4171de49be68064ee63937bdd560c253c9b5173c0497bc7835ec497f6d3e87e0

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19-07-2024 19:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d56d8d8600cdbfadaa1b66469b7a646_JaffaCakes118.exe
Size

73KB
MD5

5d56d8d8600cdbfadaa1b66469b7a646
SHA1

9369717a8dbc49452f5e1ea27a92e4eb779dbd6a
SHA256

4171de49be68064ee63937bdd560c253c9b5173c0497bc7835ec497f6d3e87e0
SHA512

296409e15338863a0c1022022ff7eb5f5bf00ea7907cb7ce37701e183ad089b751911831bb908e4f2a148637735d17b2aa9951aba38bf80bd37c3e58a4c0ef5b
SSDEEP

1536:SvVLAUfOWlydRdBhfuDolgEHVzHpjOTtOTWOT2iX:2BJf5K1flWM4QvKiX

Score

10^/10

aspackv2 persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 64 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\mesg.com"	mesg.com

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x00080000000174a8-11.dat	aspack_v212_v242
behavioral1/files/0x00080000000173de-16.dat	aspack_v212_v242

Executes dropped EXE 64 IoCs

pid	Process
2840	mesg.com
2928	mesg.com
2632	mesg.com
2620	mesg.com
1940	mesg.com
1312	mesg.com
2988	mesg.com
2108	mesg.com
1604	mesg.com
1476	mesg.com
1524	mesg.com
1000	mesg.com
2876	mesg.com
1980	mesg.com
112	mesg.com
2212	mesg.com
1804	mesg.com
2524	mesg.com
3020	mesg.com
2456	mesg.com
1284	mesg.com
2376	mesg.com
2232	mesg.com
1352	mesg.com
2884	mesg.com
904	mesg.com
1968	mesg.com
288	mesg.com
2564	mesg.com
2388	mesg.com
3056	mesg.com
2560	mesg.com
468	mesg.com
1828	mesg.com
2936	mesg.com
2056	mesg.com
2732	mesg.com
2452	mesg.com
2904	mesg.com
1280	mesg.com
2640	mesg.com
2836	mesg.com
2648	mesg.com
2616	mesg.com
2252	mesg.com
2112	mesg.com
2036	mesg.com
2944	mesg.com
2568	mesg.com
2992	mesg.com
2188	mesg.com
1912	mesg.com
1300	mesg.com
1612	mesg.com
316	mesg.com
1708	mesg.com
2816	mesg.com
2880	mesg.com
632	mesg.com
1000	mesg.com
332	mesg.com
2200	mesg.com
2540	mesg.com
2172	mesg.com

Loads dropped DLL 64 IoCs

pid	Process
1280	5d56d8d8600cdbfadaa1b66469b7a646_JaffaCakes118.exe
1280	5d56d8d8600cdbfadaa1b66469b7a646_JaffaCakes118.exe
2840	mesg.com
2840	mesg.com
2928	mesg.com
2928	mesg.com
2632	mesg.com
2632	mesg.com
2620	mesg.com
2620	mesg.com
1940	mesg.com
1940	mesg.com
1312	mesg.com
1312	mesg.com
2988	mesg.com
2988	mesg.com
2108	mesg.com
2108	mesg.com
1604	mesg.com
1604	mesg.com
1476	mesg.com
1476	mesg.com
1524	mesg.com
1524	mesg.com
1000	mesg.com
1000	mesg.com
2876	mesg.com
2876	mesg.com
1980	mesg.com
1980	mesg.com
112	mesg.com
112	mesg.com
2212	mesg.com
2212	mesg.com
1804	mesg.com
1804	mesg.com
2524	mesg.com
2524	mesg.com
3020	mesg.com
3020	mesg.com
2456	mesg.com
2456	mesg.com
1284	mesg.com
1284	mesg.com
2376	mesg.com
2376	mesg.com
2232	mesg.com
2232	mesg.com
1352	mesg.com
1352	mesg.com
2884	mesg.com
2884	mesg.com
904	mesg.com
904	mesg.com
1968	mesg.com
1968	mesg.com
288	mesg.com
288	mesg.com
2564	mesg.com
2564	mesg.com
2388	mesg.com
2388	mesg.com
3056	mesg.com
3056	mesg.com

