darkcomet | 281ebfa11ff288d6883a5000f0b497e5b952f6fbd20af7188ecd2fb7092a7106

Analysis

max time kernel
46s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2025, 20:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_96e1bddee639ba2a8e6516bb349d4aca.exe
Size

714KB
MD5

96e1bddee639ba2a8e6516bb349d4aca
SHA1

e5b88cfb14e67fc78fb8f07a404be1806b956af0
SHA256

281ebfa11ff288d6883a5000f0b497e5b952f6fbd20af7188ecd2fb7092a7106
SHA512

a2ec8e6e8d716f76877ffe7e29206bec9e327396ae17450a8a5d92362b859c53ca63597bc378e35c74b380c6eb030bf6c7653dcdd04934a81b3e78f82a1dfc88
SSDEEP

12288:ArN7nUD7w+y5TlRMk0SuDxH9DS/Q/17dGm9JhdMkH0XkV7cxoHqalOv:elUfM4vfSo/+43dMD1oHqa

Score

10^/10

darkcomet n0$ crypter discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

N0$ Crypter

dxoop590.no-ip.biz:81

Mutex

DC_MUTEX-4KV014K

Attributes

gencode
LV�Wwt%%LPN=
install
false
offline_keylogger
true
password
poidog
persistence
false

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	AppLaunch.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	AppLaunch.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	JaffaCakes118_96e1bddee639ba2a8e6516bb349d4aca.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	msgrap.exe

Executes dropped EXE 64 IoCs

pid	Process
4508	msgrap.exe
392	MpAsDes.exe
5108	msgrap.exe
2904	msgrap.exe
4872	msgrap.exe
4952	msgrap.exe
996	msgrap.exe
1924	msgrap.exe
1680	msgrap.exe
3468	msgrap.exe
1864	msgrap.exe
3168	msgrap.exe
2816	msgrap.exe
4520	msgrap.exe
4380	msgrap.exe
4712	msgrap.exe
3004	msgrap.exe
5252	msgrap.exe
5440	msgrap.exe
5668	msgrap.exe
5700	msgrap.exe
5692	msgrap.exe
6044	msgrap.exe
6272	msgrap.exe
6292	msgrap.exe
14108	msgrap.exe
13272	msgrap.exe
13124	msgrap.exe
8	msgrap.exe
13216	msgrap.exe
13232	msgrap.exe
13208	msgrap.exe
9752	msgrap.exe
8780	msgrap.exe
12024	msgrap.exe
14112	msgrap.exe
9236	msgrap.exe
7600	msgrap.exe
8448	msgrap.exe
7872	msgrap.exe
9096	msgrap.exe
12044	msgrap.exe
11792	msgrap.exe
9132	msgrap.exe
8284	msgrap.exe
13524	msgrap.exe
7796	msgrap.exe
10288	msgrap.exe
7896	msgrap.exe
8600	msgrap.exe
9212	msgrap.exe
9460	msgrap.exe
8368	msgrap.exe
8588	msgrap.exe
8256	msgrap.exe
8840	msgrap.exe
8464	msgrap.exe
12564	msgrap.exe
10832	msgrap.exe
12072	msgrap.exe
7972	msgrap.exe
12548	msgrap.exe
13384	msgrap.exe
12072	msgrap.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger Protocol Handler Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\msgrap.exe"	msgrap.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1644 set thread context of 2436	1644	JaffaCakes118_96e1bddee639ba2a8e6516bb349d4aca.exe	88
PID 392 set thread context of 648	392	MpAsDes.exe	95

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	dw20.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 16 IoCs

pid	pid_target	Process	procid_target
13956	7068	Process not Found
14820	12136	Process not Found
14792	6828	Process not Found
5940	10044	Process not Found
2900	5644	Process not Found
12940	12768	Process not Found	3077
8052	13124	Process not Found	2907
13636	6328	Process not Found	3797
14144	15948	Process not Found	1807
2808	3732	Process not Found	4344
10864	10824	Process not Found	4729
12344	12172	Process not Found	5061
12820	320	Process not Found	5159
10264	16356	Process not Found	5554
9584	14248	Process not Found	572
14704	4888	Process not Found	2615

