Analysis
max time kernel
24s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags
arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
submitted
29/08/2024, 14:31
Static task
static1
Behavioral task
behavioral1
Sample
c903194d16f0f498ac4634fd3abc1a0a_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
c903194d16f0f498ac4634fd3abc1a0a_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
Target
c903194d16f0f498ac4634fd3abc1a0a_JaffaCakes118.exe
Size
1.4MB
MD5
c903194d16f0f498ac4634fd3abc1a0a
SHA1
0b8ecc8a9a178d521a767762364c1f4b0f14a151
SHA256
8de128d2fff187d5688ec49d3546b692ae9ca978a8bb860a34600fa7168223d0
SHA512
7b1278f989672d39a8def223225719fafff353ba0644dc9345f473ad8154206bafb44d636659d2011476021db27046c4a396284e893c2d19be828338ab1720f6
SSDEEP
24576:mbYU9b03izz9FBENPYjFcFko9qYQTKy2tzmE8sH3bRZuEW4Bs9JgmoEnRrwc:VU0ilFMPYmCo9NaHnsH3bTuLWuJ7VnR8
Malware Config
Signatures
Modifies security service 2 TTPs 39 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" csrss.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" csrss.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" csrss.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" csrss.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" csrss.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" csrss.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" csrss.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" csrss.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" csrss.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" csrss.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" csrss.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" csrss.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" csrss.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" csrss.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" csrss.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" csrss.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" csrss.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" csrss.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" csrss.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" csrss.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" csrss.exe Set value (str) 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" csrss.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" csrss.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" csrss.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" csrss.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" csrss.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" csrss.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" csrss.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" client.exe.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" csrss.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" csrss.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" csrss.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" csrss.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" csrss.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" csrss.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" csrss.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" csrss.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" csrss.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" csrss.exe -
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security 
Center\UpdatesDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" csrss.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 
csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" client.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" client.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" csrss.exe -
Disables RegEdit via registry modification 39 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" client.exe.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe -
Disables Task Manager via registry modification
resource yara_rule behavioral1/files/0x0007000000018b6e-20.dat aspack_v212_v242
Executes dropped EXE 64 IoCs
pid Process 2104 client.exe.exe 2432 client.exe.exe 2176 Adobe.CS5.All-Products.Activator.exe 2008 csrss.exe 2608 csrss.exe 2664 csrss.exe 1856 csrss.exe 2580 csrss.exe 2964 csrss.exe 3000 csrss.exe 3020 csrss.exe 2856 csrss.exe 2684 csrss.exe 1248 csrss.exe 1360 csrss.exe 1824 csrss.exe 1344 csrss.exe 2220 csrss.exe 2332 csrss.exe 1412 csrss.exe 2152 csrss.exe 1668 csrss.exe 660 csrss.exe 2248 csrss.exe 2036 csrss.exe 1488 csrss.exe 1628 csrss.exe 976 csrss.exe 472 csrss.exe 816 csrss.exe 1012 csrss.exe 1100 csrss.exe 1804 csrss.exe 1568 csrss.exe 2124 csrss.exe 2520 csrss.exe 1120 csrss.exe 2588 csrss.exe 2820 csrss.exe 2864 csrss.exe 2816 csrss.exe 2780 csrss.exe 2008 csrss.exe 2312 csrss.exe 2680 csrss.exe 2848 csrss.exe 832 csrss.exe 2960 csrss.exe 568 csrss.exe 1316 csrss.exe 2672 csrss.exe 2852 csrss.exe 2712 csrss.exe 2496 csrss.exe 2188 csrss.exe 1284 csrss.exe 2024 csrss.exe 2352 csrss.exe 2464 csrss.exe 1880 csrss.exe 2264 csrss.exe 1412 csrss.exe 2204 csrss.exe 1736 csrss.exe -
Loads dropped DLL 64 IoCs
