Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 126s
max time network: 128s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 01/10/2024, 20:26
Static task: static1
Behavioral task: behavioral1
  Sample: 074c415b7ff6216759269472e63ef44d_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 074c415b7ff6216759269472e63ef44d_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: 074c415b7ff6216759269472e63ef44d_JaffaCakes118.exe
Size: 73KB
MD5: 074c415b7ff6216759269472e63ef44d
SHA1: 238dfa827dcaa7ac3f48d30909abd20ecfedbb8e
SHA256: e776bac009401a8690377b7b49ba6ff61aea4eea48e1d3f208284556292fefc3
SHA512: 8b93a53a7620a069ac046484f6c3ace792a8e83b6425d90de4b582f03d2dae3d2e531754708d4d7b9e2b5189b070f734cba9f43f084d11fd6615d5c9cb4ff81b
SSDEEP: 1536:81z9+RskvxHkV3dDivpPpfl/WZD8bWdjyv4NXuuSY5T3:y9+Rsk54tclll/RbWtyv49V3
Malware Config
Signatures
- Adds policy Run key to start application (2 TTPs, 64 IoCs)
- Executes dropped EXE (64 IoCs)
- Loads dropped DLL (64 IoCs)
- Adds Run key to start application (2 TTPs, 64 IoCs)
- Modifies WinLogon (2 TTPs, 64 IoCs)
Suspicious use of SetThreadContext 64 IoCs
description pid Process procid_target
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
Processes
-
C:\Users\Admin\AppData\Local\Temp\074c415b7ff6216759269472e63ef44d_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\074c415b7ff6216759269472e63ef44d_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Users\Admin\AppData\Local\Temp\074c415b7ff6216759269472e63ef44d_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\074c415b7ff6216759269472e63ef44d_JaffaCakes118.exe2⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe"C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exeC:\Users\Admin\AppData\Local\Temp\wcsydrv.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe"C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exeC:\Users\Admin\AppData\Local\Temp\wcsydrv.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe"C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exeC:\Users\Admin\AppData\Local\Temp\wcsydrv.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies WinLogon
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe"C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exeC:\Users\Admin\AppData\Local\Temp\wcsydrv.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe"C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exeC:\Users\Admin\AppData\Local\Temp\wcsydrv.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe"C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1324 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exeC:\Users\Admin\AppData\Local\Temp\wcsydrv.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1508 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe"C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1876 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exeC:\Users\Admin\AppData\Local\Temp\wcsydrv.exe16⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Loads dropped DLL
PID:2348 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe"C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a17⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:2912 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exeC:\Users\Admin\AppData\Local\Temp\wcsydrv.exe18⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Loads dropped DLL
PID:1640 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe"C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a19⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:2808 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exeC:\Users\Admin\AppData\Local\Temp\wcsydrv.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies WinLogon
PID:1156 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe"C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a21⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:608 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exeC:\Users\Admin\AppData\Local\Temp\wcsydrv.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2688 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe"C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a23⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2396 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exeC:\Users\Admin\AppData\Local\Temp\wcsydrv.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2040 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe"C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a25⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1036 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exeC:\Users\Admin\AppData\Local\Temp\wcsydrv.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2460 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe"C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a27⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2028 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exeC:\Users\Admin\AppData\Local\Temp\wcsydrv.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies WinLogon
- System Location Discovery: System Language Discovery
PID:760 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe"C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a29⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2052 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exeC:\Users\Admin\AppData\Local\Temp\wcsydrv.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2252 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe"C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a31⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:2248 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exeC:\Users\Admin\AppData\Local\Temp\wcsydrv.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2576 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe"C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a33⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:2192 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exeC:\Users\Admin\AppData\Local\Temp\wcsydrv.exe34⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2412 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe"C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a35⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:2916 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exeC:\Users\Admin\AppData\Local\Temp\wcsydrv.exe36⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2316 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe"C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a37⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:944 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exeC:\Users\Admin\AppData\Local\Temp\wcsydrv.exe38⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1684 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe"C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a39⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1596 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exeC:\Users\Admin\AppData\Local\Temp\wcsydrv.exe40⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2400 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe"C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a41⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:892 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exeC:\Users\Admin\AppData\Local\Temp\wcsydrv.exe42⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1960 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe"C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a43⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1316 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exeC:\Users\Admin\AppData\Local\Temp\wcsydrv.exe44⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies WinLogon
PID:1088 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe"C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a45⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1544 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exeC:\Users\Admin\AppData\Local\Temp\wcsydrv.exe46⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1776 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe"C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a47⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:824 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exeC:\Users\Admin\AppData\Local\Temp\wcsydrv.exe48⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Loads dropped DLL
- Modifies WinLogon
PID:1792 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe"C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a49⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1048 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exeC:\Users\Admin\AppData\Local\Temp\wcsydrv.exe50⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:588 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe"C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a51⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:2324 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exeC:\Users\Admin\AppData\Local\Temp\wcsydrv.exe52⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2072 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe"C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a53⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1912 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exeC:\Users\Admin\AppData\Local\Temp\wcsydrv.exe54⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies WinLogon
PID:2288 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe"C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a55⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1652 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exeC:\Users\Admin\AppData\Local\Temp\wcsydrv.exe56⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies WinLogon
PID:1944 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe"C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a57⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1888 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exeC:\Users\Admin\AppData\Local\Temp\wcsydrv.exe58⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Loads dropped DLL
- Modifies WinLogon
PID:360 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe"C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a59⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:864 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exeC:\Users\Admin\AppData\Local\Temp\wcsydrv.exe60⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies WinLogon
PID:1732 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe"C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a61⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:2296 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exeC:\Users\Admin\AppData\Local\Temp\wcsydrv.exe62⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies WinLogon
PID:2700 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe"C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a63⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:2596 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exeC:\Users\Admin\AppData\Local\Temp\wcsydrv.exe64⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2764 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe"C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a65⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2648 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exeC:\Users\Admin\AppData\Local\Temp\wcsydrv.exe66⤵
- Executes dropped EXE
PID:2624 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe"C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a67⤵
- Suspicious use of SetThreadContext
PID:2320 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exeC:\Users\Admin\AppData\Local\Temp\wcsydrv.exe68⤵
- Modifies WinLogon
PID:2616 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe"C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a69⤵
- Suspicious use of SetThreadContext
PID:2732 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exeC:\Users\Admin\AppData\Local\Temp\wcsydrv.exe70⤵
- Adds Run key to start application
PID:2852 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe"C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a71⤵
- Suspicious use of SetThreadContext
PID:2176 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exeC:\Users\Admin\AppData\Local\Temp\wcsydrv.exe72⤵
- Adds Run key to start application
- Modifies WinLogon
PID:2844 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe"C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a73⤵
- Suspicious use of SetThreadContext
PID:2672 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exeC:\Users\Admin\AppData\Local\Temp\wcsydrv.exe74⤵
- Adds policy Run key to start application
PID:2664 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe"C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a75⤵
- Suspicious use of SetThreadContext
PID:2508 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exeC:\Users\Admin\AppData\Local\Temp\wcsydrv.exe76⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Modifies WinLogon
- System Location Discovery: System Language Discovery
PID:2548 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe"C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a77⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2524 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exeC:\Users\Admin\AppData\Local\Temp\wcsydrv.exe78⤵
- Adds Run key to start application
PID:2964 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe"C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a79⤵
- Suspicious use of SetThreadContext
PID:2972 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exeC:\Users\Admin\AppData\Local\Temp\wcsydrv.exe80⤵
- Adds policy Run key to start application
- Modifies WinLogon
- System Location Discovery: System Language Discovery
PID:2128 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe"C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a81⤵
- Suspicious use of SetThreadContext
PID:2968 -
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exeC:\Users\Admin\AppData\Local\Temp\wcsydrv.exe82⤵PID:2476
-
C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a  83⤵
- Suspicious use of SetThreadContext
PID:1764

