blackshades | 889b75846fe4c693e2fda9740bfff552a8ee27382a6f8b012939e23a7abf334f

Analysis

max time kernel
148s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
31/03/2025, 06:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe
Size

340KB
MD5

996e057529b5c7f5a5967eb80ecabe32
SHA1

1acf03131730d3ad618edde6888e42548195e1ca
SHA256

889b75846fe4c693e2fda9740bfff552a8ee27382a6f8b012939e23a7abf334f
SHA512

532fdf9bb18df8e43c54924f38221c9fad7cae333ab48ed081b3b2b0be4c0e814d8c153f6ac7914c756026e00dadfb2013277531a160c5f90146150b0f3d0e03
SSDEEP

6144:OpNJjbYmuIpEAxUrGaWOqax3Yp6mbQf7YML+xZ2KEJ9TJ:OJj8mTpEAGp/2pkcHxQK

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 21 IoCs

resource	yara_rule
behavioral2/memory/3884-2-0x0000000000400000-0x000000000044F000-memory.dmp	family_blackshades
behavioral2/memory/3884-4-0x0000000000400000-0x000000000044F000-memory.dmp	family_blackshades
behavioral2/memory/3884-8-0x0000000000400000-0x000000000044F000-memory.dmp	family_blackshades
behavioral2/memory/3884-9-0x0000000000400000-0x000000000044F000-memory.dmp	family_blackshades
behavioral2/memory/3884-10-0x0000000000400000-0x000000000044F000-memory.dmp	family_blackshades
behavioral2/memory/5416-28-0x0000000000400000-0x000000000044F000-memory.dmp	family_blackshades
behavioral2/memory/5292-36-0x0000000000400000-0x000000000044F000-memory.dmp	family_blackshades
behavioral2/memory/2044-53-0x0000000000400000-0x000000000044F000-memory.dmp	family_blackshades
behavioral2/memory/5224-59-0x0000000000400000-0x000000000044F000-memory.dmp	family_blackshades
behavioral2/memory/3884-64-0x0000000000400000-0x000000000044F000-memory.dmp	family_blackshades
behavioral2/memory/5868-81-0x0000000000400000-0x000000000044F000-memory.dmp	family_blackshades
behavioral2/memory/4316-79-0x0000000000400000-0x000000000044F000-memory.dmp	family_blackshades
behavioral2/memory/3884-83-0x0000000000400000-0x000000000044F000-memory.dmp	family_blackshades
behavioral2/memory/4428-105-0x0000000000400000-0x000000000044F000-memory.dmp	family_blackshades
behavioral2/memory/3656-107-0x0000000000400000-0x000000000044F000-memory.dmp	family_blackshades
behavioral2/memory/4700-127-0x0000000000400000-0x000000000044F000-memory.dmp	family_blackshades
behavioral2/memory/1068-129-0x0000000000400000-0x000000000044F000-memory.dmp	family_blackshades
behavioral2/memory/856-147-0x0000000000400000-0x000000000044F000-memory.dmp	family_blackshades
behavioral2/memory/1800-151-0x0000000000400000-0x000000000044F000-memory.dmp	family_blackshades
behavioral2/memory/3740-176-0x0000000000400000-0x000000000044F000-memory.dmp	family_blackshades
behavioral2/memory/436-174-0x0000000000400000-0x000000000044F000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 10 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\WinDefender.exe = "C:\\Users\\Admin\\AppData\\Roaming\\WinDefender.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\av = "C:\\Users\\Admin\\AppData\\Roaming\\WinDefender.exe"	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DEF900E-FEBF-B96B-ECDB-C6FFEA0EB4BC}	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DEF900E-FEBF-B96B-ECDB-C6FFEA0EB4BC}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\WinDefender.exe"	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{5DEF900E-FEBF-B96B-ECDB-C6FFEA0EB4BC}	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{5DEF900E-FEBF-B96B-ECDB-C6FFEA0EB4BC}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\WinDefender.exe"	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe

Executes dropped EXE 64 IoCs

pid	Process
1236	WinDefender.exe
1756	WinDefender.exe
5416	WinDefender.exe
5292	WinDefender.exe
4364	WinDefender.exe
4252	WinDefender.exe
2044	WinDefender.exe
5224	WinDefender.exe
3228	WinDefender.exe
2364	WinDefender.exe
4316	WinDefender.exe
5868	WinDefender.exe
2072	WinDefender.exe
764	WinDefender.exe
4428	WinDefender.exe
3656	WinDefender.exe
2288	WinDefender.exe
4988	WinDefender.exe
4700	WinDefender.exe
1068	WinDefender.exe
920	WinDefender.exe
2956	WinDefender.exe
856	WinDefender.exe
1800	WinDefender.exe
1224	WinDefender.exe
3180	WinDefender.exe
3740	WinDefender.exe
436	WinDefender.exe
4504	WinDefender.exe
1004	WinDefender.exe
5500	WinDefender.exe
5288	WinDefender.exe
5236	WinDefender.exe
4364	WinDefender.exe
4536	WinDefender.exe
4540	WinDefender.exe
6076	WinDefender.exe
6092	WinDefender.exe
4880	WinDefender.exe
4248	WinDefender.exe
1700	WinDefender.exe
5240	WinDefender.exe
5256	WinDefender.exe
5652	WinDefender.exe
5436	WinDefender.exe
2984	WinDefender.exe
2492	WinDefender.exe
216	WinDefender.exe
4504	WinDefender.exe
5168	WinDefender.exe
592	WinDefender.exe
3532	WinDefender.exe
4204	WinDefender.exe
5612	WinDefender.exe
3500	WinDefender.exe
5280	WinDefender.exe
4792	WinDefender.exe
5424	WinDefender.exe
3292	WinDefender.exe
3680	WinDefender.exe
4628	WinDefender.exe
2688	WinDefender.exe
3952	WinDefender.exe
3300	WinDefender.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\av = "C:\\Users\\Admin\\AppData\\Roaming\\WinDefender.exe"	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\av = "C:\\Users\\Admin\\AppData\\Roaming\\WinDefender.exe"	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 784 set thread context of 3884	784	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe	86
PID 1236 set thread context of 5416	1236	WinDefender.exe	105
PID 1756 set thread context of 5292	1756	WinDefender.exe	106
PID 4364 set thread context of 2044	4364	WinDefender.exe	119
PID 4252 set thread context of 5224	4252	WinDefender.exe	120
PID 3228 set thread context of 4316	3228	WinDefender.exe	130
PID 2364 set thread context of 5868	2364	WinDefender.exe	131
PID 764 set thread context of 4428	764	WinDefender.exe	140
PID 2072 set thread context of 3656	2072	WinDefender.exe	141
PID 2288 set thread context of 4700	2288	WinDefender.exe	148
PID 4988 set thread context of 1068	4988	WinDefender.exe	149
PID 920 set thread context of 856	920	WinDefender.exe	156
PID 2956 set thread context of 1800	2956	WinDefender.exe	157
PID 3180 set thread context of 3740	3180	WinDefender.exe	164
PID 1224 set thread context of 436	1224	WinDefender.exe	165
PID 1004 set thread context of 5500	1004	WinDefender.exe	172
PID 4504 set thread context of 5288	4504	WinDefender.exe	173
PID 5236 set thread context of 4536	5236	WinDefender.exe	180
