Analysis
- max time kernel: 150s
- max time network: 128s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 01-11-2024 08:03
Behavioral task: behavioral1
- Sample: 844aa6db07a6fc9429af86787e6c4c39_JaffaCakes118.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: 844aa6db07a6fc9429af86787e6c4c39_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
- Target: 844aa6db07a6fc9429af86787e6c4c39_JaffaCakes118.exe
- Size: 798KB
- MD5: 844aa6db07a6fc9429af86787e6c4c39
- SHA1: 95037249c76ead25eb0d899ec8e637f18dfc3742
- SHA256: 05cfa24e67e93f7b6aaa36c06fb11d1dbaaf244041adcb6a67e6b6c51d4b3a9b
- SHA512: 5a0a4166160f5ad30dd5810c1e2e831c2051de870027f0c0140246d293a7390c92e573c786a837690b6e80e2afb28808ee7695f0a915cb28e6726766456cb53f
- SSDEEP: 24576:ZCr/aUntOcE5k3W7kc49Wdc0OcZS/9vAh:ZE7EH2Qdc0Oc4/9vW
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Modiloader family
- ModiLoader Second Stage (64 IoCs)
  Table columns: resource, yara_rule. Every row matches the yara rule modiloader_stage2.
  behavioral1/files/0x0007000000019547-2.dat
  behavioral1/memory/<pid>-<n>-0x0000000013140000-0x0000000013151000-memory.dmp, one row for each <pid>-<n> below (all 63 dumps cover the same range 0x0000000013140000-0x0000000013151000):
  2536-9, 2444-14, 2784-18, 2732-22, 2708-26, 2848-30, 2332-34, 2704-38, 2604-42, 2712-46, 2824-50, 2572-54, 1840-58, 396-62, 3008-66, 2228-70, 2844-74, 1956-78, 2396-82, 1380-86,
  340-90, 2144-91, 2304-92, 800-93, 588-94, 2212-95, 2088-96, 1216-97, 2084-98, 1412-99, 2420-100, 2292-101, 2356-102, 2120-103, 1808-104, 1368-105, 2176-106, 980-107, 2480-108, 1536-109, 1724-110,
  2156-111, 2004-112, 2208-113, 1472-114, 1528-115, 1508-116, 2840-117, 1848-118, 1604-119, 2080-120, 1248-121, 3000-122, 2528-123, 1676-124, 2060-125, 2964-126, 2676-127, 880-128, 1996-129, 2516-130, 1584-131,
  1756-132
- Executes dropped EXE (64 IoCs)
  Table columns: pid, Process. Every row is the process Win Const.exe; the 64 pids in table order are:
  2444, 2784, 2732, 2708, 2848, 2332, 2704, 2604, 2712, 2824, 2572, 1840, 396, 3008, 2228, 2844, 1956, 2396, 1380, 340, 2144, 2304, 800, 588, 2212, 2088, 1216, 2084, 1412, 2420, 2292, 2356, 2120, 1808, 1368, 2176, 980, 2480, 1536, 1724, 2156, 2004, 2208, 1472, 1528, 1508, 2840, 1848, 1604, 2080, 1248, 3000, 2528, 1676, 2060, 2964, 2676, 880, 1996, 2516, 1584, 1756, 2316, 2448
- Loads dropped DLL (64 IoCs)
  Table columns: pid, Process. Each process appears in two consecutive rows (two DLL loads per process):
  2536 844aa6db07a6fc9429af86787e6c4c39_JaffaCakes118.exe (2 rows)
  Win Const.exe, 2 rows for each of the pids: 2444, 2784, 2732, 2708, 2848, 2332, 2704, 2604, 2712, 2824, 2572, 1840, 396, 3008, 2228, 2844, 1956, 2396, 1380, 340, 2144, 2304, 800, 588, 2212, 2088, 1216, 2084, 1412, 2420, 2292
- Drops file in System32 directory (3 IoCs)
  Table columns: description, ioc, Process.
  File created: C:\Windows\SysWOW64\Win Types\1.mzp (844aa6db07a6fc9429af86787e6c4c39_JaffaCakes118.exe)
  File created: C:\Windows\SysWOW64\Win Types\Win Const.exe (844aa6db07a6fc9429af86787e6c4c39_JaffaCakes118.exe)
  File opened for modification: C:\Windows\SysWOW64\Win Types\Win Const.exe (844aa6db07a6fc9429af86787e6c4c39_JaffaCakes118.exe)
- System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Table columns: description, ioc, Process. Every row is "Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"; in table order the Process column reads:
  Win Const.exe (15 rows)
  844aa6db07a6fc9429af86787e6c4c39_JaffaCakes118.exe (1 row)
  Win Const.exe (48 rows)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Table columns: description, pid, Process. Every row is "Token: SeDebugPrivilege".
