Analysis

max time kernel: 30s
max time network: 123s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 19/09/2024, 02:59

Static task: static1

Behavioral task: behavioral1
Sample: ea765260c975618896c278e32ca46a18_JaffaCakes118.exe
Resource: win7-20240708-en

Behavioral task: behavioral2
Sample: ea765260c975618896c278e32ca46a18_JaffaCakes118.exe
Resource: win10v2004-20240802-en
General

Target: ea765260c975618896c278e32ca46a18_JaffaCakes118.exe
Size: 45KB
MD5: ea765260c975618896c278e32ca46a18
SHA1: 5b57e2a51b208253c9c9c1634e08ed55995dafdc
SHA256: aeecf05ef9b20d0ba0ed0fed299d5c07161e4d35daab807a714372da90cee5db
SHA512: 5b94aae419f88379fd2029292e7643cd558f897cf552cf5e9c8a2d7f0f8cb6b77b91f2e750447e99e09eb1b03b2d858653d8e3f4985b73f1762fcbf272dda2ed
SSDEEP: 768:+DI8ys6q0TwnbyqVcxwjygB2dQ0t95h/EkkVuawz+ytXAKhhu+Bp:+Dk1zwb83gB2qsZkAVJhNp
Malware Config
Signatures
Drops file in Drivers directory 64 IoCs
description | ioc | Process (distinct entries)
File opened for modification | C:\Windows\system32\drivers\etc\hosts | windowsmsnlive.exe
File opened for modification | C:\Windows\system32\drivers\etc\hosts | Process not Found
Deletes itself 1 IoCs
pid | Process
2956 | cmd.exe
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Adds Run key to start application 2 TTPs 64 IoCs
description | ioc | Process (distinct entries)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe" | windowsmsnlive.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowsmsnlive.exe" | Process not Found
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
Drops file in System32 directory 64 IoCs
description | ioc | Process (distinct entries)
File created | C:\Windows\SysWOW64\windowsmsnlive.exe | ea765260c975618896c278e32ca46a18_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\windowsmsnlive.exe | windowsmsnlive.exe
File created | C:\Windows\SysWOW64\windowsmsnlive.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\windowsmsnlive.exe | windowsmsnlive.exe
File opened for modification | C:\Windows\SysWOW64\windowsmsnlive.exe | Process not Found
Suspicious use of SetThreadContext 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language windowsmsnlive.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CMD.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CMD.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CMD.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CMD.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CMD.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CMD.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CMD.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language windowsmsnlive.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CMD.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CMD.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CMD.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language windowsmsnlive.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language windowsmsnlive.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language windowsmsnlive.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CMD.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CMD.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CMD.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CMD.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CMD.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language windowsmsnlive.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language windowsmsnlive.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language windowsmsnlive.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CMD.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language windowsmsnlive.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CMD.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CMD.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CMD.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CMD.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language windowsmsnlive.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CMD.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language windowsmsnlive.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CMD.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language windowsmsnlive.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CMD.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CMD.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CMD.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language windowsmsnlive.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CMD.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language windowsmsnlive.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CMD.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CMD.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language windowsmsnlive.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language windowsmsnlive.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language windowsmsnlive.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeIncBasePriorityPrivilege 2180 ea765260c975618896c278e32ca46a18_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege 2840 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 2380 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 1432 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 1808 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 2988 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 2772 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 2552 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 1920 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 1360 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 1984 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 2776 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 2800 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 660 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 1584 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 1688 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 1036 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 2768 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 2068 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 1368 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 2652 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 2908 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 2012 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 2644 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 908 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 2892 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 1588 