PID 4364 set thread context of 4540	4364	WinDefender.exe	181
PID 6092 set thread context of 4880	6092	WinDefender.exe	189
PID 6076 set thread context of 4248	6076	WinDefender.exe	190
PID 5240 set thread context of 5256	5240	WinDefender.exe	198
PID 1700 set thread context of 5652	1700	WinDefender.exe	199
PID 2984 set thread context of 2492	2984	WinDefender.exe	213
PID 5436 set thread context of 216	5436	WinDefender.exe	214
PID 4504 set thread context of 592	4504	WinDefender.exe	221
PID 5168 set thread context of 3532	5168	WinDefender.exe	222
PID 4204 set thread context of 3500	4204	WinDefender.exe	229
PID 5612 set thread context of 5280	5612	WinDefender.exe	230
PID 5424 set thread context of 3292	5424	WinDefender.exe	237
PID 4792 set thread context of 3680	4792	WinDefender.exe	238
PID 2688 set thread context of 3952	2688	WinDefender.exe	245
PID 4628 set thread context of 3300	4628	WinDefender.exe	246
PID 1828 set thread context of 1908	1828	WinDefender.exe	254
PID 5268 set thread context of 3568	5268	WinDefender.exe	253
PID 6044 set thread context of 2236	6044	WinDefender.exe	261
PID 3940 set thread context of 4988	3940	WinDefender.exe	262
PID 920 set thread context of 3780	920	WinDefender.exe	269
PID 2244 set thread context of 5320	2244	WinDefender.exe	270
PID 4108 set thread context of 5436	4108	WinDefender.exe	277
PID 1416 set thread context of 2132	1416	WinDefender.exe	278
PID 852 set thread context of 3864	852	WinDefender.exe	286
PID 4912 set thread context of 3836	4912	WinDefender.exe	287
PID 4456 set thread context of 5976	4456	WinDefender.exe	294
PID 3708 set thread context of 5596	3708	WinDefender.exe	295
PID 5152 set thread context of 2588	5152	WinDefender.exe	302
PID 5680 set thread context of 4660	5680	WinDefender.exe	303
PID 6020 set thread context of 1752	6020	WinDefender.exe	310
PID 1444 set thread context of 6048	1444	WinDefender.exe	311
PID 3196 set thread context of 1544	3196	WinDefender.exe	318
PID 4444 set thread context of 1276	4444	WinDefender.exe	319
PID 3940 set thread context of 448	3940	WinDefender.exe	326
PID 1696 set thread context of 4012	1696	WinDefender.exe	327
PID 3928 set thread context of 2876	3928	WinDefender.exe	334
PID 5924 set thread context of 4968	5924	WinDefender.exe	335
PID 2008 set thread context of 2984	2008	WinDefender.exe	342
PID 312 set thread context of 5036	312	WinDefender.exe	343
PID 1692 set thread context of 4188	1692	WinDefender.exe	350
PID 3208 set thread context of 2960	3208	WinDefender.exe	351
PID 4608 set thread context of 5288	4608	WinDefender.exe	359
PID 4612 set thread context of 3448	4612	WinDefender.exe	358
PID 1232 set thread context of 1936	1232	WinDefender.exe	366
PID 1108 set thread context of 3400	1108	WinDefender.exe	367
PID 1588 set thread context of 4568	1588	WinDefender.exe	374

