Analysis
-
max time kernel
150s -
max time network
124s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system -
submitted
18/08/2024, 04:46
Static task
static1
Behavioral task
behavioral1
Sample
a5712f8112f633c57a233814bb3923f9_JaffaCakes118.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
a5712f8112f633c57a233814bb3923f9_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
a5712f8112f633c57a233814bb3923f9_JaffaCakes118.exe
-
Size
171KB
-
MD5
a5712f8112f633c57a233814bb3923f9
-
SHA1
275494bcf3cde45f981c9d93c373f7642811b260
-
SHA256
192a9a72f08373b3f16996fe7bbcddb9f7ef0a04cdb846220812a36e5bfd906b
-
SHA512
30186c153c1eb38994544a7bd4b1d4d28d93579a1783303f38888d54cdd79d0dd2992b44ec3b01c57765b260b92fce963d03333be0770d6c027b61341e373832
-
SSDEEP
3072:9bCX8UaFPmgRMNlPTGQQm6ytwZEsrYkK4d9hFap/QroKP:i898gWNlPTGQQm6agrd7HW4UK
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\msvce32.exe" | msvce32.exe
The same write is recorded 64 times, each by an msvce32.exe instance. The value keeps Explorer.exe first so the desktop still comes up and appends the dropped binary after it. Note the key path: msvce32.exe is a 32-bit process, so its write to HKLM\SOFTWARE is redirected into the WOW6432Node view; the native Winlogon key, which the 64-bit winlogon.exe on this x64 image actually reads, is not shown being modified in this run. -
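The Shell value above is the whole persistence mechanism, so it is worth being able to pull such writes out of sandbox output and decide mechanically whether they are benign. The Python below is an added example, not part of the Triage report or of the sample: it parses IoC lines in the report's 'Set value (str) <key> = "<value>" <process>' shape, maps native \REGISTRY\MACHINE and \REGISTRY\USER paths to the HKLM/HKU names an analyst types into reg.exe, and reports every program in a Winlogon Shell value other than the default explorer.exe. It also records whether the write landed in the WOW6432Node view, since a 64-bit winlogon.exe reads the native key. The first sample line copies the report's IoC; the other two input lines (a default-value write and a per-user, comma-separated value) are constructed for contrast.

```python
r"""Added example, not part of the Triage report or of the sample: find non-default
programs in Winlogon Shell values that a sandbox logged as registry IoCs."""
import re

# Shape of one IoC line in the report: description, native key path, quoted value, writing process.
IOC_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\.+?) = "(?P<value>.*)" (?P<proc>\S+)$'
)
# Native registry roots -> hive names as used by reg.exe / PowerShell.
HIVE_MAP = {r"\REGISTRY\MACHINE": "HKLM", r"\REGISTRY\USER": "HKU"}
SHELL_KEY_RE = re.compile(r"\\Winlogon\\Shell$", re.IGNORECASE)
DEFAULT_SHELL = "explorer.exe"


def to_friendly_key(native_key):
    r"""\REGISTRY\MACHINE\SOFTWARE\... -> HKLM\SOFTWARE\... (rest of the path unchanged)."""
    for prefix, hive in HIVE_MAP.items():
        if native_key.upper().startswith(prefix.upper()):
            return hive + native_key[len(prefix):]
    return native_key


def parse_ioc(line):
    """Return {key, value, process} for a 'Set value (str)' line, or None for other lines."""
    m = IOC_RE.match(line.strip())
    if not m:
        return None
    return {
        "key": to_friendly_key(m["key"]),
        # the report renders backslashes inside the quoted value doubled ("C:\\Windows")
        "value": m["value"].replace("\\\\", "\\"),
        "process": m["proc"],
    }


def tokenize(value):
    """Split a Shell value on whitespace and commas, keeping "quoted paths" together."""
    tokens, cur, in_quote = [], "", False
    for ch in value:
        if ch == '"':
            in_quote = not in_quote
        elif ch in " \t," and not in_quote:
            if cur:
                tokens.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        tokens.append(cur)
    return tokens


def shell_extras(value):
    """Every program in the Shell value other than the default explorer.exe."""
    return [t for t in tokenize(value) if t.lower() != DEFAULT_SHELL]


def analyse(lines):
    """Report Winlogon Shell writes that add a program. wow64_view marks writes that a
    32-bit process made into the WOW6432Node view, which a 64-bit winlogon.exe does not read."""
    hits = []
    for line in lines:
        ev = parse_ioc(line)
        if ev is None or not SHELL_KEY_RE.search(ev["key"]):
            continue
        extras = shell_extras(ev["value"])
        if extras:
            hits.append({
                "key": ev["key"],
                "extra_programs": extras,
                "writer": ev["process"],
                "wow64_view": "wow6432node" in ev["key"].lower(),
            })
    return hits


# Constructed input in the report's line shape. The first line copies the report's IoC;
# the other two are made up (a default-value write and a per-user, comma-separated value).
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\msvce32.exe" msvce32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe" setup.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Public\\svchost.exe" tool.exe',
]

if __name__ == "__main__":
    for hit in analyse(SAMPLE_EVENTS):
        print(hit)
```

Run against the three sample lines it reports the report's msvce32.exe write (flagged as a WOW64-view write) and the constructed per-user write, and stays silent on the default-value write. The tokenizer splits on both spaces and commas because Winlogon accepts a comma-separated list and this sample used a space; anything that is not explorer.exe is treated as a hit regardless of how Winlogon would parse it.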
Executes dropped EXE 64 IoCs
pid | Process
4620, 1004, 1436, 2056, 3180, 3992, 5112, 2828, 3576, 2640, 3292, 3956, 4112, 3628, 2132, 4964, 1304, 4880, 2872, 212, 2564, 4148, 3140, 4752, 4980, 3492, 2000, 3212, 1224, 1368, 2684, 4920, 4216, 1480, 4512, 264, 448, 4868, 4364, 4764, 4708, 4244, 2544, 3148, 4400, 3024, 852, 1544, 3692, 4676, 1612, 3964, 4560, 3052, 4736, 1556, 2616, 928, 3544, 3972, 4720, 4988, 2548, 668 | msvce32.exe (64 PIDs, all the same dropped image) -
Drops file in System32 directory 64 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\Deleteme.bat | a5712f8112f633c57a233814bb3923f9_JaffaCakes118.exe (1 IoC)
File created | C:\Windows\SysWOW64\msvce32.exe | msvce32.exe (35 IoCs)
File opened for modification | C:\Windows\SysWOW64\Deleteme.bat | msvce32.exe (28 IoCs)
The original sample drops Deleteme.bat once; every later msvce32.exe instance re-creates its own copy and rewrites the batch file. -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msvce32.exe (43 IoCs)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe (21 IoCs)
Reading NLS\Language is routine for any process that queries locale information, and cmd.exe hits it here as well, so on its own this signature is weak evidence of deliberate geofencing. -
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
All six reads are by dwm.exe (the Desktop Window Manager, PID 11132), which does not appear in the sample's process chain; the same holds for the next three signatures. Treat them as host background activity rather than behaviour of the sample unless injection into dwm.exe is shown elsewhere. The QEMU DVD-ROM device ID also reveals which hypervisor the sandbox runs on.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | dwm.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | dwm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | dwm.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | dwm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | dwm.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | dwm.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | dwm.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | dwm.exe -
Modifies data under HKEY_USERS 18 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | dwm.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description | pid | Process
Token: SeCreateGlobalPrivilege | 11132 | dwm.exe
Token: SeChangeNotifyPrivilege | 11132 | dwm.exe
Token: 33 | 11132 | dwm.exe
Token: SeIncBasePriorityPrivilege | 11132 | dwm.exe
Token: SeShutdownPrivilege | 11132 | dwm.exe
Token: SeCreatePagefilePrivilege | 11132 | dwm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
The report logs each spawn three times (three identical "wrote to memory" events per parent/child pair). The 22 distinct pairs are listed once, in order; every child is the next msvce32.exe in the chain, and the list stops at 64 IoCs with the last pair logged only once.
description | pid | Process | procid_target
PID 1476 wrote to memory of 4620 | 1476 | a5712f8112f633c57a233814bb3923f9_JaffaCakes118.exe | 84
PID 4620 wrote to memory of 1004 | 4620 | msvce32.exe | 85
PID 1004 wrote to memory of 1436 | 1004 | msvce32.exe | 86
PID 1436 wrote to memory of 2056 | 1436 | msvce32.exe | 88
PID 2056 wrote to memory of 3180 | 2056 | msvce32.exe | 91
PID 3180 wrote to memory of 3992 | 3180 | msvce32.exe | 92
PID 3992 wrote to memory of 5112 | 3992 | msvce32.exe | 93
PID 5112 wrote to memory of 2828 | 5112 | msvce32.exe | 94
PID 2828 wrote to memory of 3576 | 2828 | msvce32.exe | 95
PID 3576 wrote to memory of 2640 | 3576 | msvce32.exe | 96
PID 2640 wrote to memory of 3292 | 2640 | msvce32.exe | 97
PID 3292 wrote to memory of 3956 | 3292 | msvce32.exe | 98
PID 3956 wrote to memory of 4112 | 3956 | msvce32.exe | 99
PID 4112 wrote to memory of 3628 | 4112 | msvce32.exe | 100
PID 3628 wrote to memory of 2132 | 3628 | msvce32.exe | 101
PID 2132 wrote to memory of 4964 | 2132 | msvce32.exe | 102
PID 4964 wrote to memory of 1304 | 4964 | msvce32.exe | 103
PID 1304 wrote to memory of 4880 | 1304 | msvce32.exe | 104
PID 4880 wrote to memory of 2872 | 4880 | msvce32.exe | 105
PID 2872 wrote to memory of 212 | 2872 | msvce32.exe | 106
PID 212 wrote to memory of 2564 | 212 | msvce32.exe | 107
PID 2564 wrote to memory of 4148 | 2564 | msvce32.exe | 108
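Read as a whole, the WriteProcessMemory list is a parent-to-child spawn chain in which the dropped binary keeps relaunching itself. The Python below is an added example, not from the report: it de-duplicates "PID X wrote to memory of Y X image target" lines, joins them with the "pid Process" pairs of the Executes dropped EXE list to learn each child's image name, rebuilds the chain from its root, and flags chains in which the same image respawns itself at least min_run times in a row. The input is constructed in the report's line shape: the first three spawns copy the report's PIDs, while the setup.exe/helper.exe pair is made up as a benign control.

```python
"""Added example, not part of the Triage report: rebuild the spawn chain from
WriteProcessMemory IoC lines and flag self-replicating runs of one image."""
import re
from collections import defaultdict

# "PID 1476 wrote to memory of 4620 1476 <image> 84": parent, child, parent again, parent image, target id
WPM_RE = re.compile(
    r"PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) (?P=parent) (?P<image>\S+) (?P<target>\d+)"
)
# "pid Process 4620 msvce32.exe 1004 msvce32.exe ...": pid followed by image name
PID_IMAGE_RE = re.compile(r"(?P<pid>\d+) (?P<image>\S+\.exe)", re.IGNORECASE)


def parse_wpm(text):
    """Distinct (parent_pid, parent_image, child_pid) edges. The sandbox logs each
    spawn three times, so identical lines collapse to one edge."""
    edges = set()
    for m in WPM_RE.finditer(text):
        edges.add((int(m["parent"]), m["image"], int(m["child"])))
    return edges


def parse_pid_images(text):
    """pid -> image name from an 'Executes dropped EXE' style list."""
    return {int(m["pid"]): m["image"] for m in PID_IMAGE_RE.finditer(text)}


def build_chains(edges, images):
    """Root-to-leaf PID chains. Parent image names are learned from the edges
    and merged into `images` so every PID in a chain can be named."""
    children = defaultdict(list)
    parents = set()
    for parent, image, child in edges:
        children[parent].append(child)
        images.setdefault(parent, image)
        parents.add(parent)
    child_pids = {child for _, _, child in edges}
    roots = sorted(p for p in parents if p not in child_pids)
    chains = []

    def walk(pid, path):
        path = path + [pid]
        if not children[pid]:
            chains.append(path)
        for child in children[pid]:
            walk(child, path)

    for root in roots:
        walk(root, [])
    return chains


def longest_same_image_run(chain, images):
    """Length of the longest run of consecutive processes sharing an image name."""
    best = run = 0
    prev = None
    for pid in chain:
        image = images.get(pid, "?").lower()
        run = run + 1 if image == prev else 1
        best = max(best, run)
        prev = image
    return best


def analyse(wpm_text, pid_text, min_run=3):
    """Chains where one image relaunches itself min_run or more times in a row."""
    images = parse_pid_images(pid_text)
    findings = []
    for chain in build_chains(parse_wpm(wpm_text), images):
        run = longest_same_image_run(chain, images)
        if run >= min_run:
            findings.append({
                "root": chain[0],
                "depth": len(chain),
                "image": images[chain[1]],
                "respawns": run,
            })
    return findings


# Constructed input in the report's line shape: the first three spawns copy the report's PIDs,
# repeated three times each as the sandbox emits them; the 700 -> 701 pair is a made-up control.
SAMPLE_WPM = " ".join(
    ["PID 1476 wrote to memory of 4620 1476 a5712f8112f633c57a233814bb3923f9_JaffaCakes118.exe 84"] * 3
    + ["PID 4620 wrote to memory of 1004 4620 msvce32.exe 85"] * 3
    + ["PID 1004 wrote to memory of 1436 1004 msvce32.exe 86"] * 3
    + ["PID 700 wrote to memory of 701 700 setup.exe 50"]
)
SAMPLE_PIDS = "pid Process 4620 msvce32.exe 1004 msvce32.exe 1436 msvce32.exe 701 helper.exe"

if __name__ == "__main__":
    print(analyse(SAMPLE_WPM, SAMPLE_PIDS))
```

On the full report the same code would give a single chain rooted at 1476 with 22 consecutive msvce32.exe respawns; the threshold is the only tuning knob, and three in a row is already unusual for legitimate software.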
Processes
-
C:\Users\Admin\AppData\Local\Temp\a5712f8112f633c57a233814bb3923f9_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a5712f8112f633c57a233814bb3923f9_JaffaCakes118.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1476 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4620
The entries that follow are all copies of the same process: C:\Windows\SysWOW64\msvce32.exe, started with the command line C:\Windows\system32\msvce32.exe. The image lands in SysWOW64 because the sample is 32-bit (arch:x86, and its registry writes go through WOW6432Node), so WOW64 file system redirection maps its System32 reference there. Each copy spawns one more, so the tree is a single chain growing one level per entry. Each line gives the tree depth, the PID, and the signatures that copy triggered.
- depth 3, PID:1004: Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
- depth 4, PID:1436: Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
- depth 5, PID:2056: Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 6, PID:3180: Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
- depth 7, PID:3992: Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 8, PID:5112: Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 9, PID:2828: Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 10, PID:3576: Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 11, PID:2640: Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 12, PID:3292: Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 13, PID:3956: Modifies WinLogon for persistence; Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 14, PID:4112: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
- depth 15, PID:3628: Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 16, PID:2132: Modifies WinLogon for persistence; Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 17, PID:4964: Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 18, PID:1304: Modifies WinLogon for persistence; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
- depth 19, PID:4880: Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 20, PID:2872: Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 21, PID:212: Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 22, PID:2564: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
- depth 23, PID:4148: Executes dropped EXE
- depth 24, PID:3140: Modifies WinLogon for persistence; Executes dropped EXE
- depth 25, PID:4752: Modifies WinLogon for persistence; Executes dropped EXE
- depth 26, PID:4980: Modifies WinLogon for persistence; Executes dropped EXE
- depth 27, PID:3492: Executes dropped EXE; Drops file in System32 directory
- depth 28, PID:2000: Modifies WinLogon for persistence; Executes dropped EXE; Drops file in System32 directory
- depth 29, PID:3212: Executes dropped EXE
- depth 30, PID:1224: Executes dropped EXE
- depth 31, PID:1368: Executes dropped EXE
- depth 32, PID:2684: Executes dropped EXE
- depth 33, PID:4920: Executes dropped EXE; Drops file in System32 directory
- depth 34, PID:4216: Executes dropped EXE
- depth 35, PID:1480: Executes dropped EXE
- depth 36, PID:4512: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
- depth 37, PID:264: Executes dropped EXE; System Location Discovery: System Language Discovery
- depth 38, PID:448: Executes dropped EXE
- depth 39, PID:4868: Executes dropped EXE
- depth 40, PID:4364: Executes dropped EXE
- depth 41, PID:4764: Executes dropped EXE
- depth 42, PID:4708: Executes dropped EXE
- depth 43, PID:4244: Modifies WinLogon for persistence; Executes dropped EXE; System Location Discovery: System Language Discovery
- depth 44, PID:2544: Executes dropped EXE
- depth 45, PID:3148: Executes dropped EXE
- depth 46, PID:4400: Executes dropped EXE
- depth 47, PID:3024: Executes dropped EXE
- depth 48, PID:852: Executes dropped EXE; Drops file in System32 directory
- depth 49, PID:1544: Executes dropped EXE; System Location Discovery: System Language Discovery
- depth 50, PID:3692: Executes dropped EXE
- depth 51, PID:4676: Modifies WinLogon for persistence; Executes dropped EXE
- depth 52, PID:1612: Executes dropped EXE
- depth 53, PID:3964: Executes dropped EXE; Drops file in System32 directory
- depth 54, PID:4560: Executes dropped EXE
- depth 55, PID:3052: Modifies WinLogon for persistence; Executes dropped EXE; System Location Discovery: System Language Discovery
- depth 56, PID:4736: Executes dropped EXE
- depth 57, PID:1556: Executes dropped EXE; Drops file in System32 directory
- depth 58, PID:2616: Executes dropped EXE; System Location Discovery: System Language Discovery
- depth 59, PID:928: Modifies WinLogon for persistence; Executes dropped EXE
- depth 60, PID:3544: Executes dropped EXE; Drops file in System32 directory
- depth 61, PID:3972: Modifies WinLogon for persistence; Executes dropped EXE
- depth 62, PID:4720: Executes dropped EXE; Drops file in System32 directory
- depth 63, PID:4988: Executes dropped EXE
- depth 64, PID:2548: Executes dropped EXE
- depth 65, PID:668: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
- depth 66, PID:4696: (no signatures)
- depth 67, PID:2268: (no signatures)
- depth 68, PID:1484: Modifies WinLogon for persistence
- depth 69, PID:2008: Drops file in System32 directory
- depth 70, PID:4892: Drops file in System32 directory
- depth 71, PID:3016: (no signatures)
- depth 72, PID:2952: (no signatures)
- depth 73, PID:3320: (no signatures)
- depth 74, PID:756: (no signatures)
- depth 75, PID:2776: (no signatures)
- depth 76, PID:1864: System Location Discovery: System Language Discovery
- depth 77, PID:4304: Modifies WinLogon for persistence; Drops file in System32 directory
- depth 78, PID:680: (no signatures)
- depth 79, PID:4828: (no signatures)
- depth 80, PID:2732: Modifies WinLogon for persistence; System Location Discovery: System Language Discovery
- depth 81, PID:3900: Drops file in System32 directory
- depth 82, PID:1372: Drops file in System32 directory
- depth 83, PID:4140: (no signatures)
- depth 84, PID:1176: (no signatures)
- depth 85, PID:3548: Modifies WinLogon for persistence
- depth 86, PID:5140: (no signatures)
- depth 87, PID:5160: (no signatures)
- depth 88, PID:5180: (no signatures)
- depth 89, PID:5200: (no signatures)
- depth 90, PID:5220: (no signatures)
- depth 91, PID:5240: Drops file in System32 directory
- depth 92, PID:5260: Drops file in System32 directory
- depth 93, PID:5280: (no signatures)
- depth 94, PID:5300: (no signatures)
- depth 95, PID:5320: Modifies WinLogon for persistence
- depth 96, PID:5340: (no signatures)
- depth 97, PID:5364: (no signatures)
- depth 98, PID:5384: (no signatures)
- depth 99, PID:5408: (no signatures)
- depth 100, PID:5428: (no signatures)
- depth 101, PID:5448: (no signatures)
- depth 102, PID:5468: (no signatures)
- depth 103, PID:5488: (no signatures)
- depth 104, PID:5516: (no signatures)
- depth 105, PID:5536: (no signatures)
- depth 106, PID:5560: System Location Discovery: System Language Discovery
- depth 107, PID:5580: (no signatures)
- depth 108, PID:5604: (no signatures)
- depth 109, PID:5628: (no signatures)
- depth 110, PID:5656: Drops file in System32 directory
- depth 111, PID:5680: (no signatures)
- depth 112, PID:5764: Modifies WinLogon for persistence; Drops file in System32 directory
- depth 113, PID:5840: (no signatures)
- depth 114, PID:5876: Modifies WinLogon for persistence
- depth 115, PID:5896: (no signatures)
- depth 116, PID:5920: Modifies WinLogon for persistence
- depth 117, PID:5944: (no signatures)
- depth 118, PID:5972: System Location Discovery: System Language Discovery
- depth 119, PID:5996: (no signatures)
- depth 120, PID:6016: (no signatures)
- depth 121, PID:6040: Drops file in System32 directory
- depth 122, PID:6068: (no signatures)
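As an added example (not part of the tria.ge report and not code from the sample's author), the following Python parses process-tree entries in the flattened form this page uses (image path, command line and tree depth run together, then the signature bullets, then the PID) and summarizes what a triager wants from this sample: whether it is one self-respawning chain, which PIDs wrote the Winlogon persistence value, and which copies ran under WOW64 redirection. The embedded SAMPLE_REPORT lines are copied from this report; the Winlogon Shell helper is generic and assumes the expected shell is explorer.exe.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: four entries copied from this report in the page's
# flattened form. An entry with no signatures carries its PID inline.
SAMPLE_REPORT = r"""
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3292 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe13⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3956 -
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe66⤵PID:4696
-
C:\Windows\SysWOW64\msvce32.exeC:\Windows\system32\msvce32.exe68⤵
- Modifies WinLogon for persistence
PID:1484 -
"""

# The image path and the command line are fused; the command line starts with
# a drive letter, which is the only reliable split point. Depth is the number
# before the ⤵ glyph; a PID may follow it directly when there are no bullets.
PROC_RE = re.compile(
    r"^(?P<image>[A-Za-z]:\\.*?\.exe)(?P<cmdline>[A-Za-z]:\\.*?)(?P<depth>\d+)⤵(?:PID:(?P<pid>\d+))?\s*$"
)
PID_RE = re.compile(r"^PID:(?P<pid>\d+)\s*-?\s*$")   # trailing '-' is the next bullet
SIG_RE = re.compile(r"^-\s+(?P<sig>\S.*)$")

WINLOGON_PERSISTENCE = "Modifies WinLogon for persistence"


@dataclass
class ProcEntry:
    image: str
    cmdline: str
    depth: int
    pid: Optional[int] = None
    signatures: List[str] = field(default_factory=list)


def parse_process_tree(text: str) -> List[ProcEntry]:
    """Rebuild process entries from the flattened report text."""
    entries: List[ProcEntry] = []
    current: Optional[ProcEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":          # empty bullet markers carry nothing
            continue
        m = PROC_RE.match(line)
        if m:
            current = ProcEntry(m["image"], m["cmdline"], int(m["depth"]),
                                int(m["pid"]) if m["pid"] else None)
            entries.append(current)
            continue
        m = PID_RE.match(line)
        if m and current is not None:
            current.pid = int(m["pid"])      # PID line closes the entry
            continue
        m = SIG_RE.match(line)
        if m and current is not None:
            current.signatures.append(m["sig"])
    return entries


def summarize(entries: List[ProcEntry]) -> dict:
    """Triage summary: chain shape, persistence writers, WOW64-redirected copies."""
    depths = [e.depth for e in entries]
    basenames = {e.image.rsplit("\\", 1)[-1].lower() for e in entries}
    return {
        "processes": len(entries),
        "max_depth": max(depths) if depths else 0,
        # consecutive depths differing by exactly one means one linear chain
        "linear_chain": all(b - a == 1 for a, b in zip(depths, depths[1:])),
        "single_image": len(basenames) == 1,
        # command line names System32 but the 32-bit image ran from SysWOW64
        "wow64_redirected": [e.pid for e in entries
                             if "\\syswow64\\" in e.image.lower()
                             and "\\system32\\" in e.cmdline.lower()],
        "winlogon_persistence_pids": [e.pid for e in entries
                                      if WINLOGON_PERSISTENCE in e.signatures],
    }


def winlogon_shell_findings(value: str) -> List[str]:
    """Flag anything in a Winlogon\\Shell value beyond a bare explorer.exe.
    The value is a comma-separated list of programs Winlogon starts at logon;
    explorer.exe given a path argument opens that path, so an appended .exe
    (as this sample writes) is a persistence entry. Assumed default: explorer.exe."""
    findings = []
    for entry in (p.strip() for p in value.split(",")):
        if not entry:
            continue
        tokens = entry.split()
        exe = tokens[0].rsplit("\\", 1)[-1].lower()
        if exe != "explorer.exe":
            findings.append(f"non-default shell entry: {entry}")
        elif len(tokens) > 1:
            findings.append(f"explorer.exe given arguments: {' '.join(tokens[1:])}")
    return findings


if __name__ == "__main__":
    print(summarize(parse_process_tree(SAMPLE_REPORT)))
    print(winlogon_shell_findings(r"Explorer.exe C:\Windows\system32\msvce32.exe"))
```

The chain check is the useful signal here: a report with many entries but a linear, ever-deepening tree and a single image name is a self-respawning sample, not a dropper with a varied payload, and the PIDs flagged for the Winlogon write tell you which copies to pull registry events for.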