Analysis
- Max time kernel: 21s
- Max time network: 25s
- Platform: windows10-2004_x64
- Resource: win10v2004-20240226-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 06/04/2024, 21:57
Static task
- static1
Behavioral tasks
- behavioral1: sample e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe, resource win7-20240215-en
- behavioral2: sample e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe, resource win10v2004-20240226-en
General
- Target: e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe
- Size: 280KB
- MD5: e3606fe661cb86e3fe8843d598d9ac13
- SHA1: 7c63a823717d43257e641bd42d37ed5b415308f7
- SHA256: dcfac4cd97fab0cf3a91febe447faad646115d46429349af1b80452dd446498a
- SHA512: d57b158fc275400506ddb655c48d5fa6a24a8304ca7ca194ec4f74581c9a5998f88f3c24347dcaaab6c2e724580e69770fb2a722cdd2353459699526f5bb8344
- SSDEEP: 6144:UBycky5x57KKM6CRzMSx/2S3bwvP6bQ7yMP+DE827+c:gkvKDsU6b7MP+Dd2Sc
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Suspicious use of SetThreadContext 50 IoCs
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Each entry gives the depth in the process tree, the image path and PID, the command line the process was started with, and the signatures that fired for it.
- Level 1: C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe (PID 4752), command line: "C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe"
  Signatures: Suspicious use of SetThreadContext; Modifies registry class; Suspicious use of WriteProcessMemory
- Level 2: C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe (PID 3236), command line: C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe
  Signatures: Drops file in System32 directory; Suspicious use of WriteProcessMemory
- Level 3: C:\Windows\SysWOW64\hxet.exe (PID 5024), command line: C:\Windows\system32\hxet.exe 1004 "C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Modifies registry class; Suspicious use of WriteProcessMemory
- Level 4: C:\Windows\SysWOW64\hxet.exe (PID 5068), command line: C:\Windows\SysWOW64\hxet.exe
  Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- Level 5: C:\Windows\SysWOW64\wrct.exe (PID 5080), command line: C:\Windows\system32\wrct.exe 1020 "C:\Windows\SysWOW64\hxet.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Modifies registry class; Suspicious use of WriteProcessMemory
- Level 6: C:\Windows\SysWOW64\wrct.exe (PID 2232), command line: C:\Windows\SysWOW64\wrct.exe
  Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
- Level 7: C:\Windows\SysWOW64\wgsz.exe (PID 1644), command line: C:\Windows\system32\wgsz.exe 1152 "C:\Windows\SysWOW64\wrct.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Modifies registry class; Suspicious use of WriteProcessMemory
- Level 8: C:\Windows\SysWOW64\wgsz.exe (PID 3112), command line: C:\Windows\SysWOW64\wgsz.exe
  Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
- Level 9: C:\Windows\SysWOW64\zmgj.exe (PID 4444), command line: C:\Windows\system32\zmgj.exe 1048 "C:\Windows\SysWOW64\wgsz.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Modifies registry class; Suspicious use of WriteProcessMemory
- Level 10: C:\Windows\SysWOW64\zmgj.exe (PID 4448), command line: C:\Windows\SysWOW64\zmgj.exe
  Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- Level 11: C:\Windows\SysWOW64\ragu.exe (PID 4980), command line: C:\Windows\system32\ragu.exe 1156 "C:\Windows\SysWOW64\zmgj.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Modifies registry class; Suspicious use of WriteProcessMemory
- Level 12: C:\Windows\SysWOW64\ragu.exe (PID 2224), command line: C:\Windows\SysWOW64\ragu.exe
  Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
- Level 13: C:\Windows\SysWOW64\jxge.exe (PID 2076), command line: C:\Windows\system32\jxge.exe 1048 "C:\Windows\SysWOW64\ragu.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Modifies registry class; Suspicious use of WriteProcessMemory
- Level 14: C:\Windows\SysWOW64\jxge.exe (PID 3156), command line: C:\Windows\SysWOW64\jxge.exe
  Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
- Level 15: C:\Windows\SysWOW64\hfqn.exe (PID 2836), command line: C:\Windows\system32\hfqn.exe 1028 "C:\Windows\SysWOW64\jxge.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Modifies registry class; Suspicious use of WriteProcessMemory
- Level 16: C:\Windows\SysWOW64\hfqn.exe (PID 4384), command line: C:\Windows\SysWOW64\hfqn.exe
  Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
- Level 17: C:\Windows\SysWOW64\mhyh.exe (PID 4896), command line: C:\Windows\system32\mhyh.exe 1048 "C:\Windows\SysWOW64\hfqn.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Modifies registry class
- Level 18: C:\Windows\SysWOW64\mhyh.exe (PID 1764), command line: C:\Windows\SysWOW64\mhyh.exe
  Signatures: Executes dropped EXE; Drops file in System32 directory
- Level 19: C:\Windows\SysWOW64\pnns.exe (PID 4196), command line: C:\Windows\system32\pnns.exe 1036 "C:\Windows\SysWOW64\mhyh.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Modifies registry class
- Level 20: C:\Windows\SysWOW64\pnns.exe (PID 4376), command line: C:\Windows\SysWOW64\pnns.exe
  Signatures: Executes dropped EXE; Drops file in System32 directory
- Level 21: C:\Windows\SysWOW64\mwxs.exe (PID 4648), command line: C:\Windows\system32\mwxs.exe 1164 "C:\Windows\SysWOW64\pnns.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Modifies registry class
- Level 22: C:\Windows\SysWOW64\mwxs.exe (PID 116), command line: C:\Windows\SysWOW64\mwxs.exe
  Signatures: Executes dropped EXE; Drops file in System32 directory
- Level 23: C:\Windows\SysWOW64\jxhf.exe (PID 4412), command line: C:\Windows\system32\jxhf.exe 1020 "C:\Windows\SysWOW64\mwxs.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Modifies registry class
- Level 24: C:\Windows\SysWOW64\jxhf.exe (PID 3444), command line: C:\Windows\SysWOW64\jxhf.exe
  Signatures: Executes dropped EXE; Drops file in System32 directory
- Level 25: C:\Windows\SysWOW64\jtfg.exe (PID 3176), command line: C:\Windows\system32\jtfg.exe 1028 "C:\Windows\SysWOW64\jxhf.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Modifies registry class
- Level 26: C:\Windows\SysWOW64\jtfg.exe (PID 5080), command line: C:\Windows\SysWOW64\jtfg.exe
  Signatures: Executes dropped EXE; Drops file in System32 directory
- Level 27: C:\Windows\SysWOW64\wzvb.exe (PID 692), command line: C:\Windows\system32\wzvb.exe 1040 "C:\Windows\SysWOW64\jtfg.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Modifies registry class
- Level 28: C:\Windows\SysWOW64\wzvb.exe (PID 2948), command line: C:\Windows\SysWOW64\wzvb.exe
  Signatures: Executes dropped EXE; Drops file in System32 directory
