blackshades | 04a5385ca5be897675f249927956d9f2b35532b00741b1a354ee56e41c3dc78e

Analysis

max time kernel
149s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2025, 23:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe
Size

339KB
MD5

9d07bbb8fe17526a432d813688a1c670
SHA1

e6775c1f091248a9660a632d791f59792a6bc1c3
SHA256

04a5385ca5be897675f249927956d9f2b35532b00741b1a354ee56e41c3dc78e
SHA512

651026ae2f549cb28d13c2259f40a2af91efc17203881763513f684d447a98ff291d20a9de8c22dc3ea9f728d3c4e3356d17174c723940ad700dbd2d428c07e3
SSDEEP

6144:rLEchZLsu1AcKKIFrMg3p/UHLEhtfwjH5fc1zdLThGniSRxixV4naNiEGoZSKaU5:ciZLn1SKIFlUHLEk75UJdcniSRxuV4aB

Score

10^/10

blackshades defense_evasion discovery persistence rat trojan upx

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 32 IoCs

resource	yara_rule
behavioral1/memory/3484-5-0x0000000000400000-0x0000000000474000-memory.dmp	family_blackshades
behavioral1/memory/3484-14-0x0000000000400000-0x0000000000474000-memory.dmp	family_blackshades
behavioral1/memory/3484-15-0x0000000000400000-0x0000000000474000-memory.dmp	family_blackshades
behavioral1/memory/5468-34-0x0000000000400000-0x0000000000474000-memory.dmp	family_blackshades
behavioral1/memory/3484-36-0x0000000000400000-0x0000000000474000-memory.dmp	family_blackshades
behavioral1/memory/3484-38-0x0000000000400000-0x0000000000474000-memory.dmp	family_blackshades
behavioral1/memory/2464-51-0x0000000000400000-0x0000000000474000-memory.dmp	family_blackshades
behavioral1/memory/6116-67-0x0000000000400000-0x0000000000474000-memory.dmp	family_blackshades
behavioral1/memory/3424-85-0x0000000000400000-0x0000000000474000-memory.dmp	family_blackshades
behavioral1/memory/2608-100-0x0000000000400000-0x0000000000474000-memory.dmp	family_blackshades
behavioral1/memory/5128-116-0x0000000000400000-0x0000000000474000-memory.dmp	family_blackshades
behavioral1/memory/3484-117-0x0000000000400000-0x0000000000474000-memory.dmp	family_blackshades
behavioral1/memory/2356-134-0x0000000000400000-0x0000000000474000-memory.dmp	family_blackshades
behavioral1/memory/5452-148-0x0000000000400000-0x0000000000474000-memory.dmp	family_blackshades
behavioral1/memory/5548-164-0x0000000000400000-0x0000000000474000-memory.dmp	family_blackshades
behavioral1/memory/5988-186-0x0000000000400000-0x0000000000474000-memory.dmp	family_blackshades
behavioral1/memory/2300-202-0x0000000000400000-0x0000000000474000-memory.dmp	family_blackshades
behavioral1/memory/4288-220-0x0000000000400000-0x0000000000474000-memory.dmp	family_blackshades
behavioral1/memory/5704-240-0x0000000000400000-0x0000000000474000-memory.dmp	family_blackshades
behavioral1/memory/3748-257-0x0000000000400000-0x0000000000474000-memory.dmp	family_blackshades
behavioral1/memory/3540-276-0x0000000000400000-0x0000000000474000-memory.dmp	family_blackshades
behavioral1/memory/1104-292-0x0000000000400000-0x0000000000474000-memory.dmp	family_blackshades
behavioral1/memory/1724-309-0x0000000000400000-0x0000000000474000-memory.dmp	family_blackshades
behavioral1/memory/1184-330-0x0000000000400000-0x0000000000474000-memory.dmp	family_blackshades
behavioral1/memory/5388-347-0x0000000000400000-0x0000000000474000-memory.dmp	family_blackshades
behavioral1/memory/4896-364-0x0000000000400000-0x0000000000474000-memory.dmp	family_blackshades
behavioral1/memory/2256-385-0x0000000000400000-0x0000000000474000-memory.dmp	family_blackshades
behavioral1/memory/1484-399-0x0000000000400000-0x0000000000474000-memory.dmp	family_blackshades
behavioral1/memory/1924-412-0x0000000000400000-0x0000000000474000-memory.dmp	family_blackshades
behavioral1/memory/2136-429-0x0000000000400000-0x0000000000474000-memory.dmp	family_blackshades
behavioral1/memory/3000-443-0x0000000000400000-0x0000000000474000-memory.dmp	family_blackshades
behavioral1/memory/2588-457-0x0000000000400000-0x0000000000474000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 10 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\msnmsngerr.exe = "C:\\Users\\Admin\\AppData\\Roaming\\msnmsngerr.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\system32 = "C:\\Users\\Admin\\AppData\\Roaming\\msnmsngerr.exe"	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA3DA14A-5ACA-F84F-7F69-7263DCF1FFCA}	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA3DA14A-5ACA-F84F-7F69-7263DCF1FFCA}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\msnmsngerr.exe"	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{DA3DA14A-5ACA-F84F-7F69-7263DCF1FFCA}	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{DA3DA14A-5ACA-F84F-7F69-7263DCF1FFCA}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\msnmsngerr.exe"	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe

Executes dropped EXE 64 IoCs

pid	Process
2172	msnmsngerr.exe
1304	msnmsngerr.exe
5468	msnmsngerr.exe
264	msnmsngerr.exe
1452	msnmsngerr.exe
2464	msnmsngerr.exe
1308	msnmsngerr.exe
2868	msnmsngerr.exe
6116	msnmsngerr.exe
1672	msnmsngerr.exe
1832	msnmsngerr.exe
3424	msnmsngerr.exe
1208	msnmsngerr.exe
4716	msnmsngerr.exe
2608	msnmsngerr.exe
4036	msnmsngerr.exe
5456	msnmsngerr.exe
5128	msnmsngerr.exe
5264	msnmsngerr.exe
4484	msnmsngerr.exe
2356	msnmsngerr.exe
664	msnmsngerr.exe
3772	msnmsngerr.exe
5452	msnmsngerr.exe
3572	msnmsngerr.exe
1668	msnmsngerr.exe
5548	msnmsngerr.exe
5660	msnmsngerr.exe
1808	msnmsngerr.exe
5988	msnmsngerr.exe
3404	msnmsngerr.exe
540	msnmsngerr.exe
2300	msnmsngerr.exe
4784	msnmsngerr.exe
2796	msnmsngerr.exe
4288	msnmsngerr.exe
4884	msnmsngerr.exe
2256	msnmsngerr.exe
5704	msnmsngerr.exe
3104	msnmsngerr.exe
4812	msnmsngerr.exe
3748	msnmsngerr.exe
2388	msnmsngerr.exe
5340	msnmsngerr.exe
3540	msnmsngerr.exe
4368	msnmsngerr.exe
2552	msnmsngerr.exe
1104	msnmsngerr.exe
5064	msnmsngerr.exe
4956	msnmsngerr.exe
1724	msnmsngerr.exe
5376	msnmsngerr.exe
5736	msnmsngerr.exe
1184	msnmsngerr.exe
2460	msnmsngerr.exe
4660	msnmsngerr.exe
5388	msnmsngerr.exe
2840	msnmsngerr.exe
1508	msnmsngerr.exe
4896	msnmsngerr.exe
2784	msnmsngerr.exe
4536	msnmsngerr.exe
2256	msnmsngerr.exe
1144	msnmsngerr.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\system32 = "C:\\Users\\Admin\\AppData\\Roaming\\msnmsngerr.exe"	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system32 = "C:\\Users\\Admin\\AppData\\Roaming\\msnmsngerr.exe"	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe

Checks whether UAC is enabled 1 TTPs 64 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsngerr.exe

