Analysis
max time kernel: 149s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 02/10/2024, 19:30

Static task: static1
Behavioral task: behavioral1
Sample: 0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe
Resource: win10v2004-20240910-en

General
Target: 0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe
Size: 1.1MB
MD5: 0c2b1dd5b9eb64ad6130c61826cf2864
SHA1: ac1c145695ee0aece971260fb1af2115de58c0fa
SHA256: e849b0de5209dbb7a6e96f840ff17121fb2d147d231386d52a261f1f92945e38
SHA512: 734d12cc8c5ed780f6e254b08c9475ea17c26383f789caa8a4502b2f422e4d2505b2addfee15fa7dd3618f1cd7ae8118c3d22e3bcfe0ff08f41b3e65cef3c530
SSDEEP: 24576:+JGrlbe0tPFPiB3Qz+9G/o1CWEzdFtVzGKm/0PbV4R:+JGrlbe0tPFaBAza0otEzdDVvm8zV4

Malware Config
Signatures
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Adds Run key to start application 2 TTPs 64 IoCs
Drops file in System32 directory 64 IoCs
Suspicious use of SetThreadContext 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious use of AdjustPrivilegeToken 64 IoCs
pid   Process                                              entries
2744  0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe  23 (the full list below)
2920  svchost.exe                                          23 (the full list)
2712  svchost.exe                                          18 (through SeManageVolumePrivilege; the table is capped at 64 IoCs and stops there)

Privileges enabled, in the order reported, identical for each process:
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35

The three numeric entries are privilege LUIDs the report did not resolve to a name. PIDs 2744, 2920 and 2712 are the even-depth (unquoted command line) processes in the process tree below.
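The following Python helper is an added example (not part of the sandbox report) that groups the Token entries above by PID, resolves the three unnamed LUIDs and compares each process's enabled set with the privileges held by a Windows 7 elevated administrator token. Two things are assumptions rather than report content: the LUID names (33 = SeIncreaseWorkingSetPrivilege, 34 = SeTimeZonePrivilege, 35 = SeCreateSymbolicLinkPrivilege, the well-known winnt.h values) and the admin-token privilege set (WIN7_ADMIN_TOKEN). SAMPLE_TEXT is an excerpt constructed from the rows above: PID 2744 in full, PID 2712 cut at 18 entries as it is in the report.

```python
"""Group a sandbox 'Suspicious use of AdjustPrivilegeToken' table by process and
compare each process's enabled privileges with a Windows 7 elevated administrator
token.  Added example for this report, not part of it; SAMPLE_TEXT is an excerpt
constructed from the report's own rows."""
import re
from collections import OrderedDict

# Well-known privilege LUIDs (winnt.h SE_* values) for the entries the report
# printed as bare numbers.  Assumption: the guest is Windows 7, where these hold.
LUID_NAMES = {
    33: "SeIncreaseWorkingSetPrivilege",
    34: "SeTimeZonePrivilege",
    35: "SeCreateSymbolicLinkPrivilege",
}

# Every privilege held by a Windows 7 elevated administrator token (23 entries).
WIN7_ADMIN_TOKEN = frozenset([
    "SeIncreaseQuotaPrivilege", "SeSecurityPrivilege", "SeTakeOwnershipPrivilege",
    "SeLoadDriverPrivilege", "SeSystemProfilePrivilege", "SeSystemtimePrivilege",
    "SeProfSingleProcessPrivilege", "SeIncBasePriorityPrivilege",
    "SeCreatePagefilePrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
    "SeShutdownPrivilege", "SeDebugPrivilege", "SeSystemEnvironmentPrivilege",
    "SeChangeNotifyPrivilege", "SeRemoteShutdownPrivilege", "SeUndockPrivilege",
    "SeManageVolumePrivilege", "SeImpersonatePrivilege", "SeCreateGlobalPrivilege",
    "SeIncreaseWorkingSetPrivilege", "SeTimeZonePrivilege",
    "SeCreateSymbolicLinkPrivilege",
])

SAMPLE_EXE = "0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe"

# The 23 descriptions in the order the report lists them for PID 2744.
REPORT_ORDER = (
    "SeIncreaseQuotaPrivilege", "SeSecurityPrivilege", "SeTakeOwnershipPrivilege",
    "SeLoadDriverPrivilege", "SeSystemProfilePrivilege", "SeSystemtimePrivilege",
    "SeProfSingleProcessPrivilege", "SeIncBasePriorityPrivilege",
    "SeCreatePagefilePrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
    "SeShutdownPrivilege", "SeDebugPrivilege", "SeSystemEnvironmentPrivilege",
    "SeChangeNotifyPrivilege", "SeRemoteShutdownPrivilege", "SeUndockPrivilege",
    "SeManageVolumePrivilege", "SeImpersonatePrivilege", "SeCreateGlobalPrivilege",
    "33", "34", "35",
)

# Constructed excerpt: PID 2744 in full, PID 2712 cut at 18 entries as in the report.
SAMPLE_TEXT = " ".join(
    [f"Token: {p} 2744 {SAMPLE_EXE}" for p in REPORT_ORDER]
    + [f"Token: {p} 2712 svchost.exe" for p in REPORT_ORDER[:18]]
)

TOKEN_RE = re.compile(r"Token:\s+(\S+)\s+(\d+)\s+(\S+)")


def parse_token_iocs(text):
    """Return {pid: (process name, [privilege names in report order])}."""
    procs = OrderedDict()
    for name, pid, proc in TOKEN_RE.findall(text):
        if name.isdigit():
            name = LUID_NAMES.get(int(name), "LUID:" + name)
        procs.setdefault(int(pid), (proc, []))[1].append(name)
    return procs


def assess(procs):
    """Per PID: how many privileges were enabled, whether the set is exactly the
    admin token's full set (an enable-everything loop rather than a targeted
    request), and how it differs from that set."""
    report = {}
    for pid, (proc, privs) in procs.items():
        enabled = set(privs)
        report[pid] = {
            "process": proc,
            "count": len(privs),
            "enables_entire_admin_token": enabled == WIN7_ADMIN_TOKEN,
            "has_SeDebugPrivilege": "SeDebugPrivilege" in enabled,
            "outside_admin_token": sorted(enabled - WIN7_ADMIN_TOKEN),
            "missing_from_admin_token": sorted(WIN7_ADMIN_TOKEN - enabled),
        }
    return report


if __name__ == "__main__":
    for pid, info in assess(parse_token_iocs(SAMPLE_TEXT)).items():
        print(pid, info["process"], info["count"],
              "entire admin token" if info["enables_entire_admin_token"]
              else f"missing {len(info['missing_from_admin_token'])}")
```

For PID 2744 the enabled set is exactly the 23 privileges of the elevated admin token the sandbox ran the sample under (the paths in the tree are under C:\Users\Admin), which is what a loop over every privilege returned by GetTokenInformation looks like; nothing outside the token is requested, and SeDebugPrivilege is not needed to write into a child the writer created itself, so its presence here says more about a generic enable-everything routine than about the injection that follows.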
Suspicious use of SetWindowsHookEx 64 IoCs
pid   Process
2096  0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe
svchost.exe, 63 PIDs in the order reported: 2796, 1628, 2664, 2968, 2504, 2700, 2924, 1316, 1380, 2284, 1156, 296, 1612, 924, 2336, 536, 876, 2740, 2804, 2768, 1804, 1944, 2992, 2852, 2080, 1428, 680, 1952, 2144, 1596, 2972, 536, 2348, 1556, 2412, 940, 2760, 2652, 2480, 1856, 2536, 2060, 2676, 996, 2104, 1784, 2256, 2064, 2144, 2360, 600, 1752, 2492, 1848, 2644, 3028, 2816, 2520, 2272, 1748, 2564, 2720, 996

These are the odd-depth (quoted command line) processes of the tree below, every one of which also shows SetThreadContext. PIDs 536 and 2144 each appear twice in the tree (depths 33/65 and 59/99) because the PID was reused by a later process in the chain; the second 996 entry, like 2564 and 2720, belongs to a process beyond depth 122, where the tree as printed ends.
Suspicious use of WriteProcessMemory 64 IoCs
description (writer PID wrote to memory of target PID)   writer Process                                       procid_target  write events
PID 2096 wrote to memory of 2744                          0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe  30             15
PID 2744 wrote to memory of 2796                          0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe  31             4
PID 2796 wrote to memory of 2920                          svchost.exe                                          32             15
PID 2920 wrote to memory of 1628                          svchost.exe                                          70             4
PID 1628 wrote to memory of 2712                          svchost.exe                                          34             15
PID 2712 wrote to memory of 2664                          svchost.exe                                          35             4
PID 2664 wrote to memory of 2308                          svchost.exe                                          36             7 (the table is capped at 64 events and stops here)

procid_target is the report's own sequential process index for the target, not a Windows PID. The value 70 for target 1628 is out of sequence (33 would sit between 32 and 34); PID 1628 appears twice in the process tree below (depth 5 and depth 42), so the report most likely resolved the target to the later process that reused the PID. Where PIDs recur, attribute by procid rather than by PID.
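The following Python helper is an added example (not part of the report) that rebuilds the injection chain from rows in the form above: it counts write events per writer/target pair, follows the chain from the root writer, flags links where writer and target run the same image, and checks the procid_target sequence. SAMPLE_TEXT is constructed from the seven writer/target pairs and counts in the table; the assumption behind the procid check (that the sandbox numbers processes sequentially along a chain) is labelled in the code. The image of a target that never writes anywhere itself (2308) is not in this table, so that last link cannot be classified from these rows alone.

```python
"""Rebuild the injection chain from a sandbox 'Suspicious use of
WriteProcessMemory' table.  Added example for this report, not part of it; the
sample rows are constructed from the table's writer/target pairs and counts."""
import re
from collections import Counter, defaultdict

SAMPLE_EXE = "0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe"


def _rows(writer, target, image, procid_target, n):
    """n identical report rows: 'PID <writer> wrote to memory of <target> <writer> <image> <procid>'."""
    return f"PID {writer} wrote to memory of {target} {writer} {image} {procid_target} " * n


# Constructed from the report: (writer, target, writer image, procid_target, events).
SAMPLE_TEXT = "".join([
    _rows(2096, 2744, SAMPLE_EXE, 30, 15),
    _rows(2744, 2796, SAMPLE_EXE, 31, 4),
    _rows(2796, 2920, "svchost.exe", 32, 15),
    _rows(2920, 1628, "svchost.exe", 70, 4),
    _rows(1628, 2712, "svchost.exe", 34, 15),
    _rows(2712, 2664, "svchost.exe", 35, 4),
    _rows(2664, 2308, "svchost.exe", 36, 7),
])

# The repeated writer PID after the target is matched with a backreference.
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


def parse_writes(text):
    """Return (event count per (writer, target), writer image by PID,
    procid_target per (writer, target), in report order)."""
    events, image, procid = Counter(), {}, {}
    for w, t, img, pt in ROW_RE.findall(text):
        w, t = int(w), int(t)
        events[(w, t)] += 1
        image[w] = img
        procid.setdefault((w, t), int(pt))
    return events, image, procid


def injection_chains(events):
    """Follow writer -> target links from every root writer (one nobody wrote into)."""
    targets_of = defaultdict(list)
    written = set()
    for w, t in events:
        targets_of[w].append(t)
        written.add(t)
    chains = []
    for root in sorted(w for w in targets_of if w not in written):
        chain, seen = [root], {root}
        while targets_of.get(chain[-1]):
            nxt = targets_of[chain[-1]][0]
            if nxt in seen:          # a reused PID could otherwise loop forever
                break
            chain.append(nxt)
            seen.add(nxt)
        chains.append(chain)
    return chains


def same_image_writes(events, image):
    """Links where writer and target run the same image: a process writing into a
    fresh copy of itself.  A target that never writes has no image here and is skipped."""
    return [(w, t, n) for (w, t), n in sorted(events.items())
            if t in image and image[t] == image[w]]


def out_of_sequence_procids(procid):
    """Flag procid_target values that break sequential numbering along the chain.
    Assumption: the sandbox numbers processes in creation order, so each link's
    procid_target should be the previous one plus one; a jump means the target
    PID was resolved to a different, later process that reused the PID."""
    items = list(procid.items())
    if not items:
        return []
    first = items[0][1]
    return [(link, got, first + i) for i, (link, got) in enumerate(items)
            if got != first + i]


if __name__ == "__main__":
    ev, im, pr = parse_writes(SAMPLE_TEXT)
    print("chain:", injection_chains(ev))
    print("same-image writes:", same_image_writes(ev, im))
    print("out-of-sequence procid_target:", out_of_sequence_procids(pr))
```

The same-image links (2096 to 2744, 2796 to 2920, 2920 to 1628, 1628 to 2712, 2712 to 2664) line up with the process tree below, where every such writer also carries SetThreadContext: launch a copy of its own image, write into it, then redirect its initial thread. That combination is the usual indicator of process hollowing applied to a self-spawned child; the report does not name the technique, so treat this as an analyst's reading of the signatures, not a report finding. The alternating event counts (15, 4, 15, 4 ...) follow the tree's alternation as well: the 15-event writes target the unquoted, even-depth children and the 4-event writes the quoted, odd-depth ones.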
Processes
Image paths: the entries at depths 1 and 2 run from C:\Users\Admin\AppData\Local\Temp\0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe; every entry from depth 3 on has the image path C:\Windows\SysWOW64\test\svchost.exe, even where its command line names C:\Windows\system32\test\svchost.exe (the sample is 32-bit on an x64 guest, so WOW64 file-system redirection maps its system32 path to SysWOW64).
Each process is the child of the entry one depth above it. Command-line forms: Q = "C:\Windows\system32\test\svchost.exe" (quoted); U = C:\Windows\SysWOW64\test\svchost.exe (unquoted). Behaviours are the report's signature names with "Suspicious use of" dropped from the API names; "Adds Run key" = Adds Run key to start application, "Drops file in System32" = Drops file in System32 directory, "Language discovery" = System Location Discovery: System Language Discovery.
Caveat: each signature table is capped at 64 IoCs, and the per-process flags come from those tables. Executes dropped EXE stops at depth 66 (64 processes), AdjustPrivilegeToken at depth 6 and WriteProcessMemory at depth 7 because their tables ran out there; the absence of a flag past that point does not show that the behaviour stopped.

depth  PID   cmd  behaviours
1      2096  "C:\Users\Admin\AppData\Local\Temp\0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe"  SetThreadContext, SetWindowsHookEx, WriteProcessMemory
2      2744  C:\Users\Admin\AppData\Local\Temp\0c2b1dd5b9eb64ad6130c61826cf2864_JaffaCakes118.exe  Loads dropped DLL, AdjustPrivilegeToken, WriteProcessMemory
3      2796  Q    Executes dropped EXE, Loads dropped DLL, SetThreadContext, SetWindowsHookEx, WriteProcessMemory
4      2920  U    Executes dropped EXE, Loads dropped DLL, AdjustPrivilegeToken, WriteProcessMemory
5      1628  Q    Executes dropped EXE, Loads dropped DLL, SetThreadContext, SetWindowsHookEx, WriteProcessMemory
6      2712  U    Executes dropped EXE, Loads dropped DLL, AdjustPrivilegeToken, WriteProcessMemory
7      2664  Q    Executes dropped EXE, Loads dropped DLL, SetThreadContext, SetWindowsHookEx, WriteProcessMemory
8      2308  U    Executes dropped EXE, Loads dropped DLL, Adds Run key
9      2968  Q    Executes dropped EXE, Loads dropped DLL, SetThreadContext, SetWindowsHookEx
10     2076  U    Executes dropped EXE, Loads dropped DLL
11     2504  Q    Executes dropped EXE, Loads dropped DLL, SetThreadContext, SetWindowsHookEx
12     2072  U    Executes dropped EXE, Loads dropped DLL
13     2700  Q    Executes dropped EXE, Loads dropped DLL, SetThreadContext, SetWindowsHookEx
14     3000  U    Executes dropped EXE, Loads dropped DLL, Language discovery
15     2924  Q    Executes dropped EXE, Loads dropped DLL, SetThreadContext, SetWindowsHookEx
16     2880  U    Executes dropped EXE, Loads dropped DLL
17     1316  Q    Executes dropped EXE, Loads dropped DLL, SetThreadContext, SetWindowsHookEx
18     780   U    Executes dropped EXE, Loads dropped DLL
19     1380  Q    Executes dropped EXE, Loads dropped DLL, SetThreadContext, SetWindowsHookEx
20     3036  U    Executes dropped EXE, Loads dropped DLL, Drops file in System32
21     2284  Q    Executes dropped EXE, Loads dropped DLL, SetThreadContext, SetWindowsHookEx
22     1048  U    Executes dropped EXE, Loads dropped DLL, Adds Run key
23     1156  Q    Executes dropped EXE, Loads dropped DLL, SetThreadContext, SetWindowsHookEx
24     1936  U    Executes dropped EXE, Loads dropped DLL
25     296   Q    Executes dropped EXE, SetThreadContext, SetWindowsHookEx
26     840   U    Executes dropped EXE, Loads dropped DLL
27     1612  Q    Executes dropped EXE, SetThreadContext, SetWindowsHookEx
28     1660  U    Executes dropped EXE, Loads dropped DLL
29     924   Q    Executes dropped EXE, SetThreadContext, SetWindowsHookEx
30     2120  U    Executes dropped EXE, Loads dropped DLL
31     2336  Q    Executes dropped EXE, SetThreadContext, SetWindowsHookEx
32     1000  U    Executes dropped EXE, Loads dropped DLL
33     536   Q    Executes dropped EXE, SetThreadContext, SetWindowsHookEx
34     332   U    Executes dropped EXE, Loads dropped DLL
35     876   Q    Executes dropped EXE, SetThreadContext, SetWindowsHookEx
36     1692  U    Executes dropped EXE, Loads dropped DLL
37     2740  Q    Executes dropped EXE, SetThreadContext, SetWindowsHookEx
38     2748  U    Executes dropped EXE, Loads dropped DLL
39     2804  Q    Executes dropped EXE, SetThreadContext, SetWindowsHookEx
40     2732  U    Executes dropped EXE, Loads dropped DLL
41     2768  Q    Executes dropped EXE, SetThreadContext, Language discovery, SetWindowsHookEx
42     1628  U    Executes dropped EXE, Loads dropped DLL
43     1804  Q    Executes dropped EXE, SetThreadContext, SetWindowsHookEx
44     2356  U    Executes dropped EXE, Loads dropped DLL
45     1944  Q    Executes dropped EXE, SetThreadContext, SetWindowsHookEx
46     2192  U    Executes dropped EXE, Loads dropped DLL
47     2992  Q    Executes dropped EXE, SetThreadContext, SetWindowsHookEx
48     2948  U    Executes dropped EXE, Loads dropped DLL, Adds Run key
49     2852  Q    Executes dropped EXE, SetThreadContext, SetWindowsHookEx
50     1508  U    Executes dropped EXE, Loads dropped DLL
51     2080  Q    Executes dropped EXE, SetThreadContext, Language discovery, SetWindowsHookEx
52     2148  U    Executes dropped EXE, Loads dropped DLL
53     1428  Q    Executes dropped EXE, SetThreadContext, SetWindowsHookEx
54     1844  U    Executes dropped EXE, Loads dropped DLL
55     680   Q    Executes dropped EXE, SetThreadContext, SetWindowsHookEx
56     1620  U    Executes dropped EXE
57     1952  Q    Executes dropped EXE, SetThreadContext, SetWindowsHookEx
58     1300  U    Executes dropped EXE
59     2144  Q    Executes dropped EXE, SetThreadContext, SetWindowsHookEx
60     1124  U    Executes dropped EXE
61     1596  Q    Executes dropped EXE, SetThreadContext, SetWindowsHookEx
62     2960  U    Executes dropped EXE
63     2972  Q    Executes dropped EXE, SetThreadContext, SetWindowsHookEx
64     1676  U    Executes dropped EXE
65     536   Q    Executes dropped EXE, SetThreadContext, SetWindowsHookEx
66     1032  U    Executes dropped EXE, Drops file in System32
67     2348  Q    SetThreadContext, SetWindowsHookEx
68     1580  U    (no flags)
69     1556  Q    SetThreadContext, SetWindowsHookEx
70     1744  U    (no flags)
71     2412  Q    SetThreadContext, SetWindowsHookEx
72     2752  U    Adds Run key
73     940   Q    SetThreadContext, SetWindowsHookEx
74     2728  U    (no flags)
75     2760  Q    SetThreadContext, SetWindowsHookEx
76     1804  U    (no flags)
77     2652  Q    SetThreadContext, SetWindowsHookEx
78     1956  U    (no flags)
79     2480  Q    SetThreadContext, SetWindowsHookEx
80     1684  U    (no flags)
81     1856  Q    SetThreadContext, SetWindowsHookEx
82     2584  U    (no flags)
83     2536  Q    SetThreadContext, SetWindowsHookEx
84     952   U    (no flags)
85     2060  Q    SetThreadContext, SetWindowsHookEx
86     2932  U    (no flags)
87     2676  Q    SetThreadContext, SetWindowsHookEx
88     1440  U    Adds Run key, Drops file in System32
89     996   Q    SetThreadContext, SetWindowsHookEx
90     2772  U    (no flags)
91     2104  Q    SetThreadContext, Language discovery, SetWindowsHookEx
92     2872  U    (no flags)
93     1784  Q    SetThreadContext, SetWindowsHookEx
94     836   U    (no flags)
95     2256  Q    SetThreadContext, SetWindowsHookEx
96     1156  U    (no flags)
97     2064  Q    SetThreadContext, SetWindowsHookEx
98     1808  U    (no flags)
99     2144  Q    SetThreadContext, SetWindowsHookEx
100    2204  U    (no flags)
101    2360  Q    SetThreadContext, SetWindowsHookEx
102    1492  U    (no flags)
103    600   Q    SetThreadContext, SetWindowsHookEx
104    984   U    Adds Run key
105    1752  Q    SetThreadContext, SetWindowsHookEx
106    2428  U    (no flags)
107    2492  Q    SetThreadContext, SetWindowsHookEx
108    2756  U    Language discovery
109    1848  Q    SetThreadContext, SetWindowsHookEx
110    2448  U    (no flags)
111    2644  Q    SetThreadContext, SetWindowsHookEx
112    804   U    Adds Run key, Drops file in System32
113    3028  Q    SetThreadContext, SetWindowsHookEx
114    2208  U    (no flags)
115    2816  Q    SetThreadContext, SetWindowsHookEx
116    1928  U    (no flags)
117    2520  Q    SetThreadContext, SetWindowsHookEx
118    2832  U    (no flags)
119    2272  Q    SetThreadContext, SetWindowsHookEx
120    380   U    (no flags)
121    1748  Q    SetThreadContext, SetWindowsHookEx
122    1680  U    (no flags)