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
4216	reg.exe
2700	reg.exe
1472	reg.exe
1464	reg.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: 1	3884	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe
Token: SeCreateTokenPrivilege	3884	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe
Token: SeAssignPrimaryTokenPrivilege	3884	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe
Token: SeLockMemoryPrivilege	3884	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe
Token: SeIncreaseQuotaPrivilege	3884	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe
Token: SeMachineAccountPrivilege	3884	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe
Token: SeTcbPrivilege	3884	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe
Token: SeSecurityPrivilege	3884	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe
Token: SeTakeOwnershipPrivilege	3884	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe
Token: SeLoadDriverPrivilege	3884	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe
Token: SeSystemProfilePrivilege	3884	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe
Token: SeSystemtimePrivilege	3884	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe
Token: SeProfSingleProcessPrivilege	3884	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe
Token: SeIncBasePriorityPrivilege	3884	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe
Token: SeCreatePagefilePrivilege	3884	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe
Token: SeCreatePermanentPrivilege	3884	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe
Token: SeBackupPrivilege	3884	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe
Token: SeRestorePrivilege	3884	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe
Token: SeShutdownPrivilege	3884	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe
Token: SeDebugPrivilege	3884	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe
Token: SeAuditPrivilege	3884	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe
Token: SeSystemEnvironmentPrivilege	3884	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe
Token: SeChangeNotifyPrivilege	3884	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe
Token: SeRemoteShutdownPrivilege	3884	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe
Token: SeUndockPrivilege	3884	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe
Token: SeSyncAgentPrivilege	3884	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe
Token: SeEnableDelegationPrivilege	3884	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe
Token: SeManageVolumePrivilege	3884	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe
Token: SeImpersonatePrivilege	3884	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe
Token: SeCreateGlobalPrivilege	3884	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe
Token: 31	3884	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe
Token: 32	3884	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe
Token: 33	3884	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe
Token: 34	3884	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe
Token: 35	3884	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe
Token: SeDebugPrivilege	3884	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
784	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe
3884	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe
3884	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe
3884	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe
1236	WinDefender.exe
1756	WinDefender.exe
5416	WinDefender.exe
5416	WinDefender.exe
5292	WinDefender.exe
5292	WinDefender.exe
4252	WinDefender.exe
4364	WinDefender.exe
2044	WinDefender.exe
2044	WinDefender.exe
5224	WinDefender.exe
5224	WinDefender.exe
3228	WinDefender.exe
2364	WinDefender.exe
4316	WinDefender.exe
4316	WinDefender.exe
5868	WinDefender.exe
5868	WinDefender.exe
2072	WinDefender.exe
764	WinDefender.exe
4428	WinDefender.exe
4428	WinDefender.exe
3656	WinDefender.exe
3656	WinDefender.exe
2288	WinDefender.exe
4988	WinDefender.exe
4700	WinDefender.exe
1068	WinDefender.exe
4700	WinDefender.exe
1068	WinDefender.exe
920	WinDefender.exe
2956	WinDefender.exe
856	WinDefender.exe
856	WinDefender.exe
1800	WinDefender.exe
1800	WinDefender.exe
3180	WinDefender.exe
1224	WinDefender.exe
436	WinDefender.exe
3740	WinDefender.exe
436	WinDefender.exe
3740	WinDefender.exe
1004	WinDefender.exe
4504	WinDefender.exe
5500	WinDefender.exe
5500	WinDefender.exe
5288	WinDefender.exe
5288	WinDefender.exe
5236	WinDefender.exe