pid Process 2532 c903194d16f0f498ac4634fd3abc1a0a_JaffaCakes118.exe 2532 c903194d16f0f498ac4634fd3abc1a0a_JaffaCakes118.exe 2532 c903194d16f0f498ac4634fd3abc1a0a_JaffaCakes118.exe 2104 client.exe.exe 2176 Adobe.CS5.All-Products.Activator.exe 2432 client.exe.exe 2432 client.exe.exe 2608 csrss.exe 2608 csrss.exe 1856 csrss.exe 1856 csrss.exe 2964 csrss.exe 2964 csrss.exe 3020 csrss.exe 3020 csrss.exe 2684 csrss.exe 2684 csrss.exe 1360 csrss.exe 1360 csrss.exe 1344 csrss.exe 1344 csrss.exe 2332 csrss.exe 2332 csrss.exe 2152 csrss.exe 2152 csrss.exe 660 csrss.exe 660 csrss.exe 2036 csrss.exe 2036 csrss.exe 1628 csrss.exe 1628 csrss.exe 472 csrss.exe 472 csrss.exe 1012 csrss.exe 1012 csrss.exe 1804 csrss.exe 1804 csrss.exe 2124 csrss.exe 2124 csrss.exe 1120 csrss.exe 1120 csrss.exe 2820 csrss.exe 2820 csrss.exe 2816 csrss.exe 2816 csrss.exe 2008 csrss.exe 2008 csrss.exe 2680 csrss.exe 2680 csrss.exe 832 csrss.exe 832 csrss.exe 568 csrss.exe 568 csrss.exe 2672 csrss.exe 2672 csrss.exe 2712 csrss.exe 2712 csrss.exe 2188 csrss.exe 2188 csrss.exe 2024 csrss.exe 2024 csrss.exe 2464 csrss.exe 2464 csrss.exe 2264 csrss.exe -
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" csrss.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" client.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security 
Center\UpdatesDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" csrss.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" client.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" csrss.exe -
Adds Run key to start application 2 TTPs 39 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "C:\\Windows\\system32\\1033\\csrss.exe" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "C:\\Windows\\system32\\1033\\csrss.exe" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "C:\\Windows\\system32\\1033\\csrss.exe" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "C:\\Windows\\system32\\1033\\csrss.exe" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "C:\\Windows\\system32\\1033\\csrss.exe" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "C:\\Windows\\system32\\1033\\csrss.exe" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "C:\\Windows\\system32\\1033\\csrss.exe" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "C:\\Windows\\system32\\1033\\csrss.exe" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "C:\\Windows\\system32\\1033\\csrss.exe" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "C:\\Windows\\system32\\1033\\csrss.exe" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = 
"C:\\Windows\\system32\\1033\\csrss.exe" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "C:\\Windows\\system32\\1033\\csrss.exe" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "C:\\Windows\\system32\\1033\\csrss.exe" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "C:\\Windows\\system32\\1033\\csrss.exe" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "C:\\Windows\\system32\\1033\\csrss.exe" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "C:\\Windows\\system32\\1033\\csrss.exe" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "C:\\Windows\\system32\\1033\\csrss.exe" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "C:\\Windows\\system32\\1033\\csrss.exe" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "C:\\Windows\\system32\\1033\\csrss.exe" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "C:\\Windows\\system32\\1033\\csrss.exe" client.exe.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "C:\\Windows\\system32\\1033\\csrss.exe" csrss.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "C:\\Windows\\system32\\1033\\csrss.exe" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "C:\\Windows\\system32\\1033\\csrss.exe" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "C:\\Windows\\system32\\1033\\csrss.exe" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "C:\\Windows\\system32\\1033\\csrss.exe" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "C:\\Windows\\system32\\1033\\csrss.exe" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "C:\\Windows\\system32\\1033\\csrss.exe" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "C:\\Windows\\system32\\1033\\csrss.exe" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "C:\\Windows\\system32\\1033\\csrss.exe" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "C:\\Windows\\system32\\1033\\csrss.exe" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "C:\\Windows\\system32\\1033\\csrss.exe" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "C:\\Windows\\system32\\1033\\csrss.exe" csrss.exe 
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "C:\\Windows\\system32\\1033\\csrss.exe" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "C:\\Windows\\system32\\1033\\csrss.exe" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "C:\\Windows\\system32\\1033\\csrss.exe" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "C:\\Windows\\system32\\1033\\csrss.exe" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "C:\\Windows\\system32\\1033\\csrss.exe" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "C:\\Windows\\system32\\1033\\csrss.exe" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "C:\\Windows\\system32\\1033\\csrss.exe" csrss.