Analysis
- max time kernel: 42s
- max time network: 19s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 13/10/2024, 12:54
Behavioral task: behavioral1
- Sample: 3ff7965a2969e79dbe794fcb40c4872a_JaffaCakes118.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: 3ff7965a2969e79dbe794fcb40c4872a_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
- Target: 3ff7965a2969e79dbe794fcb40c4872a_JaffaCakes118.exe
- Size: 83KB
- MD5: 3ff7965a2969e79dbe794fcb40c4872a
- SHA1: 834ce35cbdb28944fea1cb11ede45410cdfb52ec
- SHA256: d8b13bc5e2e45119b95f015503d6b43c4aebd22845e398f19b5fff77d960555f
- SHA512: 7e726dc846898c853b6f17b5f495da85d30237707980c9085d47c749417aeff3bbe383b7cce816d02444ad4d18d5b84bd6300250a693390595b733b75fd1281c
- SSDEEP: 1536:UKleE1ogL6gxNmmciUb7DMZPv5sq8L36lMKnjgPrASGwyXDBfqCje3NqHN0VS7m:UKlvLHNGNvDMZ5sqFMNkLwy9qc0V6m
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid | Process
2768 | cmd.exe
-
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Adds Run key to start application 2 TTPs 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MSN Configs = "msnconfig.exe" | msnconfig.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MSN Configs = "msnconfig.exe" | 3ff7965a2969e79dbe794fcb40c4872a_JaffaCakes118.exe
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Drops file in System32 directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\msnconfig.exe | msnconfig.exe
File created | C:\Windows\SysWOW64\msnconfig.exe | msnconfig.exe
File created | C:\Windows\SysWOW64\msnconfig.exe | 3ff7965a2969e79dbe794fcb40c4872a_JaffaCakes118.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msnconfig.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3ff7965a2969e79dbe794fcb40c4872a_JaffaCakes118.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3ff7965a2969e79dbe794fcb40c4872a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3ff7965a2969e79dbe794fcb40c4872a_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1352 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"8⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"9⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:964 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"10⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3064 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"11⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1472 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"12⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2528 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"13⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1168 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"14⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2984 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"15⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2128 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"16⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1724 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"17⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2272 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"18⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2420 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"19⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:920 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"20⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1364 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"21⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2888 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"22⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2708 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"23⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2724 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"24⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1884 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"25⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2248 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"26⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:548 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"27⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1688 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"28⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1380 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"29⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1672 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"30⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1644 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"31⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2188 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2524 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"33⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2924 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"34⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2528 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"35⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2348 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"36⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2372 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"37⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3048 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"38⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2304 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"39⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1016 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"40⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2420 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"41⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3012 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"42⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2960 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"43⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:536 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"44⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2676 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"45⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2896 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"46⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1292 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"47⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3028 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"48⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2196 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"49⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1604 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"50⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1712 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"51⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2008 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"52⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2148 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"53⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2948 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"54⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2480 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"55⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2208 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"56⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1728 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"57⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:928 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"58⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1884 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"59⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2316 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"60⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1328 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"61⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2764 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"62⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1600 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"63⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:944 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"64⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2712 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"65⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2132 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"66⤵
- Drops file in System32 directory
PID:1892 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"67⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:2192 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"68⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:1680 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"69⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:1532 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"70⤵
- Drops file in System32 directory
PID:1252 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"71⤵
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1700 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"72⤵
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2340 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"73⤵PID:2396
-
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"74⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:2780 -
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"75⤵PID:2028
-
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"76⤵PID:316
-
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"77⤵PID:2616
-
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"78⤵PID:548
-
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"79⤵PID:1544
-
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"80⤵PID:1964
-
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"81⤵PID:1752
-
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"82⤵PID:1328
-
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"83⤵PID:668
-
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"84⤵PID:2680
-
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"85⤵PID:2864
-
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"86⤵PID:2688
-
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"87⤵PID:2516
-
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"88⤵PID:2348
-
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"89⤵PID:1244
-
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"90⤵PID:436
-
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"91⤵PID:856
-
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"92⤵PID:2468
-
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"93⤵PID:2604
-
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"94⤵PID:1496
-
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"95⤵PID:2944
-
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"96⤵PID:2696
-
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"97⤵PID:316
-
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"98⤵PID:840
-
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"99⤵PID:2500
-
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"100⤵PID:1956
-
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"101⤵PID:1216
-
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"102⤵PID:524
-
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"103⤵PID:2308
-
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"104⤵PID:2720
-
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"105⤵PID:2284
-
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"106⤵PID:980
-
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"107⤵PID:1512
-
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"108⤵PID:2860
-
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"109⤵PID:2096
-
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"110⤵PID:2364
-
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"111⤵PID:1704
-
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"112⤵PID:2344
-
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"113⤵PID:2932
-
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"114⤵PID:2288
-
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"115⤵PID:2716
-
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"116⤵PID:2080
-
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"117⤵PID:3000
-
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"118⤵PID:1140
-
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"119⤵PID:2724
-
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"120⤵PID:1072
-
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"121⤵PID:2424
-
C:\Windows\SysWOW64\msnconfig.exe"C:\Windows\system32\msnconfig.exe"122⤵PID:2352
-