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msgrap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msgrap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msgrap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msgrap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msgrap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msgrap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msgrap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msgrap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msgrap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msgrap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msgrap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msgrap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msgrap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msgrap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msgrap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msgrap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msgrap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msgrap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msgrap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msgrap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msgrap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msgrap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msgrap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msgrap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msgrap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msgrap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msgrap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msgrap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msgrap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msgrap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msgrap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msgrap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msgrap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msgrap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msgrap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msgrap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msgrap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msgrap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msgrap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msgrap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msgrap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msgrap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msgrap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AppLaunch.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AppLaunch.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	AppLaunch.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	AppLaunch.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	AppLaunch.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AppLaunch.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Process not Found

Enumerates system info in registry 2 TTPs 42 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	AppLaunch.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1644	JaffaCakes118_96e1bddee639ba2a8e6516bb349d4aca.exe
4508	msgrap.exe
392	MpAsDes.exe
5108	msgrap.exe
1644	JaffaCakes118_96e1bddee639ba2a8e6516bb349d4aca.exe
2904	msgrap.exe
4872	msgrap.exe
4872	msgrap.exe
4508	msgrap.exe
4508	msgrap.exe
4952	msgrap.exe
4952	msgrap.exe
996	msgrap.exe
996	msgrap.exe
392	MpAsDes.exe
392	MpAsDes.exe
1924	msgrap.exe
1924	msgrap.exe
5108	msgrap.exe
5108	msgrap.exe
1680	msgrap.exe
1680	msgrap.exe
3468	msgrap.exe
3468	msgrap.exe
1644	JaffaCakes118_96e1bddee639ba2a8e6516bb349d4aca.exe
1644	JaffaCakes118_96e1bddee639ba2a8e6516bb349d4aca.exe
1864	msgrap.exe
1864	msgrap.exe
3168	msgrap.exe
3168	msgrap.exe
2904	msgrap.exe
2904	msgrap.exe
4872	msgrap.exe
4872	msgrap.exe
4508	msgrap.exe
4508	msgrap.exe
4952	msgrap.exe
4952	msgrap.exe
2816	msgrap.exe
996	msgrap.exe
996	msgrap.exe
2816	msgrap.exe
4520	msgrap.exe
4520	msgrap.exe
392	MpAsDes.exe
392	MpAsDes.exe
1924	msgrap.exe
1924	msgrap.exe
5108	msgrap.exe
5108	msgrap.exe
1680	msgrap.exe
1680	msgrap.exe
3468	msgrap.exe
3468	msgrap.exe
1864	msgrap.exe
1864	msgrap.exe
1644	JaffaCakes118_96e1bddee639ba2a8e6516bb349d4aca.exe
1644	JaffaCakes118_96e1bddee639ba2a8e6516bb349d4aca.exe
4712	msgrap.exe
4712	msgrap.exe
4380	msgrap.exe
4380	msgrap.exe
3004	msgrap.exe
3004	msgrap.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1644	JaffaCakes118_96e1bddee639ba2a8e6516bb349d4aca.exe
Token: SeIncreaseQuotaPrivilege	2436	AppLaunch.exe
Token: SeSecurityPrivilege	2436	AppLaunch.exe
Token: SeTakeOwnershipPrivilege	2436	AppLaunch.exe
Token: SeLoadDriverPrivilege	2436	AppLaunch.exe
Token: SeSystemProfilePrivilege	2436	AppLaunch.exe
Token: SeSystemtimePrivilege	2436	AppLaunch.exe
Token: SeProfSingleProcessPrivilege	2436	AppLaunch.exe
Token: SeIncBasePriorityPrivilege	2436	AppLaunch.exe
Token: SeCreatePagefilePrivilege	2436	AppLaunch.exe
Token: SeBackupPrivilege	2436	AppLaunch.exe
Token: SeRestorePrivilege	2436	AppLaunch.exe
Token: SeShutdownPrivilege	2436	AppLaunch.exe
Token: SeDebugPrivilege	2436	AppLaunch.exe
Token: SeSystemEnvironmentPrivilege	2436	AppLaunch.exe
Token: SeChangeNotifyPrivilege	2436	AppLaunch.exe
Token: SeRemoteShutdownPrivilege	2436	AppLaunch.exe
Token: SeUndockPrivilege	2436	AppLaunch.exe
Token: SeManageVolumePrivilege	2436	AppLaunch.exe
Token: SeImpersonatePrivilege	2436	AppLaunch.exe
Token: SeCreateGlobalPrivilege	2436	AppLaunch.exe
Token: 33	2436	AppLaunch.exe
Token: 34	2436	AppLaunch.exe
Token: 35	2436	AppLaunch.exe
Token: 36	2436	AppLaunch.exe
Token: SeDebugPrivilege	4508	msgrap.exe