4364	WinDefender.exe
4536	WinDefender.exe
4540	WinDefender.exe
4536	WinDefender.exe
4540	WinDefender.exe
6076	WinDefender.exe
6092	WinDefender.exe
4880	WinDefender.exe
4248	WinDefender.exe
4880	WinDefender.exe
4248	WinDefender.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 784 wrote to memory of 3884	784	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe	86
PID 784 wrote to memory of 3884	784	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe	86
PID 784 wrote to memory of 3884	784	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe	86
PID 784 wrote to memory of 3884	784	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe	86
PID 784 wrote to memory of 3884	784	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe	86
PID 784 wrote to memory of 3884	784	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe	86
PID 784 wrote to memory of 3884	784	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe	86
PID 784 wrote to memory of 3884	784	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe	86
PID 3884 wrote to memory of 2876	3884	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe	87
PID 3884 wrote to memory of 2876	3884	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe	87
PID 3884 wrote to memory of 2876	3884	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe	87
PID 3884 wrote to memory of 5232	3884	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe	88
PID 3884 wrote to memory of 5232	3884	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe	88
PID 3884 wrote to memory of 5232	3884	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe	88
PID 3884 wrote to memory of 3188	3884	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe	89
PID 3884 wrote to memory of 3188	3884	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe	89
PID 3884 wrote to memory of 3188	3884	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe	89
PID 3884 wrote to memory of 1224	3884	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe	90
PID 3884 wrote to memory of 1224	3884	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe	90
PID 3884 wrote to memory of 1224	3884	JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe	90
PID 2876 wrote to memory of 4216	2876	cmd.exe	99
PID 2876 wrote to memory of 4216	2876	cmd.exe	99
PID 2876 wrote to memory of 4216	2876	cmd.exe	99
PID 3188 wrote to memory of 2700	3188	cmd.exe	100
PID 3188 wrote to memory of 2700	3188	cmd.exe	100
PID 3188 wrote to memory of 2700	3188	cmd.exe	100
PID 5232 wrote to memory of 1472	5232	cmd.exe	101
PID 5232 wrote to memory of 1472	5232	cmd.exe	101
PID 5232 wrote to memory of 1472	5232	cmd.exe	101
PID 1224 wrote to memory of 1464	1224	cmd.exe	102
PID 1224 wrote to memory of 1464	1224	cmd.exe	102
PID 1224 wrote to memory of 1464	1224	cmd.exe	102
PID 216 wrote to memory of 1236	216	cmd.exe	103
PID 116 wrote to memory of 1756	116	cmd.exe	104
PID 216 wrote to memory of 1236	216	cmd.exe	103
PID 216 wrote to memory of 1236	216	cmd.exe	103
PID 116 wrote to memory of 1756	116	cmd.exe	104
PID 116 wrote to memory of 1756	116	cmd.exe	104
PID 1236 wrote to memory of 5416	1236	WinDefender.exe	105
PID 1236 wrote to memory of 5416	1236	WinDefender.exe	105
PID 1236 wrote to memory of 5416	1236	WinDefender.exe	105
PID 1236 wrote to memory of 5416	1236	WinDefender.exe	105
PID 1236 wrote to memory of 5416	1236	WinDefender.exe	105
PID 1236 wrote to memory of 5416	1236	WinDefender.exe	105
PID 1236 wrote to memory of 5416	1236	WinDefender.exe	105
PID 1236 wrote to memory of 5416	1236	WinDefender.exe	105
PID 1756 wrote to memory of 5292	1756	WinDefender.exe	106
PID 1756 wrote to memory of 5292	1756	WinDefender.exe	106
PID 1756 wrote to memory of 5292	1756	WinDefender.exe	106
PID 1756 wrote to memory of 5292	1756	WinDefender.exe	106
PID 1756 wrote to memory of 5292	1756	WinDefender.exe	106
PID 1756 wrote to memory of 5292	1756	WinDefender.exe	106
PID 1756 wrote to memory of 5292	1756	WinDefender.exe	106
PID 1756 wrote to memory of 5292	1756	WinDefender.exe	106
PID 2616 wrote to memory of 4364	2616	cmd.exe	117
PID 2616 wrote to memory of 4364	2616	cmd.exe	117
PID 2616 wrote to memory of 4364	2616	cmd.exe	117
PID 4656 wrote to memory of 4252	4656	cmd.exe	118
PID 4656 wrote to memory of 4252	4656	cmd.exe	118
PID 4656 wrote to memory of 4252	4656	cmd.exe	118
PID 4364 wrote to memory of 2044	4364	WinDefender.exe	119
PID 4364 wrote to memory of 2044	4364	WinDefender.exe	119
PID 4364 wrote to memory of 2044	4364	WinDefender.exe	119
PID 4364 wrote to memory of 2044	4364	WinDefender.exe	119