Suspicious use of SetThreadContext 44 IoCs

description	pid	Process	procid_target
PID 5496 set thread context of 3484	5496	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe	91
PID 2172 set thread context of 5468	2172	msnmsngerr.exe	111
PID 1452 set thread context of 2464	1452	msnmsngerr.exe	122
PID 1308 set thread context of 6116	1308	msnmsngerr.exe	130
PID 1672 set thread context of 3424	1672	msnmsngerr.exe	139
PID 1208 set thread context of 2608	1208	msnmsngerr.exe	146
PID 5456 set thread context of 5128	5456	msnmsngerr.exe	153
PID 4484 set thread context of 2356	4484	msnmsngerr.exe	160
PID 664 set thread context of 5452	664	msnmsngerr.exe	167
PID 1668 set thread context of 5548	1668	msnmsngerr.exe	175
PID 5660 set thread context of 5988	5660	msnmsngerr.exe	182
PID 540 set thread context of 2300	540	msnmsngerr.exe	191
PID 4784 set thread context of 4288	4784	msnmsngerr.exe	203
PID 4884 set thread context of 5704	4884	msnmsngerr.exe	210
PID 3104 set thread context of 3748	3104	msnmsngerr.exe	217
PID 2388 set thread context of 3540	2388	msnmsngerr.exe	224
PID 2552 set thread context of 1104	2552	msnmsngerr.exe	231
PID 5064 set thread context of 1724	5064	msnmsngerr.exe	238
PID 5736 set thread context of 1184	5736	msnmsngerr.exe	245
PID 2460 set thread context of 5388	2460	msnmsngerr.exe	252
PID 2840 set thread context of 4896	2840	msnmsngerr.exe	259
PID 4536 set thread context of 2256	4536	msnmsngerr.exe	266
PID 1144 set thread context of 1484	1144	msnmsngerr.exe	274
PID 4068 set thread context of 1924	4068	msnmsngerr.exe	281
PID 1448 set thread context of 2136	1448	msnmsngerr.exe	288
PID 5596 set thread context of 3000	5596	msnmsngerr.exe	295
PID 1016 set thread context of 2588	1016	msnmsngerr.exe	302
PID 5092 set thread context of 4060	5092	msnmsngerr.exe	309
PID 1120 set thread context of 1880	1120	msnmsngerr.exe	316
PID 5168 set thread context of 5292	5168	msnmsngerr.exe	323
PID 1208 set thread context of 4900	1208	msnmsngerr.exe	330
PID 3696 set thread context of 996	3696	msnmsngerr.exe	337
PID 2792 set thread context of 5492	2792	msnmsngerr.exe	344
PID 5572 set thread context of 3772	5572	msnmsngerr.exe	351
PID 2404 set thread context of 4548	2404	msnmsngerr.exe	358
PID 2324 set thread context of 1792	2324	msnmsngerr.exe	365
PID 1068 set thread context of 2276	1068	msnmsngerr.exe	372
PID 2516 set thread context of 5236	2516	msnmsngerr.exe	379
PID 4728 set thread context of 2480	4728	msnmsngerr.exe	386
PID 2420 set thread context of 4660	2420	msnmsngerr.exe	393
PID 2128 set thread context of 628	2128	msnmsngerr.exe	400
PID 768 set thread context of 1604	768	msnmsngerr.exe	407
PID 740 set thread context of 3140	740	msnmsngerr.exe	414
PID 4968 set thread context of 1088	4968	msnmsngerr.exe	421

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/5496-0-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral1/memory/3484-1-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral1/memory/3484-3-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral1/memory/3484-5-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral1/memory/5496-8-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral1/memory/3484-14-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral1/memory/3484-15-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral1/files/0x0010000000011959-17.dat	upx
behavioral1/memory/1304-21-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral1/memory/1304-22-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral1/memory/2172-31-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral1/memory/5468-34-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral1/memory/3484-36-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral1/memory/3484-38-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral1/memory/264-39-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral1/memory/1452-47-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral1/memory/2464-51-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral1/memory/2868-54-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral1/memory/2868-56-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral1/memory/1308-64-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral1/memory/6116-67-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral1/memory/1832-73-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral1/memory/1672-82-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral1/memory/3424-85-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral1/memory/4716-88-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral1/memory/4716-89-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral1/memory/1208-97-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral1/memory/2608-100-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral1/memory/5456-103-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral1/memory/4036-104-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral1/memory/5456-111-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral1/memory/5128-116-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral1/memory/3484-117-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral1/memory/4484-122-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral1/memory/5264-123-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral1/memory/4484-131-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral1/memory/2356-134-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral1/memory/3772-137-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral1/memory/664-146-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral1/memory/5452-148-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral1/memory/1668-151-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral1/memory/3572-152-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral1/memory/1668-159-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral1/memory/5548-164-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral1/memory/1808-172-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral1/memory/1808-174-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral1/memory/5660-183-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral1/memory/5988-186-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral1/memory/3404-190-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral1/memory/540-199-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral1/memory/2300-202-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral1/memory/2796-206-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral1/memory/4784-205-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral1/memory/2796-208-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral1/memory/4784-217-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral1/memory/4288-220-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral1/memory/2256-227-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral1/memory/5704-232-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral1/memory/4884-237-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral1/memory/5704-240-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral1/memory/4812-243-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral1/memory/4812-245-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral1/memory/3104-253-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral1/memory/3748-257-0x0000000000400000-0x0000000000474000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsngerr.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
220	reg.exe
116	reg.exe
5512	reg.exe
3992	reg.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: 1	3484	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe
Token: SeCreateTokenPrivilege	3484	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe
Token: SeAssignPrimaryTokenPrivilege	3484	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe
Token: SeLockMemoryPrivilege	3484	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe
Token: SeIncreaseQuotaPrivilege	3484	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe
Token: SeMachineAccountPrivilege	3484	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe
Token: SeTcbPrivilege	3484	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe
Token: SeSecurityPrivilege	3484	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe
Token: SeTakeOwnershipPrivilege	3484	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe
Token: SeLoadDriverPrivilege	3484	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe
Token: SeSystemProfilePrivilege	3484	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe
Token: SeSystemtimePrivilege	3484	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe
Token: SeProfSingleProcessPrivilege	3484	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe
Token: SeIncBasePriorityPrivilege	3484	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe
Token: SeCreatePagefilePrivilege	3484	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe
Token: SeCreatePermanentPrivilege	3484	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe
Token: SeBackupPrivilege	3484	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe
Token: SeRestorePrivilege	3484	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe
Token: SeShutdownPrivilege	3484	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe
Token: SeDebugPrivilege	3484	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe
Token: SeAuditPrivilege	3484	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe
Token: SeSystemEnvironmentPrivilege	3484	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe
Token: SeChangeNotifyPrivilege	3484	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe
Token: SeRemoteShutdownPrivilege	3484	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe
Token: SeUndockPrivilege	3484	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe
Token: SeSyncAgentPrivilege	3484	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe
Token: SeEnableDelegationPrivilege	3484	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe
Token: SeManageVolumePrivilege	3484	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe
Token: SeImpersonatePrivilege	3484	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe
Token: SeCreateGlobalPrivilege	3484	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe
Token: 31	3484	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe
Token: 32	3484	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe
Token: 33	3484	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe
Token: 34	3484	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe
Token: 35	3484	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe
Token: SeDebugPrivilege	3484	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3484	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe
3484	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe
5468	msnmsngerr.exe
5468	msnmsngerr.exe
2464	msnmsngerr.exe
2464	msnmsngerr.exe
6116	msnmsngerr.exe
6116	msnmsngerr.exe
3424	msnmsngerr.exe
3424	msnmsngerr.exe
2608	msnmsngerr.exe
2608	msnmsngerr.exe
5128	msnmsngerr.exe
5128	msnmsngerr.exe
2356	msnmsngerr.exe
2356	msnmsngerr.exe
5452	msnmsngerr.exe
5452	msnmsngerr.exe
5548	msnmsngerr.exe
5548	msnmsngerr.exe
5988	msnmsngerr.exe
5988	msnmsngerr.exe
2300	msnmsngerr.exe
2300	msnmsngerr.exe
4288	msnmsngerr.exe
4288	msnmsngerr.exe
5704	msnmsngerr.exe
5704	msnmsngerr.exe
3748	msnmsngerr.exe
3748	msnmsngerr.exe
3540	msnmsngerr.exe
3540	msnmsngerr.exe
1104	msnmsngerr.exe
1104	msnmsngerr.exe
1724	msnmsngerr.exe
1724	msnmsngerr.exe
1184	msnmsngerr.exe
1184	msnmsngerr.exe
5388	msnmsngerr.exe
5388	msnmsngerr.exe
4896	msnmsngerr.exe
4896	msnmsngerr.exe
2256	msnmsngerr.exe
2256	msnmsngerr.exe
1484	msnmsngerr.exe
1484	msnmsngerr.exe
1924	msnmsngerr.exe
1924	msnmsngerr.exe
2136	msnmsngerr.exe
2136	msnmsngerr.exe
3000	msnmsngerr.exe
3000	msnmsngerr.exe
2588	msnmsngerr.exe
2588	msnmsngerr.exe
4060	msnmsngerr.exe
4060	msnmsngerr.exe
1880	msnmsngerr.exe
1880	msnmsngerr.exe
5292	msnmsngerr.exe
5292	msnmsngerr.exe
4900	msnmsngerr.exe
4900	msnmsngerr.exe
996	msnmsngerr.exe
996	msnmsngerr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5496 wrote to memory of 3484	5496	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe	91
PID 5496 wrote to memory of 3484	5496	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe	91
PID 5496 wrote to memory of 3484	5496	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe	91
PID 5496 wrote to memory of 3484	5496	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe	91
PID 5496 wrote to memory of 3484	5496	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe	91
PID 5496 wrote to memory of 3484	5496	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe	91
PID 5496 wrote to memory of 3484	5496	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe	91
PID 5496 wrote to memory of 3484	5496	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe	91
PID 5496 wrote to memory of 3484	5496	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe	91
PID 5496 wrote to memory of 3484	5496	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe	91
PID 3484 wrote to memory of 324	3484	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe	92
PID 3484 wrote to memory of 324	3484	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe	92
PID 3484 wrote to memory of 324	3484	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe	92
PID 3484 wrote to memory of 1484	3484	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe	93
PID 3484 wrote to memory of 1484	3484	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe	93
PID 3484 wrote to memory of 1484	3484	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe	93
PID 3484 wrote to memory of 3084	3484	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe	94
PID 3484 wrote to memory of 3084	3484	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe	94
PID 3484 wrote to memory of 3084	3484	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe	94
PID 3484 wrote to memory of 1992	3484	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe	95
PID 3484 wrote to memory of 1992	3484	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe	95
PID 3484 wrote to memory of 1992	3484	JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe	95
PID 3084 wrote to memory of 220	3084	cmd.exe	104
PID 3084 wrote to memory of 220	3084	cmd.exe	104
PID 3084 wrote to memory of 220	3084	cmd.exe	104
PID 1992 wrote to memory of 116	1992	cmd.exe	105
PID 1992 wrote to memory of 116	1992	cmd.exe	105
PID 1992 wrote to memory of 116	1992	cmd.exe	105
PID 1484 wrote to memory of 5512	1484	cmd.exe	107
PID 1484 wrote to memory of 5512	1484	cmd.exe	107
PID 1484 wrote to memory of 5512	1484	cmd.exe	107
PID 3160 wrote to memory of 2172	3160	cmd.exe	108
PID 3160 wrote to memory of 2172	3160	cmd.exe	108
PID 3160 wrote to memory of 2172	3160	cmd.exe	108
PID 3572 wrote to memory of 1304	3572	cmd.exe	109
PID 3572 wrote to memory of 1304	3572	cmd.exe	109
PID 3572 wrote to memory of 1304	3572	cmd.exe	109
PID 324 wrote to memory of 3992	324	cmd.exe	110
PID 324 wrote to memory of 3992	324	cmd.exe	110
PID 324 wrote to memory of 3992	324	cmd.exe	110
PID 2172 wrote to memory of 5468	2172	msnmsngerr.exe	111
PID 2172 wrote to memory of 5468	2172	msnmsngerr.exe	111
PID 2172 wrote to memory of 5468	2172	msnmsngerr.exe	111
PID 2172 wrote to memory of 5468	2172	msnmsngerr.exe	111
PID 2172 wrote to memory of 5468	2172	msnmsngerr.exe	111
PID 2172 wrote to memory of 5468	2172	msnmsngerr.exe	111
PID 2172 wrote to memory of 5468	2172	msnmsngerr.exe	111
PID 2172 wrote to memory of 5468	2172	msnmsngerr.exe	111
PID 2172 wrote to memory of 5468	2172	msnmsngerr.exe	111
PID 2172 wrote to memory of 5468	2172	msnmsngerr.exe	111
PID 2336 wrote to memory of 264	2336	cmd.exe	118
PID 2336 wrote to memory of 264	2336	cmd.exe	118
PID 2336 wrote to memory of 264	2336	cmd.exe	118
PID 2408 wrote to memory of 1452	2408	cmd.exe	119
PID 2408 wrote to memory of 1452	2408	cmd.exe	119
PID 2408 wrote to memory of 1452	2408	cmd.exe	119
PID 1452 wrote to memory of 2464	1452	msnmsngerr.exe	122
PID 1452 wrote to memory of 2464	1452	msnmsngerr.exe	122
PID 1452 wrote to memory of 2464	1452	msnmsngerr.exe	122
PID 1452 wrote to memory of 2464	1452	msnmsngerr.exe	122
PID 1452 wrote to memory of 2464	1452	msnmsngerr.exe	122
PID 1452 wrote to memory of 2464	1452	msnmsngerr.exe	122
PID 1452 wrote to memory of 2464	1452	msnmsngerr.exe	122
PID 1452 wrote to memory of 2464	1452	msnmsngerr.exe	122

