Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 46s
max time network: 16s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 06/04/2024, 21:57
Static task: static1
Behavioral task: behavioral1
Sample: e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe
Resource: win7-20240215-en
Behavioral task: behavioral2
Sample: e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe
Resource: win10v2004-20240226-en
Errors
General
Target: e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe
Size: 280KB
MD5: e3606fe661cb86e3fe8843d598d9ac13
SHA1: 7c63a823717d43257e641bd42d37ed5b415308f7
SHA256: dcfac4cd97fab0cf3a91febe447faad646115d46429349af1b80452dd446498a
SHA512: d57b158fc275400506ddb655c48d5fa6a24a8304ca7ca194ec4f74581c9a5998f88f3c24347dcaaab6c2e724580e69770fb2a722cdd2353459699526f5bb8344
SSDEEP: 6144:UBycky5x57KKM6CRzMSx/2S3bwvP6bQ7yMP+DE827+c:gkvKDsU6b7MP+Dd2Sc
Malware Config
Signatures
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Writes to the Master Boot Record (MBR) (1 TTP, 64 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Drops file in System32 directory (64 IoCs)
Suspicious use of SetThreadContext (64 IoCs)
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Each entry gives the process image, its command line, its depth in the process tree, the signatures it triggered, and its PID.

Depth 1: C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe"
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID: 1288

Depth 2: C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe
Command line: C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 2800

Depth 3: C:\Windows\SysWOW64\lvdf.exe
Command line: C:\Windows\system32\lvdf.exe 500 "C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe"
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2980

Depth 4: C:\Windows\SysWOW64\lvdf.exe
Command line: C:\Windows\SysWOW64\lvdf.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 2620

Depth 5: C:\Windows\SysWOW64\ihad.exe
Command line: C:\Windows\system32\ihad.exe 456 "C:\Windows\SysWOW64\lvdf.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID: 2896

Depth 6: C:\Windows\SysWOW64\ihad.exe
Command line: C:\Windows\SysWOW64\ihad.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 2668

Depth 7: C:\Windows\SysWOW64\qeli.exe
Command line: C:\Windows\system32\qeli.exe 456 "C:\Windows\SysWOW64\ihad.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID: 2888

Depth 8: C:\Windows\SysWOW64\qeli.exe
Command line: C:\Windows\SysWOW64\qeli.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 1236

Depth 9: C:\Windows\SysWOW64\wmdl.exe
Command line: C:\Windows\system32\wmdl.exe 456 "C:\Windows\SysWOW64\qeli.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID: 1520

Depth 10: C:\Windows\SysWOW64\wmdl.exe
Command line: C:\Windows\SysWOW64\wmdl.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2116

Depth 11: C:\Windows\SysWOW64\yodt.exe
Command line: C:\Windows\system32\yodt.exe 432 "C:\Windows\SysWOW64\wmdl.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2076

Depth 12: C:\Windows\SysWOW64\yodt.exe
Command line: C:\Windows\SysWOW64\yodt.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1052

Depth 13: C:\Windows\SysWOW64\zfsb.exe
Command line: C:\Windows\system32\zfsb.exe 456 "C:\Windows\SysWOW64\yodt.exe"
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3064

Depth 14: C:\Windows\SysWOW64\zfsb.exe
Command line: C:\Windows\SysWOW64\zfsb.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 288

Depth 15: C:\Windows\SysWOW64\juue.exe
Command line: C:\Windows\system32\juue.exe 460 "C:\Windows\SysWOW64\zfsb.exe"
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Modifies registry class
PID: 2788

Depth 16: C:\Windows\SysWOW64\juue.exe
Command line: C:\Windows\SysWOW64\juue.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 792

Depth 17: C:\Windows\SysWOW64\ycgw.exe
Command line: C:\Windows\system32\ycgw.exe 460 "C:\Windows\SysWOW64\juue.exe"
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Modifies registry class
PID: 2368

Depth 18: C:\Windows\SysWOW64\ycgw.exe
Command line: C:\Windows\SysWOW64\ycgw.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 2028

Depth 19: C:\Windows\SysWOW64\iutm.exe
Command line: C:\Windows\system32\iutm.exe 460 "C:\Windows\SysWOW64\ycgw.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID: 3024

Depth 20: C:\Windows\SysWOW64\iutm.exe
Command line: C:\Windows\SysWOW64\iutm.exe
- Executes dropped EXE
- Loads dropped DLL
PID: 2716

Depth 21: C:\Windows\SysWOW64\klim.exe
Command line: C:\Windows\system32\klim.exe 480 "C:\Windows\SysWOW64\iutm.exe"
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
PID: 2464

Depth 22: C:\Windows\SysWOW64\klim.exe
Command line: C:\Windows\SysWOW64\klim.exe
- Executes dropped EXE
- Loads dropped DLL
PID: 2504

Depth 23: C:\Windows\SysWOW64\tcvc.exe
Command line: C:\Windows\system32\tcvc.exe 460 "C:\Windows\SysWOW64\klim.exe"
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
PID: 344

Depth 24: C:\Windows\SysWOW64\tcvc.exe
Command line: C:\Windows\SysWOW64\tcvc.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 1956

Depth 25: C:\Windows\SysWOW64\ojlw.exe
Command line: C:\Windows\system32\ojlw.exe 480 "C:\Windows\SysWOW64\tcvc.exe"
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
PID: 1636

Depth 26: C:\Windows\SysWOW64\ojlw.exe
Command line: C:\Windows\SysWOW64\ojlw.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 2092

Depth 27: C:\Windows\SysWOW64\plme.exe
Command line: C:\Windows\system32\plme.exe 472 "C:\Windows\SysWOW64\ojlw.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID: 1952

Depth 28: C:\Windows\SysWOW64\plme.exe
Command line: C:\Windows\SysWOW64\plme.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 992

Depth 29: C:\Windows\SysWOW64\ufvs.exe
Command line: C:\Windows\system32\ufvs.exe 480 "C:\Windows\SysWOW64\plme.exe"
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
PID: 560

Depth 30: C:\Windows\SysWOW64\ufvs.exe
Command line: C:\Windows\SysWOW64\ufvs.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 2152

Depth 31: C:\Windows\SysWOW64\muuh.exe
Command line: C:\Windows\system32\muuh.exe 536 "C:\Windows\SysWOW64\ufvs.exe"
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Modifies registry class
PID: 960

Depth 32: C:\Windows\SysWOW64\muuh.exe
Command line: C:\Windows\SysWOW64\muuh.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 1680

Depth 33: C:\Windows\SysWOW64\dauf.exe
Command line: C:\Windows\system32\dauf.exe 468 "C:\Windows\SysWOW64\muuh.exe"
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
PID: 2956

Depth 34: C:\Windows\SysWOW64\dauf.exe
Command line: C:\Windows\SysWOW64\dauf.exe
- Executes dropped EXE
- Loads dropped DLL
PID: 2988

Depth 35: C:\Windows\SysWOW64\sqdx.exe
Command line: C:\Windows\system32\sqdx.exe 468 "C:\Windows\SysWOW64\dauf.exe"
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Modifies registry class
PID: 2316

Depth 36: C:\Windows\SysWOW64\sqdx.exe
Command line: C:\Windows\SysWOW64\sqdx.exe
- Executes dropped EXE
- Loads dropped DLL
PID: 1512

Depth 37: C:\Windows\SysWOW64\cabn.exe
Command line: C:\Windows\system32\cabn.exe 460 "C:\Windows\SysWOW64\sqdx.exe"
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
PID: 2816

Depth 38: C:\Windows\SysWOW64\cabn.exe
Command line: C:\Windows\SysWOW64\cabn.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 2624

Depth 39: C:\Windows\SysWOW64\msgd.exe
Command line: C:\Windows\system32\msgd.exe 472 "C:\Windows\SysWOW64\cabn.exe"
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
PID: 2496

Depth 40: C:\Windows\SysWOW64\msgd.exe
Command line: C:\Windows\SysWOW64\msgd.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 2692

Depth 41: C:\Windows\SysWOW64\temi.exe
Command line: C:\Windows\system32\temi.exe 464 "C:\Windows\SysWOW64\msgd.exe"
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Modifies registry class
PID: 2620

Depth 42: C:\Windows\SysWOW64\temi.exe
Command line: C:\Windows\SysWOW64\temi.exe
- Executes dropped EXE
- Loads dropped DLL
PID: 332

Depth 43: C:\Windows\SysWOW64\fyti.exe
Command line: C:\Windows\system32\fyti.exe 464 "C:\Windows\SysWOW64\temi.exe"
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Modifies registry class
PID: 1752

Depth 44: C:\Windows\SysWOW64\fyti.exe
Command line: C:\Windows\SysWOW64\fyti.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 1536

Depth 45: C:\Windows\SysWOW64\shwd.exe
Command line: C:\Windows\system32\shwd.exe 456 "C:\Windows\SysWOW64\fyti.exe"
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
PID: 2888

Depth 46: C:\Windows\SysWOW64\shwd.exe
Command line: C:\Windows\SysWOW64\shwd.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 2704

Depth 47: C:\Windows\SysWOW64\gffn.exe
Command line: C:\Windows\system32\gffn.exe 468 "C:\Windows\SysWOW64\shwd.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
PID: 1172

Depth 48: C:\Windows\SysWOW64\gffn.exe
Command line: C:\Windows\SysWOW64\gffn.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 1952

Depth 49: C:\Windows\SysWOW64\aghd.exe
Command line: C:\Windows\system32\aghd.exe 456 "C:\Windows\SysWOW64\gffn.exe"
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
PID: 1364

Depth 50: C:\Windows\SysWOW64\aghd.exe
Command line: C:\Windows\SysWOW64\aghd.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 900

Depth 51: C:\Windows\SysWOW64\fiqi.exe
Command line: C:\Windows\system32\fiqi.exe 464 "C:\Windows\SysWOW64\aghd.exe"
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
PID: 1624

Depth 52: C:\Windows\SysWOW64\fiqi.exe
Command line: C:\Windows\SysWOW64\fiqi.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 956

Depth 53: C:\Windows\SysWOW64\advy.exe
Command line: C:\Windows\system32\advy.exe 468 "C:\Windows\SysWOW64\fiqi.exe"
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Modifies registry class
PID: 2868

Depth 54: C:\Windows\SysWOW64\advy.exe
Command line: C:\Windows\SysWOW64\advy.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 2240

Depth 55: C:\Windows\SysWOW64\rvgb.exe
Command line: C:\Windows\system32\rvgb.exe 468 "C:\Windows\SysWOW64\advy.exe"
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Modifies registry class
PID: 1584

Depth 56: C:\Windows\SysWOW64\rvgb.exe
Command line: C:\Windows\SysWOW64\rvgb.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 1148

Depth 57: C:\Windows\SysWOW64\ltww.exe
Command line: C:\Windows\system32\ltww.exe 464 "C:\Windows\SysWOW64\rvgb.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
PID: 2648

Depth 58: C:\Windows\SysWOW64\ltww.exe
Command line: C:\Windows\SysWOW64\ltww.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 2816

Depth 59: C:\Windows\SysWOW64\yksr.exe
Command line: C:\Windows\system32\yksr.exe 504 "C:\Windows\SysWOW64\ltww.exe"
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Modifies registry class
PID: 2980

Depth 60: C:\Windows\SysWOW64\yksr.exe
Command line: C:\Windows\SysWOW64\yksr.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 2580

Depth 61: C:\Windows\SysWOW64\kxhr.exe
Command line: C:\Windows\system32\kxhr.exe 500 "C:\Windows\SysWOW64\yksr.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID: 1720

Depth 62: C:\Windows\SysWOW64\kxhr.exe
Command line: C:\Windows\SysWOW64\kxhr.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 2216

Depth 63: C:\Windows\SysWOW64\zfbr.exe
Command line: C:\Windows\system32\zfbr.exe 480 "C:\Windows\SysWOW64\kxhr.exe"
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
PID: 2872
C:\Windows\SysWOW64\zfbr.exeC:\Windows\SysWOW64\zfbr.exe64⤵
- Executes dropped EXE
- Loads dropped DLL
PID:332 -
C:\Windows\SysWOW64\orzw.exeC:\Windows\system32\orzw.exe 476 "C:\Windows\SysWOW64\zfbr.exe"65⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
PID:2100 -
C:\Windows\SysWOW64\orzw.exeC:\Windows\SysWOW64\orzw.exe66⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\gbjz.exeC:\Windows\system32\gbjz.exe 464 "C:\Windows\SysWOW64\orzw.exe"67⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
PID:1880 -
C:\Windows\SysWOW64\gbjz.exeC:\Windows\SysWOW64\gbjz.exe68⤵PID:696
-
C:\Windows\SysWOW64\dvfm.exeC:\Windows\system32\dvfm.exe 460 "C:\Windows\SysWOW64\gbjz.exe"69⤵
- Suspicious use of SetThreadContext
- Modifies registry class
PID:3044 -
C:\Windows\SysWOW64\dvfm.exeC:\Windows\SysWOW64\dvfm.exe70⤵
- Drops file in System32 directory
PID:1364 -
C:\Windows\SysWOW64\ebjh.exeC:\Windows\system32\ebjh.exe 468 "C:\Windows\SysWOW64\dvfm.exe"71⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Modifies registry class
PID:1032 -
C:\Windows\SysWOW64\ebjh.exeC:\Windows\SysWOW64\ebjh.exe72⤵
- Drops file in System32 directory
PID:2380 -
C:\Windows\SysWOW64\rwqh.exeC:\Windows\system32\rwqh.exe 480 "C:\Windows\SysWOW64\ebjh.exe"73⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
PID:1792 -
C:\Windows\SysWOW64\rwqh.exeC:\Windows\SysWOW64\rwqh.exe74⤵
- Drops file in System32 directory
PID:2168 -
C:\Windows\SysWOW64\gbzu.exeC:\Windows\system32\gbzu.exe 464 "C:\Windows\SysWOW64\rwqh.exe"75⤵
- Suspicious use of SetThreadContext
PID:2700 -
C:\Windows\SysWOW64\gbzu.exeC:\Windows\SysWOW64\gbzu.exe76⤵
- Drops file in System32 directory
PID:2308 -
C:\Windows\SysWOW64\knou.exeC:\Windows\system32\knou.exe 456 "C:\Windows\SysWOW64\gbzu.exe"77⤵
- Suspicious use of SetThreadContext
PID:2672 -
C:\Windows\SysWOW64\knou.exeC:\Windows\SysWOW64\knou.exe78⤵
- Drops file in System32 directory
PID:1672 -
C:\Windows\SysWOW64\ilnu.exeC:\Windows\system32\ilnu.exe 464 "C:\Windows\SysWOW64\knou.exe"79⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
PID:1604 -
C:\Windows\SysWOW64\ilnu.exeC:\Windows\SysWOW64\ilnu.exe80⤵
- Drops file in System32 directory
PID:1796 -
C:\Windows\SysWOW64\ujnh.exeC:\Windows\system32\ujnh.exe 468 "C:\Windows\SysWOW64\ilnu.exe"81⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Modifies registry class
PID:2496 -
C:\Windows\SysWOW64\ujnh.exeC:\Windows\SysWOW64\ujnh.exe82⤵
- Drops file in System32 directory
PID:2200 -
C:\Windows\SysWOW64\lqmf.exeC:\Windows\system32\lqmf.exe 476 "C:\Windows\SysWOW64\ujnh.exe"83⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Modifies registry class
PID:1752 -
C:\Windows\SysWOW64\lqmf.exeC:\Windows\SysWOW64\lqmf.exe84⤵PID:1972
-
C:\Windows\SysWOW64\lbzx.exeC:\Windows\system32\lbzx.exe 476 "C:\Windows\SysWOW64\lqmf.exe"85⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
PID:2896 -
C:\Windows\SysWOW64\lbzx.exeC:\Windows\SysWOW64\lbzx.exe86⤵
- Drops file in System32 directory
PID:332 -
C:\Windows\SysWOW64\uiaf.exeC:\Windows\system32\uiaf.exe 492 "C:\Windows\SysWOW64\lbzx.exe"87⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
PID:1136 -
C:\Windows\SysWOW64\uiaf.exeC:\Windows\SysWOW64\uiaf.exe88⤵
- Drops file in System32 directory
PID:584 -
C:\Windows\SysWOW64\mlpq.exeC:\Windows\system32\mlpq.exe 464 "C:\Windows\SysWOW64\uiaf.exe"89⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Modifies registry class
PID:2392 -
C:\Windows\SysWOW64\mlpq.exeC:\Windows\SysWOW64\mlpq.exe90⤵PID:1572
-
C:\Windows\SysWOW64\jbvq.exeC:\Windows\system32\jbvq.exe 472 "C:\Windows\SysWOW64\mlpq.exe"91⤵
- Suspicious use of SetThreadContext
PID:1044 -
C:\Windows\SysWOW64\jbvq.exeC:\Windows\SysWOW64\jbvq.exe92⤵PID:1048
-
C:\Windows\SysWOW64\qjsa.exeC:\Windows\system32\qjsa.exe 460 "C:\Windows\SysWOW64\jbvq.exe"93⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
PID:956 -
C:\Windows\SysWOW64\qjsa.exeC:\Windows\SysWOW64\qjsa.exe94⤵
- Drops file in System32 directory
PID:572 -
C:\Windows\SysWOW64\ldxq.exeC:\Windows\system32\ldxq.exe 460 "C:\Windows\SysWOW64\qjsa.exe"95⤵
- Suspicious use of SetThreadContext
PID:2548 -
C:\Windows\SysWOW64\ldxq.exeC:\Windows\SysWOW64\ldxq.exe96⤵PID:2632
-
C:\Windows\SysWOW64\fcnl.exeC:\Windows\system32\fcnl.exe 468 "C:\Windows\SysWOW64\ldxq.exe"97⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Modifies registry class
PID:2264 -
C:\Windows\SysWOW64\fcnl.exeC:\Windows\SysWOW64\fcnl.exe98⤵
- Drops file in System32 directory
PID:2644 -
C:\Windows\SysWOW64\mnni.exeC:\Windows\system32\mnni.exe 464 "C:\Windows\SysWOW64\fcnl.exe"99⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
PID:2224 -
C:\Windows\SysWOW64\mnni.exeC:\Windows\SysWOW64\mnni.exe100⤵PID:2716
-
C:\Windows\SysWOW64\ywqv.exeC:\Windows\system32\ywqv.exe 456 "C:\Windows\SysWOW64\mnni.exe"101⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
PID:1892 -
C:\Windows\SysWOW64\ywqv.exeC:\Windows\SysWOW64\ywqv.exe102⤵
- Drops file in System32 directory
PID:2884 -
C:\Windows\SysWOW64\ypro.exeC:\Windows\system32\ypro.exe 480 "C:\Windows\SysWOW64\ywqv.exe"103⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Modifies registry class
PID:1588 -
C:\Windows\SysWOW64\ypro.exeC:\Windows\SysWOW64\ypro.exe104⤵
- Drops file in System32 directory
PID:2828 -
C:\Windows\SysWOW64\psny.exeC:\Windows\system32\psny.exe 464 "C:\Windows\SysWOW64\ypro.exe"105⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Modifies registry class
PID:2836 -
C:\Windows\SysWOW64\psny.exeC:\Windows\SysWOW64\psny.exe106⤵PID:2844
-
C:\Windows\SysWOW64\zvet.exeC:\Windows\system32\zvet.exe 468 "C:\Windows\SysWOW64\psny.exe"107⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Modifies registry class
PID:2116 -
C:\Windows\SysWOW64\zvet.exeC:\Windows\SysWOW64\zvet.exe108⤵
- Drops file in System32 directory
PID:1804 -
C:\Windows\SysWOW64\rvpr.exeC:\Windows\system32\rvpr.exe 472 "C:\Windows\SysWOW64\zvet.exe"109⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Modifies registry class
PID:1812 -
C:\Windows\SysWOW64\rvpr.exeC:\Windows\SysWOW64\rvpr.exe110⤵
- Drops file in System32 directory
PID:2152 -
C:\Windows\SysWOW64\dhwr.exeC:\Windows\system32\dhwr.exe 472 "C:\Windows\SysWOW64\rvpr.exe"111⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Modifies registry class
PID:920 -
C:\Windows\SysWOW64\dhwr.exeC:\Windows\SysWOW64\dhwr.exe112⤵
- Drops file in System32 directory
PID:2024 -
C:\Windows\SysWOW64\yomu.exeC:\Windows\system32\yomu.exe 460 "C:\Windows\SysWOW64\dhwr.exe"113⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Modifies registry class
PID:2956 -
C:\Windows\SysWOW64\yomu.exeC:\Windows\SysWOW64\yomu.exe114⤵PID:352
-
C:\Windows\SysWOW64\cxqh.exeC:\Windows\system32\cxqh.exe 460 "C:\Windows\SysWOW64\yomu.exe"115⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Modifies registry class
PID:2664 -
C:\Windows\SysWOW64\cxqh.exeC:\Windows\SysWOW64\cxqh.exe116⤵
- Drops file in System32 directory
PID:952 -
C:\Windows\SysWOW64\lagj.exeC:\Windows\system32\lagj.exe 476 "C:\Windows\SysWOW64\cxqh.exe"117⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Modifies registry class
PID:2892 -
C:\Windows\SysWOW64\lagj.exeC:\Windows\SysWOW64\lagj.exe118⤵PID:2476
-
C:\Windows\SysWOW64\ttou.exeC:\Windows\system32\ttou.exe 460 "C:\Windows\SysWOW64\lagj.exe"119⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Modifies registry class
PID:2980 -
C:\Windows\SysWOW64\ttou.exeC:\Windows\SysWOW64\ttou.exe120⤵
- Drops file in System32 directory
PID:2772 -
C:\Windows\SysWOW64\dkbk.exeC:\Windows\system32\dkbk.exe 464 "C:\Windows\SysWOW64\ttou.exe"121⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
PID:2712 -
C:\Windows\SysWOW64\dkbk.exeC:\Windows\SysWOW64\dkbk.exe122⤵PID:1568