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mesg.com	mesg.com
File created	C:\Windows\SysWOW64\mesg.com	mesg.com
File opened for modification	C:\Windows\SysWOW64\mesg.exe	mesg.com
File opened for modification	C:\Windows\SysWOW64\mesg.exe	mesg.com
File created	C:\Windows\SysWOW64\mesg.com	mesg.com
File created	C:\Windows\SysWOW64\mesg.com	mesg.com
File opened for modification	C:\Windows\SysWOW64\mesg.exe	mesg.com
File created	C:\Windows\SysWOW64\mesg.com	mesg.com
File opened for modification	C:\Windows\SysWOW64\mesg.exe	mesg.com
File opened for modification	C:\Windows\SysWOW64\mesg.exe	mesg.com
File opened for modification	C:\Windows\SysWOW64\mesg.exe	mesg.com
File created	C:\Windows\SysWOW64\mesg.com	5d56d8d8600cdbfadaa1b66469b7a646_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mesg.com	mesg.com
File created	C:\Windows\SysWOW64\mesg.com	mesg.com
File created	C:\Windows\SysWOW64\mesg.com	mesg.com
File created	C:\Windows\SysWOW64\mesg.com	mesg.com
File opened for modification	C:\Windows\SysWOW64\mesg.exe	mesg.com
File created	C:\Windows\SysWOW64\mesg.com	mesg.com
File created	C:\Windows\SysWOW64\mesg.com	mesg.com
File opened for modification	C:\Windows\SysWOW64\mesg.exe	mesg.com
File opened for modification	C:\Windows\SysWOW64\mesg.exe	mesg.com
File created	C:\Windows\SysWOW64\mesg.com	mesg.com
File opened for modification	C:\Windows\SysWOW64\mesg.exe	mesg.com
File opened for modification	C:\Windows\SysWOW64\mesg.exe	mesg.com
File opened for modification	C:\Windows\SysWOW64\mesg.exe	mesg.com
File opened for modification	C:\Windows\SysWOW64\mesg.exe	mesg.com
File created	C:\Windows\SysWOW64\mesg.com	mesg.com
File opened for modification	C:\Windows\SysWOW64\mesg.exe	mesg.com
File created	C:\Windows\SysWOW64\mesg.com	mesg.com
File created	C:\Windows\SysWOW64\mesg.com	mesg.com
File opened for modification	C:\Windows\SysWOW64\mesg.exe	mesg.com
File created	C:\Windows\SysWOW64\mesg.com	mesg.com
File opened for modification	C:\Windows\SysWOW64\mesg.exe	mesg.com
File created	C:\Windows\SysWOW64\mesg.com	mesg.com
File created	C:\Windows\SysWOW64\mesg.com	mesg.com
File created	C:\Windows\SysWOW64\mesg.com	mesg.com
File created	C:\Windows\SysWOW64\mesg.com	mesg.com
File opened for modification	C:\Windows\SysWOW64\mesg.exe	mesg.com
File created	C:\Windows\SysWOW64\mesg.com	mesg.com
File opened for modification	C:\Windows\SysWOW64\mesg.exe	mesg.com
File opened for modification	C:\Windows\SysWOW64\mesg.exe	mesg.com
File opened for modification	C:\Windows\SysWOW64\mesg.exe	mesg.com
File opened for modification	C:\Windows\SysWOW64\mesg.exe	mesg.com
File created	C:\Windows\SysWOW64\mesg.com	mesg.com
File created	C:\Windows\SysWOW64\mesg.com	mesg.com
File created	C:\Windows\SysWOW64\mesg.com	mesg.com
File created	C:\Windows\SysWOW64\mesg.com	mesg.com
File created	C:\Windows\SysWOW64\mesg.com	mesg.com
File opened for modification	C:\Windows\SysWOW64\mesg.exe	mesg.com
File opened for modification	C:\Windows\SysWOW64\mesg.exe	mesg.com
File opened for modification	C:\Windows\SysWOW64\mesg.exe	mesg.com
File opened for modification	C:\Windows\SysWOW64\mesg.exe	mesg.com
File created	C:\Windows\SysWOW64\mesg.com	mesg.com
File created	C:\Windows\SysWOW64\mesg.com	mesg.com
File created	C:\Windows\SysWOW64\mesg.com	mesg.com
File created	C:\Windows\SysWOW64\mesg.com	mesg.com
File created	C:\Windows\SysWOW64\mesg.com	mesg.com
File created	C:\Windows\SysWOW64\mesg.com	mesg.com
File created	C:\Windows\SysWOW64\mesg.com	mesg.com
File opened for modification	C:\Windows\SysWOW64\mesg.exe	mesg.com
File opened for modification	C:\Windows\SysWOW64\mesg.exe	mesg.com
File opened for modification	C:\Windows\SysWOW64\mesg.exe	mesg.com
File created	C:\Windows\SysWOW64\mesg.com	mesg.com
File opened for modification	C:\Windows\SysWOW64\mesg.exe	mesg.com