Token: SeDebugPrivilege	392	MpAsDes.exe
Token: SeDebugPrivilege	5108	msgrap.exe
Token: SeIncreaseQuotaPrivilege	648	AppLaunch.exe
Token: SeSecurityPrivilege	648	AppLaunch.exe
Token: SeTakeOwnershipPrivilege	648	AppLaunch.exe
Token: SeLoadDriverPrivilege	648	AppLaunch.exe
Token: SeSystemProfilePrivilege	648	AppLaunch.exe
Token: SeSystemtimePrivilege	648	AppLaunch.exe
Token: SeProfSingleProcessPrivilege	648	AppLaunch.exe
Token: SeIncBasePriorityPrivilege	648	AppLaunch.exe
Token: SeCreatePagefilePrivilege	648	AppLaunch.exe
Token: SeBackupPrivilege	648	AppLaunch.exe
Token: SeRestorePrivilege	648	AppLaunch.exe
Token: SeShutdownPrivilege	648	AppLaunch.exe
Token: SeDebugPrivilege	648	AppLaunch.exe
Token: SeSystemEnvironmentPrivilege	648	AppLaunch.exe
Token: SeChangeNotifyPrivilege	648	AppLaunch.exe
Token: SeRemoteShutdownPrivilege	648	AppLaunch.exe
Token: SeUndockPrivilege	648	AppLaunch.exe
Token: SeManageVolumePrivilege	648	AppLaunch.exe
Token: SeImpersonatePrivilege	648	AppLaunch.exe
Token: SeCreateGlobalPrivilege	648	AppLaunch.exe
Token: 33	648	AppLaunch.exe
Token: 34	648	AppLaunch.exe
Token: 35	648	AppLaunch.exe
Token: 36	648	AppLaunch.exe
Token: SeDebugPrivilege	2904	msgrap.exe
Token: SeDebugPrivilege	4872	msgrap.exe
Token: SeDebugPrivilege	4952	msgrap.exe
Token: SeDebugPrivilege	996	msgrap.exe
Token: SeDebugPrivilege	1924	msgrap.exe
Token: SeDebugPrivilege	1680	msgrap.exe
Token: SeDebugPrivilege	3468	msgrap.exe
Token: SeDebugPrivilege	1864	msgrap.exe
Token: SeDebugPrivilege	3168	msgrap.exe
Token: SeDebugPrivilege	2816	msgrap.exe
Token: SeDebugPrivilege	4520	msgrap.exe
Token: SeDebugPrivilege	4712	msgrap.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2436	AppLaunch.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 2436	1644	JaffaCakes118_96e1bddee639ba2a8e6516bb349d4aca.exe	88
PID 1644 wrote to memory of 2436	1644	JaffaCakes118_96e1bddee639ba2a8e6516bb349d4aca.exe	88
PID 1644 wrote to memory of 2436	1644	JaffaCakes118_96e1bddee639ba2a8e6516bb349d4aca.exe	88
PID 1644 wrote to memory of 2436	1644	JaffaCakes118_96e1bddee639ba2a8e6516bb349d4aca.exe	88
PID 1644 wrote to memory of 2436	1644	JaffaCakes118_96e1bddee639ba2a8e6516bb349d4aca.exe	88
PID 1644 wrote to memory of 2436	1644	JaffaCakes118_96e1bddee639ba2a8e6516bb349d4aca.exe	88
PID 1644 wrote to memory of 2436	1644	JaffaCakes118_96e1bddee639ba2a8e6516bb349d4aca.exe	88
PID 1644 wrote to memory of 2436	1644	JaffaCakes118_96e1bddee639ba2a8e6516bb349d4aca.exe	88
PID 1644 wrote to memory of 2436	1644	JaffaCakes118_96e1bddee639ba2a8e6516bb349d4aca.exe	88
PID 1644 wrote to memory of 2436	1644	JaffaCakes118_96e1bddee639ba2a8e6516bb349d4aca.exe	88
PID 1644 wrote to memory of 2436	1644	JaffaCakes118_96e1bddee639ba2a8e6516bb349d4aca.exe	88
PID 1644 wrote to memory of 2436	1644	JaffaCakes118_96e1bddee639ba2a8e6516bb349d4aca.exe	88
PID 1644 wrote to memory of 2436	1644	JaffaCakes118_96e1bddee639ba2a8e6516bb349d4aca.exe	88
PID 1644 wrote to memory of 2436	1644	JaffaCakes118_96e1bddee639ba2a8e6516bb349d4aca.exe	88
PID 1644 wrote to memory of 4508	1644	JaffaCakes118_96e1bddee639ba2a8e6516bb349d4aca.exe	90
PID 1644 wrote to memory of 4508	1644	JaffaCakes118_96e1bddee639ba2a8e6516bb349d4aca.exe	90
PID 1644 wrote to memory of 4508	1644	JaffaCakes118_96e1bddee639ba2a8e6516bb349d4aca.exe	90
PID 4508 wrote to memory of 392	4508	msgrap.exe	93
PID 4508 wrote to memory of 392	4508	msgrap.exe	93
PID 4508 wrote to memory of 392	4508	msgrap.exe	93
PID 4828 wrote to memory of 5108	4828	cmd.exe	4269
PID 4828 wrote to memory of 5108	4828	cmd.exe	4269
PID 4828 wrote to memory of 5108	4828	cmd.exe	4269
PID 392 wrote to memory of 648	392	MpAsDes.exe	95
PID 392 wrote to memory of 648	392	MpAsDes.exe	95
PID 392 wrote to memory of 648	392	MpAsDes.exe	95
PID 392 wrote to memory of 648	392	MpAsDes.exe	95
PID 392 wrote to memory of 648	392	MpAsDes.exe	95
PID 392 wrote to memory of 648	392	MpAsDes.exe	95
PID 392 wrote to memory of 648	392	MpAsDes.exe	95
PID 392 wrote to memory of 648	392	MpAsDes.exe	95
PID 392 wrote to memory of 648	392	MpAsDes.exe	95
PID 392 wrote to memory of 648	392	MpAsDes.exe	95
PID 392 wrote to memory of 648	392	MpAsDes.exe	95
PID 392 wrote to memory of 648	392	MpAsDes.exe	95
PID 392 wrote to memory of 648	392	MpAsDes.exe	95
PID 392 wrote to memory of 648	392	MpAsDes.exe	95
PID 1276 wrote to memory of 2904	1276	cmd.exe	98
PID 1276 wrote to memory of 2904	1276	cmd.exe	98
PID 1276 wrote to memory of 2904	1276	cmd.exe	98
PID 4720 wrote to memory of 4872	4720	cmd.exe	103
PID 4720 wrote to memory of 4872	4720	cmd.exe	103
PID 4720 wrote to memory of 4872	4720	cmd.exe	103
PID 2628 wrote to memory of 4952	2628	cmd.exe	105
PID 2628 wrote to memory of 4952	2628	cmd.exe	105
PID 2628 wrote to memory of 4952	2628	cmd.exe	105
PID 3700 wrote to memory of 996	3700	cmd.exe	109
PID 3700 wrote to memory of 996	3700	cmd.exe	109
PID 3700 wrote to memory of 996	3700	cmd.exe	109
PID 4356 wrote to memory of 1924	4356	cmd.exe	112
PID 4356 wrote to memory of 1924	4356	cmd.exe	112
PID 4356 wrote to memory of 1924	4356	cmd.exe	112
PID 408 wrote to memory of 1680	408	cmd.exe	117
PID 408 wrote to memory of 1680	408	cmd.exe	117
PID 408 wrote to memory of 1680	408	cmd.exe	117
PID 816 wrote to memory of 3468	816	cmd.exe	120
PID 816 wrote to memory of 3468	816	cmd.exe	120
PID 816 wrote to memory of 3468	816	cmd.exe	120
PID 2208 wrote to memory of 1864	2208	cmd.exe	121
PID 2208 wrote to memory of 1864	2208	cmd.exe	121
PID 2208 wrote to memory of 1864	2208	cmd.exe	121
PID 2460 wrote to memory of 3168	2460	cmd.exe	126
PID 2460 wrote to memory of 3168	2460	cmd.exe	126
PID 2460 wrote to memory of 3168	2460	cmd.exe	126