  2536 844aa6db07a6fc9429af86787e6c4c39_JaffaCakes118.exe
  Win Const.exe, one row for each of the pids: 2444, 2784, 2732, 2708, 2848, 2332, 2704, 2604, 2712, 2824, 2572, 1840, 396, 3008, 2228, 2844, 1956, 2396, 1380, 340, 2144, 2304, 800, 588, 2212, 2088, 1216, 2084, 1412, 2420, 2292, 2356, 2120, 1808, 1368, 2176, 980, 2480, 1536, 1724, 2156, 2004, 2208, 1472, 1528, 1508, 2840, 1848, 1604, 2080, 1248, 3000, 2528, 1676, 2060, 2964, 2676, 880, 1996, 2516, 1584, 1756, 2316
- Suspicious use of WriteProcessMemory (64 IoCs)
  Table columns: description, pid, Process, procid_target. Each "PID <parent> wrote to memory of <child>" event is recorded in four consecutive rows; the 16 distinct events in table order are:
  PID 2536 wrote to memory of 2444 (844aa6db07a6fc9429af86787e6c4c39_JaffaCakes118.exe, procid_target 30)
  PID 2444 wrote to memory of 2784 (Win Const.exe, procid_target 31)
  PID 2784 wrote to memory of 2732 (Win Const.exe, procid_target 32)
  PID 2732 wrote to memory of 2708 (Win Const.exe, procid_target 33)
  PID 2708 wrote to memory of 2848 (Win Const.exe, procid_target 34)
  PID 2848 wrote to memory of 2332 (Win Const.exe, procid_target 35)
  PID 2332 wrote to memory of 2704 (Win Const.exe, procid_target 36)
  PID 2704 wrote to memory of 2604 (Win Const.exe, procid_target 37)
  PID 2604 wrote to memory of 2712 (Win Const.exe, procid_target 38)
  PID 2712 wrote to memory of 2824 (Win Const.exe, procid_target 39)
  PID 2824 wrote to memory of 2572 (Win Const.exe, procid_target 40)
  PID 2572 wrote to memory of 1840 (Win Const.exe, procid_target 41)
  PID 1840 wrote to memory of 396 (Win Const.exe, procid_target 42)
  PID 396 wrote to memory of 3008 (Win Const.exe, procid_target 43)
  PID 3008 wrote to memory of 2228 (Win Const.exe, procid_target 44)
  PID 2228 wrote to memory of 2844 (Win Const.exe, procid_target 45)
Processes
-
C:\Users\Admin\AppData\Local\Temp\844aa6db07a6fc9429af86787e6c4c39_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\844aa6db07a6fc9429af86787e6c4c39_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"13⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1840 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:396 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2228
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2844
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 18⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1956
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 19⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2396
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 20⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1380
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:340
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 22⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2144
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 23⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2304
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:800
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:588
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 26⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2212
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 27⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2088
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 28⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1216
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2084
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 30⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1412
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2420
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2292
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 33⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2356
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 34⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2120
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1808
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1368
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2176
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 38⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:980
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2480
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 40⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1536
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 41⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1724
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 42⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2156
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2004
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 44⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2208
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1472
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 46⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1528
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 47⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1508
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2840
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 49⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1848
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 50⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1604
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2080
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 52⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1248
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 53⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3000
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 54⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2528
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 55⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1676
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 56⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2060
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 57⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2964
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 58⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2676
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:880
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 60⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1996
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2516
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 62⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1584
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1756
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2316
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2448
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 66⤵
PID:2700
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 67⤵
PID:2812
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 68⤵
- System Location Discovery: System Language Discovery
PID:2788
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 69⤵
PID:2976
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 70⤵
- System Location Discovery: System Language Discovery
PID:2868
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 71⤵
PID:2752
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 72⤵
- System Location Discovery: System Language Discovery
PID:2692
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 73⤵
PID:2616
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 74⤵
- System Location Discovery: System Language Discovery
PID:2052
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 75⤵
- System Location Discovery: System Language Discovery
PID:2764
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 76⤵
PID:2636
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 77⤵
PID:2664
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 78⤵
- System Location Discovery: System Language Discovery
PID:2608
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 79⤵
- System Location Discovery: System Language Discovery
PID:3060
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 80⤵
- System Location Discovery: System Language Discovery
PID:3064
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 81⤵
PID:3056
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 82⤵
- System Location Discovery: System Language Discovery
PID:2688
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 83⤵
PID:1296
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 84⤵
- System Location Discovery: System Language Discovery
PID:2948
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 85⤵
- System Location Discovery: System Language Discovery
PID:772
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 86⤵
PID:1028
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 87⤵
PID:552
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 88⤵
PID:2392
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 89⤵
PID:2680
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 90⤵
PID:2044
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 91⤵
- System Location Discovery: System Language Discovery
PID:2396
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 92⤵
- System Location Discovery: System Language Discovery
PID:2768
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 93⤵
PID:860
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 94⤵
- System Location Discovery: System Language Discovery
PID:2956
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 95⤵
PID:1688
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 96⤵
- System Location Discovery: System Language Discovery
PID:2144
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 97⤵
- System Location Discovery: System Language Discovery
PID:2304
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 98⤵
PID:800
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 99⤵
- System Location Discovery: System Language Discovery
PID:588
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 100⤵
- System Location Discovery: System Language Discovery
PID:1732
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 101⤵
- System Location Discovery: System Language Discovery
PID:2088
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 102⤵
PID:2116
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 103⤵
PID:2196
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 104⤵
PID:1412
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 105⤵
PID:2104
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 106⤵
PID:2328
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 107⤵
PID:2356
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 108⤵
- System Location Discovery: System Language Discovery
PID:2120
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 109⤵
PID:1808
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 110⤵
- System Location Discovery: System Language Discovery
PID:2020
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 111⤵
- System Location Discovery: System Language Discovery
PID:2176
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 112⤵
- System Location Discovery: System Language Discovery
PID:980
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 113⤵
PID:1788
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 114⤵
- System Location Discovery: System Language Discovery
PID:2480
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 115⤵
PID:1536
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 116⤵
- System Location Discovery: System Language Discovery
PID:280
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 117⤵
- System Location Discovery: System Language Discovery
PID:1908
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 118⤵
- System Location Discovery: System Language Discovery
PID:1920
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 119⤵
- System Location Discovery: System Language Discovery
PID:1292
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 120⤵
PID:1548
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 121⤵
PID:1528
C:\Windows\SysWOW64\Win Types\Win Const.exe "C:\Windows\system32\Win Types\Win Const.exe" 122⤵
- System Location Discovery: System Language Discovery
PID:1964