Analysis
max time kernel: 114s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/10/2024, 12:54
Behavioral tasks
behavioral1: sample 3ff7965a2969e79dbe794fcb40c4872a_JaffaCakes118.exe, resource win7-20241010-en
behavioral2: sample 3ff7965a2969e79dbe794fcb40c4872a_JaffaCakes118.exe, resource win10v2004-20241007-en
General
Target: 3ff7965a2969e79dbe794fcb40c4872a_JaffaCakes118.exe
Size: 83KB
MD5: 3ff7965a2969e79dbe794fcb40c4872a
SHA1: 834ce35cbdb28944fea1cb11ede45410cdfb52ec
SHA256: d8b13bc5e2e45119b95f015503d6b43c4aebd22845e398f19b5fff77d960555f
SHA512: 7e726dc846898c853b6f17b5f495da85d30237707980c9085d47c749417aeff3bbe383b7cce816d02444ad4d18d5b84bd6300250a693390595b733b75fd1281c
SSDEEP: 1536:UKleE1ogL6gxNmmciUb7DMZPv5sq8L36lMKnjgPrASGwyXDBfqCje3NqHN0VS7m:UKlvLHNGNvDMZ5sqFMNkLwy9qc0V6m
Malware Config
Signatures
Checks computer location settings (2 TTPs, 64 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | msnconfig.exe
(the same entry is repeated for all 64 IoCs)
Executes dropped EXE (64 IoCs)
pid | Process
All 64 entries are msnconfig.exe; pids in the order listed: 3436, 1360, 3652, 4636, 3056, 1912, 2424, 116, 3992, 3764, 3540, 896, 4016, 4596, 1560, 3120, 3444, 1164, 2696, 112, 2276, 3576, 1544, 4588, 4204, 5016, 5028, 3552, 4128, 2368, 3848, 2536, 896, 1544, 4588, 4204, 3516, 3100, 2344, 4748, 2352, 1384, 4816, 2020, 936, 2660, 372, 4120, 1844, 5072, 1860, 3420, 2472, 2888, 4876, 1052, 3456, 1180, 3156, 4484, 2744, 4188, 212, 2148 (pids 896, 1544, 4588 and 4204 each appear twice, i.e. were reused)
Adds Run key to start application (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSN Configs = "msnconfig.exe" | msnconfig.exe
(the same entry is repeated for all 64 IoCs)
Indicator Removal: File Deletion (1 TTPs)
Adversaries may delete files left behind by the actions of their intrusion activity.
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\msnconfig.exe | msnconfig.exe (28 entries)
File created | C:\Windows\SysWOW64\msnconfig.exe | msnconfig.exe (36 entries)
resource | yara_rule
behavioral2/files/0x000b000000023cb6-7.dat | upx
behavioral2/memory/<pid>-<n>-0x0000000000400000-0x0000000000432000-memory.dmp | upx, for each of the following <pid>-<n> pairs in the order listed: 4132-0, 4132-1, 4132-39, 3436-38, 1360-43, 3436-42, 1360-47, 4636-52, 3652-51, 4636-56, 3056-60, 1912-61, 2424-66, 1912-65, 116-69, 2424-71, 116-75, 3992-76, 3992-80, 3764-81, 3764-85, 3540-89, 896-93, 4596-99, 4016-98, 4596-103, 1560-104, 1560-108, 3120-112, 3444-116, 1164-120, 112-125, 2696-124, 2276-130, 112-129, 2276-134, 3576-138, 1544-142, 4588-146, 5016-151, 4204-150, 5016-155, 5028-159, 3552-163, 4128-167, 2368-171, 3848-175, 896-181, 2536-180, 896-185, 1544-188, 4588-191, 4204-194, 3516-197, 3100-200, 2344-203, 4748-206, 1384-208, 2352-210, 1384-213, 4816-216, 2020-217, 2020-220
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe (32 entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msnconfig.exe (32 entries)
Modifies registry class 64 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
- Level 1, PID 4132: C:\Users\Admin\AppData\Local\Temp\3ff7965a2969e79dbe794fcb40c4872a_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3ff7965a2969e79dbe794fcb40c4872a_JaffaCakes118.exe"
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- Level 2, PID 3436: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- Level 3, PID 1360: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- Level 4, PID 3652: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- Level 5, PID 4636: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- Level 6, PID 3056: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- Level 7, PID 1912: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- Level 8, PID 2424: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- Level 9, PID 116: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- Level 10, PID 3992: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- Level 11, PID 3764: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- Level 12, PID 3540: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
- Level 13, PID 896: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
- Level 14, PID 4016: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
- Level 15, PID 4596: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
- Level 16, PID 1560: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
- Level 17, PID 3120: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
- Level 18, PID 3444: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
- Level 19, PID 1164: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
- Level 20, PID 2696: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- Level 21, PID 112: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- Level 22, PID 2276: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
- Level 23, PID 3576: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
- Level 24, PID 1544: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
- Level 25, PID 4588: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
- Level 26, PID 4204: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- Level 27, PID 5016: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
- Level 28, PID 5028: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
- Level 29, PID 3552: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- Level 30, PID 4128: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- Level 31, PID 2368: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
- Level 32, PID 3848: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- Level 33, PID 2536: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
- Level 34, PID 896: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- Level 35, PID 1544: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
- Level 36, PID 4588: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
- Level 37, PID 4204: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
- Level 38, PID 3516: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
- Level 39, PID 3100: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
- Level 40, PID 2344: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
- Level 41, PID 4748: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
- Level 42, PID 2352: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
- Level 43, PID 1384: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
- Level 44, PID 4816: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
- Level 45, PID 2020: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
- Level 46, PID 936: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
- Level 47, PID 2660: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
- Level 48, PID 372: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
- Level 49, PID 4120: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- Level 50, PID 1844: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
- Level 51, PID 5072: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
- Level 52, PID 1860: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
- Level 53, PID 3420: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- Level 54, PID 2472: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
- Level 55, PID 2888: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
- Level 56, PID 4876: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
- Level 57, PID 1052: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
- Level 58, PID 3456: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- Level 59, PID 1180: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
- Level 60, PID 3156: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
- Level 61, PID 4484: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
- Level 62, PID 2744: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
- Level 63, PID 4188: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- Level 64, PID 212: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
- Level 65, PID 2148: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
- Level 66, PID 2316: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Drops file in System32 directory
- Level 67, PID 624: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Drops file in System32 directory
- Level 68, PID 716: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Adds Run key to start application
  - Drops file in System32 directory
- Level 69, PID 4056: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Adds Run key to start application
- Level 70, PID 1368: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
- Level 71, PID 1360: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Checks computer location settings
- Level 72, PID 4164: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Modifies registry class
- Level 73, PID 1080: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Modifies registry class
- Level 74, PID 2356: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Checks computer location settings
  - Modifies registry class
- Level 75, PID 3988: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
- Level 76, PID 2148: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Drops file in System32 directory
- Level 77, PID 4672: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Drops file in System32 directory
  - Modifies registry class
- Level 78, PID 3516: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Checks computer location settings
  - Modifies registry class
- Level 79, PID 3200: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies registry class
- Level 80, PID 1844: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Adds Run key to start application
  - Drops file in System32 directory
- Level 81, PID 1368: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Checks computer location settings
  - Drops file in System32 directory
- Level 82, PID 1360: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Checks computer location settings
- Level 83, PID 2188: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
- Level 84, PID 2020: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Adds Run key to start application
  - Drops file in System32 directory
- Level 85, PID 2932: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Checks computer location settings
  - Drops file in System32 directory
- Level 86, PID 1088: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Drops file in System32 directory
- Level 87, PID 1788: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
- Level 88, PID 1052: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
- Level 89, PID 3448: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Adds Run key to start application
  - Modifies registry class
- Level 90, PID 4296: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
- Level 91, PID 1916: C:\Windows\SysWOW64\msnconfig.exe
  Command line: "C:\Windows\system32\msnconfig.exe"
-
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"92⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:4900 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"93⤵PID:4072
-
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"94⤵PID:4428
-
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"95⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2876 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"96⤵
- Adds Run key to start application
PID:5116 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"97⤵
- Checks computer location settings
PID:3396 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"98⤵
- Checks computer location settings
- Adds Run key to start application
PID:1608 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"99⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:404 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"100⤵
- Drops file in System32 directory
- Modifies registry class
PID:4792 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"101⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3156 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"102⤵PID:4748
-
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"103⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:636 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"104⤵
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:4816 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"105⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:3776 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"106⤵
- Adds Run key to start application
PID:1688 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"107⤵
- Adds Run key to start application
- Modifies registry class
PID:3940 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"108⤵PID:5084
-
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"109⤵
- Modifies registry class
PID:380 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"110⤵
- Modifies registry class
PID:2060 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"111⤵
- System Location Discovery: System Language Discovery
PID:2716 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"112⤵
- Drops file in System32 directory
PID:4032 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"113⤵
- Drops file in System32 directory
- Modifies registry class
PID:1364 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"114⤵
- Adds Run key to start application
PID:2744 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"115⤵
- Checks computer location settings
- Adds Run key to start application
PID:4072 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"116⤵
- Modifies registry class
PID:3976 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"117⤵
- Checks computer location settings
- Modifies registry class
PID:1168 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"118⤵PID:3988
-
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"119⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:4392 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"120⤵PID:4740
-
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"121⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3444 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"122⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2696
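Two things in the chain above are worth pulling out before reading it by hand. First, every node's image path is under C:\Windows\SysWOW64 while its own command line says C:\Windows\system32: that is WoW64 file-system redirection for a 32-bit process on the x64 VM (consistent with the arch:x86 tag in the report header), not two different copies of msnconfig.exe. Second, the same PID shows up on more than one node (2148, 1368, 1360, 3988 and 4072 each appear twice), because Windows recycles the PIDs of exited processes; in a chain this long a PID is not a stable key for correlating the tree with other report sections. The parser below is an added example, not part of the tria.ge report: it reads the process-tree layout as exported on this page (image path fused to the quoted command line, tree level after the closing quote, the "⤵" collapse glyph, a PID on the same line when the node has no signatures), and then summarises chain depth, WoW64 nodes, reused PIDs and the levels where a node both drops a file into System32 and adds a Run key. The sample text is constructed from a handful of the nodes above (levels 75, 76, 79, 91 and 118); the "persistence pair" of signatures is my own choice of what to flag, not a tria.ge category.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the export layout seen on this page; five nodes copied
# from the chain so that the PID-reuse and persistence checks have hits.
SAMPLE = r'''
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"75⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3988 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"76⤵
- Drops file in System32 directory
PID:2148 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"79⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:3200 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"91⤵PID:1916
-
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"118⤵PID:3988
-
'''

# Node header: <image path>"<command line>"<level>⤵ with an optional PID fused on.
HEADER = re.compile(
    r'^(?P<image>[A-Za-z]:\\[^"]+?)"(?P<cmd>[^"]*)"(?P<level>\d+)⤵(?:PID:(?P<pid>\d+))?\s*$'
)
PID_LINE = re.compile(r"^PID:(?P<pid>\d+)\s*-?\s*$")   # "PID:3988 -" (trailing bullet residue)
SIG_LINE = re.compile(r"^- (?P<sig>.+?)\s*$")          # one behaviour tag per bullet

# Signatures that together mean "dropped a copy into System32 and made it autostart".
# This pairing is the example's own choice, not a tria.ge category.
PERSISTENCE = {"Adds Run key to start application", "Drops file in System32 directory"}


@dataclass
class Proc:
    level: int
    image: str
    cmdline: str
    pid: Optional[int] = None
    signatures: List[str] = field(default_factory=list)


def parse_tree(text: str) -> List[Proc]:
    """Turn the flattened export into one Proc per node, in tree order."""
    procs: List[Proc] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":          # empty bullet left behind by the renderer
            continue
        m = HEADER.match(line)
        if m:
            procs.append(Proc(int(m["level"]), m["image"], m["cmd"],
                              int(m["pid"]) if m["pid"] else None))
            continue
        if not procs:                        # tags belonging to a node cut off above
            continue
        m = PID_LINE.match(line)
        if m:
            procs[-1].pid = int(m["pid"])
            continue
        m = SIG_LINE.match(line)
        if m:
            procs[-1].signatures.append(m["sig"])
    return procs


def is_wow64(p: Proc) -> bool:
    """Image on disk under SysWOW64 while the command line names System32:
    WoW64 file-system redirection, i.e. a 32-bit process on 64-bit Windows."""
    return "\\syswow64\\" in p.image.lower() and "\\system32\\" in p.cmdline.lower()


def reused_pids(procs: List[Proc]) -> List[int]:
    """PIDs attached to more than one node; Windows recycles PIDs of exited
    processes, so these cannot be used as a join key across report sections."""
    counts = Counter(p.pid for p in procs if p.pid is not None)
    return sorted(pid for pid, n in counts.items() if n > 1)


def persistence_levels(procs: List[Proc]) -> List[int]:
    """Levels whose node carries both signatures in PERSISTENCE."""
    return [p.level for p in procs if PERSISTENCE <= set(p.signatures)]


def signature_counts(procs: List[Proc]) -> Counter:
    return Counter(s for p in procs for s in p.signatures)


def summarize(procs: List[Proc]) -> dict:
    return {
        "nodes": len(procs),
        "max_level": max(p.level for p in procs),
        "wow64_nodes": sum(is_wow64(p) for p in procs),
        "reused_pids": reused_pids(procs),
        "persistence_levels": persistence_levels(procs),
        "top_signatures": signature_counts(procs).most_common(3),
    }


if __name__ == "__main__":
    print(summarize(parse_tree(SAMPLE)))
```

Feed it the whole exported tree rather than the sample and the max level becomes 122, every node reports WoW64 redirection, and the reused-PID list is the five PIDs named above; that is the point at which an analyst stops treating the tree as 58 distinct infections and reads it as one 32-bit executable re-launching its dropped copy from System32 over and over.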