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_96e1bddee639ba2a8e6516bb349d4aca.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_96e1bddee639ba2a8e6516bb349d4aca.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
  2⤵
  - Checks BIOS information in registry
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2436
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  "C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4508
- - C:\Users\Admin\AppData\Local\Temp\System\MpAsDes.exe
    "C:\Users\Admin\AppData\Local\Temp\System\MpAsDes.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:392
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      4⤵
      Checks BIOS information in registry
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious use of AdjustPrivilegeToken
      PID:648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5108
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 932
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:15932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4720
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3700
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4356
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:408
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1864
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 940
    3⤵
    PID:15672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:816
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3468
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 952
    3⤵
    PID:9640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:2776
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:2844
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:4220
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  PID:5252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:1820
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:3744
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:4380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:2340
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:5016
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:3004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:3996
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:1012
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:6272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:1040
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:2848
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:4884
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:6292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:3640
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:6044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:5180
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:12348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:5192
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:10500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:5200
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:12328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:5208
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:12436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:5260
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:7876
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 812
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:7892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:5280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:5336
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:10156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:5396
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:8536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:5540
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:12604
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 828
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:9628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:5564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:5600
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:10316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:5608
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:6412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:5616
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:13712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:5624
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:12984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:5632
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7868
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 776
    3⤵
    PID:9700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:5640
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:12064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:5908
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:11004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6052
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:12440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6096
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:10128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6108
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:12620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6120
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:8500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:5228
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:11488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:5784
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:7956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:5776
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:9704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:4788
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:13536
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 764
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:8560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:5484
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6152
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:13792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6184
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:9072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6300
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:11016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6308
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:13084
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 868
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:11552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6396
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:12268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6452
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:13896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6632
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:9508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6644
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:11304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6652
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:9516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6664
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:12672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6712
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:11924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6764
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:11780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6772
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:8692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6912
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:8756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7056
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:9236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7064
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:11792
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 928
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:9144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7076
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:11064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7084
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:7732
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 940
    3⤵
    PID:13972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7108
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:8780
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 944
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:8396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7132
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:7872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7156
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  PID:8

