf953b11fdbdab612

SHA1
be6e81928db1d3a6bb7f630a88b973a9f5abb541

SHA256
54efa98d0bc33a94b0c3938a9b7c519e3849a5a3f25de33d3fcacc6bdf08a45f

SHA512
9790580b46a7a2e19112d8f547227837ee33571187a3216d2404df05fce396ae60b61d01857a54e022cf12a42af8b43a26e6889a8f6e172ba3cf00cb37bcd48c

Download Submit
C:\Windows\msn\msn.exe

Filesize
49KB

MD5
d159c94a5317d00b2908976e14dd2958

SHA1
e662c1fd1671e1f20d36838a6e7579bcc07774bc

SHA256
b46ca68ef266e3b59d04feb407d206d14db668978cb7e73edb57a6a3eec31aa0

SHA512
bfafe264ea85d0e1d78490f63753cc6be2806016b18921f10638b0c5ba1d03dc917de5d5f4d1075684a5ee09ecd12ef5a46c3e60c19e43ff1c17f62e6d4c6a79

Download Submit
C:\Windows\msn\msn.exe

Filesize
979KB

MD5
e53b0de6a7139f24d4800c675a9967a1

SHA1
f6b0baf28307f312160fc9b1eafd343d89aecc95

SHA256
ff7b69c715ee58bc2d8efe6dc3720f43bafc8c884b8426bfefd26b91aab7b988

SHA512
0ebf0cd089a9b135a53496332b1c3ce599fa297a950fd012738353afd8bdc2a94781cee8a9ce2ecb27fca60564202bd8b3ad08a14efef6c8af44bd6bea79aa21

Download Submit
\??\c:\users\admin\appdata\local\temp\80EB2F5C

Filesize
14B

MD5
accc1ed0da93eaa818fb0fe82dc31d67

SHA1
65d25ebf711aeb766b8a7e002e75eb05afa68f29

SHA256
56ebacf2c9b1aa637b00d999a04664591f4c1bbdc20d7d85d467b5f4a512060e

SHA512
ce3f57102206242b65a0a34287ac0a4dc57db7d08a71d74fc9ff94675493d0462988cd61a0c83ec0883e2ea93debaf9020616101a15459de1c0c02af94b80d94

Download Submit
memory/684-375-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/708-303-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/824-70-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/824-69-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/1020-128-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/1020-139-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/1072-0-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/1072-1-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/1072-2-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/1072-8-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/1072-147-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/1072-157-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/1076-87-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/1076-88-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/1100-175-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/1132-388-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/1236-81-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/1236-73-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/1376-14-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2272-395-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/2272-404-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/2360-333-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/2360-324-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/3060-99-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/3060-91-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/3064-29-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/3064-34-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/3064-30-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/3064-31-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/3064-33-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/3188-318-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/3188-347-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/3196-45-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/3196-37-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/3228-361-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/3460-55-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/3460-63-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/3740-28-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/3740-20-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/3740-19-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/3840-51-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/3840-52-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/3880-238-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/3880-249-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/4048-267-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/4196-212-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/4780-10-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/4780-15-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/4780-11-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/4780-16-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/4780-9-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/4780-6-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/4780-5-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/4780-4-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/4888-195-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/4956-285-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/5024-120-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/5024-109-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/5036-229-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download