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com
File opened for modification	C:\Windows\get.exe	mesg.com

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1280	5d56d8d8600cdbfadaa1b66469b7a646_JaffaCakes118.exe
2840	mesg.com
2928	mesg.com
2632	mesg.com
2620	mesg.com
1940	mesg.com
1312	mesg.com
2988	mesg.com
2108	mesg.com
1604	mesg.com
1476	mesg.com
1524	mesg.com
1000	mesg.com
2876	mesg.com
1980	mesg.com
112	mesg.com
2212	mesg.com
1804	mesg.com
2524	mesg.com
3020	mesg.com
2456	mesg.com
1284	mesg.com
2376	mesg.com
2232	mesg.com
1352	mesg.com
2884	mesg.com
904	mesg.com
1968	mesg.com
288	mesg.com
2564	mesg.com
2388	mesg.com
3056	mesg.com
2560	mesg.com
468	mesg.com
1828	mesg.com
2936	mesg.com
2056	mesg.com
2732	mesg.com
2452	mesg.com
2904	mesg.com
1280	mesg.com
2640	mesg.com
2836	mesg.com
2648	mesg.com
2616	mesg.com
2252	mesg.com
2112	mesg.com
2036	mesg.com
2944	mesg.com
2568	mesg.com
2992	mesg.com
2188	mesg.com
1912	mesg.com
1300	mesg.com
1612	mesg.com
316	mesg.com
1708	mesg.com
2816	mesg.com
2880	mesg.com
632	mesg.com
1000	mesg.com
332	mesg.com
2200	mesg.com
2540	mesg.com