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6392
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  PID:12044
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 756
    3⤵
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:9020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6872
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:9752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6888
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:12024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7296
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:13272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7328
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:9352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7500
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:8448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7524
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:9096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7532
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:14112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7836
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  PID:9460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7844
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:13208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7852
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  PID:7600
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 868
    3⤵
    PID:10276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7860
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  PID:14108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:8028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:8092
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  PID:8256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:8100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:8108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:8140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:8312
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  PID:7896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:8320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:8328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:8340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:8588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:8596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:8616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:8624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:8632
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  PID:7972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:8604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:8752
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  PID:10288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:8900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9052
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:13124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9060
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  PID:10832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9104
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:7796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9172
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  PID:12548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9180
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  PID:12564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:8040
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  PID:12072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9336
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:9400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9640
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  PID:8840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9648
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  PID:8600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9684
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  PID:8284
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 844
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9900
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:13216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10064
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:13384
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 936
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:15796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10072
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  PID:8464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10080
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:9132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10204
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:13232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10220
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  PID:8588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10228
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  PID:8368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10236
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:10316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:8852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:8356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9472
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  PID:9212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10560
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  PID:12072
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 840
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:12136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10576
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Executes dropped EXE
  PID:13524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10628
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:12116
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 764
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:9980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10856
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:13968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:4528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9928
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:9668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10888
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:13052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10956
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:11364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11080
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:11832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11340
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:13532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11356
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:7144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11540
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:12864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11724
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Adds Run key to start application
  PID:10848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11740
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:9612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11756
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:9400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11916
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:13692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12728
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:10528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13856
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:13972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13760
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Adds Run key to start application
  PID:9836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13768
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Adds Run key to start application
  PID:12004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13776
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Adds Run key to start application
  PID:11588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13936
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Adds Run key to start application
  PID:11524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13812
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:13408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13820
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Adds Run key to start application
  PID:11300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13944
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:11704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13260
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:7024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13444
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:11596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:14168
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:10972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:14156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13360
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:9288
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 936
    3⤵
    PID:5900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:14224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13452
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Adds Run key to start application
  PID:10120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13044
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:13688
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 924
    3⤵
    PID:10932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12200
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Adds Run key to start application
  PID:11412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6136

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 808 -p 11452 -ip 11452
1⤵
PID:10440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11676
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Adds Run key to start application
  PID:6656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10524
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Adds Run key to start application
  PID:8572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:14196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10924

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 472 -p 13136 -ip 13136
1⤵
PID:7972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:8308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9232
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:10020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:8100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:8920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10324
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Adds Run key to start application
  PID:7376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11776
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7416
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Adds Run key to start application
  PID:11028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:8660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:8304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10056
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:10200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10212
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:5380

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 12328 -ip 12328
1⤵
PID:7732

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 736 -p 10992 -ip 10992
1⤵
PID:11016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13564
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:13304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:8740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:8824
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:10528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13696
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:9732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11408
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9924
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:10880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:8544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11764
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:6052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 940 -p 8840 -ip 8840
1⤵
PID:7304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 8464 -ip 8464
1⤵
PID:12848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 7972 -ip 7972
1⤵
PID:12376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:8140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13804
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Adds Run key to start application
  PID:6940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:14288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:14176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 13968 -ip 13968
1⤵
PID:13520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7352
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:11284
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 924
    3⤵
    PID:11032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:8400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10004
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:4384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12572
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:6716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7836
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:11116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12536
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:7980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12676
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:12152
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 860
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:15764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:8540
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:15012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10520
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:10620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9624
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:15088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10740
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:8424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10468
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:15096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10952
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:14784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10184
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:11200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 12348 -ip 12348
1⤵
PID:8076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6812
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:7176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13192
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:15428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9920
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:10232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:8156
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:15928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:14136
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:9344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:14276
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:9844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:8592
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:12700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10348
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:8144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:8948
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:13792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10284
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:1932
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 940
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:9024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9680
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12128
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:6780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:8212
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:7192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 940 -p 7956 -ip 7956
1⤵
PID:9704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13212
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:9884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13024
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:11408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13528
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:10732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 992 -p 8536 -ip 8536
1⤵
PID:8256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10180
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:5192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11904
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:9328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:8780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 10528 -ip 10528
1⤵
PID:11636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13332
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:5732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 788 -p 12864 -ip 12864
1⤵
PID:13724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:8692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11628
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:15852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:8220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10744
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:16060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7720
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:10064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:8704
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:10040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:8848
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9304
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:5932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10156
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:5424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6876
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:3884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9636
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:6532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:5620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12376
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:1208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:5820
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:5872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9812
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:7568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:5944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6672
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:15656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:5768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:5212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6944
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6492
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:15648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:5756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:8316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6092
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:5888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:5432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:4076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:5948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6032
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:8268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:5560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10228
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Adds Run key to start application
  PID:7952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12932
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:5944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:5776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:5164
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:15008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6868
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:5844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:8248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6072
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:4300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:5740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:8568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11796
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:11564
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 876
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:11152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6528
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11160
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:15768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:5736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7564
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:15948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6704
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:6572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:8740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:5556
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:1576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6540
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:4396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10304
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Adds Run key to start application
  PID:8404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13856
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:15980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6320
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:3908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10428
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:12420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12568
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:2960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:5464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12352
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Adds Run key to start application
  PID:4944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12188
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:14964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:5532
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:5388
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 912
    3⤵
    PID:11328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:14096
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:15220

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:9084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:5168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:5176
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Adds Run key to start application
  PID:14772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6068
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:10612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:1580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6580
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  PID:9556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11028
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:13304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:5604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:5652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:5740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:8252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:5380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:8748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:5588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:5768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:8740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:5340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6988
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:13524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:5920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:8228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:14328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:5544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7152
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:10336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:8888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:1272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:8808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:14408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:14416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:14424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:14432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:14440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:14592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:14600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:14608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:14616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:14624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:14640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:14632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:14700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:14856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:14864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:14872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:14880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:14888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:14896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:14904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:14920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:14928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:14936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:14912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:14948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:14988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:15116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:15280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:15288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:15296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:15304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:15312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:14712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:14736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:15364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:15952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:15968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:15944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:16208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:16084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:16256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:16236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:16376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:16248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:15068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:15220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:15556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:15728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:15544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:15560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:15576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 8424 -ip 8424
1⤵
PID:1580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 904 -p 11116 -ip 11116
1⤵
PID:15500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:15744

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:2620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:15396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:16264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:16300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:15368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:15956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:1632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:15452
- C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
  2⤵
  - Adds Run key to start application
  PID:5364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:16372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:16356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:15192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:16320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:14416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11064
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:15800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:8224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:15236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:15916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:15252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:3796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:16364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:15720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:2332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:16268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:8404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:15120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:5384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:15284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:15232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:3540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:14960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:15520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:15264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:14696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:2788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:15660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:14860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:16136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:5260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13412

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 580 -p 9656 -ip 9656
1⤵
PID:12420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:14912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:3980

