Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 17s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 18/08/2024, 04:46

Static task: static1

Behavioral task: behavioral1
- Sample: a5712f8112f633c57a233814bb3923f9_JaffaCakes118.exe
- Resource: win7-20240729-en

Behavioral task: behavioral2
- Sample: a5712f8112f633c57a233814bb3923f9_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: a5712f8112f633c57a233814bb3923f9_JaffaCakes118.exe
- Size: 171KB
- MD5: a5712f8112f633c57a233814bb3923f9
- SHA1: 275494bcf3cde45f981c9d93c373f7642811b260
- SHA256: 192a9a72f08373b3f16996fe7bbcddb9f7ef0a04cdb846220812a36e5bfd906b
- SHA512: 30186c153c1eb38994544a7bd4b1d4d28d93579a1783303f38888d54cdd79d0dd2992b44ec3b01c57765b260b92fce963d03333be0770d6c027b61341e373832
- SSDEEP: 3072:9bCX8UaFPmgRMNlPTGQQm6ytwZEsrYkK4d9hFap/QroKP:i898gWNlPTGQQm6agrd7HW4UK
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\msvce32.exe" | msvce32.exe
(the same entry is recorded for all 64 IoCs; the repeats are omitted)
Deletes itself 1 IoCs
pid | Process
4968 | cmd.exe
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Writes to the Master Boot Record (MBR) 1 TTPs 64 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | msvce32.exe
(the same entry is recorded for all 64 IoCs; the repeats are omitted)
Drops file in System32 directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Deleteme.bat | msvce32.exe
File created | C:\Windows\SysWOW64\Deleteme.bat | msvce32.exe
File created | C:\Windows\SysWOW64\msvce32.exe | msvce32.exe
(only these three distinct entries occur among the 64 IoCs; the repeats are omitted)
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msvce32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
(only these two distinct entries occur among the 64 IoCs; the repeats are omitted)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1548 wrote to memory of 2716 | 1548 | a5712f8112f633c57a233814bb3923f9_JaffaCakes118.exe | 30
PID 2716 wrote to memory of 2320 | 2716 | msvce32.exe | 31
PID 2320 wrote to memory of 2896 | 2320 | msvce32.exe | 32
PID 2896 wrote to memory of 2692 | 2896 | msvce32.exe | 33
PID 2692 wrote to memory of 1120 | 2692 | msvce32.exe | 34
PID 1120 wrote to memory of 2516 | 1120 | msvce32.exe | 35
PID 2516 wrote to memory of 2624 | 2516 | msvce32.exe | 36
PID 2624 wrote to memory of 1636 | 2624 | msvce32.exe | 37
PID 1636 wrote to memory of 1048 | 1636 | msvce32.exe | 38
PID 1048 wrote to memory of 1728 | 1048 | msvce32.exe | 39
PID 1728 wrote to memory of 584 | 1728 | msvce32.exe | 40
PID 584 wrote to memory of 1448 | 584 | msvce32.exe | 41
PID 1448 wrote to memory of 2428 | 1448 | msvce32.exe | 42
PID 2428 wrote to memory of 3020 | 2428 | msvce32.exe | 43
PID 3020 wrote to memory of 1104 | 3020 | msvce32.exe | 44
PID 1104 wrote to memory of 672 | 1104 | msvce32.exe | 45
(each entry is recorded four times in the report; the 16 distinct entries are listed once here)
Processes
Each process at depth N is a child of the process at depth N-1.

Depth 1: C:\Users\Admin\AppData\Local\Temp\a5712f8112f633c57a233814bb3923f9_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a5712f8112f633c57a233814bb3923f9_JaffaCakes118.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1548

Depth 2: C:\Windows\SysWOW64\msvce32.exe
Command line: C:\Windows\system32\msvce32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2716

Depth 3: C:\Windows\SysWOW64\msvce32.exe
Command line: C:\Windows\system32\msvce32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2320

Depth 4: C:\Windows\SysWOW64\msvce32.exe
Command line: C:\Windows\system32\msvce32.exe
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID: 2896

Depth 5: C:\Windows\SysWOW64\msvce32.exe
Command line: C:\Windows\system32\msvce32.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 2692

Depth 6: C:\Windows\SysWOW64\msvce32.exe
Command line: C:\Windows\system32\msvce32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1120

Depth 7: C:\Windows\SysWOW64\msvce32.exe
Command line: C:\Windows\system32\msvce32.exe
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID: 2516

Depth 8: C:\Windows\SysWOW64\msvce32.exe
Command line: C:\Windows\system32\msvce32.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2624

Depth 9: C:\Windows\SysWOW64\msvce32.exe
Command line: C:\Windows\system32\msvce32.exe
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID: 1636

Depth 10: C:\Windows\SysWOW64\msvce32.exe
Command line: C:\Windows\system32\msvce32.exe
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1048

Depth 11: C:\Windows\SysWOW64\msvce32.exe
Command line: C:\Windows\system32\msvce32.exe
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1728

Depth 12: C:\Windows\SysWOW64\msvce32.exe
Command line: C:\Windows\system32\msvce32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 584

Depth 13: C:\Windows\SysWOW64\msvce32.exe
Command line: C:\Windows\system32\msvce32.exe
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1448

Depth 14: C:\Windows\SysWOW64\msvce32.exe
Command line: C:\Windows\system32\msvce32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1104 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe17⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
PID:672 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2604 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2844 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1680 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2348 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1620 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe23⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
PID:1968 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:320 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1228 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2340 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1496 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1484 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2148 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1876 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1580 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2092 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2168 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe34⤵
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe35⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:2108 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe36⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe37⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe38⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe39⤵
- Executes dropped EXE
PID:836 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe40⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops file in System32 directory
PID:2300 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe41⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2284 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe43⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
PID:1240 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe44⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:288 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe45⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:1904 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe46⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1732 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:376 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe49⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe50⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe51⤵
- Executes dropped EXE
PID:1444 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe52⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
PID:1324 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe53⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:3028 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe54⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe55⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe56⤵
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe57⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:2352 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe58⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe59⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe60⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1900 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe61⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2272 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe63⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe64⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops file in System32 directory
PID:2584 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe65⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe66⤵PID:3008
-
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe67⤵
- System Location Discovery: System Language Discovery
PID:1532 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe68⤵PID:2696
-
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe69⤵
- Writes to the Master Boot Record (MBR)
PID:344 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe70⤵PID:1716
-
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe71⤵PID:2268
-
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe72⤵PID:2944
-
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe73⤵PID:2596
-
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe74⤵
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
PID:1220 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe75⤵PID:2240
-
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe76⤵PID:2024
-
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe77⤵
- Writes to the Master Boot Record (MBR)
PID:2188 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe78⤵
- Drops file in System32 directory
PID:2720 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe79⤵PID:2700
-
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe80⤵PID:1568
-
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe81⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2708 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe82⤵
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1592 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe83⤵PID:2984
-
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe84⤵
- Writes to the Master Boot Record (MBR)
PID:2628 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe85⤵PID:2972
-
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe86⤵PID:2792
-
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe87⤵PID:2176
-
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe88⤵PID:2664
-
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe89⤵PID:2540
-
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe90⤵
- Modifies WinLogon for persistence
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
PID:2724 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe91⤵PID:2652
-
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe92⤵
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
PID:864 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe93⤵
- Modifies WinLogon for persistence
PID:2676 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe94⤵PID:2524
-
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe95⤵PID:2576
-
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe96⤵
- Drops file in System32 directory
PID:3048 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe97⤵PID:2556
-
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe98⤵PID:2192
-
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe99⤵PID:3052
-
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe100⤵
- Modifies WinLogon for persistence
PID:2920 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe101⤵
- Writes to the Master Boot Record (MBR)
PID:2760 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe102⤵
- System Location Discovery: System Language Discovery
PID:748 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe103⤵
- Writes to the Master Boot Record (MBR)
PID:1528 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe104⤵PID:1440
-
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe105⤵
- Modifies WinLogon for persistence
PID:2260 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe106⤵
- Modifies WinLogon for persistence
PID:2484 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe107⤵PID:3004
-
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe108⤵
- System Location Discovery: System Language Discovery
PID:2196 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe109⤵
- Drops file in System32 directory
PID:2224 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe110⤵
- Drops file in System32 directory
PID:1872 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe111⤵PID:1628
-
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe112⤵PID:2860
-
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe113⤵
- Drops file in System32 directory
PID:2836 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe114⤵
- Modifies WinLogon for persistence
- Writes to the Master Boot Record (MBR)
PID:2592 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe115⤵PID:2368
-
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe116⤵PID:2460
-
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe117⤵
- Writes to the Master Boot Record (MBR)
PID:1012 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe118⤵PID:2772
-
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe119⤵
- Modifies WinLogon for persistence
- Writes to the Master Boot Record (MBR)
PID:1144 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe120⤵PID:540
-
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe121⤵PID:2276
-
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe122⤵PID:2152