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 1980 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 1700 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 1696 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 1472 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 1028 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 2404 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 2720 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 1104 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 2920 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 2628 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 2056 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 756 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 2580 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 1640 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 3016 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 2224 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 236 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 2676 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 2848 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 1608 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 2844 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 2652 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 2320 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 2432 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 944 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 2076 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 2148 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 1828 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 2900 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 2392 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 2272 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 2968 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 1724 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 2600 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 2760 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 1660 windowsmsnlive.exe
Token: SeIncBasePriorityPrivilege 2056 windowsmsnlive.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2080 wrote to memory of 2180 2080 ea765260c975618896c278e32ca46a18_JaffaCakes118.exe 30
PID 2080 wrote to memory of 2180 2080 ea765260c975618896c278e32ca46a18_JaffaCakes118.exe 30
PID 2080 wrote to memory of 2180 2080 ea765260c975618896c278e32ca46a18_JaffaCakes118.exe 30
PID 2080 wrote to memory of 2180 2080 ea765260c975618896c278e32ca46a18_JaffaCakes118.exe 30
PID 2080 wrote to memory of 2180 2080 ea765260c975618896c278e32ca46a18_JaffaCakes118.exe 30
PID 2080 wrote to memory of 2180 2080 ea765260c975618896c278e32ca46a18_JaffaCakes118.exe 30
PID 2080 wrote to memory of 2180 2080 ea765260c975618896c278e32ca46a18_JaffaCakes118.exe 30
PID 2080 wrote to memory of 2180 2080 ea765260c975618896c278e32ca46a18_JaffaCakes118.exe 30
PID 2080 wrote to memory of 2180 2080 ea765260c975618896c278e32ca46a18_JaffaCakes118.exe 30
PID 2080 wrote to memory of 2180 2080 ea765260c975618896c278e32ca46a18_JaffaCakes118.exe 30
PID 2180 wrote to memory of 2832 2180 ea765260c975618896c278e32ca46a18_JaffaCakes118.exe 31
PID 2180 wrote to memory of 2832 2180 ea765260c975618896c278e32ca46a18_JaffaCakes118.exe 31
PID 2180 wrote to memory of 2832 2180 ea765260c975618896c278e32ca46a18_JaffaCakes118.exe 31
PID 2180 wrote to memory of 2832 2180 ea765260c975618896c278e32ca46a18_JaffaCakes118.exe 31
PID 2180 wrote to memory of 2828 2180 ea765260c975618896c278e32ca46a18_JaffaCakes118.exe 32
PID 2180 wrote to memory of 2828 2180 ea765260c975618896c278e32ca46a18_JaffaCakes118.exe 32
PID 2180 wrote to memory of 2828 2180 ea765260c975618896c278e32ca46a18_JaffaCakes118.exe 32
PID 2180 wrote to memory of 2828 2180 ea765260c975618896c278e32ca46a18_JaffaCakes118.exe 32
PID 2180 wrote to memory of 2864 2180 ea765260c975618896c278e32ca46a18_JaffaCakes118.exe 33
PID 2180 wrote to memory of 2864 2180 ea765260c975618896c278e32ca46a18_JaffaCakes118.exe 33
PID 2180 wrote to memory of 2864 2180 ea765260c975618896c278e32ca46a18_JaffaCakes118.exe 33
PID 2180 wrote to memory of 2864 2180 ea765260c975618896c278e32ca46a18_JaffaCakes118.exe 33
PID 2180 wrote to memory of 2992 2180 ea765260c975618896c278e32ca46a18_JaffaCakes118.exe 35
PID 2180 wrote to memory of 2992 2180 ea765260c975618896c278e32ca46a18_JaffaCakes118.exe 35
PID 2180 wrote to memory of 2992 2180 ea765260c975618896c278e32ca46a18_JaffaCakes118.exe 35
PID 2180 wrote to memory of 2992 2180 ea765260c975618896c278e32ca46a18_JaffaCakes118.exe 35
PID 2180 wrote to memory of 2852 2180 ea765260c975618896c278e32ca46a18_JaffaCakes118.exe 36
PID 2180 wrote to memory of 2852 2180 ea765260c975618896c278e32ca46a18_JaffaCakes118.exe 36
PID 2180 wrote to memory of 2852 2180 ea765260c975618896c278e32ca46a18_JaffaCakes118.exe 36
PID 2180 wrote to memory of 2852 2180 ea765260c975618896c278e32ca46a18_JaffaCakes118.exe 36
PID 2832 wrote to memory of 2840 2832 windowsmsnlive.exe 37
PID 2832 wrote to memory of 2840 2832 windowsmsnlive.exe 37
PID 2832 wrote to memory of 2840 2832 windowsmsnlive.exe 37
PID 2832 wrote to memory of 2840 2832 windowsmsnlive.exe 37
PID 2180 wrote to memory of 2956 2180 ea765260c975618896c278e32ca46a18_JaffaCakes118.exe 38
PID 2180 wrote to memory of 2956 2180 ea765260c975618896c278e32ca46a18_JaffaCakes118.exe 38
PID 2180 wrote to memory of 2956 2180 ea765260c975618896c278e32ca46a18_JaffaCakes118.exe 38
PID 2180 wrote to memory of 2956 2180 ea765260c975618896c278e32ca46a18_JaffaCakes118.exe 38
PID 2832 wrote to memory of 2840 2832 windowsmsnlive.exe 37
PID 2832 wrote to memory of 2840 2832 windowsmsnlive.exe 37
PID 2832 wrote to memory of 2840 2832 windowsmsnlive.exe 37
PID 2832 wrote to memory of 2840 2832 windowsmsnlive.exe 37
PID 2832 wrote to memory of 2840 2832 windowsmsnlive.exe 37
PID 2832 wrote to memory of 2840 2832 windowsmsnlive.exe 37
PID 2840 wrote to memory of 2224 2840 windowsmsnlive.exe 42
PID 2840 wrote to memory of 2224 2840 windowsmsnlive.exe 42
PID 2840 wrote to memory of 2224 2840 windowsmsnlive.exe 42
PID 2840 wrote to memory of 2224 2840 windowsmsnlive.exe 42
PID 2840 wrote to memory of 1112 2840 windowsmsnlive.exe 43
PID 2840 wrote to memory of 1112 2840 windowsmsnlive.exe 43
PID 2840 wrote to memory of 1112 2840 windowsmsnlive.exe 43
PID 2840 wrote to memory of 1112 2840 windowsmsnlive.exe 43
PID 2840 wrote to memory of 1732 2840 windowsmsnlive.exe 119
PID 2840 wrote to memory of 1732 2840 windowsmsnlive.exe 119
PID 2840 wrote to memory of 1732 2840 windowsmsnlive.exe 119