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 804 -p 10964 -ip 10964
1⤵
PID:16372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:3300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:2248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 828 -p 5192 -ip 5192
1⤵
PID:13916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 9844 -ip 9844
1⤵
PID:9360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:15100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 868 -p 3908 -ip 3908
1⤵
PID:9204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:2948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:14648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:15828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:15448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 916 -p 9328 -ip 9328
1⤵
PID:15940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 15948 -ip 15948
1⤵
PID:1456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:2560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:1160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:15816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:14880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:14416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:14660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:13248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:14532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:5560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:5824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:14448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:10148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:9068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:8384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:7988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:11628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:12052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:6392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:8780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:5276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe
1⤵
PID:5412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\System\MpAsDes.exe

Filesize
714KB

MD5
96e1bddee639ba2a8e6516bb349d4aca

SHA1
e5b88cfb14e67fc78fb8f07a404be1806b956af0

SHA256
281ebfa11ff288d6883a5000f0b497e5b952f6fbd20af7188ecd2fb7092a7106

SHA512
a2ec8e6e8d716f76877ffe7e29206bec9e327396ae17450a8a5d92362b859c53ca63597bc378e35c74b380c6eb030bf6c7653dcdd04934a81b3e78f82a1dfc88

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\msgrap.exe

Filesize
35KB

MD5
74e94e8eaa100a277d35b6c9d9b5198b

SHA1
849a335c5948699ac7568ee233365a398d87b805

SHA256
d46cfa88d0df863f1f6c55cbfe04af43cb48d603a0d976e0357a0aa9bdb67444

SHA512
c9850e0148d8c265c96fbdf267523133d96ec6a7c9eead51c0414b771712cb44d9dee0e01f94dfc0ae87b985943be7b7ba2f58fd4f18e3fedffedd5d3c917185

Download Submit
memory/320-198-0x00007FF6AE660000-0x00007FF6AE6C7000-memory.dmp

Filesize
412KB

Download
memory/648-35-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/648-34-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1644-1-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/1644-2-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/1644-0-0x0000000074882000-0x0000000074883000-memory.dmp

Filesize
4KB

Download
memory/1644-60-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/1644-58-0x0000000074882000-0x0000000074883000-memory.dmp

Filesize
4KB

Download
memory/1644-59-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/1820-211-0x00007FF6AE660000-0x00007FF6AE6C7000-memory.dmp

Filesize
412KB

Download
memory/2436-10-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2436-8-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2436-7-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2436-9-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2436-14-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2436-11-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/2436-12-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2436-13-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2788-252-0x00007FF6AE660000-0x00007FF6AE6C7000-memory.dmp

Filesize
412KB

Download
memory/3700-201-0x00007FF6AE660000-0x00007FF6AE6C7000-memory.dmp

Filesize
412KB

Download
memory/3884-205-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/4508-25-0x0000000074882000-0x0000000074883000-memory.dmp

Filesize
4KB

Download
memory/4508-193-0x0000000074F90000-0x0000000074FE2000-memory.dmp

Filesize
328KB

Download
memory/4508-62-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/4508-27-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/4508-61-0x0000000074882000-0x0000000074883000-memory.dmp

Filesize
4KB

Download
memory/4508-26-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/4508-63-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/5276-226-0x00007FF6AE660000-0x00007FF6AE6C7000-memory.dmp

Filesize
412KB

Download
memory/5380-204-0x00007FF6AE660000-0x00007FF6AE6C7000-memory.dmp

Filesize
412KB

Download
memory/5944-262-0x00007FF6AE660000-0x00007FF6AE6C7000-memory.dmp

Filesize
412KB

Download
memory/5968-298-0x00007FF6AE660000-0x00007FF6AE6C7000-memory.dmp

Filesize
412KB

Download
memory/6136-303-0x00007FF6AE660000-0x00007FF6AE6C7000-memory.dmp

Filesize
412KB

Download
memory/6316-245-0x00007FF6AE660000-0x00007FF6AE6C7000-memory.dmp

Filesize
412KB

Download
memory/6488-253-0x00007FF6AE660000-0x00007FF6AE6C7000-memory.dmp

Filesize
412KB

Download
memory/7540-103-0x00007FF6AE660000-0x00007FF6AE6C7000-memory.dmp

Filesize
412KB

Download
memory/7892-305-0x00007FF6AE660000-0x00007FF6AE6C7000-memory.dmp

Filesize
412KB

Download
memory/8740-171-0x00007FF6AE660000-0x00007FF6AE6C7000-memory.dmp

Filesize
412KB

Download
memory/9068-270-0x00007FF6AE660000-0x00007FF6AE6C7000-memory.dmp

Filesize
412KB

Download
memory/9320-111-0x00007FF6AE660000-0x00007FF6AE6C7000-memory.dmp

Filesize
412KB

Download
memory/9556-206-0x0000000075FB0000-0x0000000075FF5000-memory.dmp

Filesize
276KB

Download
memory/10232-194-0x00007FF6AE660000-0x00007FF6AE6C7000-memory.dmp

Filesize
412KB

Download
memory/10316-134-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/10332-122-0x00007FF6AE660000-0x00007FF6AE6C7000-memory.dmp