C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  84⤵
- Adds Run key to start application
PID:428

C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a  85⤵
- Suspicious use of SetThreadContext
PID:2224

C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  86⤵
- Adds policy Run key to start application
PID:1876

C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a  87⤵
- Suspicious use of SetThreadContext
PID:2904

C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  88⤵
PID:1192

C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a  89⤵
- Suspicious use of SetThreadContext
PID:564

C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  90⤵
- Adds policy Run key to start application
- Adds Run key to start application
PID:572

C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a  91⤵
- Suspicious use of SetThreadContext
PID:2808

C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  92⤵
- Adds Run key to start application
PID:1252

C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a  93⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2480

C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  94⤵
PID:2020

C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a  95⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1360

C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  96⤵
- Adds policy Run key to start application
PID:2404

C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a  97⤵
- Suspicious use of SetThreadContext
PID:1144

C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  98⤵
- Modifies WinLogon
PID:1968

C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a  99⤵
- Suspicious use of SetThreadContext
PID:1060

C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  100⤵
- Modifies WinLogon
PID:2168

C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a  101⤵
- Suspicious use of SetThreadContext
PID:264

C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  102⤵
- Adds policy Run key to start application
PID:1984

C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a  103⤵
- Suspicious use of SetThreadContext
PID:760

C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  104⤵
- Adds policy Run key to start application
- Modifies WinLogon
PID:2372

C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a  105⤵
- Suspicious use of SetThreadContext
PID:1716

C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  106⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2116

C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a  107⤵
- Suspicious use of SetThreadContext
PID:2920

C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  108⤵
PID:2772

C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a  109⤵
- Suspicious use of SetThreadContext
PID:2576

C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  110⤵
- Adds policy Run key to start application
- Modifies WinLogon
PID:2996

C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a  111⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2924

C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  112⤵
- Adds policy Run key to start application
PID:2572

C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a  113⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1696

C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  114⤵
PID:1188

C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a  115⤵
- Suspicious use of SetThreadContext
PID:1312

C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  116⤵
- Modifies WinLogon
PID:948

C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a  117⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1468

C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  118⤵
- Adds policy Run key to start application
- Adds Run key to start application
PID:1132

C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a  119⤵
- Suspicious use of SetThreadContext
PID:1592

C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  120⤵
- Adds Run key to start application
PID:1476

C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a  121⤵
- Suspicious use of SetThreadContext
PID:1800

C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe  122⤵
PID:816