PID 2840 wrote to memory of 1732 2840 windowsmsnlive.exe 119
PID 2840 wrote to memory of 1640 2840 windowsmsnlive.exe 45
PID 2840 wrote to memory of 1640 2840 windowsmsnlive.exe 45
PID 2840 wrote to memory of 1640 2840 windowsmsnlive.exe 45
PID 2840 wrote to memory of 1640 2840 windowsmsnlive.exe 45
PID 2840 wrote to memory of 2804 2840 windowsmsnlive.exe 117
PID 2840 wrote to memory of 2804 2840 windowsmsnlive.exe 117
PID 2840 wrote to memory of 2804 2840 windowsmsnlive.exe 117
PID 2840 wrote to memory of 2804 2840 windowsmsnlive.exe 117
Processes
C:\Users\Admin\AppData\Local\Temp\ea765260c975618896c278e32ca46a18_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\ea765260c975618896c278e32ca46a18_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Users\Admin\AppData\Local\Temp\ea765260c975618896c278e32ca46a18_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\ea765260c975618896c278e32ca46a18_JaffaCakes118.exe"2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:2224 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2380 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2400 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1432 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1152 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"10⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1808 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1692 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2988 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1032 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"14⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2772 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1328 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"16⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2552 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1384 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"18⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1920 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2884 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"20⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1360 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1624 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"22⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1984 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2860 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2776 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2956 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"26⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2800 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2968 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"28⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:660 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2132 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"30⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1584 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1540 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"32⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1688 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"33⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2336 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"34⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1036 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"35⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2108 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"36⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2768 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"37⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2372 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"38⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2068 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"39⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1384 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"40⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1368 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"41⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2780 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"42⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2652 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"43⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2396 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"44⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2908 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"45⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1248 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"46⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2012 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"47⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2692 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"48⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2644 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"49⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2932 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"50⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:908 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"51⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2252 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"52⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2892 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"53⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:464 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"54⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1588 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"55⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:680 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"56⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1980 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"57⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1952 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"58⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1700 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"59⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1956 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"60⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1696 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"61⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1112 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"62⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1472 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"63⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2736 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"64⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1028 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"65⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:904 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"66⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2404 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"67⤵