Filesize
412KB

Download
memory/10496-186-0x00007FF6AE660000-0x00007FF6AE6C7000-memory.dmp

Filesize
412KB

Download
memory/10628-170-0x00007FF6AE660000-0x00007FF6AE6C7000-memory.dmp

Filesize
412KB

Download
memory/10776-176-0x00007FF6AE660000-0x00007FF6AE6C7000-memory.dmp

Filesize
412KB

Download
memory/11172-255-0x00007FF6AE660000-0x00007FF6AE6C7000-memory.dmp

Filesize
412KB

Download
memory/11468-174-0x00007FF6AE660000-0x00007FF6AE6C7000-memory.dmp

Filesize
412KB

Download
memory/11748-202-0x00007FF6AE660000-0x00007FF6AE6C7000-memory.dmp

Filesize
412KB

Download
memory/12528-65-0x00007FF6AE660000-0x00007FF6AE6C7000-memory.dmp

Filesize
412KB

Download
memory/12828-112-0x00007FF6AE660000-0x00007FF6AE6C7000-memory.dmp

Filesize
412KB

Download
memory/13012-113-0x00007FF6AE660000-0x00007FF6AE6C7000-memory.dmp

Filesize
412KB

Download
memory/13024-136-0x00007FF6AE660000-0x00007FF6AE6C7000-memory.dmp

Filesize
412KB

Download
memory/13392-153-0x00007FF6AE660000-0x00007FF6AE6C7000-memory.dmp

Filesize
412KB

Download
memory/13416-135-0x00007FF6AE660000-0x00007FF6AE6C7000-memory.dmp

Filesize
412KB

Download
memory/13552-127-0x00007FF6AE660000-0x00007FF6AE6C7000-memory.dmp

Filesize
412KB

Download
memory/13724-304-0x00007FF6AE660000-0x00007FF6AE6C7000-memory.dmp

Filesize
412KB

Download
memory/13752-64-0x00007FF6AE660000-0x00007FF6AE6C7000-memory.dmp

Filesize
412KB

Download
memory/13968-87-0x00007FF6AE660000-0x00007FF6AE6C7000-memory.dmp

Filesize
412KB

Download
memory/14384-263-0x00007FF6AE660000-0x00007FF6AE6C7000-memory.dmp

Filesize
412KB

Download
memory/14504-302-0x00007FF6AE660000-0x00007FF6AE6C7000-memory.dmp

Filesize
412KB

Download
memory/14632-172-0x00007FF6AE660000-0x00007FF6AE6C7000-memory.dmp

Filesize
412KB

Download
memory/14712-177-0x00007FF6AE660000-0x00007FF6AE6C7000-memory.dmp

Filesize
412KB

Download
memory/14788-246-0x00007FF6AE660000-0x00007FF6AE6C7000-memory.dmp

Filesize
412KB

Download
memory/15012-254-0x00007FF6AE660000-0x00007FF6AE6C7000-memory.dmp

Filesize
412KB

Download
memory/15116-175-0x00007FF6AE660000-0x00007FF6AE6C7000-memory.dmp

Filesize
412KB

Download
memory/15132-308-0x00007FF993E50000-0x00007FF994045000-memory.dmp

Filesize
2.0MB

Download
memory/15132-306-0x00007FF6AE660000-0x00007FF6AE6C7000-memory.dmp

Filesize
412KB

Download
memory/15296-173-0x00007FF6AE660000-0x00007FF6AE6C7000-memory.dmp

Filesize
412KB

Download
memory/15396-197-0x00007FF6AE660000-0x00007FF6AE6C7000-memory.dmp

Filesize
412KB

Download
memory/15552-247-0x00007FF6AE660000-0x00007FF6AE6C7000-memory.dmp

Filesize
412KB

Download
memory/15688-299-0x00007FF6AE660000-0x00007FF6AE6C7000-memory.dmp

Filesize
412KB

Download