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:784
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe"
  2⤵
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3884
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:4216
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5232
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_996e057529b5c7f5a5967eb80ecabe32.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:1472
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3188
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2700
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\WinDefender.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WinDefender.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1224
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\WinDefender.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WinDefender.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:1464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:116
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:216
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1236
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4364
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4252
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:2744
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2364
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:5164
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3228
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:1616
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2072
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:5872
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  PID:764
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:4140
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4988
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:2172
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  PID:2288
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:5928
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:920
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:540
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2956
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:5232
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3180
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:5064
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  PID:1224
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:592
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  PID:1004
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:2068
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4504
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:5212
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  PID:5236
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:880
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  PID:4364
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:5316
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  PID:6076
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:2648
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  PID:6092
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:5420
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1700
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:1316
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5240
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:1244
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2984
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    - Executes dropped EXE
    PID:2492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:3208
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5436
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    - Executes dropped EXE
    PID:216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:4576
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4504
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    - Executes dropped EXE
    PID:592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:3836
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5168
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    - Executes dropped EXE
    PID:3532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:5572
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5612
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    - Executes dropped EXE
    PID:5280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:1048
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4204
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:2828
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4792
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    - Executes dropped EXE
    PID:3680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:5780
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:5424
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    - Executes dropped EXE
    PID:3292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:1820
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2688
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    - Executes dropped EXE
    PID:3952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:2648
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4628
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    - Executes dropped EXE
    PID:3300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:1316
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:1828
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    PID:1908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:1096
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:5268
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    PID:3568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:5088
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:3940
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:4148
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:6044
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    PID:2236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:3188
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:920
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    PID:3780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:3924
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:2244
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    PID:5320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:840
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:4108
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    PID:5436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:1692
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:1416
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:4604
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:852
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    PID:3864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:3100
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:4912
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:2372
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:3708
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    PID:5596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:4984
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:4456
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    PID:5976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:5828
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:5680
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    PID:4660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:1016
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:5152
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:1620
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:1444
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    PID:6048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:2748
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:6020
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    PID:1752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:1652
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:3196
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:2160
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4444
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    PID:1276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:3140
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:1696
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    PID:4012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:4900
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:3940
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    PID:448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:1356
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:3928
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:5156
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:5924
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:5296
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:2008
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    PID:2984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:5532
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:312
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    PID:5036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:3888
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:3208
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    PID:2960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:372
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:1692
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:4800
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:4608
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:1100
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:4612
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    PID:3448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:4520
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:1232
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    PID:1936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:1872
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:1108
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:5260
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  PID:5596
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    PID:3216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:3392
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:1588
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:1020
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1736
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    PID:5228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:6076
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1832
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    PID:2152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:5240
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1620
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:2688
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4628
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    PID:5200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:4460
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2160
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    PID:4132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:3104
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  PID:4392
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:5312
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  PID:3868
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:2192
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4588
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    PID:2244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:6112
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4748
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:6116
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2524
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    PID:3504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:1944
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  PID:1884
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    PID:6108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:3248
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6064
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    PID:1368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:3144
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4876
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    PID:4548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:3776
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  PID:5784
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    PID:1088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:3864
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  PID:1552
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    PID:5600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:2004
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  PID:6004
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:880
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  PID:732
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:5216
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  PID:4620
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    PID:4932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:5236
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  PID:3228
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    PID:1736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:4760
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  PID:5412
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    PID:2648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:3068
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  PID:1312
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    PID:4388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:956
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  PID:4752
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    "C:\Users\Admin\AppData\Roaming\WinDefender.exe"
    3⤵
    PID:3148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinDefender.exe

Filesize
340KB

MD5
996e057529b5c7f5a5967eb80ecabe32

SHA1
1acf03131730d3ad618edde6888e42548195e1ca

SHA256
889b75846fe4c693e2fda9740bfff552a8ee27382a6f8b012939e23a7abf334f

SHA512
532fdf9bb18df8e43c54924f38221c9fad7cae333ab48ed081b3b2b0be4c0e814d8c153f6ac7914c756026e00dadfb2013277531a160c5f90146150b0f3d0e03

Download Submit
memory/436-174-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/856-147-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1068-129-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1800-151-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2044-53-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3656-107-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3740-176-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3884-83-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3884-9-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3884-64-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3884-4-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3884-8-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3884-10-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3884-2-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4316-79-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4428-105-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4700-127-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/5224-59-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/5292-36-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/5416-28-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/5868-81-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads