0221bf57bfe8c18368e101d74f437c2037b443ff55dc2cb3a52e6a82c6794cd4

Analysis

max time kernel
150s
max time network
127s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09/07/2024, 01:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2e8d299b09c7189f75eab720ba7cf7f6_JaffaCakes118.exe
Size

19KB
MD5

2e8d299b09c7189f75eab720ba7cf7f6
SHA1

f1cf8efadbbccfc8e7761657080c989cf1fab4d4
SHA256

0221bf57bfe8c18368e101d74f437c2037b443ff55dc2cb3a52e6a82c6794cd4
SHA512

ba76f77a9050fac273351707751e39d8887f3ef097a452264aa0ddd796643f40b7977c490170313e3391b3f109adcee856a6b4144ad7c4fc298cc4bb7a052f2a
SSDEEP

384:jWKSeWzKJqKo8phK65/ydMLcQkgGT/V83FIy+qU:qWkZ8ps6s+tk9LWeyfU

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\KernelFaultCheck = "C:\\Windows\\system32\\msime.exe"	msime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\KernelFaultCheck = "C:\\Windows\\system32\\msime.exe"	msime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\KernelFaultCheck = "C:\\Windows\\system32\\msime.exe"	msime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\KernelFaultCheck = "C:\\Windows\\system32\\msime.exe"	msime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\KernelFaultCheck = "C:\\Windows\\system32\\msime.exe"	2e8d299b09c7189f75eab720ba7cf7f6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\KernelFaultCheck = "C:\\Windows\\system32\\msime.exe"	msime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\KernelFaultCheck = "C:\\Windows\\system32\\msime.exe"	msime.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\KernelFaultCheck = "C:\\Windows\\system32\\msime.exe"	msime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\KernelFaultCheck = "C:\\Windows\\system32\\msime.exe"	msime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\KernelFaultCheck = "C:\\Windows\\system32\\msime.exe"	msime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\KernelFaultCheck = "C:\\Windows\\system32\\msime.exe"	msime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\KernelFaultCheck = "C:\\Windows\\system32\\msime.exe"	msime.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msime.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msime.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msime.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msime.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\KernelFaultCheck = "C:\\Windows\\system32\\msime.exe"	msime.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\KernelFaultCheck = "C:\\Windows\\system32\\msime.exe"	msime.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msime.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msime.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msime.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\KernelFaultCheck = "C:\\Windows\\system32\\msime.exe"	msime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\KernelFaultCheck = "C:\\Windows\\system32\\msime.exe"	msime.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\KernelFaultCheck = "C:\\Windows\\system32\\msime.exe"	msime.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msime.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msime.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\KernelFaultCheck = "C:\\Windows\\system32\\msime.exe"	msime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\KernelFaultCheck = "C:\\Windows\\system32\\msime.exe"	msime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\KernelFaultCheck = "C:\\Windows\\system32\\msime.exe"	msime.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\KernelFaultCheck = "C:\\Windows\\system32\\msime.exe"	msime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\KernelFaultCheck = "C:\\Windows\\system32\\msime.exe"	msime.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msime.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\KernelFaultCheck = "C:\\Windows\\system32\\msime.exe"	msime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\KernelFaultCheck = "C:\\Windows\\system32\\msime.exe"	msime.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msime.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\KernelFaultCheck = "C:\\Windows\\system32\\msime.exe"	msime.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msime.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msime.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msime.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msime.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msime.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\KernelFaultCheck = "C:\\Windows\\system32\\msime.exe"	msime.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msime.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msime.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\KernelFaultCheck = "C:\\Windows\\system32\\msime.exe"	msime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\KernelFaultCheck = "C:\\Windows\\system32\\msime.exe"	msime.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msime.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\KernelFaultCheck = "C:\\Windows\\system32\\msime.exe"	msime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\KernelFaultCheck = "C:\\Windows\\system32\\msime.exe"	msime.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msime.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\KernelFaultCheck = "C:\\Windows\\system32\\msime.exe"	msime.exe

Executes dropped EXE 64 IoCs

pid	Process
2316	msime.exe
2904	msime.exe
2652	msime.exe
2744	msime.exe
2732	msime.exe
2520	msime.exe
2916	msime.exe
2548	msime.exe
1560	msime.exe
2676	msime.exe
2508	msime.exe
1376	msime.exe
3052	msime.exe
2052	msime.exe
788	msime.exe
1740	msime.exe
568	msime.exe
1732	msime.exe
1416	msime.exe
1704	msime.exe
2256	msime.exe
944	msime.exe
1912	msime.exe
2012	msime.exe
472	msime.exe
432	msime.exe
2336	msime.exe
2940	msime.exe
2600	msime.exe
2812	msime.exe
2100	msime.exe
3064	msime.exe
832	msime.exe
844	msime.exe
1720	msime.exe
1996	msime.exe
1980	msime.exe
2028	msime.exe
2780	msime.exe
1244	msime.exe
1012	msime.exe
1180	msime.exe
280	msime.exe
2160	msime.exe
2824	msime.exe
1144	msime.exe
1536	msime.exe
1460	msime.exe
1552	msime.exe
1540	msime.exe
1712	msime.exe
2236	msime.exe
2400	msime.exe
2404	msime.exe
2232	msime.exe
2284	msime.exe
2040	msime.exe
3036	msime.exe
1764	msime.exe
924	msime.exe
2320	msime.exe
2452	msime.exe
1600	msime.exe
1592	msime.exe

Loads dropped DLL 64 IoCs

pid	Process
2436	2e8d299b09c7189f75eab720ba7cf7f6_JaffaCakes118.exe
2436	2e8d299b09c7189f75eab720ba7cf7f6_JaffaCakes118.exe
2316	msime.exe
2316	msime.exe
2904	msime.exe
2904	msime.exe
2652	msime.exe
2652	msime.exe
2744	msime.exe
2744	msime.exe
2732	msime.exe
2732	msime.exe
2520	msime.exe
2520	msime.exe
2916	msime.exe
2916	msime.exe
2548	msime.exe
2548	msime.exe
1560	msime.exe
1560	msime.exe
2676	msime.exe
2676	msime.exe
2508	msime.exe
2508	msime.exe
1376	msime.exe
1376	msime.exe
3052	msime.exe
3052	msime.exe
2052	msime.exe
2052	msime.exe
788	msime.exe
788	msime.exe
1740	msime.exe
1740	msime.exe
568	msime.exe
568	msime.exe
1732	msime.exe
1732	msime.exe
1416	msime.exe
1416	msime.exe
1704	msime.exe
1704	msime.exe
2256	msime.exe
2256	msime.exe
944	msime.exe
944	msime.exe
1912	msime.exe
1912	msime.exe
2012	msime.exe
2012	msime.exe
472	msime.exe
472	msime.exe
432	msime.exe
432	msime.exe
2336	msime.exe
2336	msime.exe
2940	msime.exe
2940	msime.exe
2600	msime.exe
2600	msime.exe
2812	msime.exe
2812	msime.exe
2100	msime.exe
2100	msime.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File created	C:\Windows\SysWOW64\msime.exe	msime.exe
File created	C:\Windows\SysWOW64\msime.exe	msime.exe
File created	C:\Windows\SysWOW64\msime.exe	msime.exe
File created	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File created	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File created	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File created	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File created	C:\Windows\SysWOW64\msime.exe	msime.exe
File created	C:\Windows\SysWOW64\msime.exe	msime.exe
File created	C:\Windows\SysWOW64\msime.exe	2e8d299b09c7189f75eab720ba7cf7f6_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File created	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File created	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File created	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File created	C:\Windows\SysWOW64\msime.exe	msime.exe
File created	C:\Windows\SysWOW64\msime.exe	msime.exe
File created	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File created	C:\Windows\SysWOW64\msime.exe	msime.exe
File created	C:\Windows\SysWOW64\msime.exe	msime.exe
File created	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File created	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File created	C:\Windows\SysWOW64\msime.exe	msime.exe
File created	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File created	C:\Windows\SysWOW64\msime.exe	msime.exe
File created	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File created	C:\Windows\SysWOW64\msime.exe	msime.exe
File created	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File created	C:\Windows\SysWOW64\msime.exe	msime.exe
File created	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File created	C:\Windows\SysWOW64\msime.exe	msime.exe
File created	C:\Windows\SysWOW64\msime.exe	msime.exe
File created	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File created	C:\Windows\SysWOW64\msime.exe	msime.exe
File opened for modification	C:\Windows\SysWOW64\msime.exe	msime.exe
File created	C:\Windows\SysWOW64\msime.exe	msime.exe
File created	C:\Windows\SysWOW64\msime.exe	msime.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2436	2e8d299b09c7189f75eab720ba7cf7f6_JaffaCakes118.exe
2436	2e8d299b09c7189f75eab720ba7cf7f6_JaffaCakes118.exe
2316	msime.exe
2316	msime.exe
2316	msime.exe
2904	msime.exe
2904	msime.exe
2904	msime.exe
2652	msime.exe
2652	msime.exe
2652	msime.exe
2744	msime.exe
2744	msime.exe
2744	msime.exe
2732	msime.exe
2732	msime.exe
2732	msime.exe
2520	msime.exe
2520	msime.exe
2520	msime.exe
2916	msime.exe
2916	msime.exe
2916	msime.exe
2548	msime.exe
2548	msime.exe
2548	msime.exe
1560	msime.exe
1560	msime.exe
1560	msime.exe
2676	msime.exe
2676	msime.exe
2676	msime.exe
2508	msime.exe
2508	msime.exe
2508	msime.exe
1376	msime.exe
1376	msime.exe
1376	msime.exe
3052	msime.exe
3052	msime.exe
3052	msime.exe
2052	msime.exe
2052	msime.exe
2052	msime.exe
788	msime.exe
788	msime.exe
788	msime.exe
1740	msime.exe
1740	msime.exe
1740	msime.exe
568	msime.exe
568	msime.exe
568	msime.exe
1732	msime.exe
1732	msime.exe
1732	msime.exe
1416	msime.exe
1416	msime.exe
1416	msime.exe
1704	msime.exe
1704	msime.exe
1704	msime.exe
2256	msime.exe
2256	msime.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2436	2e8d299b09c7189f75eab720ba7cf7f6_JaffaCakes118.exe
Token: SeDebugPrivilege	2316	msime.exe
Token: SeDebugPrivilege	2904	msime.exe
Token: SeDebugPrivilege	2652	msime.exe
Token: SeDebugPrivilege	2744	msime.exe
Token: SeDebugPrivilege	2732	msime.exe
Token: SeDebugPrivilege	2520	msime.exe
Token: SeDebugPrivilege	2916	msime.exe
Token: SeDebugPrivilege	2548	msime.exe
Token: SeDebugPrivilege	1560	msime.exe
Token: SeDebugPrivilege	2676	msime.exe
Token: SeDebugPrivilege	2508	msime.exe
Token: SeDebugPrivilege	1376	msime.exe
Token: SeDebugPrivilege	3052	msime.exe
Token: SeDebugPrivilege	2052	msime.exe
Token: SeDebugPrivilege	788	msime.exe
Token: SeDebugPrivilege	1740	msime.exe
Token: SeDebugPrivilege	568	msime.exe
Token: SeDebugPrivilege	1732	msime.exe
Token: SeDebugPrivilege	1416	msime.exe
Token: SeDebugPrivilege	1704	msime.exe
Token: SeDebugPrivilege	2256	msime.exe
Token: SeDebugPrivilege	944	msime.exe
Token: SeDebugPrivilege	1912	msime.exe
Token: SeDebugPrivilege	2012	msime.exe
Token: SeDebugPrivilege	472	msime.exe
Token: SeDebugPrivilege	432	msime.exe
Token: SeDebugPrivilege	2336	msime.exe
Token: SeDebugPrivilege	2940	msime.exe
Token: SeDebugPrivilege	2600	msime.exe
Token: SeDebugPrivilege	2812	msime.exe
Token: SeDebugPrivilege	2100	msime.exe
Token: SeDebugPrivilege	3064	msime.exe
Token: SeDebugPrivilege	832	msime.exe
Token: SeDebugPrivilege	844	msime.exe
Token: SeDebugPrivilege	1720	msime.exe
Token: SeDebugPrivilege	1996	msime.exe
Token: SeDebugPrivilege	1980	msime.exe
Token: SeDebugPrivilege	2028	msime.exe
Token: SeDebugPrivilege	2780	msime.exe
Token: SeDebugPrivilege	1244	msime.exe
Token: SeDebugPrivilege	1012	msime.exe
Token: SeDebugPrivilege	1180	msime.exe
Token: SeDebugPrivilege	280	msime.exe
Token: SeDebugPrivilege	2160	msime.exe
Token: SeDebugPrivilege	2824	msime.exe
Token: SeDebugPrivilege	1144	msime.exe
Token: SeDebugPrivilege	1536	msime.exe
Token: SeDebugPrivilege	1460	msime.exe
Token: SeDebugPrivilege	1552	msime.exe
Token: SeDebugPrivilege	1540	msime.exe
Token: SeDebugPrivilege	1712	msime.exe
Token: SeDebugPrivilege	2236	msime.exe
Token: SeDebugPrivilege	2400	msime.exe
Token: SeDebugPrivilege	2404	msime.exe
Token: SeDebugPrivilege	2232	msime.exe
Token: SeDebugPrivilege	2284	msime.exe
Token: SeDebugPrivilege	2040	msime.exe
Token: SeDebugPrivilege	3036	msime.exe
Token: SeDebugPrivilege	1764	msime.exe
Token: SeDebugPrivilege	924	msime.exe
Token: SeDebugPrivilege	2320	msime.exe
Token: SeDebugPrivilege	2452	msime.exe
Token: SeDebugPrivilege	1600	msime.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 2316	2436	2e8d299b09c7189f75eab720ba7cf7f6_JaffaCakes118.exe	30
PID 2436 wrote to memory of 2316	2436	2e8d299b09c7189f75eab720ba7cf7f6_JaffaCakes118.exe	30
PID 2436 wrote to memory of 2316	2436	2e8d299b09c7189f75eab720ba7cf7f6_JaffaCakes118.exe	30
PID 2436 wrote to memory of 2316	2436	2e8d299b09c7189f75eab720ba7cf7f6_JaffaCakes118.exe	30
PID 2316 wrote to memory of 2904	2316	msime.exe	31
PID 2316 wrote to memory of 2904	2316	msime.exe	31
PID 2316 wrote to memory of 2904	2316	msime.exe	31
PID 2316 wrote to memory of 2904	2316	msime.exe	31
PID 2904 wrote to memory of 2652	2904	msime.exe	32
PID 2904 wrote to memory of 2652	2904	msime.exe	32
PID 2904 wrote to memory of 2652	2904	msime.exe	32
PID 2904 wrote to memory of 2652	2904	msime.exe	32
PID 2652 wrote to memory of 2744	2652	msime.exe	33
PID 2652 wrote to memory of 2744	2652	msime.exe	33
PID 2652 wrote to memory of 2744	2652	msime.exe	33
PID 2652 wrote to memory of 2744	2652	msime.exe	33
PID 2744 wrote to memory of 2732	2744	msime.exe	34
PID 2744 wrote to memory of 2732	2744	msime.exe	34
PID 2744 wrote to memory of 2732	2744	msime.exe	34
PID 2744 wrote to memory of 2732	2744	msime.exe	34
PID 2732 wrote to memory of 2520	2732	msime.exe	35
PID 2732 wrote to memory of 2520	2732	msime.exe	35
PID 2732 wrote to memory of 2520	2732	msime.exe	35
PID 2732 wrote to memory of 2520	2732	msime.exe	35
PID 2520 wrote to memory of 2916	2520	msime.exe	36
PID 2520 wrote to memory of 2916	2520	msime.exe	36
PID 2520 wrote to memory of 2916	2520	msime.exe	36
PID 2520 wrote to memory of 2916	2520	msime.exe	36
PID 2916 wrote to memory of 2548	2916	msime.exe	37
PID 2916 wrote to memory of 2548	2916	msime.exe	37
PID 2916 wrote to memory of 2548	2916	msime.exe	37
PID 2916 wrote to memory of 2548	2916	msime.exe	37
PID 2548 wrote to memory of 1560	2548	msime.exe	38
PID 2548 wrote to memory of 1560	2548	msime.exe	38
PID 2548 wrote to memory of 1560	2548	msime.exe	38
PID 2548 wrote to memory of 1560	2548	msime.exe	38
PID 1560 wrote to memory of 2676	1560	msime.exe	39
PID 1560 wrote to memory of 2676	1560	msime.exe	39
PID 1560 wrote to memory of 2676	1560	msime.exe	39
PID 1560 wrote to memory of 2676	1560	msime.exe	39
PID 2676 wrote to memory of 2508	2676	msime.exe	40
PID 2676 wrote to memory of 2508	2676	msime.exe	40
PID 2676 wrote to memory of 2508	2676	msime.exe	40
PID 2676 wrote to memory of 2508	2676	msime.exe	40
PID 2508 wrote to memory of 1376	2508	msime.exe	41
PID 2508 wrote to memory of 1376	2508	msime.exe	41
PID 2508 wrote to memory of 1376	2508	msime.exe	41
PID 2508 wrote to memory of 1376	2508	msime.exe	41
PID 1376 wrote to memory of 3052	1376	msime.exe	42
PID 1376 wrote to memory of 3052	1376	msime.exe	42
PID 1376 wrote to memory of 3052	1376	msime.exe	42
PID 1376 wrote to memory of 3052	1376	msime.exe	42
PID 3052 wrote to memory of 2052	3052	msime.exe	43
PID 3052 wrote to memory of 2052	3052	msime.exe	43
PID 3052 wrote to memory of 2052	3052	msime.exe	43
PID 3052 wrote to memory of 2052	3052	msime.exe	43
PID 2052 wrote to memory of 788	2052	msime.exe	44
PID 2052 wrote to memory of 788	2052	msime.exe	44
PID 2052 wrote to memory of 788	2052	msime.exe	44
PID 2052 wrote to memory of 788	2052	msime.exe	44
PID 788 wrote to memory of 1740	788	msime.exe	45
PID 788 wrote to memory of 1740	788	msime.exe	45
PID 788 wrote to memory of 1740	788	msime.exe	45
PID 788 wrote to memory of 1740	788	msime.exe	45

C:\Users\Admin\AppData\Local\Temp\2e8d299b09c7189f75eab720ba7cf7f6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2e8d299b09c7189f75eab720ba7cf7f6_JaffaCakes118.exe"
1⤵
- Adds policy Run key to start application
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Windows\SysWOW64\msime.exe
  C:\Windows\system32\msime.exe "C:\Users\Admin\AppData\Local\Temp\2e8d299b09c7189f75eab720ba7cf7f6_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\SysWOW64\msime.exe
    C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
    3⤵
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Windows\SysWOW64\msime.exe
      C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
      4⤵
      Adds policy Run key to start application
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2652
    - - C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        5⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2744
      - C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        6⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        11⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        12⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:788
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:568
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1416
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        23⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:944
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1912
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        25⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:472
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:432
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        30⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2812
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        32⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        34⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:832
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:844
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        36⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1996
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        38⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        39⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        40⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2780
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        41⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1244
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        42⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1012
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1180
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:280
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1144
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        48⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1460
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        50⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1552
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        51⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        52⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        53⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        55⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        56⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        57⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        59⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:924
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        62⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2320
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2452
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        64⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        65⤵
        Executes dropped EXE
        
        PID:1592
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        66⤵
        Adds policy Run key to start application
        
        PID:2440
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        67⤵
        Drops file in System32 directory
        
        PID:2456
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        68⤵
        Drops file in System32 directory
        
        PID:2668
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        69⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        70⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        71⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        72⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        73⤵
        Adds policy Run key to start application
        
        PID:2712
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        74⤵
        Drops file in System32 directory
        
        PID:2672
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        75⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        76⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        77⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        78⤵
        Drops file in System32 directory
        
        PID:2548
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        79⤵
        Adds policy Run key to start application
        Drops file in System32 directory
        
        PID:2512
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        80⤵
        Adds policy Run key to start application
        
        PID:2532
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        81⤵
        Drops file in System32 directory
        
        PID:2564
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        82⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        83⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        84⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        85⤵
        Drops file in System32 directory
        
        PID:2492
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        86⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        87⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        88⤵
        Drops file in System32 directory
        
        PID:2840
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        89⤵
        
        PID:576
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        90⤵
        
        PID:628
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        91⤵
        
        PID:652
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        92⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        93⤵
        Drops file in System32 directory
        
        PID:2872
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        94⤵
        
        PID:272
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        95⤵
        Adds policy Run key to start application
        
        PID:1724
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        96⤵
        Drops file in System32 directory
        
        PID:2056
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        97⤵
        Adds policy Run key to start application
        
        PID:2020
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        98⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        99⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        100⤵
        Adds policy Run key to start application
        
        PID:944
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        101⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        102⤵
        Drops file in System32 directory
        
        PID:2104
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        103⤵
        Drops file in System32 directory
        
        PID:332
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        104⤵
        
        PID:432
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        105⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        106⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        107⤵
        Drops file in System32 directory
        
        PID:1192
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        108⤵
        Adds policy Run key to start application
        
        PID:328
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        109⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        110⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        111⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        112⤵
        Adds policy Run key to start application
        
        PID:1628
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        113⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        114⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        115⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        116⤵
        Adds policy Run key to start application
        
        PID:976
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        117⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        118⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        119⤵
        Adds policy Run key to start application
        
        PID:2896
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        120⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        121⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        122⤵
        Adds policy Run key to start application
        
        PID:2956
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        123⤵
        
        PID:872
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        124⤵
        Adds policy Run key to start application
        Drops file in System32 directory
        
        PID:2844
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        125⤵
        Drops file in System32 directory
        
        PID:1832
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        126⤵
        
        PID:756
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        127⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        128⤵
        Adds policy Run key to start application
        
        PID:1292
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        129⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        130⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        131⤵
        Drops file in System32 directory
        
        PID:2468
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        132⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        133⤵
        Adds policy Run key to start application
        
        PID:2004
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        134⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        135⤵
        Drops file in System32 directory
        
        PID:2040
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        136⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        137⤵
        Adds policy Run key to start application
        
        PID:1764
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        138⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        139⤵
        Adds policy Run key to start application
        Drops file in System32 directory
        
        PID:2328
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        140⤵
        Drops file in System32 directory
        
        PID:1572
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        141⤵
        Drops file in System32 directory
        
        PID:1684
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        142⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        143⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        144⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        145⤵
        Drops file in System32 directory
        
        PID:2140
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        146⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        147⤵
        Adds policy Run key to start application
        
        PID:2604
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        148⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        149⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        150⤵
        Adds policy Run key to start application
        
        PID:2740
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        151⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        152⤵
        Adds policy Run key to start application
        Drops file in System32 directory
        
        PID:2664
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        153⤵
        Adds policy Run key to start application
        
        PID:2988
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        154⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        155⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        156⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        157⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        158⤵
        Adds policy Run key to start application
        
        PID:1784
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        159⤵
        Drops file in System32 directory
        
        PID:2532
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        160⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        161⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        162⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        163⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        164⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        165⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        166⤵
        
        PID:920
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        167⤵
        Adds policy Run key to start application
        
        PID:2888
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        168⤵
        Drops file in System32 directory
        
        PID:2768
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        169⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        170⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        171⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        172⤵
        
        PID:272
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        173⤵
        Adds policy Run key to start application
        
        PID:1700
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        174⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        175⤵
        Drops file in System32 directory
        
        PID:2348
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        176⤵
        Drops file in System32 directory
        
        PID:1756
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        177⤵
        Drops file in System32 directory
        
        PID:952
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        178⤵
        Drops file in System32 directory
        
        PID:1912
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        179⤵
        Adds policy Run key to start application
        
        PID:1088
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        180⤵
        Drops file in System32 directory
        
        PID:1952
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        181⤵
        Adds policy Run key to start application
        
        PID:2428
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        182⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        183⤵
        Adds policy Run key to start application
        Drops file in System32 directory
        
        PID:2260
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        184⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        185⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        186⤵
        Adds policy Run key to start application
        
        PID:2220
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        187⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        188⤵
        Adds policy Run key to start application
        Drops file in System32 directory
        
        PID:1568
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        189⤵
        
        PID:832
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        190⤵
        
        PID:844
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        191⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        192⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        193⤵
        
        PID:824
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        194⤵
        Adds policy Run key to start application
        
        PID:932
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        195⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        196⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        197⤵
        Drops file in System32 directory
        
        PID:1980
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        198⤵
        
        PID:896
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        199⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        200⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        201⤵
        Drops file in System32 directory
        
        PID:1768
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        202⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        203⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        204⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        205⤵
        Adds policy Run key to start application
        
        PID:1536
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        206⤵
        Adds policy Run key to start application
        
        PID:1688
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        207⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        208⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        209⤵
        Adds policy Run key to start application
        
        PID:1540
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        210⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        211⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        212⤵
        Adds policy Run key to start application
        
        PID:2308
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        213⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        214⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        215⤵
        Adds policy Run key to start application
        Drops file in System32 directory
        
        PID:1208
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        216⤵
        Adds policy Run key to start application
        Drops file in System32 directory
        
        PID:2076
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        217⤵
        Adds policy Run key to start application
        Drops file in System32 directory
        
        PID:1264
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        218⤵
        Drops file in System32 directory
        
        PID:3036
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        219⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        220⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        221⤵
        Adds policy Run key to start application
        
        PID:2984
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        222⤵
        Drops file in System32 directory
        
        PID:2452
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        223⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        224⤵
        Adds policy Run key to start application
        
        PID:1728
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        225⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        226⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        227⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        228⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        229⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        230⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        231⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        232⤵
        Adds policy Run key to start application
        Drops file in System32 directory
        
        PID:2616
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        233⤵
        Adds policy Run key to start application
        
        PID:1716
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        234⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        235⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        236⤵
        Adds policy Run key to start application
        
        PID:2716
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        237⤵
        Drops file in System32 directory
        
        PID:1560
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        238⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        239⤵
        Drops file in System32 directory
        
        PID:2648
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        240⤵
        Adds policy Run key to start application
        
        PID:2548
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        241⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        242⤵
        Adds policy Run key to start application
        
        PID:2532
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        243⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        244⤵
        Drops file in System32 directory
        
        PID:3016
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        245⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        246⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        247⤵
        Adds policy Run key to start application
        
        PID:2492
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        248⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        249⤵
        
        PID:916
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        250⤵
        Adds policy Run key to start application
        Drops file in System32 directory
        
        PID:264
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        251⤵
        
        PID:652
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        252⤵
        Drops file in System32 directory
        
        PID:2768
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        253⤵
        Drops file in System32 directory
        
        PID:1604
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        254⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        255⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        256⤵
        Drops file in System32 directory
        
        PID:3052
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        257⤵
        Adds policy Run key to start application
        
        PID:1072
        
        C:\Windows\SysWOW64\msime.exe
        
        C:\Windows\system32\msime.exe "C:\Windows\SysWOW64\msime.exe"
        258⤵
        
        PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\msime.exe

Filesize
19KB

MD5
2e8d299b09c7189f75eab720ba7cf7f6

SHA1
f1cf8efadbbccfc8e7761657080c989cf1fab4d4

SHA256
0221bf57bfe8c18368e101d74f437c2037b443ff55dc2cb3a52e6a82c6794cd4

SHA512
ba76f77a9050fac273351707751e39d8887f3ef097a452264aa0ddd796643f40b7977c490170313e3391b3f109adcee856a6b4144ad7c4fc298cc4bb7a052f2a

Download Submit