Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 117s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 13/10/2024, 03:55
Behavioral task
- behavioral1
- Sample: 3da86fd13899e91e13bdee1162e43ac8_JaffaCakes118.exe
- Resource: win7-20240903-en
- 8 signatures
- 150 seconds
General
- Target: 3da86fd13899e91e13bdee1162e43ac8_JaffaCakes118.exe
- Size: 290KB
- MD5: 3da86fd13899e91e13bdee1162e43ac8
- SHA1: ae77cf55c182518d78cad2e55c718aa0b4758f84
- SHA256: 05abae643e4253d4876cda3f9d1c5e9360d5282423d1642b5c317aa97c0e2db3
- SHA512: 4cebbfc1ac78f3bef60564cb32eebcf1c15d3908b5f5be30351cd7ad78cf91bf3fe53dca7e70c105bb05564c9310788db1117e32967b9ed65c75f9354d5f3c28
- SSDEEP: 6144:HcO6Ztntb5VHHMdDhqzVIJYoISLJNcC6jJ3F8CnihXQed/TIc:Hx6pbjMjcVmZ43iCiB51H
Malware Config
Signatures
- Executes dropped EXE (64 IoCs)
- Loads dropped DLL (64 IoCs)
- Drops file in System32 directory (64 IoCs)
- yara_rule: upx (matches in behavioral1 memory dumps and the dropped file)
- System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\3da86fd13899e91e13bdee1162e43ac8_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3da86fd13899e91e13bdee1162e43ac8_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2256
- (depth 2) \??\c:\windows\SysWOW64\msiexec16.exe
  Command line: "c:\windows\system32\msiexec16.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2308
- (depth 3) \??\c:\windows\SysWOW64\msiexec16.exe
  Command line: "c:\windows\system32\msiexec16.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3044
- (depth 4) \??\c:\windows\SysWOW64\msiexec16.exe
  Command line: "c:\windows\system32\msiexec16.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2780
- (depth 5) \??\c:\windows\SysWOW64\msiexec16.exe
  Command line: "c:\windows\system32\msiexec16.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2624
- (depth 6) \??\c:\windows\SysWOW64\msiexec16.exe
  Command line: "c:\windows\system32\msiexec16.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2716
- (depth 7) \??\c:\windows\SysWOW64\msiexec16.exe
  Command line: "c:\windows\system32\msiexec16.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2672
- (depth 8) \??\c:\windows\SysWOW64\msiexec16.exe
  Command line: "c:\windows\system32\msiexec16.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2432
- (depth 9) \??\c:\windows\SysWOW64\msiexec16.exe
  Command line: "c:\windows\system32\msiexec16.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 560
- (depth 10) \??\c:\windows\SysWOW64\msiexec16.exe
  Command line: "c:\windows\system32\msiexec16.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2392
- (depth 11) \??\c:\windows\SysWOW64\msiexec16.exe
  Command line: "c:\windows\system32\msiexec16.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1680
- (depth 12) \??\c:\windows\SysWOW64\msiexec16.exe
  Command line: "c:\windows\system32\msiexec16.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2988
- (depth 13) \??\c:\windows\SysWOW64\msiexec16.exe
  Command line: "c:\windows\system32\msiexec16.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2984
- (depth 14) \??\c:\windows\SysWOW64\msiexec16.exe
  Command line: "c:\windows\system32\msiexec16.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2036
- (depth 15) \??\c:\windows\SysWOW64\msiexec16.exe
  Command line: "c:\windows\system32\msiexec16.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1940
- (depth 16) \??\c:\windows\SysWOW64\msiexec16.exe
  Command line: "c:\windows\system32\msiexec16.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2012
- (depth 17) \??\c:\windows\SysWOW64\msiexec16.exe
  Command line: "c:\windows\system32\msiexec16.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 476
- (depth 18) \??\c:\windows\SysWOW64\msiexec16.exe
  Command line: "c:\windows\system32\msiexec16.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2816
- (depth 19) \??\c:\windows\SysWOW64\msiexec16.exe
  Command line: "c:\windows\system32\msiexec16.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2460
- (depth 20) \??\c:\windows\SysWOW64\msiexec16.exe
  Command line: "c:\windows\system32\msiexec16.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1932
- (depth 21) \??\c:\windows\SysWOW64\msiexec16.exe
  Command line: "c:\windows\system32\msiexec16.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1740
- (depth 22) \??\c:\windows\SysWOW64\msiexec16.exe
  Command line: "c:\windows\system32\msiexec16.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2532
- (depth 23) \??\c:\windows\SysWOW64\msiexec16.exe
  Command line: "c:\windows\system32\msiexec16.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1528
- (depth 24) \??\c:\windows\SysWOW64\msiexec16.exe
  Command line: "c:\windows\system32\msiexec16.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1632
- (depth 25) \??\c:\windows\SysWOW64\msiexec16.exe
  Command line: "c:\windows\system32\msiexec16.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2092
- (depth 26) \??\c:\windows\SysWOW64\msiexec16.exe
  Command line: "c:\windows\system32\msiexec16.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1960
- (depth 27) \??\c:\windows\SysWOW64\msiexec16.exe
  Command line: "c:\windows\system32\msiexec16.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2356
- (depth 28) \??\c:\windows\SysWOW64\msiexec16.exe
  Command line: "c:\windows\system32\msiexec16.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2564
- (depth 29) \??\c:\windows\SysWOW64\msiexec16.exe
  Command line: "c:\windows\system32\msiexec16.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 540
- (depth 30) \??\c:\windows\SysWOW64\msiexec16.exe
  Command line: "c:\windows\system32\msiexec16.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2068
- (depth 31) \??\c:\windows\SysWOW64\msiexec16.exe
  Command line: "c:\windows\system32\msiexec16.exe"
  - Executes dropped EXE
  - Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2188 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"32⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1588 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"33⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2224 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"34⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2380 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"35⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3036 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"36⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2752 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"37⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2900 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"38⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2968 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"39⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2604 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"40⤵
- Executes dropped EXE
PID:2616 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"41⤵
- Executes dropped EXE
PID:2664 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"42⤵
- Executes dropped EXE
PID:2332 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2252 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"44⤵
- Executes dropped EXE
PID:2240 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"45⤵
- Executes dropped EXE
PID:2108 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"46⤵
- Executes dropped EXE
PID:2300 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3000 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"48⤵
- Executes dropped EXE
PID:2856 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"49⤵
- Executes dropped EXE
PID:2940 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"50⤵
- Executes dropped EXE
PID:1228 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"51⤵
- Executes dropped EXE
PID:3004 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:492 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"53⤵
- Executes dropped EXE
PID:1916 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"54⤵
- Executes dropped EXE
PID:372 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"55⤵
- Executes dropped EXE
PID:380 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"56⤵
- Executes dropped EXE
PID:584 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"57⤵
- Executes dropped EXE
PID:2296 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"58⤵
- Executes dropped EXE
PID:2584 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"59⤵
- Executes dropped EXE
PID:2816 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2180 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"61⤵
- Executes dropped EXE
PID:1260 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"62⤵
- Executes dropped EXE
PID:1932 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1676 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"64⤵
- Executes dropped EXE
PID:1780 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"65⤵
- Executes dropped EXE
PID:1664 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"66⤵
PID:912 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"67⤵
PID:1720 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"68⤵
PID:2092 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"69⤵
PID:1712 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"70⤵
PID:292 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"71⤵
PID:344 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"72⤵
PID:2412 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"73⤵
PID:1620 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"74⤵
PID:2068 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"75⤵
PID:2548 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"76⤵
PID:1596 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"77⤵
PID:2792 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"78⤵
PID:2824 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"79⤵
PID:2812 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"80⤵
PID:2720 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"81⤵
PID:2928 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"82⤵
PID:1956 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"83⤵
- Drops file in System32 directory
PID:2852 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"84⤵
PID:2944 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"85⤵
PID:1996 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"86⤵
PID:1808 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"87⤵
PID:2676 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"88⤵
PID:2332 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"89⤵
PID:2452 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"90⤵
PID:1624 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"91⤵
PID:2588 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"92⤵
PID:2848 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"93⤵
- Drops file in System32 directory
PID:2892 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"94⤵
PID:2172 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"95⤵
PID:2868 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"96⤵
PID:2980 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"97⤵
PID:1296 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"98⤵
PID:1292 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"99⤵
PID:2100 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"100⤵
PID:532 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"101⤵
PID:1672 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"102⤵
PID:3064 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"103⤵
PID:2220 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"104⤵
PID:2476 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"105⤵
PID:2232 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"106⤵
PID:952 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"107⤵
PID:2396 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"108⤵
PID:2160 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"109⤵
PID:2576 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"110⤵
PID:956 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"111⤵
PID:1988 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"112⤵
PID:1536 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"113⤵
PID:1952 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"114⤵
PID:2076 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"115⤵
PID:1484 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"116⤵
PID:1572 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"117⤵
PID:1284 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"118⤵
PID:1692 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"119⤵
PID:3024 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"120⤵
PID:1796 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"121⤵
PID:2748 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"122⤵
PID:2496