- Suspicious use of SetThreadContext
PID:1060 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"68⤵
- Suspicious use of AdjustPrivilegeToken
PID:2720 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"69⤵
- Suspicious use of SetThreadContext
PID:1552 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"70⤵
- Suspicious use of AdjustPrivilegeToken
PID:1104 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"71⤵
- Suspicious use of SetThreadContext
PID:2812 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"72⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2920 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"73⤵
- Suspicious use of SetThreadContext
PID:1384 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"74⤵
- Drops file in Drivers directory
- Suspicious use of AdjustPrivilegeToken
PID:2628 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"75⤵
- Suspicious use of SetThreadContext
PID:1636 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"76⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2056 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"77⤵
- Suspicious use of SetThreadContext
PID:2508 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"78⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:756 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"79⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3044 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"80⤵
- Drops file in Drivers directory
- Suspicious use of AdjustPrivilegeToken
PID:2580 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"81⤵
- Suspicious use of SetThreadContext
PID:2392 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"82⤵
- Suspicious use of AdjustPrivilegeToken
PID:1640 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"83⤵
- Suspicious use of SetThreadContext
PID:1556 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"84⤵
- Suspicious use of AdjustPrivilegeToken
PID:3016 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"85⤵
- Suspicious use of SetThreadContext
PID:1916 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"86⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2224 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"87⤵
- Suspicious use of SetThreadContext
PID:904 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"88⤵
- Suspicious use of AdjustPrivilegeToken
PID:236 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"89⤵
- Suspicious use of SetThreadContext
PID:1604 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"90⤵
- Suspicious use of AdjustPrivilegeToken
PID:2676 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"91⤵
- Suspicious use of SetThreadContext
PID:2316 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"92⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2848 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"93⤵
- Suspicious use of SetThreadContext
PID:2288 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"94⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1608 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"95⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1468 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"96⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2844 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"97⤵
- Suspicious use of SetThreadContext
PID:2936 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"98⤵
- Drops file in Drivers directory
- Suspicious use of AdjustPrivilegeToken
PID:2652 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"99⤵
- Suspicious use of SetThreadContext
PID:3060 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"100⤵
- Suspicious use of AdjustPrivilegeToken
PID:2320 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"101⤵
- Suspicious use of SetThreadContext
PID:1784 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"102⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2432 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"103⤵
- Suspicious use of SetThreadContext
PID:788 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"104⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:944 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"105⤵
- Suspicious use of SetThreadContext
PID:3040 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"106⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2076 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"107⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3020 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"108⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2148 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"109⤵
- Suspicious use of SetThreadContext
PID:2648 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"110⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1828 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"111⤵
- Suspicious use of SetThreadContext
PID:1248 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"112⤵
- Suspicious use of AdjustPrivilegeToken
PID:2900 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"113⤵
- Suspicious use of SetThreadContext
PID:1984 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"114⤵
- Drops file in Drivers directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2392 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"115⤵
- Suspicious use of SetThreadContext
PID:1008 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"116⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2272 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"117⤵
- Suspicious use of SetThreadContext
PID:2756 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"118⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2968 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"119⤵
- Suspicious use of SetThreadContext
PID:2200 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"120⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1724 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\system32\windowsmsnlive.exe"121⤵
- Suspicious use of SetThreadContext
PID:1336 -
C:\Windows\SysWOW64\windowsmsnlive.exe"C:\Windows\SysWOW64\windowsmsnlive.exe"122⤵
- Suspicious use of AdjustPrivilegeToken
PID:2600