- Level 29: C:\Windows\SysWOW64\zcyy.exe (PID 2024), command line: C:\Windows\system32\zcyy.exe 1048 "C:\Windows\SysWOW64\wzvb.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Modifies registry class
- Level 30: C:\Windows\SysWOW64\zcyy.exe (PID 3940), command line: C:\Windows\SysWOW64\zcyy.exe
  Signatures: Executes dropped EXE; Drops file in System32 directory
- Level 31: C:\Windows\SysWOW64\txdg.exe (PID 2336), command line: C:\Windows\system32\txdg.exe 900 "C:\Windows\SysWOW64\zcyy.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Modifies registry class
- Level 32: C:\Windows\SysWOW64\txdg.exe (PID 4664), command line: C:\Windows\SysWOW64\txdg.exe
  Signatures: Executes dropped EXE; Drops file in System32 directory
- Level 33: C:\Windows\SysWOW64\olue.exe (PID 4824), command line: C:\Windows\system32\olue.exe 1048 "C:\Windows\SysWOW64\txdg.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext
- Level 34: C:\Windows\SysWOW64\olue.exe (PID 2348), command line: C:\Windows\SysWOW64\olue.exe
  Signatures: Executes dropped EXE
- Level 35: C:\Windows\SysWOW64\jfzm.exe (PID 2836), command line: C:\Windows\system32\jfzm.exe 1032 "C:\Windows\SysWOW64\olue.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Modifies registry class
- Level 36: C:\Windows\SysWOW64\jfzm.exe (PID 2968), command line: C:\Windows\SysWOW64\jfzm.exe
  Signatures: Executes dropped EXE; Drops file in System32 directory
- Level 37: C:\Windows\SysWOW64\rvnz.exe (PID 4724), command line: C:\Windows\system32\rvnz.exe 1096 "C:\Windows\SysWOW64\jfzm.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext
- Level 38: C:\Windows\SysWOW64\rvnz.exe (PID 4840), command line: C:\Windows\SysWOW64\rvnz.exe
  Signatures: Executes dropped EXE; Drops file in System32 directory
- Level 39: C:\Windows\SysWOW64\jybk.exe (PID 4312), command line: C:\Windows\system32\jybk.exe 1064 "C:\Windows\SysWOW64\rvnz.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Modifies registry class
- Level 40: C:\Windows\SysWOW64\jybk.exe (PID 3988), command line: C:\Windows\SysWOW64\jybk.exe
  Signatures: Executes dropped EXE; Drops file in System32 directory
- Level 41: C:\Windows\SysWOW64\osvn.exe (PID 4592), command line: C:\Windows\system32\osvn.exe 1036 "C:\Windows\SysWOW64\jybk.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext
- Level 42: C:\Windows\SysWOW64\osvn.exe (PID 1768), command line: C:\Windows\SysWOW64\osvn.exe
  Signatures: Executes dropped EXE; Drops file in System32 directory
- Level 43: C:\Windows\SysWOW64\mmqa.exe (PID 648), command line: C:\Windows\system32\mmqa.exe 1036 "C:\Windows\SysWOW64\osvn.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Modifies registry class
- Level 44: C:\Windows\SysWOW64\mmqa.exe (PID 4192), command line: C:\Windows\SysWOW64\mmqa.exe
  Signatures: Executes dropped EXE; Drops file in System32 directory
- Level 45: C:\Windows\SysWOW64\otfk.exe (PID 1032), command line: C:\Windows\system32\otfk.exe 1036 "C:\Windows\SysWOW64\mmqa.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Modifies registry class
- Level 46: C:\Windows\SysWOW64\otfk.exe (PID 2232), command line: C:\Windows\SysWOW64\otfk.exe
  Signatures: Executes dropped EXE; Drops file in System32 directory
- Level 47: C:\Windows\SysWOW64\owrd.exe (PID 1980), command line: C:\Windows\system32\owrd.exe 1044 "C:\Windows\SysWOW64\otfk.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Modifies registry class
- Level 48: C:\Windows\SysWOW64\owrd.exe (PID 720), command line: C:\Windows\SysWOW64\owrd.exe
  Signatures: Executes dropped EXE; Drops file in System32 directory
- Level 49: C:\Windows\SysWOW64\rdxf.exe (PID 2088), command line: C:\Windows\system32\rdxf.exe 1056 "C:\Windows\SysWOW64\owrd.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Modifies registry class
- Level 50: C:\Windows\SysWOW64\rdxf.exe (PID 2336), command line: C:\Windows\SysWOW64\rdxf.exe
  Signatures: Executes dropped EXE
- Level 51: C:\Windows\SysWOW64\zdwg.exe (PID 4892), command line: C:\Windows\system32\zdwg.exe 1052 "C:\Windows\SysWOW64\rdxf.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Modifies registry class
- Level 52: C:\Windows\SysWOW64\zdwg.exe (PID 4596), command line: C:\Windows\SysWOW64\zdwg.exe
  Signatures: Executes dropped EXE; Drops file in System32 directory
- Level 53: C:\Windows\SysWOW64\zhiy.exe (PID 3156), command line: C:\Windows\system32\zhiy.exe 1036 "C:\Windows\SysWOW64\zdwg.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Modifies registry class
- Level 54: C:\Windows\SysWOW64\zhiy.exe (PID 4992), command line: C:\Windows\SysWOW64\zhiy.exe
  Signatures: Executes dropped EXE; Drops file in System32 directory
- Level 55: C:\Windows\SysWOW64\eqrb.exe (PID 1568), command line: C:\Windows\system32\eqrb.exe 1032 "C:\Windows\SysWOW64\zhiy.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Modifies registry class
- Level 56: C:\Windows\SysWOW64\eqrb.exe (PID 2096), command line: C:\Windows\SysWOW64\eqrb.exe
  Signatures: Executes dropped EXE; Drops file in System32 directory
- Level 57: C:\Windows\SysWOW64\efoy.exe (PID 4208), command line: C:\Windows\system32\efoy.exe 1084 "C:\Windows\SysWOW64\eqrb.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Modifies registry class
- Level 58: C:\Windows\SysWOW64\efoy.exe (PID 2460), command line: C:\Windows\SysWOW64\efoy.exe
  Signatures: Executes dropped EXE
- Level 59: C:\Windows\SysWOW64\zlfo.exe (PID 3016), command line: C:\Windows\system32\zlfo.exe 1028 "C:\Windows\SysWOW64\efoy.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Modifies registry class
- Level 60: C:\Windows\SysWOW64\zlfo.exe (PID 4412), command line: C:\Windows\SysWOW64\zlfo.exe
  Signatures: Executes dropped EXE; Drops file in System32 directory
- Level 61: C:\Windows\SysWOW64\eunr.exe (PID 4268), command line: C:\Windows\system32\eunr.exe 1032 "C:\Windows\SysWOW64\zlfo.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Modifies registry class
- Level 62: C:\Windows\SysWOW64\eunr.exe (PID 3232), command line: C:\Windows\SysWOW64\eunr.exe
  Signatures: Executes dropped EXE; Drops file in System32 directory
- Level 63: C:\Windows\SysWOW64\ysdm.exe (PID 404), command line: C:\Windows\system32\ysdm.exe 1160 "C:\Windows\SysWOW64\eunr.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Modifies registry class
- Level 64: C:\Windows\SysWOW64\ysdm.exe (PID 3248), command line: C:\Windows\SysWOW64\ysdm.exe
  Signatures: Executes dropped EXE; Drops file in System32 directory
- Level 65: C:\Windows\SysWOW64\wbom.exe (PID 632), command line: C:\Windows\system32\wbom.exe 1052 "C:\Windows\SysWOW64\ysdm.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Modifies registry class
- Level 66: C:\Windows\SysWOW64\wbom.exe (PID 2384), command line: C:\Windows\SysWOW64\wbom.exe
  Signatures: Executes dropped EXE; Drops file in System32 directory
- Level 67: C:\Windows\SysWOW64\qshp.exe (PID 1692), command line: C:\Windows\system32\qshp.exe 1152 "C:\Windows\SysWOW64\wbom.exe"
  Signatures: Suspicious use of SetThreadContext; Modifies registry class
- Level 68: C:\Windows\SysWOW64\qshp.exe (PID 4652), command line: C:\Windows\SysWOW64\qshp.exe
  Signatures: Drops file in System32 directory
- Level 69: C:\Windows\SysWOW64\lgyf.exe (PID 456), command line: C:\Windows\system32\lgyf.exe 1056 "C:\Windows\SysWOW64\qshp.exe"
  Signatures: Suspicious use of SetThreadContext
- Level 70: C:\Windows\SysWOW64\lgyf.exe (PID 4704), command line: C:\Windows\SysWOW64\lgyf.exe
  Signatures: Drops file in System32 directory
- Level 71: C:\Windows\SysWOW64\lvwk.exe (PID 2896), command line: C:\Windows\system32\lvwk.exe 1056 "C:\Windows\SysWOW64\lgyf.exe"
  Signatures: Suspicious use of SetThreadContext; Modifies registry class
- Level 72: C:\Windows\SysWOW64\lvwk.exe (PID 4724), command line: C:\Windows\SysWOW64\lvwk.exe
  Signatures: Drops file in System32 directory
- Level 73: C:\Windows\SysWOW64\dklq.exe (PID 1256), command line: C:\Windows\system32\dklq.exe 1020 "C:\Windows\SysWOW64\lvwk.exe"
  Signatures: Suspicious use of SetThreadContext; Modifies registry class
- Level 74: C:\Windows\SysWOW64\dklq.exe (PID 3584), command line: C:\Windows\SysWOW64\dklq.exe
  Signatures: Drops file in System32 directory
- Level 75: C:\Windows\SysWOW64\dkuv.exe (PID 3988), command line: C:\Windows\system32\dkuv.exe 1032 "C:\Windows\SysWOW64\dklq.exe"
  Signatures: Suspicious use of SetThreadContext
- Level 76: C:\Windows\SysWOW64\dkuv.exe (PID 1788), command line: C:\Windows\SysWOW64\dkuv.exe
  Signatures: Drops file in System32 directory
- Level 77: C:\Windows\SysWOW64\bwqq.exe (PID 2256), command line: C:\Windows\system32\bwqq.exe 1036 "C:\Windows\SysWOW64\dkuv.exe"
  Signatures: Suspicious use of SetThreadContext; Modifies registry class
- Level 78: C:\Windows\SysWOW64\bwqq.exe (PID 4412), command line: C:\Windows\SysWOW64\bwqq.exe
  Signatures: Drops file in System32 directory
- Level 79: C:\Windows\SysWOW64\blgv.exe (PID 1700), command line: C:\Windows\system32\blgv.exe 1040 "C:\Windows\SysWOW64\bwqq.exe"
  Signatures: Suspicious use of SetThreadContext
- Level 80: C:\Windows\SysWOW64\blgv.exe (PID 3232), command line: C:\Windows\SysWOW64\blgv.exe
  Signatures: Drops file in System32 directory
- Level 81: C:\Windows\SysWOW64\dojl.exe (PID 2296), command line: C:\Windows\system32\dojl.exe 1036 "C:\Windows\SysWOW64\blgv.exe"
  Signatures: Suspicious use of SetThreadContext; Modifies registry class
- Level 82: C:\Windows\SysWOW64\dojl.exe (PID 1628), command line: C:\Windows\SysWOW64\dojl.exe
  Signatures: Drops file in System32 directory
- Level 83: C:\Windows\SysWOW64\yiob.exe (PID 2860), command line: C:\Windows\system32\yiob.exe 1044 "C:\Windows\SysWOW64\dojl.exe"
  Signatures: Suspicious use of SetThreadContext
- Level 84: C:\Windows\SysWOW64\yiob.exe (PID 4448), command line: C:\Windows\SysWOW64\yiob.exe
  Signatures: Drops file in System32 directory
- Level 85: C:\Windows\SysWOW64\blrz.exe (PID 2936), command line: C:\Windows\system32\blrz.exe 1060 "C:\Windows\SysWOW64\yiob.exe"