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 2840	1280	5d56d8d8600cdbfadaa1b66469b7a646_JaffaCakes118.exe	31
PID 1280 wrote to memory of 2840	1280	5d56d8d8600cdbfadaa1b66469b7a646_JaffaCakes118.exe	31
PID 1280 wrote to memory of 2840	1280	5d56d8d8600cdbfadaa1b66469b7a646_JaffaCakes118.exe	31
PID 1280 wrote to memory of 2840	1280	5d56d8d8600cdbfadaa1b66469b7a646_JaffaCakes118.exe	31
PID 2840 wrote to memory of 2928	2840	mesg.com	32
PID 2840 wrote to memory of 2928	2840	mesg.com	32
PID 2840 wrote to memory of 2928	2840	mesg.com	32
PID 2840 wrote to memory of 2928	2840	mesg.com	32
PID 2928 wrote to memory of 2632	2928	mesg.com	33
PID 2928 wrote to memory of 2632	2928	mesg.com	33
PID 2928 wrote to memory of 2632	2928	mesg.com	33
PID 2928 wrote to memory of 2632	2928	mesg.com	33
PID 2632 wrote to memory of 2620	2632	mesg.com	34
PID 2632 wrote to memory of 2620	2632	mesg.com	34
PID 2632 wrote to memory of 2620	2632	mesg.com	34
PID 2632 wrote to memory of 2620	2632	mesg.com	34
PID 2620 wrote to memory of 1940	2620	mesg.com	35
PID 2620 wrote to memory of 1940	2620	mesg.com	35
PID 2620 wrote to memory of 1940	2620	mesg.com	35
PID 2620 wrote to memory of 1940	2620	mesg.com	35
PID 1940 wrote to memory of 1312	1940	mesg.com	36
PID 1940 wrote to memory of 1312	1940	mesg.com	36
PID 1940 wrote to memory of 1312	1940	mesg.com	36
PID 1940 wrote to memory of 1312	1940	mesg.com	36
PID 1312 wrote to memory of 2988	1312	mesg.com	37
PID 1312 wrote to memory of 2988	1312	mesg.com	37
PID 1312 wrote to memory of 2988	1312	mesg.com	37
PID 1312 wrote to memory of 2988	1312	mesg.com	37
PID 2988 wrote to memory of 2108	2988	mesg.com	38
PID 2988 wrote to memory of 2108	2988	mesg.com	38
PID 2988 wrote to memory of 2108	2988	mesg.com	38
PID 2988 wrote to memory of 2108	2988	mesg.com	38
PID 2108 wrote to memory of 1604	2108	mesg.com	39
PID 2108 wrote to memory of 1604	2108	mesg.com	39
PID 2108 wrote to memory of 1604	2108	mesg.com	39
PID 2108 wrote to memory of 1604	2108	mesg.com	39
PID 1604 wrote to memory of 1476	1604	mesg.com	40
PID 1604 wrote to memory of 1476	1604	mesg.com	40
PID 1604 wrote to memory of 1476	1604	mesg.com	40
PID 1604 wrote to memory of 1476	1604	mesg.com	40
PID 1476 wrote to memory of 1524	1476	mesg.com	41
PID 1476 wrote to memory of 1524	1476	mesg.com	41
PID 1476 wrote to memory of 1524	1476	mesg.com	41
PID 1476 wrote to memory of 1524	1476	mesg.com	41
PID 1524 wrote to memory of 1000	1524	mesg.com	42
PID 1524 wrote to memory of 1000	1524	mesg.com	42
PID 1524 wrote to memory of 1000	1524	mesg.com	42
PID 1524 wrote to memory of 1000	1524	mesg.com	42
PID 1000 wrote to memory of 2876	1000	mesg.com	43
PID 1000 wrote to memory of 2876	1000	mesg.com	43
PID 1000 wrote to memory of 2876	1000	mesg.com	43
PID 1000 wrote to memory of 2876	1000	mesg.com	43
PID 2876 wrote to memory of 1980	2876	mesg.com	44
PID 2876 wrote to memory of 1980	2876	mesg.com	44
PID 2876 wrote to memory of 1980	2876	mesg.com	44
PID 2876 wrote to memory of 1980	2876	mesg.com	44
PID 1980 wrote to memory of 112	1980	mesg.com	45
PID 1980 wrote to memory of 112	1980	mesg.com	45
PID 1980 wrote to memory of 112	1980	mesg.com	45
PID 1980 wrote to memory of 112	1980	mesg.com	45
PID 112 wrote to memory of 2212	112	mesg.com	46
PID 112 wrote to memory of 2212	112	mesg.com	46
PID 112 wrote to memory of 2212	112	mesg.com	46
PID 112 wrote to memory of 2212	112	mesg.com	46

C:\Users\Admin\AppData\Local\Temp\5d56d8d8600cdbfadaa1b66469b7a646_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5d56d8d8600cdbfadaa1b66469b7a646_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Windows\SysWOW64\mesg.com
  C:\Windows\system32\mesg.com
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\SysWOW64\mesg.com
    C:\Windows\system32\mesg.com
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Windows\SysWOW64\mesg.com
      C:\Windows\system32\mesg.com
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2620
      - C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        7⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        8⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        10⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:112
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2212
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1804
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2524
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        20⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:3020
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2456
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1284
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2376
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2232
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1352
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        26⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2884
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        27⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:904
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        28⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1968
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:288
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2564
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        31⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2388
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        32⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:3056
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        33⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2560
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        34⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:468
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        35⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1828
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        36⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2936
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        37⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2056
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        38⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2732
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2452
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        40⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2904
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1280
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2640
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        43⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2836
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        44⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2648
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        45⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2616
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        46⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2252
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        47⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2112
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        48⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2036
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        49⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2944
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        50⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2568
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        51⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2992
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        52⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2188
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1912
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        54⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1300
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1612
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:316
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1708
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        58⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2816
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        59⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2880
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        60⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:632
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        61⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1000
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:332
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        63⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2200
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        64⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2540
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        65⤵
        Executes dropped EXE
        
        PID:2172
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        66⤵
        
        PID:112
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        67⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        68⤵
        Modifies WinLogon for persistence
        
        PID:2512
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        69⤵
        Modifies WinLogon for persistence
        
        PID:1592
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        70⤵
        Drops file in Windows directory
        
        PID:1240
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        71⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        
        PID:2304
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        72⤵
        
        PID:408
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        73⤵
        Drops file in System32 directory
        
        PID:2376
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        74⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        75⤵
        Drops file in System32 directory
        
        PID:896
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        76⤵
        Modifies WinLogon for persistence
        
        PID:1816
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        77⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        78⤵
        Drops file in System32 directory
        
        PID:2528
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        79⤵
        Modifies WinLogon for persistence
        
        PID:1144
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        80⤵
        Drops file in Windows directory
        
        PID:692
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        81⤵
        Modifies WinLogon for persistence
        
        PID:2004
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        82⤵
        Drops file in System32 directory
        
        PID:2508
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        83⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        84⤵
        
        PID:984
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        85⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:268
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        86⤵
        Modifies WinLogon for persistence
        Drops file in Windows directory
        
        PID:1688
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        87⤵
        Drops file in System32 directory
        
        PID:2276
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        88⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        89⤵
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:1576
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        90⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        91⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        92⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        93⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        94⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        95⤵
        Drops file in System32 directory
        
        PID:2024
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        96⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        97⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        98⤵
        Drops file in Windows directory
        
        PID:2196
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        99⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        100⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        101⤵
        Modifies WinLogon for persistence
        
        PID:2036
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        102⤵
        Modifies WinLogon for persistence
        
        PID:2704
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        103⤵
        Drops file in System32 directory
        
        PID:1148
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        104⤵
        Modifies WinLogon for persistence
        
        PID:2848
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        105⤵
        Drops file in Windows directory
        
        PID:2656
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        106⤵
        Drops file in Windows directory
        
        PID:2108
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        107⤵
        
        PID:376
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        108⤵
        Modifies WinLogon for persistence
        
        PID:980
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        109⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        110⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        111⤵
        Modifies WinLogon for persistence
        
        PID:1364
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        112⤵
        Drops file in Windows directory
        
        PID:1768
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        113⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        114⤵
        
        PID:344
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        115⤵
        
        PID:668
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        116⤵
        Drops file in Windows directory
        
        PID:1980
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        117⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        118⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        119⤵
        Drops file in System32 directory
        
        PID:2312
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        120⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        121⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        122⤵
        Drops file in Windows directory
        
        PID:2512
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        123⤵
        Drops file in System32 directory
        
        PID:856
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        124⤵
        Modifies WinLogon for persistence
        
        PID:1860
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        125⤵
        
        PID:772
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        126⤵
        Drops file in System32 directory
        
        PID:2948
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        127⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        128⤵
        Drops file in System32 directory
        
        PID:2692
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        129⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        130⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        131⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        132⤵
        Drops file in System32 directory
        
        PID:1500
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        133⤵
        Drops file in Windows directory
        
        PID:2168
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        134⤵
        Drops file in System32 directory
        
        PID:692
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        135⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        136⤵
        
        PID:776
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        137⤵
        
        PID:852
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        138⤵
        Modifies WinLogon for persistence
        
        PID:1744
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        139⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        140⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        141⤵
        Modifies WinLogon for persistence
        
        PID:2072
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        142⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        143⤵
        Drops file in System32 directory
        
        PID:1584
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        144⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        145⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        146⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        147⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        148⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        149⤵
        Drops file in System32 directory
        
        PID:2148
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        150⤵
        Drops file in System32 directory
        
        PID:2608
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        151⤵
        Drops file in System32 directory
        
        PID:884
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        152⤵
        Modifies WinLogon for persistence
        
        PID:2960
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        153⤵
        Drops file in Windows directory
        
        PID:2272
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        154⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        155⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        156⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        
        PID:2992
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        157⤵
        Drops file in Windows directory
        
        PID:2188
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        158⤵
        Drops file in Windows directory
        
        PID:2988
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        159⤵
        Drops file in Windows directory
        
        PID:1604
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        160⤵
        Modifies WinLogon for persistence
        
        PID:376
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        161⤵
        Drops file in Windows directory
        
        PID:980
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        162⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        163⤵
        
        PID:800
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        164⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        165⤵
        Drops file in System32 directory
        
        PID:2672
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        166⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:1136
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        167⤵
        Drops file in Windows directory
        
        PID:1784
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        168⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        169⤵
        Modifies WinLogon for persistence
        Drops file in Windows directory
        
        PID:2584
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        170⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        171⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        172⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        
        PID:1080
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        173⤵
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:2152
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        174⤵
        
        PID:292
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        175⤵
        Modifies WinLogon for persistence
        
        PID:3036
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        176⤵
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:1592
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        177⤵
        Drops file in Windows directory
        
        PID:2512
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        178⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        179⤵
        Modifies WinLogon for persistence
        Drops file in Windows directory
        
        PID:856
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        180⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        181⤵
        
        PID:772
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        182⤵
        Modifies WinLogon for persistence
        Drops file in Windows directory
        
        PID:2572
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        183⤵
        Drops file in Windows directory
        
        PID:3044
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        184⤵
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:1536
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        185⤵
        
        PID:952
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        186⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        187⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        188⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        189⤵
        Drops file in System32 directory
        
        PID:2688
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        190⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        191⤵
        Modifies WinLogon for persistence
        
        PID:992
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        192⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        
        PID:1244
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        193⤵
        
        PID:468
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        194⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        195⤵
        Modifies WinLogon for persistence
        Drops file in Windows directory
        
        PID:880
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        196⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        197⤵
        Modifies WinLogon for persistence
        
        PID:2500
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        198⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        199⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        200⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        201⤵
        Drops file in System32 directory
        
        PID:2824
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        202⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        203⤵
        Modifies WinLogon for persistence
        Drops file in Windows directory
        
        PID:2676
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        204⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        205⤵
        Drops file in Windows directory
        
        PID:2908
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        206⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        207⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        208⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        209⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        
        PID:2156
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        210⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        211⤵
        Drops file in System32 directory
        
        PID:2568
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        212⤵
        Drops file in System32 directory
        
        PID:2060
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        213⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        
        PID:2984
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        214⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        215⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        216⤵
        Drops file in Windows directory
        
        PID:2108
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        217⤵
        Drops file in System32 directory
        
        PID:1272
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        218⤵
        
        PID:380
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        219⤵
        
        PID:108
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        220⤵
        Drops file in Windows directory
        
        PID:2040
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        221⤵
        Drops file in Windows directory
        
        PID:1740
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        222⤵
        
        PID:572
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        223⤵
        Drops file in Windows directory
        
        PID:1696
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        224⤵
        Drops file in System32 directory
        
        PID:892
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        225⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        226⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        227⤵
        Modifies WinLogon for persistence
        Drops file in Windows directory
        
        PID:768
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        228⤵
        Modifies WinLogon for persistence
        
        PID:344
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        229⤵
        Drops file in Windows directory
        
        PID:2068
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        230⤵
        Drops file in System32 directory
        
        PID:2540
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        231⤵
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:1092
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        232⤵
        Modifies WinLogon for persistence
        Drops file in Windows directory
        
        PID:1812
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        233⤵
        Modifies WinLogon for persistence
        Drops file in Windows directory
        
        PID:1844
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        234⤵
        Drops file in System32 directory
        
        PID:1080
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        235⤵
        Drops file in Windows directory
        
        PID:2788
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        236⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        237⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        238⤵
        Drops file in System32 directory
        
        PID:2436
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        239⤵
        
        PID:448
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        240⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        241⤵
        Modifies WinLogon for persistence
        
        PID:2336
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        242⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        243⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        244⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        245⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        246⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        
        PID:1360
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        247⤵
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:684
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        248⤵
        Modifies WinLogon for persistence
        
        PID:952
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        249⤵
        Modifies WinLogon for persistence
        Drops file in Windows directory
        
        PID:1720
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        250⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        251⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        252⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        253⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        254⤵
        
        PID:776
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        255⤵
        Drops file in Windows directory
        
        PID:2560
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        256⤵
        
        PID:984
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        257⤵
        Drops file in System32 directory
        
        PID:1780
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        258⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        259⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        260⤵
        Drops file in Windows directory
        
        PID:1588
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        261⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        262⤵
        Drops file in System32 directory
        
        PID:3024
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        263⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        264⤵
        Drops file in Windows directory
        
        PID:2772
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        265⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        266⤵
        Drops file in Windows directory
        
        PID:2728
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        267⤵
        Drops file in System32 directory
        
        PID:2680
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        268⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        269⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        270⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        271⤵
        Modifies WinLogon for persistence
        
        PID:2980
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        272⤵
        Modifies WinLogon for persistence
        
        PID:2220
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        273⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        274⤵
        Drops file in System32 directory
        
        PID:2780
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        275⤵
        Modifies WinLogon for persistence
        
        PID:3068
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        276⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        277⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\mesg.com
        
        C:\Windows\system32\mesg.com
        278⤵
        Modifies WinLogon for persistence
        Drops file in Windows directory
        
        PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\mesg.com

Filesize
73KB

MD5
5d56d8d8600cdbfadaa1b66469b7a646

SHA1
9369717a8dbc49452f5e1ea27a92e4eb779dbd6a

SHA256
4171de49be68064ee63937bdd560c253c9b5173c0497bc7835ec497f6d3e87e0

SHA512
296409e15338863a0c1022022ff7eb5f5bf00ea7907cb7ce37701e183ad089b751911831bb908e4f2a148637735d17b2aa9951aba38bf80bd37c3e58a4c0ef5b

Download Submit
C:\Windows\get.exe

Filesize
16KB

MD5
2365f6ffff36ba7cc428914a10132faf

SHA1
9e83429c1ec0e512c49aa239dc5823ef62954e0a

SHA256
fba83311dcf0f7980b4eaef2d4896ce4e1104b7e01bd30dd59fcb3f066a3810a

SHA512
feffddd01ce52427a9b62a044484a6d617a47c55fc910c5b185b2a4f046ed758156ac2dbf60046f46ea8e7963d8b8fe8441650422886c888e93d7b5675f8d74d

Download Submit
C:\Windows\get.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/112-162-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/112-427-0x0000000000320000-0x000000000034B000-memory.dmp

Filesize
172KB

Download
memory/288-232-0x00000000003C0000-0x00000000003EB000-memory.dmp

Filesize
172KB

Download
memory/288-233-0x00000000003C0000-0x00000000003EB000-memory.dmp

Filesize
172KB

Download
memory/288-230-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/332-402-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/904-218-0x00000000025C0000-0x00000000025EB000-memory.dmp

Filesize
172KB

Download
memory/904-219-0x00000000025C0000-0x00000000025EB000-memory.dmp

Filesize
172KB

Download
memory/904-213-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/904-224-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1000-130-0x0000000000290000-0x00000000002BB000-memory.dmp

Filesize
172KB

Download
memory/1000-399-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1000-135-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1000-121-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1280-19-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1280-13-0x00000000005C0000-0x00000000005EB000-memory.dmp

Filesize
172KB

Download
memory/1280-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1280-12-0x00000000005C0000-0x00000000005EB000-memory.dmp

Filesize
172KB

Download
memory/1284-185-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1300-371-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1312-65-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1352-208-0x00000000003D0000-0x00000000003FB000-memory.dmp

Filesize
172KB

Download
memory/1352-204-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1352-207-0x00000000003D0000-0x00000000003FB000-memory.dmp

Filesize
172KB

Download
memory/1352-212-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1476-111-0x00000000002B0000-0x00000000002DB000-memory.dmp

Filesize
172KB

Download
memory/1476-116-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1524-120-0x0000000000500000-0x000000000052B000-memory.dmp

Filesize
172KB

Download
memory/1604-107-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1604-102-0x00000000005E0000-0x000000000060B000-memory.dmp

Filesize
172KB

Download
memory/1612-377-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1612-369-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1612-372-0x0000000000520000-0x000000000054B000-memory.dmp

Filesize
172KB

Download
memory/1708-382-0x00000000003B0000-0x00000000003DB000-memory.dmp

Filesize
172KB

Download
memory/1708-386-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1804-174-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1828-268-0x00000000003C0000-0x00000000003EB000-memory.dmp

Filesize
172KB

Download
memory/1940-64-0x00000000004D0000-0x00000000004FB000-memory.dmp

Filesize
172KB

Download
memory/1940-70-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1968-229-0x0000000000290000-0x00000000002BB000-memory.dmp

Filesize
172KB

Download
memory/1968-228-0x0000000000290000-0x00000000002BB000-memory.dmp

Filesize
172KB

Download
memory/1980-155-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1980-149-0x00000000004B0000-0x00000000004DB000-memory.dmp

Filesize
172KB

Download
memory/1980-150-0x00000000004B0000-0x00000000004DB000-memory.dmp

Filesize
172KB

Download
memory/2036-336-0x0000000000510000-0x000000000053B000-memory.dmp

Filesize
172KB

Download
memory/2056-278-0x00000000003A0000-0x00000000003CB000-memory.dmp

Filesize
172KB

Download
memory/2108-92-0x00000000003D0000-0x00000000003FB000-memory.dmp

Filesize
172KB

Download
memory/2108-82-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2108-98-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2112-335-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2172-424-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2188-362-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2200-407-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2212-168-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2212-431-0x00000000005D0000-0x00000000005FB000-memory.dmp

