Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
01-11-2024 08:03
Behavioral task
behavioral1
Sample
844aa6db07a6fc9429af86787e6c4c39_JaffaCakes118.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
844aa6db07a6fc9429af86787e6c4c39_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
844aa6db07a6fc9429af86787e6c4c39_JaffaCakes118.exe
-
Size
798KB
-
MD5
844aa6db07a6fc9429af86787e6c4c39
-
SHA1
95037249c76ead25eb0d899ec8e637f18dfc3742
-
SHA256
05cfa24e67e93f7b6aaa36c06fb11d1dbaaf244041adcb6a67e6b6c51d4b3a9b
-
SHA512
5a0a4166160f5ad30dd5810c1e2e831c2051de870027f0c0140246d293a7390c92e573c786a837690b6e80e2afb28808ee7695f0a915cb28e6726766456cb53f
-
SSDEEP
24576:ZCr/aUntOcE5k3W7kc49Wdc0OcZS/9vAh:ZE7EH2Qdc0Oc4/9vW
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modiloader family
-
ModiLoader Second Stage 64 IoCs
-
Executes dropped EXE 64 IoCs
-
Drops file in System32 directory 3 IoCs
Processes:
844aa6db07a6fc9429af86787e6c4c39_JaffaCakes118.exe
File created: C:\Windows\SysWOW64\Win Types\1.mzp (process: 844aa6db07a6fc9429af86787e6c4c39_JaffaCakes118.exe)
File created: C:\Windows\SysWOW64\Win Types\Win Const.exe (process: 844aa6db07a6fc9429af86787e6c4c39_JaffaCakes118.exe)
File opened for modification: C:\Windows\SysWOW64\Win Types\Win Const.exe (process: 844aa6db07a6fc9429af86787e6c4c39_JaffaCakes118.exe)
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\844aa6db07a6fc9429af86787e6c4c39_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\844aa6db07a6fc9429af86787e6c4c39_JaffaCakes118.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4272 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3964 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3224 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5016 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5068 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"9⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:932 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"11⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1816 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4012 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3520 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"14⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5116 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:228 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3324 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"17⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"18⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"19⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4380 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"20⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"21⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3292 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"22⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"23⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4836 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3280 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"25⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1084 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4016 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"27⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3320 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4160 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"29⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1812 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"30⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4744 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2024 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"32⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3936 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2404 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"34⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1340 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"35⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4808 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1580 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"37⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2256 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"38⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:656 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3472 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"40⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2908 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"41⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1816 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"42⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:612 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4916 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"44⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3680 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"45⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4068 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"46⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4444 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4992 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"48⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2348 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1448 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4612 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"51⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:228 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3324 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"53⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1312 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"54⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"55⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3944 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"56⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4988 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"57⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4232 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"58⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4404 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4448 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"60⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4052 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1952 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:224 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3840 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4928 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"65⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3260 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"66⤵PID:4996
-
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"67⤵
- System Location Discovery: System Language Discovery
PID:860 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"68⤵PID:2924
-
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"69⤵
- System Location Discovery: System Language Discovery
PID:600 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"70⤵
- System Location Discovery: System Language Discovery
PID:372 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"71⤵PID:1492
-
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"72⤵
- System Location Discovery: System Language Discovery
PID:4656 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"73⤵
- System Location Discovery: System Language Discovery
PID:2884 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"74⤵PID:4028
-
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"75⤵PID:2980
-
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"76⤵PID:1772
-
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"77⤵
- System Location Discovery: System Language Discovery
PID:1404 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"78⤵PID:4344
-
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"79⤵PID:444
-
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"80⤵PID:4116
-
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"81⤵
- System Location Discovery: System Language Discovery
PID:3664 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"82⤵
- System Location Discovery: System Language Discovery
PID:2240 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"83⤵
- System Location Discovery: System Language Discovery
PID:432 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"84⤵
- System Location Discovery: System Language Discovery
PID:808 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"85⤵
- System Location Discovery: System Language Discovery
PID:612 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"86⤵PID:1820
-
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"87⤵
- System Location Discovery: System Language Discovery
PID:1476 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"88⤵
- System Location Discovery: System Language Discovery
PID:4040 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"89⤵PID:2752
-
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"90⤵PID:4948
-
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"91⤵
- System Location Discovery: System Language Discovery
PID:1168 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"92⤵
- System Location Discovery: System Language Discovery
PID:552 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"93⤵
- System Location Discovery: System Language Discovery
PID:2348 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"94⤵
- System Location Discovery: System Language Discovery
PID:4936 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"95⤵PID:588
-
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"96⤵PID:3976
-
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"97⤵PID:4804
-
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"98⤵
- System Location Discovery: System Language Discovery
PID:3540 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"99⤵PID:3716
-
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"100⤵PID:4208
-
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"101⤵
- System Location Discovery: System Language Discovery
PID:1032 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"102⤵PID:3224
-
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"103⤵
- System Location Discovery: System Language Discovery
PID:2676 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"104⤵PID:4956
-
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"105⤵PID:4972
-
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"106⤵
- System Location Discovery: System Language Discovery
PID:3168 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"107⤵
- System Location Discovery: System Language Discovery
PID:1632 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"108⤵PID:3732
-
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"109⤵PID:1508
-
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"110⤵
- System Location Discovery: System Language Discovery
PID:3468 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"111⤵
- System Location Discovery: System Language Discovery
PID:4252 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"112⤵
- System Location Discovery: System Language Discovery
PID:4356 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"113⤵PID:3700
-
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"114⤵
- System Location Discovery: System Language Discovery
PID:1404 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"115⤵
- System Location Discovery: System Language Discovery
PID:4344 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"116⤵PID:656
-
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"117⤵
- System Location Discovery: System Language Discovery
PID:2328 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"118⤵
- System Location Discovery: System Language Discovery
PID:3664 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"119⤵PID:3920
-
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"120⤵
- System Location Discovery: System Language Discovery
PID:4968 -
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"121⤵PID:1940
-
C:\Windows\SysWOW64\Win Types\Win Const.exe"C:\Windows\system32\Win Types\Win Const.exe"122⤵
- System Location Discovery: System Language Discovery
PID:1424