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\1033\ csrss.exe File opened for modification C:\Windows\SysWOW64\1033\csrss.exe csrss.exe File created C:\Windows\SysWOW64\1033\csrss.exe csrss.exe File created C:\Windows\SysWOW64\1033\csrss.exe csrss.exe File opened for modification C:\Windows\SysWOW64\1033\csrss.exe csrss.exe File opened for modification C:\Windows\SysWOW64\1033\ csrss.exe File created C:\Windows\SysWOW64\1033\csrss.exe csrss.exe File opened for modification C:\Windows\SysWOW64\1033\ csrss.exe File opened for modification C:\Windows\SysWOW64\1033\csrss.exe csrss.exe File opened for modification C:\Windows\SysWOW64\1033\csrss.exe csrss.exe File opened for modification C:\Windows\SysWOW64\1033\csrss.exe csrss.exe File opened for modification C:\Windows\SysWOW64\1033\ csrss.exe File opened for modification C:\Windows\SysWOW64\1033\ csrss.exe File opened for modification C:\Windows\SysWOW64\1033\csrss.exe csrss.exe File created C:\Windows\SysWOW64\1033\csrss.exe csrss.exe File opened for modification C:\Windows\SysWOW64\1033\csrss.exe csrss.exe File opened for modification C:\Windows\SysWOW64\1033\csrss.exe csrss.exe File opened for modification C:\Windows\SysWOW64\1033\csrss.exe client.exe.exe File opened for modification C:\Windows\SysWOW64\1033\csrss.exe csrss.exe File opened for modification C:\Windows\SysWOW64\1033\csrss.exe csrss.exe File opened for modification C:\Windows\SysWOW64\1033\ csrss.exe File created C:\Windows\SysWOW64\1033\csrss.exe csrss.exe File opened for modification C:\Windows\SysWOW64\1033\csrss.exe csrss.exe File opened for modification C:\Windows\SysWOW64\1033\ client.exe.exe File opened for modification C:\Windows\SysWOW64\1033\csrss.exe csrss.exe File opened for modification C:\Windows\SysWOW64\1033\ csrss.exe File opened for modification C:\Windows\SysWOW64\1033\csrss.exe csrss.exe File opened for modification C:\Windows\SysWOW64\1033\csrss.exe csrss.exe File created 
C:\Windows\SysWOW64\1033\csrss.exe csrss.exe File created C:\Windows\SysWOW64\1033\csrss.exe csrss.exe File opened for modification C:\Windows\SysWOW64\1033\ csrss.exe File opened for modification C:\Windows\SysWOW64\1033\ csrss.exe File created C:\Windows\SysWOW64\1033\csrss.exe csrss.exe File opened for modification C:\Windows\SysWOW64\1033\csrss.exe csrss.exe File opened for modification C:\Windows\SysWOW64\1033\ csrss.exe File created C:\Windows\SysWOW64\1033\csrss.exe csrss.exe File opened for modification C:\Windows\SysWOW64\1033\csrss.exe csrss.exe File opened for modification C:\Windows\SysWOW64\1033\ csrss.exe File opened for modification C:\Windows\SysWOW64\1033\ csrss.exe File opened for modification C:\Windows\SysWOW64\1033\ csrss.exe File created C:\Windows\SysWOW64\1033\csrss.exe csrss.exe File opened for modification C:\Windows\SysWOW64\1033\csrss.exe csrss.exe File opened for modification C:\Windows\SysWOW64\1033\ csrss.exe File opened for modification C:\Windows\SysWOW64\1033\ csrss.exe File created C:\Windows\SysWOW64\1033\csrss.exe csrss.exe File opened for modification C:\Windows\SysWOW64\1033\ csrss.exe File opened for modification C:\Windows\SysWOW64\1033\ csrss.exe File created C:\Windows\SysWOW64\1033\csrss.exe csrss.exe File opened for modification C:\Windows\SysWOW64\1033\csrss.exe csrss.exe File created C:\Windows\SysWOW64\1033\csrss.exe csrss.exe File opened for modification C:\Windows\SysWOW64\1033\ csrss.exe File created C:\Windows\SysWOW64\1033\csrss.exe csrss.exe File opened for modification C:\Windows\SysWOW64\1033\ csrss.exe File opened for modification C:\Windows\SysWOW64\1033\csrss.exe csrss.exe File opened for modification C:\Windows\SysWOW64\1033\csrss.exe csrss.exe File opened for modification C:\Windows\SysWOW64\1033\ csrss.exe File opened for modification C:\Windows\SysWOW64\1033\csrss.exe csrss.exe File opened for modification C:\Windows\SysWOW64\1033\ csrss.exe File created C:\Windows\SysWOW64\1033\csrss.exe csrss.exe File 
opened for modification C:\Windows\SysWOW64\1033\ csrss.exe File created C:\Windows\SysWOW64\1033\csrss.exe csrss.exe File opened for modification C:\Windows\SysWOW64\1033\ csrss.exe File created C:\Windows\SysWOW64\1033\csrss.exe csrss.exe File opened for modification C:\Windows\SysWOW64\1033\ csrss.exe -
Suspicious use of SetThreadContext 38 IoCs
description pid Process procid_target PID 2104 set thread context of 2432 2104 client.exe.exe 31 PID 2008 set thread context of 2608 2008 csrss.exe 34 PID 2664 set thread context of 1856 2664 csrss.exe 36 PID 2580 set thread context of 2964 2580 csrss.exe 38 PID 3000 set thread context of 3020 3000 csrss.exe 40 PID 2856 set thread context of 2684 2856 csrss.exe 42 PID 1248 set thread context of 1360 1248 csrss.exe 44 PID 1824 set thread context of 1344 1824 csrss.exe 46 PID 2220 set thread context of 2332 2220 csrss.exe 48 PID 1412 set thread context of 2152 1412 csrss.exe 50 PID 1668 set thread context of 660 1668 csrss.exe 52 PID 2248 set thread context of 2036 2248 csrss.exe 54 PID 1488 set thread context of 1628 1488 csrss.exe 56 PID 976 set thread context of 472 976 csrss.exe 58 PID 816 set thread context of 1012 816 csrss.exe 60 PID 1100 set thread context of 1804 1100 csrss.exe 191 PID 1568 set thread context of 2124 1568 csrss.exe 195 PID 2520 set thread context of 1120 2520 csrss.exe 66 PID 2588 set thread context of 2820 2588 csrss.exe 199 PID 2864 set thread context of 2816 2864 csrss.exe 70 PID 2780 set thread context of 2008 2780 csrss.exe 159 PID 2312 set thread context of 2680 2312 csrss.exe 74 PID 2848 set thread context of 832 2848 csrss.exe 252 PID 2960 set thread context of 568 2960 csrss.exe 78 PID 1316 set thread context of 2672 1316 csrss.exe 80 PID 2852 set thread context of 2712 2852 csrss.exe 82 PID 2496 set thread context of 2188 2496 csrss.exe 342 PID 1284 set thread context of 2024 1284 csrss.exe 86 PID 2352 set thread context of 2464 2352 csrss.exe 348 PID 1880 set thread context of 2264 1880 csrss.exe 438 PID 1412 set thread context of 2204 1412 csrss.exe 310 PID 1736 set thread context of 1728 1736 csrss.exe 441 PID 2480 set thread context of 980 2480 csrss.exe 443 PID 1604 set thread context of 1764 1604 csrss.exe 359 PID 1108 set thread context of 2032 1108 csrss.exe 493 PID 776 set thread context of 2544 776 csrss.exe 102 PID 1952 