Filesize
172KB

Download
memory/2212-163-0x0000000001BE0000-0x0000000001C0B000-memory.dmp

Filesize
172KB

Download
memory/2212-428-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2212-164-0x0000000001BE0000-0x0000000001C0B000-memory.dmp

Filesize
172KB

Download
memory/2232-202-0x0000000000380000-0x00000000003AB000-memory.dmp

Filesize
172KB

Download
memory/2232-201-0x0000000000380000-0x00000000003AB000-memory.dmp

Filesize
172KB

Download
memory/2252-320-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2252-327-0x00000000003C0000-0x00000000003EB000-memory.dmp

Filesize
172KB

Download
memory/2252-326-0x00000000003C0000-0x00000000003EB000-memory.dmp

Filesize
172KB

Download
memory/2376-194-0x0000000000750000-0x000000000077B000-memory.dmp

Filesize
172KB

Download
memory/2376-199-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2388-245-0x0000000002290000-0x00000000022BB000-memory.dmp

Filesize
172KB

Download
memory/2388-246-0x0000000002290000-0x00000000022BB000-memory.dmp

Filesize
172KB

Download
memory/2388-240-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2452-293-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2452-288-0x00000000002A0000-0x00000000002CB000-memory.dmp

Filesize
172KB

Download
memory/2456-189-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2524-180-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2524-175-0x00000000023F0000-0x000000000241B000-memory.dmp

Filesize
172KB

Download
memory/2524-172-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2560-258-0x00000000002F0000-0x000000000031B000-memory.dmp

Filesize
172KB

Download
memory/2560-263-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2564-238-0x00000000024D0000-0x00000000024FB000-memory.dmp

Filesize
172KB

Download
memory/2564-239-0x00000000024D0000-0x00000000024FB000-memory.dmp

Filesize
172KB

Download
memory/2568-352-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2568-347-0x0000000000430000-0x000000000045B000-memory.dmp

Filesize
172KB

Download
memory/2616-319-0x00000000002C0000-0x00000000002EB000-memory.dmp

Filesize
172KB

Download
memory/2616-324-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2620-60-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2620-54-0x0000000000450000-0x000000000047B000-memory.dmp

Filesize
172KB

Download
memory/2632-35-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2632-50-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2632-44-0x0000000000290000-0x00000000002BB000-memory.dmp

Filesize
172KB

Download
memory/2640-304-0x00000000004B0000-0x00000000004DB000-memory.dmp

Filesize
172KB

Download
memory/2640-309-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2648-314-0x0000000001C70000-0x0000000001C9B000-memory.dmp

Filesize
172KB

Download
memory/2732-287-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2816-389-0x0000000000290000-0x00000000002BB000-memory.dmp

Filesize
172KB

Download
memory/2836-313-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2836-305-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2840-23-0x00000000003A0000-0x00000000003CB000-memory.dmp

Filesize
172KB

Download
memory/2840-29-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2876-139-0x00000000005E0000-0x000000000060B000-memory.dmp

Filesize
172KB

Download
memory/2876-145-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2876-140-0x00000000005E0000-0x000000000060B000-memory.dmp

Filesize
172KB

Download
memory/2880-390-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2884-217-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2904-294-0x00000000003B0000-0x00000000003DB000-memory.dmp

Filesize
172KB

Download
memory/2904-299-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2928-34-0x00000000003A0000-0x00000000003CB000-memory.dmp

Filesize
172KB

Download
memory/2928-41-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2928-33-0x00000000003A0000-0x00000000003CB000-memory.dmp

Filesize
172KB

Download
memory/2936-273-0x0000000000390000-0x00000000003BB000-memory.dmp

Filesize
172KB

Download
memory/2944-346-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2944-341-0x0000000002580000-0x00000000025AB000-memory.dmp

Filesize
172KB

Download
memory/2944-342-0x0000000002580000-0x00000000025AB000-memory.dmp

Filesize
172KB

Download
memory/2988-88-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2992-354-0x00000000002D0000-0x00000000002FB000-memory.dmp

Filesize
172KB

Download
memory/2992-353-0x00000000002D0000-0x00000000002FB000-memory.dmp

Filesize
172KB

Download
memory/3056-257-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3056-252-0x00000000024E0000-0x000000000250B000-memory.dmp

Filesize
172KB

Download
memory/3056-247-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads