Analysis
max time kernel: 150s
max time network: 138s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 03/10/2024, 21:09
Static task: static1
Behavioral task: behavioral1
Sample: 108371ef36e513fe10d28555b11f25d5_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: 108371ef36e513fe10d28555b11f25d5_JaffaCakes118.exe
Size: 114KB
MD5: 108371ef36e513fe10d28555b11f25d5
SHA1: 989275215b0497d1d5eb16d34548183bffb3f333
SHA256: a810d7db2f261f9407731d7122361b3df0e83501a0a2fbd2c32aaac6c651a456
SHA512: 82385b6e26c9e650b5da73841927505b338d0312278ac438c084f0542afaac4fc9207cdb41f2b0dc1cc2fc896fe06385187d170554c0ebd142452d5987618538
SSDEEP: 3072:CuH2Pz4lYzvVbr7IPJCnWVxSBwGBOtAapckMIYp:Cu2Pz4e7dr7A5VxYJBLkMj
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Users\\Admin\\AppData\\Local\\vwfrhnot\\edwdfdud.exe" (process: svchost.exe)
UAC bypass
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: svchost.exe)
Drops startup file 2 IoCs
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\edwdfdud.exe (process: svchost.exe)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\edwdfdud.exe (process: svchost.exe)
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Adds Run key to start application 2 TTPs 1 IoCs
Set value (str): \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\EdwDfdud = "C:\\Users\\Admin\\AppData\\Local\\vwfrhnot\\edwdfdud.exe" (process: svchost.exe)
Suspicious use of SetThreadContext 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 5 IoCs
Suspicious use of SetWindowsHookEx 30 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
(Level is the depth of the process in the tree; each entry lists the image path, the command line, the signatures that matched, and the PID.)

Level 1: C:\Users\Admin\AppData\Local\Temp\108371ef36e513fe10d28555b11f25d5_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\108371ef36e513fe10d28555b11f25d5_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 1916

Level 2: \??\c:\users\admin\appdata\local\temp\108371ef36e513fe10d28555b11f25d5_jaffacakes118.exe
  Command line: "c:\users\admin\appdata\local\temp\108371ef36e513fe10d28555b11f25d5_jaffacakes118.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2388

Level 3: C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\system32\svchost.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 1052

Level 3: C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\system32\svchost.exe
  - Modifies WinLogon for persistence
  - UAC bypass
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 3000

Level 3: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 2152

Level 4: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1888

Level 5: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 1260

Level 6: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2008

Level 7: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 1712

Level 8: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID: 2956

Level 9: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID: 3052

Level 10: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID: 772

Level 11: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID: 2392

Level 12: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID: 812

Level 13: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID: 1072

Level 14: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID: 3016

Level 15: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID: 928

Level 16: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID: 604

Level 17: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID: 1824

Level 18: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID: 896

Level 19: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID: 2212

Level 20: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID: 3040

Level 21: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID: 652

Level 22: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID: 2592

Level 23: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID: 2144

Level 24: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID: 2192

Level 25: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID: 2256

Level 26: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID: 2316

Level 27: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID: 2992

Level 28: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID: 2736

Level 29: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID: 2124

Level 30: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID: 1516

Level 31: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID: 1724

Level 32: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID: 2740

Level 33: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID: 2816

Level 34: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID: 1092

Level 35: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID: 1608

Level 36: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID: 1752

Level 37: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID: 2944

Level 38: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID: 536

Level 39: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID: 2348

Level 40: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID: 2072

Level 41: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID: 2588

Level 42: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID: 1860

Level 43: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID: 2368

Level 44: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID: 1612

Level 45: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID: 1548

Level 46: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID: 2336

Level 47: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID: 1728

Level 48: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID: 960

Level 49: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID: 1812

Level 50: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID: 1496

Level 51: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID: 2340

Level 52: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID: 2104

Level 53: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID: 2880

Level 54: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID: 2732

Level 55: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID: 2992

Level 56: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID: 2884

Level 57: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID: 1916

Level 58: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID: 272

Level 59: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID: 1232

Level 60: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID: 1724

Level 61: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID: 2872

Level 62: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID: 2648

Level 63: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID: 2424

Level 64: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 1108

Level 65: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 660

Level 66: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  - Executes dropped EXE
  PID: 2644

Level 67: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Suspicious use of SetThreadContext
  PID: 356

Level 68: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  PID: 2120

Level 69: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Suspicious use of SetThreadContext
  PID: 2788

Level 70: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  PID: 2700

Level 71: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Suspicious use of SetThreadContext
  PID: 2452

Level 72: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  PID: 692

Level 73: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Suspicious use of SetThreadContext
  PID: 484

Level 74: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  PID: 2948

Level 75: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Suspicious use of SetThreadContext
  PID: 300

Level 76: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  PID: 1824

Level 77: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Suspicious use of SetThreadContext
  PID: 1728

Level 78: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  PID: 980

Level 79: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID: 3036

Level 80: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  PID: 2920

Level 81: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Suspicious use of SetThreadContext
  PID: 1600

Level 82: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  PID: 2924

Level 83: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Suspicious use of SetThreadContext
  PID: 2880

Level 84: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  PID: 864

Level 85: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Suspicious use of SetThreadContext
  PID: 2572

Level 86: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  PID: 3064

Level 87: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Suspicious use of SetThreadContext
  PID: 2604

Level 88: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  PID: 2152

Level 89: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Suspicious use of SetThreadContext
  PID: 2076

Level 90: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  PID: 2600

Level 91: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Suspicious use of SetThreadContext
  PID: 2872

Level 92: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  PID: 2816

Level 93: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Suspicious use of SetThreadContext
  PID: 1432

Level 94: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  PID: 2652

Level 95: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Suspicious use of SetThreadContext
  PID: 2952

Level 96: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  PID: 2864

Level 97: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Suspicious use of SetThreadContext
  PID: 2280

Level 98: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  PID: 1472

Level 99: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Suspicious use of SetThreadContext
  PID: 1300

Level 100: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  PID: 2960

Level 101: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Suspicious use of SetThreadContext
  PID: 1664

Level 102: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  PID: 1356

Level 103: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Suspicious use of SetThreadContext
  PID: 2784

Level 104: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  PID: 2252

Level 105: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Suspicious use of SetThreadContext
  PID: 2472

Level 106: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  - System Location Discovery: System Language Discovery
  PID: 548

Level 107: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Suspicious use of SetThreadContext
  PID: 1840

Level 108: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  PID: 2432

Level 109: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Suspicious use of SetThreadContext
  PID: 2792

Level 110: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  PID: 308

Level 111: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Suspicious use of SetThreadContext
  PID: 2060

Level 112: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  PID: 1732

Level 113: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Suspicious use of SetThreadContext
  PID: 2908

Level 114: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  PID: 2636

Level 115: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Suspicious use of SetThreadContext
  PID: 2748

Level 116: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  PID: 1916

Level 117: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Suspicious use of SetThreadContext
  PID: 1248

Level 118: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  PID: 2528

Level 119: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Suspicious use of SetThreadContext
  PID: 2844

Level 120: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  PID: 2820

Level 121: C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
  - Suspicious use of SetThreadContext
  PID: 1608

Level 122: \??\c:\users\admin\appdata\local\temp\vircwswq.exe
  Command line: "c:\users\admin\appdata\local\temp\vircwswq.exe"
  PID: 2436