set thread context of 1784 1952 csrss.exe 542 PID 1560 set thread context of 2404 1560 csrss.exe 461 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adobe.CS5.All-Products.Activator.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c903194d16f0f498ac4634fd3abc1a0a_JaffaCakes118.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language client.exe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 2432 client.exe.exe Token: SeSecurityPrivilege 2432 client.exe.exe Token: SeTakeOwnershipPrivilege 2432 client.exe.exe Token: SeLoadDriverPrivilege 2432 client.exe.exe Token: SeSystemProfilePrivilege 2432 client.exe.exe Token: SeSystemtimePrivilege 2432 client.exe.exe Token: SeProfSingleProcessPrivilege 2432 client.exe.exe Token: SeIncBasePriorityPrivilege 2432 client.exe.exe Token: SeCreatePagefilePrivilege 2432 client.exe.exe Token: SeBackupPrivilege 2432 client.exe.exe Token: SeRestorePrivilege 2432 client.exe.exe Token: SeShutdownPrivilege 2432 client.exe.exe Token: SeDebugPrivilege 2432 client.exe.exe Token: SeSystemEnvironmentPrivilege 2432 client.exe.exe Token: SeChangeNotifyPrivilege 2432 client.exe.exe Token: SeRemoteShutdownPrivilege 2432 client.exe.exe Token: SeUndockPrivilege 2432 client.exe.exe Token: SeManageVolumePrivilege 2432 client.exe.exe Token: SeImpersonatePrivilege 2432 client.exe.exe Token: SeCreateGlobalPrivilege 2432 client.exe.exe Token: 33 2432 client.exe.exe Token: 34 2432 client.exe.exe Token: 35 2432 client.exe.exe Token: 33 2740 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 2740 AUDIODG.EXE Token: 33 2740 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 2740 AUDIODG.EXE Token: SeIncreaseQuotaPrivilege 2608 csrss.exe Token: SeSecurityPrivilege 2608 csrss.exe Token: SeTakeOwnershipPrivilege 2608 csrss.exe Token: SeLoadDriverPrivilege 2608 csrss.exe Token: SeSystemProfilePrivilege 2608 csrss.exe Token: SeSystemtimePrivilege 2608 csrss.exe Token: SeProfSingleProcessPrivilege 2608 csrss.exe Token: SeIncBasePriorityPrivilege 2608 csrss.exe Token: SeCreatePagefilePrivilege 2608 csrss.exe Token: SeBackupPrivilege 2608 csrss.exe Token: SeRestorePrivilege 2608 csrss.exe Token: SeShutdownPrivilege 2608 csrss.exe Token: SeDebugPrivilege 2608 csrss.exe Token: SeSystemEnvironmentPrivilege 2608 csrss.exe Token: SeChangeNotifyPrivilege 2608 csrss.exe Token: SeRemoteShutdownPrivilege 2608 csrss.exe 
Token: SeUndockPrivilege 2608 csrss.exe Token: SeManageVolumePrivilege 2608 csrss.exe Token: SeImpersonatePrivilege 2608 csrss.exe Token: SeCreateGlobalPrivilege 2608 csrss.exe Token: 33 2608 csrss.exe Token: 34 2608 csrss.exe Token: 35 2608 csrss.exe Token: SeIncreaseQuotaPrivilege 1856 csrss.exe Token: SeSecurityPrivilege 1856 csrss.exe Token: SeTakeOwnershipPrivilege 1856 csrss.exe Token: SeLoadDriverPrivilege 1856 csrss.exe Token: SeSystemProfilePrivilege 1856 csrss.exe Token: SeSystemtimePrivilege 1856 csrss.exe Token: SeProfSingleProcessPrivilege 1856 csrss.exe Token: SeIncBasePriorityPrivilege 1856 csrss.exe Token: SeCreatePagefilePrivilege 1856 csrss.exe Token: SeBackupPrivilege 1856 csrss.exe Token: SeRestorePrivilege 1856 csrss.exe Token: SeShutdownPrivilege 1856 csrss.exe Token: SeDebugPrivilege 1856 csrss.exe Token: SeSystemEnvironmentPrivilege 1856 csrss.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2532 wrote to memory of 2104 2532 c903194d16f0f498ac4634fd3abc1a0a_JaffaCakes118.exe 29 PID 2532 wrote to memory of 2104 2532 c903194d16f0f498ac4634fd3abc1a0a_JaffaCakes118.exe 29 PID 2532 wrote to memory of 2104 2532 c903194d16f0f498ac4634fd3abc1a0a_JaffaCakes118.exe 29 PID 2532 wrote to memory of 2104 2532 c903194d16f0f498ac4634fd3abc1a0a_JaffaCakes118.exe 29 PID 2532 wrote to memory of 2176 2532 c903194d16f0f498ac4634fd3abc1a0a_JaffaCakes118.exe 30 PID 2532 wrote to memory of 2176 2532 c903194d16f0f498ac4634fd3abc1a0a_JaffaCakes118.exe 30 PID 2532 wrote to memory of 2176 2532 c903194d16f0f498ac4634fd3abc1a0a_JaffaCakes118.exe 30 PID 2532 wrote to memory of 2176 2532 c903194d16f0f498ac4634fd3abc1a0a_JaffaCakes118.exe 30 PID 2104 wrote to memory of 2432 2104 client.exe.exe 31 PID 2104 wrote to memory of 2432 2104 client.exe.exe 31 PID 2104 wrote to memory of 2432 2104 client.exe.exe 31 PID 2104 wrote to memory of 2432 2104 client.exe.exe 31 PID 2104 wrote to memory of 2432 2104 client.exe.exe 31 PID 2104 wrote to memory of 2432 2104 client.exe.exe 31 PID 2432 wrote to memory of 2008 2432 client.exe.exe 33 PID 2432 wrote to memory of 2008 2432 client.exe.exe 33 PID 2432 wrote to memory of 2008 2432 client.exe.exe 33 PID 2432 wrote to memory of 2008 2432 client.exe.exe 33 PID 2008 wrote to memory of 2608 2008 csrss.exe 34 PID 2008 wrote to memory of 2608 2008 csrss.exe 34 PID 2008 wrote to memory of 2608 2008 csrss.exe 34 PID 2008 wrote to memory of 2608 2008 csrss.exe 34 PID 2008 wrote to memory of 2608 2008 csrss.exe 34 PID 2008 wrote to memory of 2608 2008 csrss.exe 34 PID 2608 wrote to memory of 2664 2608 csrss.exe 35 PID 2608 wrote to memory of 2664 2608 csrss.exe 35 PID 2608 wrote to memory of 2664 2608 csrss.exe 35 PID 2608 wrote to memory of 2664 2608 csrss.exe 35 PID 2664 wrote to memory of 1856 2664 csrss.exe 36 PID 2664 wrote to memory of 1856 2664 csrss.exe 36 PID 2664 wrote to memory of 1856 2664 csrss.exe 36 
PID 2664 wrote to memory of 1856 2664 csrss.exe 36 PID 2664 wrote to memory of 1856 2664 csrss.exe 36 PID 2664 wrote to memory of 1856 2664 csrss.exe 36 PID 1856 wrote to memory of 2580 1856 csrss.exe 37 PID 1856 wrote to memory of 2580 1856 csrss.exe 37 PID 1856 wrote to memory of 2580 1856 csrss.exe 37 PID 1856 wrote to memory of 2580 1856 csrss.exe 37 PID 2580 wrote to memory of 2964 2580 csrss.exe 38 PID 2580 wrote to memory of 2964 2580 csrss.exe 38 PID 2580 wrote to memory of 2964 2580 csrss.exe 38 PID 2580 wrote to memory of 2964 2580 csrss.exe 38 PID 2580 wrote to memory of 2964 2580 csrss.exe 38 PID 2580 wrote to memory of 2964 2580 csrss.exe 38 PID 2964 wrote to memory of 3000 2964 csrss.exe 39 PID 2964 wrote to memory of 3000 2964 csrss.exe 39 PID 2964 wrote to memory of 3000 2964 csrss.exe 39 PID 2964 wrote to memory of 3000 2964 csrss.exe 39 PID 3000 wrote to memory of 3020 3000 csrss.exe 40 PID 3000 wrote to memory of 3020 3000 csrss.exe 40 PID 3000 wrote to memory of 3020 3000 csrss.exe 40 PID 3000 wrote to memory of 3020 3000 csrss.exe 40 PID 3000 wrote to memory of 3020 3000 csrss.exe 40 PID 3000 wrote to memory of 3020 3000 csrss.exe 40 PID 3020 wrote to memory of 2856 3020 csrss.exe 41 PID 3020 wrote to memory of 2856 3020 csrss.exe 41 PID 3020 wrote to memory of 2856 3020 csrss.exe 41 PID 3020 wrote to memory of 2856 3020 csrss.exe 41 PID 2856 wrote to memory of 2684 2856 csrss.exe 42 PID 2856 wrote to memory of 2684 2856 csrss.exe 42 PID 2856 wrote to memory of 2684 2856 csrss.exe 42 PID 2856 wrote to memory of 2684 2856 csrss.exe 42 PID 2856 wrote to memory of 2684 2856 csrss.exe 42 PID 2856 wrote to memory of 2684 2856 csrss.exe 42 -
System policy modification 1 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern client.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" client.exe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" csrss.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" csrss.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern csrss.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern csrss.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion csrss.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c903194d16f0f498ac4634fd3abc1a0a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c903194d16f0f498ac4634fd3abc1a0a_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Users\Admin\AppData\Local\Temp\client.exe.exe"C:\Users\Admin\AppData\Local\Temp\client.exe.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Users\Admin\AppData\Local\Temp\client.exe.exe"C:\Users\Admin\AppData\Local\Temp\client.exe.exe"3⤵
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2432 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"5⤵
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2608 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"7⤵
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1856 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"9⤵
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2964 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"10⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"11⤵
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3020 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"12⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"13⤵
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- System policy modification
PID:2684 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"14⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1248 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"15⤵
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- System policy modification
PID:1360 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"16⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1824 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"17⤵
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Drops file in System32 directory
- System policy modification
PID:1344 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"18⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2220 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"19⤵
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- System policy modification
PID:2332 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"20⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1412 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"21⤵
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- System policy modification
PID:2152 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"22⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1668 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"23⤵
- Modifies security service
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:660 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"24⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2248 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"25⤵