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5496
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe"
  2⤵
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3484
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:324
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:3992
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1484
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9d07bbb8fe17526a432d813688a1c670.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:5512
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3084
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:220
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\msnmsngerr.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\msnmsngerr.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1992
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\msnmsngerr.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\msnmsngerr.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3160
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3572
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Executes dropped EXE
  PID:1304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  PID:264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1452
- - C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:636
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:1308
- - C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:6116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:5376
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  PID:2868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:5092
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  PID:1672
- - C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:5372
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Executes dropped EXE
  PID:1832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:4960
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  PID:4716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:756
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  PID:1208
- - C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:3696
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:5456
- - C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:3324
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  PID:4036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:5572
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  PID:4484
- - C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:64
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  PID:5264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:3104
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  PID:3772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:3760
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:664
- - C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:3708
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  PID:3572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:4488
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  PID:1668
- - C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:4104
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  PID:1808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:2336
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  PID:5660
- - C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:4612
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  PID:3404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:404
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:540
- - C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:2432
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Executes dropped EXE
  PID:2796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:2044
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  PID:4784
- - C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:4136
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  PID:2256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:2400
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  PID:4884
- - C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:5572
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:3104
- - C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:212
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Executes dropped EXE
  PID:4812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:3488
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:5312
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2388
- - C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:5656
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:2552
- - C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:1496
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  PID:4368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:2884
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:5064
- - C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:1452
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  PID:4956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:1192
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:5736
- - C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:3492
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  PID:5376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:3528
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:2460
- - C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:2952
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  PID:4660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:5592
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  PID:2840
- - C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:5752
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  PID:1508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:5864
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4536
- - C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:4056
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  PID:2784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:4720
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1144
- - C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:3600
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Checks whether UAC is enabled
  PID:5512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:6112
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4068
- - C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:3772
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  PID:3708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:2800
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  PID:4176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:2236
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:1448
- - C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:2292
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:5596
- - C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:3000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:1808
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  PID:2600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:4632
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Checks whether UAC is enabled
  PID:3952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:2516
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:1016
- - C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:4048
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  PID:4436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:820
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  PID:5092
- - C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:4148
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  PID:2952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:2140
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:1120
- - C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:5288
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  PID:1320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:5096
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  PID:5168
- - C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:5292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:4116
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  PID:1208
- - C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:4900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:5276
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  PID:2920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:5564
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Checks whether UAC is enabled
  PID:740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:1828
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  PID:3696
- - C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:220
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:1844
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:2792
- - C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    3⤵
    PID:5492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:1144
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  PID:3816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:1028
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  PID:5572
- - C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:664
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Checks whether UAC is enabled
  PID:4176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:1780
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  PID:2404
- - C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    3⤵
    PID:4548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:2916
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  PID:952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:324
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:2324
- - C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    3⤵
    PID:1792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:5160
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  PID:3372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:5460
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:1068
- - C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    3⤵
    PID:2276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:3640
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:2396
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:2516
- - C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:5376
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  PID:4728
- - C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:3720
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Checks whether UAC is enabled
  PID:5216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:5464
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  PID:2420
- - C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    3⤵
    PID:4660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:6136
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Checks whether UAC is enabled
  PID:1392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:5672
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:2128
- - C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    3⤵
    PID:628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:1408
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  PID:4456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:3528
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:768
- - C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:2284
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Checks whether UAC is enabled
  PID:4784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:552
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:740
- - C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:4116
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Checks whether UAC is enabled
  PID:2044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:4572
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Checks whether UAC is enabled
  PID:5876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
1⤵
PID:5864
- C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
  2⤵
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  PID:4968
- - C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    C:\Users\Admin\AppData\Roaming\msnmsngerr.exe
    3⤵
    PID:1088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\data.dat

Filesize
33B

MD5
dcd1cc9ea016096c2de9e1dca6c5190b

SHA1
e51bbbbd2314eec2ebb78a095fb02901305dc8bc

SHA256
ff4646261bdcdcf66094732ab32728418f6cf4106d23fb4fbc5668153d4b66fa

SHA512
7cc3b6e82345db15ec418573a4acd1d79c07b6e7bb702ec87f1020be41a7116a0804a07ea4dc120762ceba4086ef4b9aac4a8f8958aeacba2caebf7a4b5bf6fd

Download Submit
C:\Users\Admin\AppData\Roaming\msnmsngerr.exe

Filesize
339KB

MD5
9d07bbb8fe17526a432d813688a1c670

SHA1
e6775c1f091248a9660a632d791f59792a6bc1c3

SHA256
04a5385ca5be897675f249927956d9f2b35532b00741b1a354ee56e41c3dc78e

SHA512
651026ae2f549cb28d13c2259f40a2af91efc17203881763513f684d447a98ff291d20a9de8c22dc3ea9f728d3c4e3356d17174c723940ad700dbd2d428c07e3

Download Submit
memory/264-39-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/540-199-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/664-146-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1016-454-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1104-292-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1144-396-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1184-330-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1208-97-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1304-21-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1304-22-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1308-64-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1448-425-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1448-416-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1452-47-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1484-399-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1508-352-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1508-350-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1668-151-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1668-159-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1672-82-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1724-309-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1808-174-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1808-172-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1832-73-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1924-412-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2136-429-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2172-31-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2256-227-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2256-385-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2300-202-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2356-134-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2388-273-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2460-344-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2464-51-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2552-289-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2588-457-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2600-430-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2600-432-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2608-100-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2784-370-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2784-373-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2796-206-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2796-208-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2840-361-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2868-54-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2868-56-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3000-443-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3104-253-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3404-190-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3424-85-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3484-117-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3484-38-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3484-15-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3484-1-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3484-3-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3484-14-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3484-5-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3484-36-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3540-276-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3572-152-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3708-401-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3748-257-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3772-137-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3952-446-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3952-444-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4036-104-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4068-409-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4176-418-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4288-220-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4368-280-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4436-464-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4484-122-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4484-131-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4536-371-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4536-382-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4660-335-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4660-333-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4716-89-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4716-88-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4784-205-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4784-217-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4812-243-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4812-245-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4884-237-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4896-364-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4956-295-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4956-297-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/5064-306-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/5092-462-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/5128-116-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/5264-123-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/5340-261-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/5376-315-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/5388-347-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/5452-148-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/5456-111-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/5456-103-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/5468-32-0x0000000000480000-0x0000000000549000-memory.dmp

Filesize
804KB

Download
memory/5468-34-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/5496-8-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/5496-0-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/5512-386-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/5512-388-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/5548-164-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/5596-440-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/5660-183-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/5704-240-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/5704-232-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/5736-326-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/5736-312-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/5988-186-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/6116-67-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads