Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-10-2024 03:55
Behavioral task: behavioral1
- Sample: 3da86fd13899e91e13bdee1162e43ac8_JaffaCakes118.exe
- Resource: win7-20240903-en
- Platform: windows7-x64
- 8 signatures
- 150 seconds
General
- Target: 3da86fd13899e91e13bdee1162e43ac8_JaffaCakes118.exe
- Size: 290KB
- MD5: 3da86fd13899e91e13bdee1162e43ac8
- SHA1: ae77cf55c182518d78cad2e55c718aa0b4758f84
- SHA256: 05abae643e4253d4876cda3f9d1c5e9360d5282423d1642b5c317aa97c0e2db3
- SHA512: 4cebbfc1ac78f3bef60564cb32eebcf1c15d3908b5f5be30351cd7ad78cf91bf3fe53dca7e70c105bb05564c9310788db1117e32967b9ed65c75f9354d5f3c28
- SSDEEP: 6144:HcO6Ztntb5VHHMdDhqzVIJYoISLJNcC6jJ3F8CnihXQed/TIc:Hx6pbjMjcVmZ43iCiB51H
Malware Config

Signatures
Executes dropped EXE (64 IoCs)
pid | Process
2980 | msiexec16.exe
980 | msiexec16.exe
1328 | msiexec16.exe
3236 | msiexec16.exe
2124 | msiexec16.exe
3944 | msiexec16.exe
3624 | msiexec16.exe
3368 | msiexec16.exe
3256 | msiexec16.exe
4308 | msiexec16.exe
1956 | msiexec16.exe
5020 | msiexec16.exe
1000 | msiexec16.exe
1948 | msiexec16.exe
1532 | msiexec16.exe
1080 | msiexec16.exe
2820 | msiexec16.exe
3680 | msiexec16.exe
5088 | msiexec16.exe
228 | msiexec16.exe
3476 | msiexec16.exe
4220 | msiexec16.exe
3164 | msiexec16.exe
3028 | msiexec16.exe
3656 | msiexec16.exe
3196 | msiexec16.exe
1304 | msiexec16.exe
3228 | msiexec16.exe
2052 | msiexec16.exe
1472 | msiexec16.exe
2956 | msiexec16.exe
3932 | msiexec16.exe
4784 | msiexec16.exe
4152 | msiexec16.exe
4848 | msiexec16.exe
1592 | msiexec16.exe
2404 | msiexec16.exe
3664 | msiexec16.exe
3048 | msiexec16.exe
2560 | msiexec16.exe
1848 | msiexec16.exe
3872 | msiexec16.exe
1044 | msiexec16.exe
1724 | msiexec16.exe
4724 | msiexec16.exe
1828 | msiexec16.exe
2388 | msiexec16.exe
3884 | msiexec16.exe
4288 | msiexec16.exe
3952 | msiexec16.exe
2348 | msiexec16.exe
2352 | msiexec16.exe
3384 | msiexec16.exe
4160 | msiexec16.exe
4740 | msiexec16.exe
952 | msiexec16.exe
4964 | msiexec16.exe
3888 | msiexec16.exe
3932 | msiexec16.exe
4784 | msiexec16.exe
4360 | msiexec16.exe
4848 | msiexec16.exe
220 | msiexec16.exe
2468 | msiexec16.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | \??\c:\windows\SysWOW64\msiexec16.exe | msiexec16.exe
File created | \??\c:\windows\SysWOW64\msiexec16.exe | msiexec16.exe
File created | \??\c:\windows\SysWOW64\msiexec16.exe | msiexec16.exe
File created | \??\c:\windows\SysWOW64\msiexec16.exe | msiexec16.exe
File created | \??\c:\windows\SysWOW64\msiexec16.exe | msiexec16.exe
File created | \??\c:\windows\SysWOW64\msiexec16.exe | msiexec16.exe
File created | \??\c:\windows\SysWOW64\msiexec16.exe | msiexec16.exe
File created | \??\c:\windows\SysWOW64\msiexec16.exe | msiexec16.exe
File created | \??\c:\windows\SysWOW64\msiexec16.exe | Process not Found
File created | \??\c:\windows\SysWOW64\msiexec16.exe | msiexec16.exe
File created | \??\c:\windows\SysWOW64\msiexec16.exe | msiexec16.exe
File created | \??\c:\windows\SysWOW64\msiexec16.exe | Process not Found
File created | \??\c:\windows\SysWOW64\msiexec16.exe | msiexec16.exe
File created | \??\c:\windows\SysWOW64\msiexec16.exe | msiexec16.exe
File created | \??\c:\windows\SysWOW64\msiexec16.exe | msiexec16.exe
File created | \??\c:\windows\SysWOW64\msiexec16.exe | msiexec16.exe
File created | \??\c:\windows\SysWOW64\msiexec16.exe | Process not Found
File created | \??\c:\windows\SysWOW64\msiexec16.exe | msiexec16.exe
File created | \??\c:\windows\SysWOW64\msiexec16.exe | msiexec16.exe
File created | \??\c:\windows\SysWOW64\msiexec16.exe | msiexec16.exe
File created | \??\c:\windows\SysWOW64\msiexec16.exe | msiexec16.exe
File created | \??\c:\windows\SysWOW64\msiexec16.exe | msiexec16.exe
File created | \??\c:\windows\SysWOW64\msiexec16.exe | msiexec16.exe
File created | \??\c:\windows\SysWOW64\msiexec16.exe | msiexec16.exe
File created | \??\c:\windows\SysWOW64\msiexec16.exe | Process not Found
File created | \??\c:\windows\SysWOW64\msiexec16.exe | msiexec16.exe
File created | \??\c:\windows\SysWOW64\msiexec16.exe | msiexec16.exe
File created | \??\c:\windows\SysWOW64\msiexec16.exe | Process not Found
File created | \??\c:\windows\SysWOW64\msiexec16.exe | msiexec16.exe
File created | \??\c:\windows\SysWOW64\msiexec16.exe | msiexec16.exe
File created | \??\c:\windows\SysWOW64\msiexec16.exe | msiexec16.exe
File created | \??\c:\windows\SysWOW64\msiexec16.exe | Process not Found
File created | \??\c:\windows\SysWOW64\msiexec16.exe | msiexec16.exe
File created | \??\c:\windows\SysWOW64\msiexec16.exe | msiexec16.exe
File created | \??\c:\windows\SysWOW64\msiexec16.exe | msiexec16.exe
File created | \??\c:\windows\SysWOW64\msiexec16.exe | msiexec16.exe
File created | \??\c:\windows\SysWOW64\msiexec16.exe | msiexec16.exe
File created | \??\c:\windows\SysWOW64\msiexec16.exe | msiexec16.exe
File created | \??\c:\windows\SysWOW64\msiexec16.exe | msiexec16.exe
File created | \??\c:\windows\SysWOW64\msiexec16.exe | msiexec16.exe
File created | \??\c:\windows\SysWOW64\msiexec16.exe | msiexec16.exe
File created | \??\c:\windows\SysWOW64\msiexec16.exe | msiexec16.exe
File created | \??\c:\windows\SysWOW64\msiexec16.exe | msiexec16.exe
File created | \??\c:\windows\SysWOW64\msiexec16.exe | msiexec16.exe
File created | \??\c:\windows\SysWOW64\msiexec16.exe | msiexec16.exe
File created | \??\c:\windows\SysWOW64\msiexec16.exe | msiexec16.exe
File created | \??\c:\windows\SysWOW64\msiexec16.exe | msiexec16.exe
File created | \??\c:\windows\SysWOW64\msiexec16.exe | msiexec16.exe
File created | \??\c:\windows\SysWOW64\msiexec16.exe | msiexec16.exe
File created | \??\c:\windows\SysWOW64\msiexec16.exe | msiexec16.exe
File created | \??\c:\windows\SysWOW64\msiexec16.exe | msiexec16.exe
File created | \??\c:\windows\SysWOW64\msiexec16.exe | msiexec16.exe
File created | \??\c:\windows\SysWOW64\msiexec16.exe | Process not Found
File created | \??\c:\windows\SysWOW64\msiexec16.exe | msiexec16.exe
File created | \??\c:\windows\SysWOW64\msiexec16.exe | msiexec16.exe
File created | \??\c:\windows\SysWOW64\msiexec16.exe | msiexec16.exe
File created | \??\c:\windows\SysWOW64\msiexec16.exe | msiexec16.exe
File created | \??\c:\windows\SysWOW64\msiexec16.exe | msiexec16.exe
File created | \??\c:\windows\SysWOW64\msiexec16.exe | msiexec16.exe
File created | \??\c:\windows\SysWOW64\msiexec16.exe | msiexec16.exe
File created | \??\c:\windows\SysWOW64\msiexec16.exe | msiexec16.exe
File created | \??\c:\windows\SysWOW64\msiexec16.exe | msiexec16.exe
File created | \??\c:\windows\SysWOW64\msiexec16.exe | Process not Found
File created | \??\c:\windows\SysWOW64\msiexec16.exe | Process not Found
resource | yara_rule
behavioral2/memory/4536-0-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/files/0x000c000000023b43-4.dat | upx
behavioral2/memory/4536-8-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/2980-12-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/1328-14-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/980-17-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/1328-20-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/3236-23-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/2124-26-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/3944-29-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/3624-31-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/3368-33-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/3256-36-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/4308-39-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/1956-41-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/5020-44-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/1000-47-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/1948-50-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/1532-53-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/1080-56-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/2820-59-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/3680-62-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/5088-65-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/228-68-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/3476-71-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/4220-74-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/3164-77-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/3028-80-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/3656-83-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/3196-86-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/1304-89-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/3228-91-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/2052-94-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/1472-97-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/2956-100-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/3932-103-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/4784-106-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/4152-109-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/1592-111-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/4848-113-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/1592-116-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/2404-119-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/3664-122-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/2560-124-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/3048-126-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/2560-129-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/1848-132-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/3872-135-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/1044-138-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/1724-141-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/4724-144-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/1828-147-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/2388-150-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/3884-153-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/4288-156-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/3952-159-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/2348-162-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/2352-165-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/3384-168-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/4160-171-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/4740-174-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/952-177-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/4964-180-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/3888-183-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
4536 | 3da86fd13899e91e13bdee1162e43ac8_JaffaCakes118.exe
4536 | 3da86fd13899e91e13bdee1162e43ac8_JaffaCakes118.exe
2980 | msiexec16.exe
2980 | msiexec16.exe
980 | msiexec16.exe
980 | msiexec16.exe
1328 | msiexec16.exe
1328 | msiexec16.exe
3236 | msiexec16.exe
3236 | msiexec16.exe
2124 | msiexec16.exe
2124 | msiexec16.exe
3944 | msiexec16.exe
3944 | msiexec16.exe
3624 | msiexec16.exe
3624 | msiexec16.exe
3368 | msiexec16.exe
3368 | msiexec16.exe
3256 | msiexec16.exe
3256 | msiexec16.exe
4308 | msiexec16.exe
4308 | msiexec16.exe
1956 | msiexec16.exe
1956 | msiexec16.exe
5020 | msiexec16.exe
5020 | msiexec16.exe
1000 | msiexec16.exe
1000 | msiexec16.exe
1948 | msiexec16.exe
1948 | msiexec16.exe
1532 | msiexec16.exe
1532 | msiexec16.exe
1080 | msiexec16.exe
1080 | msiexec16.exe
2820 | msiexec16.exe
2820 | msiexec16.exe
3680 | msiexec16.exe
3680 | msiexec16.exe
5088 | msiexec16.exe
5088 | msiexec16.exe
228 | msiexec16.exe
228 | msiexec16.exe
3476 | msiexec16.exe
3476 | msiexec16.exe
4220 | msiexec16.exe
4220 | msiexec16.exe
3164 | msiexec16.exe
3164 | msiexec16.exe
3028 | msiexec16.exe
3028 | msiexec16.exe
3656 | msiexec16.exe
3656 | msiexec16.exe
3196 | msiexec16.exe
3196 | msiexec16.exe
1304 | msiexec16.exe
1304 | msiexec16.exe
3228 | msiexec16.exe
3228 | msiexec16.exe
2052 | msiexec16.exe
2052 | msiexec16.exe
1472 | msiexec16.exe
1472 | msiexec16.exe
2956 | msiexec16.exe
2956 | msiexec16.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4536 | 3da86fd13899e91e13bdee1162e43ac8_JaffaCakes118.exe
Token: SeDebugPrivilege | 4536 | 3da86fd13899e91e13bdee1162e43ac8_JaffaCakes118.exe
Token: SeDebugPrivilege | 2980 | msiexec16.exe
Token: SeDebugPrivilege | 2980 | msiexec16.exe
Token: SeDebugPrivilege | 980 | msiexec16.exe
Token: SeDebugPrivilege | 980 | msiexec16.exe
Token: SeDebugPrivilege | 1328 | msiexec16.exe
Token: SeDebugPrivilege | 1328 | msiexec16.exe
Token: SeDebugPrivilege | 3236 | msiexec16.exe
Token: SeDebugPrivilege | 3236 | msiexec16.exe
Token: SeDebugPrivilege | 2124 | msiexec16.exe
Token: SeDebugPrivilege | 2124 | msiexec16.exe
Token: SeDebugPrivilege | 3944 | msiexec16.exe
Token: SeDebugPrivilege | 3944 | msiexec16.exe
Token: SeDebugPrivilege | 3624 | msiexec16.exe
Token: SeDebugPrivilege | 3624 | msiexec16.exe
Token: SeDebugPrivilege | 3368 | msiexec16.exe
Token: SeDebugPrivilege | 3368 | msiexec16.exe
Token: SeDebugPrivilege | 3256 | msiexec16.exe
Token: SeDebugPrivilege | 3256 | msiexec16.exe
Token: SeDebugPrivilege | 4308 | msiexec16.exe
Token: SeDebugPrivilege | 4308 | msiexec16.exe
Token: SeDebugPrivilege | 1956 | msiexec16.exe
Token: SeDebugPrivilege | 1956 | msiexec16.exe
Token: SeDebugPrivilege | 5020 | msiexec16.exe
Token: SeDebugPrivilege | 5020 | msiexec16.exe
Token: SeDebugPrivilege | 1000 | msiexec16.exe
Token: SeDebugPrivilege | 1000 | msiexec16.exe
Token: SeDebugPrivilege | 1948 | msiexec16.exe
Token: SeDebugPrivilege | 1948 | msiexec16.exe
Token: SeDebugPrivilege | 1532 | msiexec16.exe
Token: SeDebugPrivilege | 1532 | msiexec16.exe
Token: SeDebugPrivilege | 1080 | msiexec16.exe
Token: SeDebugPrivilege | 1080 | msiexec16.exe
Token: SeDebugPrivilege | 2820 | msiexec16.exe
Token: SeDebugPrivilege | 2820 | msiexec16.exe
Token: SeDebugPrivilege | 3680 | msiexec16.exe
Token: SeDebugPrivilege | 3680 | msiexec16.exe
Token: SeDebugPrivilege | 5088 | msiexec16.exe
Token: SeDebugPrivilege | 5088 | msiexec16.exe
Token: SeDebugPrivilege | 228 | msiexec16.exe
Token: SeDebugPrivilege | 228 | msiexec16.exe
Token: SeDebugPrivilege | 3476 | msiexec16.exe
Token: SeDebugPrivilege | 3476 | msiexec16.exe
Token: SeDebugPrivilege | 4220 | msiexec16.exe
Token: SeDebugPrivilege | 4220 | msiexec16.exe
Token: SeDebugPrivilege | 3164 | msiexec16.exe
Token: SeDebugPrivilege | 3164 | msiexec16.exe
Token: SeDebugPrivilege | 3028 | msiexec16.exe
Token: SeDebugPrivilege | 3028 | msiexec16.exe
Token: SeDebugPrivilege | 3656 | msiexec16.exe
Token: SeDebugPrivilege | 3656 | msiexec16.exe
Token: SeDebugPrivilege | 3196 | msiexec16.exe
Token: SeDebugPrivilege | 3196 | msiexec16.exe
Token: SeDebugPrivilege | 1304 | msiexec16.exe
Token: SeDebugPrivilege | 1304 | msiexec16.exe
Token: SeDebugPrivilege | 3228 | msiexec16.exe
Token: SeDebugPrivilege | 3228 | msiexec16.exe
Token: SeDebugPrivilege | 2052 | msiexec16.exe
Token: SeDebugPrivilege | 2052 | msiexec16.exe
Token: SeDebugPrivilege | 1472 | msiexec16.exe
Token: SeDebugPrivilege | 1472 | msiexec16.exe
Token: SeDebugPrivilege | 2956 | msiexec16.exe
Token: SeDebugPrivilege | 2956 | msiexec16.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 4536 wrote to memory of 2980 | 4536 | 3da86fd13899e91e13bdee1162e43ac8_JaffaCakes118.exe | 85
PID 4536 wrote to memory of 2980 | 4536 | 3da86fd13899e91e13bdee1162e43ac8_JaffaCakes118.exe | 85
PID 4536 wrote to memory of 2980 | 4536 | 3da86fd13899e91e13bdee1162e43ac8_JaffaCakes118.exe | 85
PID 2980 wrote to memory of 980 | 2980 | msiexec16.exe | 86
PID 2980 wrote to memory of 980 | 2980 | msiexec16.exe | 86
PID 2980 wrote to memory of 980 | 2980 | msiexec16.exe | 86
PID 980 wrote to memory of 1328 | 980 | msiexec16.exe | 88
PID 980 wrote to memory of 1328 | 980 | msiexec16.exe | 88
PID 980 wrote to memory of 1328 | 980 | msiexec16.exe | 88
PID 1328 wrote to memory of 3236 | 1328 | msiexec16.exe | 89
PID 1328 wrote to memory of 3236 | 1328 | msiexec16.exe | 89
PID 1328 wrote to memory of 3236 | 1328 | msiexec16.exe | 89
PID 3236 wrote to memory of 2124 | 3236 | msiexec16.exe | 173
PID 3236 wrote to memory of 2124 | 3236 | msiexec16.exe | 173
PID 3236 wrote to memory of 2124 | 3236 | msiexec16.exe | 173
PID 2124 wrote to memory of 3944 | 2124 | msiexec16.exe | 91
PID 2124 wrote to memory of 3944 | 2124 | msiexec16.exe | 91
PID 2124 wrote to memory of 3944 | 2124 | msiexec16.exe | 91
PID 3944 wrote to memory of 3624 | 3944 | msiexec16.exe | 92
PID 3944 wrote to memory of 3624 | 3944 | msiexec16.exe | 92
PID 3944 wrote to memory of 3624 | 3944 | msiexec16.exe | 92
PID 3624 wrote to memory of 3368 | 3624 | msiexec16.exe | 93
PID 3624 wrote to memory of 3368 | 3624 | msiexec16.exe | 93
PID 3624 wrote to memory of 3368 | 3624 | msiexec16.exe | 93
PID 3368 wrote to memory of 3256 | 3368 | msiexec16.exe | 94
PID 3368 wrote to memory of 3256 | 3368 | msiexec16.exe | 94
PID 3368 wrote to memory of 3256 | 3368 | msiexec16.exe | 94
PID 3256 wrote to memory of 4308 | 3256 | msiexec16.exe | 95
PID 3256 wrote to memory of 4308 | 3256 | msiexec16.exe | 95
PID 3256 wrote to memory of 4308 | 3256 | msiexec16.exe | 95
PID 4308 wrote to memory of 1956 | 4308 | msiexec16.exe | 96
PID 4308 wrote to memory of 1956 | 4308 | msiexec16.exe | 96
PID 4308 wrote to memory of 1956 | 4308 | msiexec16.exe | 96
PID 1956 wrote to memory of 5020 | 1956 | msiexec16.exe | 97
PID 1956 wrote to memory of 5020 | 1956 | msiexec16.exe | 97
PID 1956 wrote to memory of 5020 | 1956 | msiexec16.exe | 97
PID 5020 wrote to memory of 1000 | 5020 | msiexec16.exe | 98
PID 5020 wrote to memory of 1000 | 5020 | msiexec16.exe | 98
PID 5020 wrote to memory of 1000 | 5020 | msiexec16.exe | 98
PID 1000 wrote to memory of 1948 | 1000 | msiexec16.exe | 99
PID 1000 wrote to memory of 1948 | 1000 | msiexec16.exe | 99
PID 1000 wrote to memory of 1948 | 1000 | msiexec16.exe | 99
PID 1948 wrote to memory of 1532 | 1948 | msiexec16.exe | 100
PID 1948 wrote to memory of 1532 | 1948 | msiexec16.exe | 100
PID 1948 wrote to memory of 1532 | 1948 | msiexec16.exe | 100
PID 1532 wrote to memory of 1080 | 1532 | msiexec16.exe | 101
PID 1532 wrote to memory of 1080 | 1532 | msiexec16.exe | 101
PID 1532 wrote to memory of 1080 | 1532 | msiexec16.exe | 101
PID 1080 wrote to memory of 2820 | 1080 | msiexec16.exe | 156
PID 1080 wrote to memory of 2820 | 1080 | msiexec16.exe | 156
PID 1080 wrote to memory of 2820 | 1080 | msiexec16.exe | 156
PID 2820 wrote to memory of 3680 | 2820 | msiexec16.exe | 103
PID 2820 wrote to memory of 3680 | 2820 | msiexec16.exe | 103
PID 2820 wrote to memory of 3680 | 2820 | msiexec16.exe | 103
PID 3680 wrote to memory of 5088 | 3680 | msiexec16.exe | 104
PID 3680 wrote to memory of 5088 | 3680 | msiexec16.exe | 104
PID 3680 wrote to memory of 5088 | 3680 | msiexec16.exe | 104
PID 5088 wrote to memory of 228 | 5088 | msiexec16.exe | 105
PID 5088 wrote to memory of 228 | 5088 | msiexec16.exe | 105
PID 5088 wrote to memory of 228 | 5088 | msiexec16.exe | 105
PID 228 wrote to memory of 3476 | 228 | msiexec16.exe | 106
PID 228 wrote to memory of 3476 | 228 | msiexec16.exe | 106
PID 228 wrote to memory of 3476 | 228 | msiexec16.exe | 106
PID 3476 wrote to memory of 4220 | 3476 | msiexec16.exe | 107
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\3da86fd13899e91e13bdee1162e43ac8_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\3da86fd13899e91e13bdee1162e43ac8_JaffaCakes118.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4536

Level 2: \??\c:\windows\SysWOW64\msiexec16.exe
Command line: "c:\windows\system32\msiexec16.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2980

Level 3: \??\c:\windows\SysWOW64\msiexec16.exe
Command line: "c:\windows\system32\msiexec16.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 980

Level 4: \??\c:\windows\SysWOW64\msiexec16.exe
Command line: "c:\windows\system32\msiexec16.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1328

Level 5: \??\c:\windows\SysWOW64\msiexec16.exe
Command line: "c:\windows\system32\msiexec16.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3236

Level 6: \??\c:\windows\SysWOW64\msiexec16.exe
Command line: "c:\windows\system32\msiexec16.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2124

Level 7: \??\c:\windows\SysWOW64\msiexec16.exe
Command line: "c:\windows\system32\msiexec16.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3944

Level 8: \??\c:\windows\SysWOW64\msiexec16.exe
Command line: "c:\windows\system32\msiexec16.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3624

Level 9: \??\c:\windows\SysWOW64\msiexec16.exe
Command line: "c:\windows\system32\msiexec16.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3368

Level 10: \??\c:\windows\SysWOW64\msiexec16.exe
Command line: "c:\windows\system32\msiexec16.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3256

Level 11: \??\c:\windows\SysWOW64\msiexec16.exe
Command line: "c:\windows\system32\msiexec16.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4308

Level 12: \??\c:\windows\SysWOW64\msiexec16.exe
Command line: "c:\windows\system32\msiexec16.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1956

Level 13: \??\c:\windows\SysWOW64\msiexec16.exe
Command line: "c:\windows\system32\msiexec16.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 5020

Level 14: \??\c:\windows\SysWOW64\msiexec16.exe
Command line: "c:\windows\system32\msiexec16.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1000

Level 15: \??\c:\windows\SysWOW64\msiexec16.exe
Command line: "c:\windows\system32\msiexec16.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1948

Level 16: \??\c:\windows\SysWOW64\msiexec16.exe
Command line: "c:\windows\system32\msiexec16.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1532

Level 17: \??\c:\windows\SysWOW64\msiexec16.exe
Command line: "c:\windows\system32\msiexec16.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1080

Level 18: \??\c:\windows\SysWOW64\msiexec16.exe
Command line: "c:\windows\system32\msiexec16.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2820

Level 19: \??\c:\windows\SysWOW64\msiexec16.exe
Command line: "c:\windows\system32\msiexec16.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3680

Level 20: \??\c:\windows\SysWOW64\msiexec16.exe
Command line: "c:\windows\system32\msiexec16.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 5088

Level 21: \??\c:\windows\SysWOW64\msiexec16.exe
Command line: "c:\windows\system32\msiexec16.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 228

Level 22: \??\c:\windows\SysWOW64\msiexec16.exe
Command line: "c:\windows\system32\msiexec16.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3476

Level 23: \??\c:\windows\SysWOW64\msiexec16.exe
Command line: "c:\windows\system32\msiexec16.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4220

Level 24: \??\c:\windows\SysWOW64\msiexec16.exe
Command line: "c:\windows\system32\msiexec16.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3164

Level 25: \??\c:\windows\SysWOW64\msiexec16.exe
Command line: "c:\windows\system32\msiexec16.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3028

Level 26: \??\c:\windows\SysWOW64\msiexec16.exe
Command line: "c:\windows\system32\msiexec16.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3656

Level 27: \??\c:\windows\SysWOW64\msiexec16.exe
Command line: "c:\windows\system32\msiexec16.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3196

Level 28: \??\c:\windows\SysWOW64\msiexec16.exe
Command line: "c:\windows\system32\msiexec16.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1304

Level 29: \??\c:\windows\SysWOW64\msiexec16.exe
Command line: "c:\windows\system32\msiexec16.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3228

Level 30: \??\c:\windows\SysWOW64\msiexec16.exe
Command line: "c:\windows\system32\msiexec16.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2052

Level 31: \??\c:\windows\SysWOW64\msiexec16.exe
Command line: "c:\windows\system32\msiexec16.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1472

Level 32: \??\c:\windows\SysWOW64\msiexec16.exe
Command line: "c:\windows\system32\msiexec16.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2956

Level 33: \??\c:\windows\SysWOW64\msiexec16.exe
Command line: "c:\windows\system32\msiexec16.exe"
- Executes dropped EXE
PID: 3932

Level 34: \??\c:\windows\SysWOW64\msiexec16.exe
Command line: "c:\windows\system32\msiexec16.exe"
- Executes dropped EXE
PID: 4784

Level 35: \??\c:\windows\SysWOW64\msiexec16.exe
Command line: "c:\windows\system32\msiexec16.exe"
- Executes dropped EXE
PID: 4152

Level 36: \??\c:\windows\SysWOW64\msiexec16.exe
Command line: "c:\windows\system32\msiexec16.exe"
- Executes dropped EXE
PID: 4848

Level 37: \??\c:\windows\SysWOW64\msiexec16.exe
Command line: "c:\windows\system32\msiexec16.exe"
- Executes dropped EXE
PID: 1592

Level 38: \??\c:\windows\SysWOW64\msiexec16.exe
Command line: "c:\windows\system32\msiexec16.exe"
- Executes dropped EXE
PID: 2404

Level 39: \??\c:\windows\SysWOW64\msiexec16.exe
Command line: "c:\windows\system32\msiexec16.exe"
- Executes dropped EXE
PID: 3664

Level 40: \??\c:\windows\SysWOW64\msiexec16.exe
Command line: "c:\windows\system32\msiexec16.exe"
- Executes dropped EXE
PID: 3048

Level 41: \??\c:\windows\SysWOW64\msiexec16.exe
Command line: "c:\windows\system32\msiexec16.exe"
- Executes dropped EXE
PID: 2560

Level 42: \??\c:\windows\SysWOW64\msiexec16.exe
Command line: "c:\windows\system32\msiexec16.exe"
- Executes dropped EXE
PID: 1848

Level 43: \??\c:\windows\SysWOW64\msiexec16.exe
Command line: "c:\windows\system32\msiexec16.exe"
- Executes dropped EXE
PID: 3872

Level 44: \??\c:\windows\SysWOW64\msiexec16.exe
Command line: "c:\windows\system32\msiexec16.exe"
- Executes dropped EXE
PID: 1044

Level 45: \??\c:\windows\SysWOW64\msiexec16.exe
Command line: "c:\windows\system32\msiexec16.exe"
- Executes dropped EXE
PID: 1724

Level 46: \??\c:\windows\SysWOW64\msiexec16.exe
Command line: "c:\windows\system32\msiexec16.exe"
- Executes dropped EXE
PID:4724 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"47⤵
- Executes dropped EXE
PID:1828 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"48⤵
- Executes dropped EXE
PID:2388 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"49⤵
- Executes dropped EXE
PID:3884 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"50⤵
- Executes dropped EXE
PID:4288 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"51⤵
- Executes dropped EXE
PID:3952 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"52⤵
- Executes dropped EXE
PID:2348 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"53⤵
- Executes dropped EXE
PID:2352 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"54⤵
- Executes dropped EXE
PID:3384 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"55⤵
- Executes dropped EXE
PID:4160 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"56⤵
- Executes dropped EXE
PID:4740 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"57⤵
- Executes dropped EXE
PID:952 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"58⤵
- Executes dropped EXE
PID:4964 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"59⤵
- Executes dropped EXE
PID:3888 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"60⤵
- Executes dropped EXE
PID:3932 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"61⤵
- Executes dropped EXE
PID:4784 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"62⤵
- Executes dropped EXE
PID:4360 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"63⤵
- Executes dropped EXE
PID:4848 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"64⤵
- Executes dropped EXE
PID:220 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"65⤵
- Executes dropped EXE
PID:2468 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"66⤵
PID:4068 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"67⤵
- System Location Discovery: System Language Discovery
PID:2444 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"68⤵
PID:4412 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"69⤵
PID:2564 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"70⤵
PID:4560 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"71⤵
PID:672 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"72⤵
- Drops file in System32 directory
PID:2820 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"73⤵
PID:4384 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"74⤵
PID:4508 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"75⤵
PID:1116 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"76⤵
PID:1264 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"77⤵
PID:5060 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"78⤵
PID:4728 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"79⤵
PID:3104 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"80⤵
PID:4820 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"81⤵
- System Location Discovery: System Language Discovery
PID:3212 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"82⤵
- Drops file in System32 directory
PID:3672 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"83⤵
PID:1960 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"84⤵
PID:3216 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"85⤵
PID:4240 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"86⤵
PID:3228 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"87⤵
PID:2068 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"88⤵
PID:1408 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"89⤵
PID:2124 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"90⤵
- System Location Discovery: System Language Discovery
PID:1668 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"91⤵
PID:2904 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"92⤵
PID:4296 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"93⤵
PID:2336 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"94⤵
PID:4016 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"95⤵
PID:5028 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"96⤵
PID:1012 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"97⤵
PID:3988 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"98⤵
PID:1520 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"99⤵
PID:2540 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"100⤵
PID:4104 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"101⤵
PID:1228 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"102⤵
PID:4512 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"103⤵
PID:1928 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"104⤵
PID:2640 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"105⤵
PID:1468 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"106⤵
PID:2268 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"107⤵
PID:3480 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"108⤵
PID:2644 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"109⤵
PID:1420 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"110⤵
PID:3104 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"111⤵
PID:3772 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"112⤵
PID:2672 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"113⤵
PID:4604 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"114⤵
PID:3672 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"115⤵
PID:4460 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"116⤵
PID:3216 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"117⤵
PID:2316 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"118⤵
PID:4792 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"119⤵
PID:4952 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"120⤵
PID:3968 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"121⤵
PID:3516 -
\??\c:\windows\SysWOW64\msiexec16.exe"c:\windows\system32\msiexec16.exe"122⤵
PID:3932 -
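The process tree above shows one dropped binary, msiexec16.exe, launching a copy of itself over a hundred levels deep from SysWOW64, with a command line that names system32 (WOW64 file-system redirection: a 32-bit process asking for system32 is served from SysWOW64). Two things make that pattern cheap to detect from process-creation telemetry: the image name is a real Windows binary name with digits glued on, and the parent chain is the same image path repeated. The script below is an added example written for this page, not output of the sandbox or code from the sample; it models records in the shape of Sysmon Event ID 1 with constructed GUIDs and PIDs, and the SYSTEM_BINARIES set and the depth threshold of 5 are assumptions. It keys the parent walk on process GUIDs rather than PIDs because this report reuses PIDs (3932 appears at depths 33, 60 and 122; 4784, 4848, 3104, 3672 and 3216 also recur).

```python
import re

# Names of real Windows binaries that malware likes to imitate. The set is an
# assumption for this example; msiexec is the only one the report shows.
SYSTEM_BINARIES = {"msiexec", "svchost", "lsass", "csrss", "explorer", "rundll32"}

# "<name><digits>.exe", e.g. msiexec16.exe. Real rundll32.exe does not match
# because its base "rundll" is not in SYSTEM_BINARIES.
MASQ_RE = re.compile(r"^(?P<base>[a-z]+)(?P<digits>\d+)\.exe$", re.I)
SYS_DIRS_RE = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def looks_like_masquerade(image: str) -> bool:
    """True for a system-binary name with digits appended, living in a system directory."""
    m = MASQ_RE.match(basename(image))
    return bool(m) and m.group("base").lower() in SYSTEM_BINARIES and bool(SYS_DIRS_RE.match(image))


def self_spawn_depth(events: list, guid: str) -> int:
    """Count consecutive ancestors (this process included) sharing one image path.

    Keyed on ProcessGuid/ParentProcessGuid rather than PID: the tree above reuses
    PIDs, so a PID-keyed parent map would join unrelated processes.
    """
    by_guid = {e["guid"]: e for e in events}
    proc = by_guid[guid]
    image = proc["image"].lower()
    depth = 1
    parent = by_guid.get(proc["pguid"])
    while parent is not None and parent["image"].lower() == image:
        depth += 1
        parent = by_guid.get(parent["pguid"])
    return depth


def detect(events: list, max_depth: int = 5) -> list:
    """Return (guid, pid, reasons) for every process that trips a rule."""
    findings = []
    for e in events:
        reasons = []
        if looks_like_masquerade(e["image"]):
            reasons.append("masquerade")
        depth = self_spawn_depth(events, e["guid"])
        if depth >= max_depth:
            reasons.append(f"self-spawn depth {depth}")
        if reasons:
            findings.append((e["guid"], e["pid"], reasons))
    return findings


def build_sample_chain(length: int = 8) -> list:
    """CONSTRUCTED records shaped like Sysmon Event ID 1; GUIDs and PIDs are made up.

    The command line says system32 while the image sits in SysWOW64, as in the
    report: WOW64 redirection for a 32-bit process. The rules above therefore
    key on the image path, never on the command-line string.
    """
    events = [{
        "guid": "G0", "pguid": "GROOT", "pid": 4000,
        "image": r"C:\Users\user\Desktop\3da86fd13899e91e13bdee1162e43ac8_JaffaCakes118.exe",
        "cmdline": r'"C:\Users\user\Desktop\3da86fd13899e91e13bdee1162e43ac8_JaffaCakes118.exe"',
    }]
    prev = "G0"
    for i in range(1, length + 1):
        events.append({
            "guid": f"G{i}", "pguid": prev, "pid": 3000 + (i % 3),  # deliberate PID reuse
            "image": r"C:\Windows\SysWOW64\msiexec16.exe",
            "cmdline": r'"c:\windows\system32\msiexec16.exe"',
        })
        prev = f"G{i}"
    # Control record: the genuine Windows Installer service binary, spawned once.
    events.append({
        "guid": "G_LEGIT", "pguid": "GROOT", "pid": 5000,
        "image": r"C:\Windows\System32\msiexec.exe",
        "cmdline": r'"C:\Windows\System32\msiexec.exe" /V',
    })
    return events


if __name__ == "__main__":
    for guid, pid, reasons in detect(build_sample_chain()):
        print(f"{guid} pid={pid}: {', '.join(reasons)}")
```

Run against the constructed chain, every msiexec16.exe record is flagged as a masquerade and the four deepest also trip the self-spawn rule, while the genuine msiexec.exe control record is left alone. On real telemetry, feed it Sysmon Event ID 1 (or the equivalent EDR process-start events) and keep the GUID keying; the same logic expressed as a recursive CTE or a Sigma correlation rule is the production form.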