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- System policy modification
PID:2036 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"26⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1488 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"27⤵
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- System policy modification
PID:1628 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"28⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:976 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"29⤵
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- System policy modification
PID:472 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"30⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:816 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"31⤵
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- System policy modification
PID:1012 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"32⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1100 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"33⤵
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- System policy modification
PID:1804 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"34⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1568 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"35⤵
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- System policy modification
PID:2124 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"36⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2520 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"37⤵
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- System policy modification
PID:1120 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"38⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2588 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"39⤵
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2820 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"40⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2864 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"41⤵
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- System policy modification
PID:2816 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"42⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2780 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"43⤵
- Modifies security service
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- System policy modification
PID:2008 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"44⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2312 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"45⤵
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- System policy modification
PID:2680 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"46⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2848 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"47⤵
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- System policy modification
PID:832 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"48⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2960 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"49⤵
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Drops file in System32 directory
- System policy modification
PID:568 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"50⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1316 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"51⤵
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- System policy modification
PID:2672 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"52⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2852 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"53⤵
- Modifies security service
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- System policy modification
PID:2712 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"54⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2496 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"55⤵
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- System policy modification
PID:2188 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"56⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1284 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"57⤵
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- System policy modification
PID:2024 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"58⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2352 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"59⤵
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- System policy modification
PID:2464 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"60⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1880 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"61⤵
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- System policy modification
PID:2264 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"62⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1412 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"63⤵
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- System policy modification
PID:2204 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"64⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1736 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"65⤵
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Windows security modification
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- System policy modification
PID:1728 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"66⤵
- Suspicious use of SetThreadContext
PID:2480 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"67⤵
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- System policy modification
PID:980 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"68⤵
- Suspicious use of SetThreadContext
PID:1604 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"69⤵
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- System policy modification
PID:1764 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"70⤵
- Suspicious use of SetThreadContext
PID:1108 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"71⤵
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Windows security modification
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- System policy modification
PID:2032 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"72⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:776 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"73⤵
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Windows security modification
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- System policy modification
PID:2544 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"74⤵
- Suspicious use of SetThreadContext
PID:1952 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"75⤵
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- System policy modification
PID:1784 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"76⤵
- System Location Discovery: System Language Discovery
PID:2316 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"77⤵
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Windows security modification
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- System policy modification
PID:836 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"78⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1560 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"79⤵
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Windows security modification
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- System policy modification
PID:2404 -
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"80⤵PID:2164
-
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"81⤵PID:2104
-
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"82⤵PID:2416
-
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"83⤵PID:2832
-
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"84⤵PID:2156
-
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"85⤵PID:2764
-
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"86⤵PID:2676
-
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"87⤵PID:2016
-
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"88⤵PID:3028
-
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"89⤵PID:2056
-
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"90⤵PID:2992
-
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"91⤵PID:3044
-
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"92⤵PID:3008
-
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"93⤵PID:2964
-
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"94⤵PID:3020
-
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"95⤵PID:2600
-
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"96⤵PID:1632
-
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"97⤵PID:2484
-
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"98⤵PID:960
-
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"99⤵PID:860
-
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"100⤵PID:2144
-
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"101⤵PID:2384
-
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"102⤵PID:2096
-
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"103⤵PID:2216
-
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"104⤵PID:1444
-
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"105⤵PID:2440
-
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"106⤵PID:608
-
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"107⤵PID:1996
-
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"108⤵PID:2508
-
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"109⤵PID:1728
-
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"110⤵PID:1812
-
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"111⤵PID:2248
-
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"112⤵PID:2028
-
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"113⤵PID:2304
-
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"114⤵PID:584
-
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"115⤵PID:636
-
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"116⤵PID:816
-
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"117⤵PID:2088
-
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"118⤵PID:2004
-
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"119⤵PID:1784
-
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"120⤵PID:1232
-
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\SysWOW64\1033\csrss.exe"121⤵PID:2228
-
C:\Windows\SysWOW64\1033\csrss.exe"C:\Windows\system32\1033\csrss.exe"122⤵PID:2124