Analysis
-
max time kernel
95s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system -
submitted
05/09/2024, 00:03
Static task
static1
Behavioral task
behavioral1
Sample
cc4ba8817473517498cb3f02d70fdd60N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
cc4ba8817473517498cb3f02d70fdd60N.exe
Resource
win10v2004-20240802-en
General
-
Target
cc4ba8817473517498cb3f02d70fdd60N.exe
-
Size
363KB
-
MD5
cc4ba8817473517498cb3f02d70fdd60
-
SHA1
29e4e7b61ee98f72efa5d649d964b30fc9986a6a
-
SHA256
d7dc538919b2d69267a7800324ee7144ddd7c00bf68c73b3edf201928a49bb6e
-
SHA512
330ba8332423e5b6e334c69d2442ea3634df766fc62afb33c35ac5b45890454622fcdcaae016408dde6b77079d308cfe8b7535d13c3e8824494a1043552eb38e
-
SSDEEP
6144:SFbqRq90Bgo8PCRKfeEeO4oZjec4HWsBpC+MgsxVl:4b8q90BgjhP6sjerChgu
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
-
Loads dropped DLL 64 IoCs
-
Drops file in System32 directory 64 IoCs
description ioc Process
File created C:\Windows\SysWOW64\svchosts.exe svchosts.exe
File created C:\Windows\SysWOW64\svchosts.exe cc4ba8817473517498cb3f02d70fdd60N.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchosts.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process
2852 DllHost.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\cc4ba8817473517498cb3f02d70fdd60N.exe"C:\Users\Admin\AppData\Local\Temp\cc4ba8817473517498cb3f02d70fdd60N.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe8⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe10⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe12⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe14⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1892 -
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe16⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2140 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe18⤵
- Loads dropped DLL
PID:1916 -
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe19⤵
- Executes dropped EXE
PID:372 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe20⤵
- Loads dropped DLL
PID:2104 -
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe21⤵
- Executes dropped EXE
PID:1536 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe22⤵
- Loads dropped DLL
PID:316 -
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe23⤵
- Executes dropped EXE
PID:2312 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe24⤵
- Loads dropped DLL
PID:888 -
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2164 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe26⤵
- Loads dropped DLL
PID:2500 -
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe27⤵
- Executes dropped EXE
PID:2576 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe28⤵
- Loads dropped DLL
PID:2580 -
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe29⤵
- Executes dropped EXE
PID:2280 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe30⤵
- Loads dropped DLL
PID:2556 -
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe31⤵
- Executes dropped EXE
PID:1660 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe32⤵
- Loads dropped DLL
PID:2836 -
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:852 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe34⤵
- Loads dropped DLL
PID:1700 -
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe35⤵
- Executes dropped EXE
PID:2360 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe36⤵
- Loads dropped DLL
PID:1556 -
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2136 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe38⤵
- Loads dropped DLL
PID:992 -
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe39⤵
- Executes dropped EXE
PID:1740 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe40⤵
- Loads dropped DLL
PID:1748 -
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe41⤵
- Executes dropped EXE
PID:1620 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe42⤵
- Loads dropped DLL
PID:1652 -
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe43⤵
- Executes dropped EXE
PID:2336 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe44⤵
- Loads dropped DLL
PID:2276 -
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3012 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe46⤵
- Loads dropped DLL
PID:2156 -
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe47⤵
- Executes dropped EXE
PID:2536 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe48⤵
- Loads dropped DLL
PID:2548 -
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe49⤵
- Executes dropped EXE
PID:2648 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe50⤵
- Loads dropped DLL
PID:1336 -
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe51⤵
- Executes dropped EXE
PID:2028 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe52⤵
- Loads dropped DLL
PID:2692 -
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe53⤵
- Executes dropped EXE
PID:1984 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe54⤵
- Loads dropped DLL
PID:788 -
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe55⤵
- Executes dropped EXE
PID:2520 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe56⤵
- Loads dropped DLL
PID:1440 -
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe57⤵
- Executes dropped EXE
PID:1884 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe58⤵
- Loads dropped DLL
PID:2360 -
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2184 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe60⤵
- Loads dropped DLL
PID:1992 -
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe61⤵
- Executes dropped EXE
PID:1596 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe62⤵
- Loads dropped DLL
PID:2776 -
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe63⤵
- Executes dropped EXE
PID:2912 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe64⤵
- Loads dropped DLL
PID:1684 -
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe65⤵
- Executes dropped EXE
PID:316 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe66⤵PID:2856
-
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe67⤵
- Executes dropped EXE
PID:2160 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe68⤵PID:2780
-
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe69⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2700 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe70⤵PID:2208
-
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe71⤵
- Executes dropped EXE
PID:2264 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe72⤵PID:2648
-
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe73⤵
- Executes dropped EXE
PID:2364 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe74⤵PID:2996
-
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe75⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1692 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe76⤵PID:2872
-
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe77⤵
- Executes dropped EXE
PID:2768 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe78⤵PID:1472
-
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe79⤵
- Executes dropped EXE
PID:852 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe80⤵
- System Location Discovery: System Language Discovery
PID:1156 -
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe81⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1356 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe82⤵PID:612
-
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe83⤵
- Executes dropped EXE
PID:1992 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe84⤵PID:1368
-
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe85⤵
- Executes dropped EXE
PID:3064 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe86⤵PID:912
-
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe87⤵
- Executes dropped EXE
PID:2500 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe88⤵PID:2900
-
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe89⤵
- Executes dropped EXE
PID:320 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe90⤵
- System Location Discovery: System Language Discovery
PID:2668 -
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe91⤵
- Executes dropped EXE
PID:1432 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe92⤵PID:1484
-
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe93⤵
- Executes dropped EXE
PID:776 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe94⤵PID:2528
-
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe95⤵
- Executes dropped EXE
PID:1624 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe96⤵PID:1976
-
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe97⤵
- Executes dropped EXE
PID:1088 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe98⤵PID:788
-
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe99⤵
- Executes dropped EXE
PID:2632 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe100⤵PID:1472
-
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe101⤵
- Executes dropped EXE
PID:1356 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe102⤵PID:536
-
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe103⤵
- Executes dropped EXE
PID:2140 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe104⤵PID:2592
-
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe105⤵
- Executes dropped EXE
PID:2784 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe106⤵PID:556
-
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe107⤵
- Executes dropped EXE
PID:2156 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe108⤵PID:2384
-
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe109⤵
- Executes dropped EXE
PID:2904 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe110⤵PID:1796
-
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe111⤵
- Executes dropped EXE
PID:2088 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe112⤵PID:1316
-
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe113⤵
- Executes dropped EXE
PID:2264 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe114⤵PID:2572
-
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe115⤵
- Executes dropped EXE
PID:1752 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe116⤵PID:2056
-
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe117⤵
- Executes dropped EXE
PID:1580 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe118⤵PID:1784
-
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe119⤵
- Executes dropped EXE
PID:1992 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe120⤵PID:2968
-
C:\WINDOWS\SysWOW64\svchosts.exeC:\WINDOWS\system32\svchosts.exe121⤵
- Executes dropped EXE
PID:1924 -
C:\WINDOWS\SysWOW64\cmd.execmd.exe /c C:\WINDOWS\system32\svchosts.exe122⤵PID:2620