  Signatures: Suspicious use of SetThreadContext; Modifies registry class
- Level 86: C:\Windows\SysWOW64\blrz.exe (PID 4208), command line: C:\Windows\SysWOW64\blrz.exe
  Signatures: Drops file in System32 directory
- Level 87: C:\Windows\SysWOW64\gjwh.exe (PID 3748), command line: C:\Windows\system32\gjwh.exe 1048 "C:\Windows\SysWOW64\blrz.exe"
  Signatures: Suspicious use of SetThreadContext; Modifies registry class
- Level 88: C:\Windows\SysWOW64\gjwh.exe (PID 212), command line: C:\Windows\SysWOW64\gjwh.exe
  Signatures: Drops file in System32 directory
- Level 89: C:\Windows\SysWOW64\ddrc.exe (PID 4012), command line: C:\Windows\system32\ddrc.exe 1048 "C:\Windows\SysWOW64\gjwh.exe"
  Signatures: Suspicious use of SetThreadContext; Modifies registry class
- Level 90: C:\Windows\SysWOW64\ddrc.exe (PID 3068), command line: C:\Windows\SysWOW64\ddrc.exe
  Signatures: Drops file in System32 directory
- Level 91: C:\Windows\SysWOW64\dwsm.exe (PID 5060), command line: C:\Windows\system32\dwsm.exe 1036 "C:\Windows\SysWOW64\ddrc.exe"
  Signatures: Suspicious use of SetThreadContext; Modifies registry class
- Level 92: C:\Windows\SysWOW64\dwsm.exe (PID 2948), command line: C:\Windows\SysWOW64\dwsm.exe
- Level 93: C:\Windows\SysWOW64\gcgx.exe (PID 3272), command line: C:\Windows\system32\gcgx.exe 1044 "C:\Windows\SysWOW64\dwsm.exe"
  Signatures: Suspicious use of SetThreadContext; Modifies registry class
- Level 94: C:\Windows\SysWOW64\gcgx.exe (PID 4680), command line: C:\Windows\SysWOW64\gcgx.exe
  Signatures: Drops file in System32 directory
- Level 95: C:\Windows\SysWOW64\dlrx.exe (PID 3920), command line: C:\Windows\system32\dlrx.exe 1048 "C:\Windows\SysWOW64\gcgx.exe"
  Signatures: Suspicious use of SetThreadContext
- Level 96: C:\Windows\SysWOW64\dlrx.exe (PID 4664), command line: C:\Windows\SysWOW64\dlrx.exe
  Signatures: Drops file in System32 directory
- Level 97: C:\Windows\SysWOW64\daoc.exe (PID 2024), command line: C:\Windows\system32\daoc.exe 1048 "C:\Windows\SysWOW64\dlrx.exe"
  Signatures: Suspicious use of SetThreadContext; Modifies registry class
- Level 98: C:\Windows\SysWOW64\daoc.exe (PID 3216), command line: C:\Windows\SysWOW64\daoc.exe
  Signatures: Drops file in System32 directory
- Level 99: C:\Windows\SysWOW64\ddbv.exe (PID 2980), command line: C:\Windows\system32\ddbv.exe 1048 "C:\Windows\SysWOW64\daoc.exe"
  Signatures: Suspicious use of SetThreadContext
- Level 100: C:\Windows\SysWOW64\ddbv.exe (PID 4892), command line: C:\Windows\SysWOW64\ddbv.exe
- Level 101: C:\Windows\SysWOW64\dpfv.exe (PID 4132), command line: C:\Windows\system32\dpfv.exe 1032 "C:\Windows\SysWOW64\ddbv.exe"
- Level 102: C:\Windows\SysWOW64\dpfv.exe (PID 3460), command line: C:\Windows\SysWOW64\dpfv.exe
- Level 103: C:\Windows\SysWOW64\yghq.exe (PID 3388), command line: C:\Windows\system32\yghq.exe 1152 "C:\Windows\SysWOW64\dpfv.exe"
- Level 104: C:\Windows\SysWOW64\yghq.exe (PID 4548), command line: C:\Windows\SysWOW64\yghq.exe
- Level 105: C:\Windows\SysWOW64\gvvd.exe (PID 2480), command line: C:\Windows\system32\gvvd.exe 1040 "C:\Windows\SysWOW64\yghq.exe"
- Level 106: C:\Windows\SysWOW64\gvvd.exe (PID 3436), command line: C:\Windows\SysWOW64\gvvd.exe
- Level 107: C:\Windows\SysWOW64\yvgj.exe (PID 2872), command line: C:\Windows\system32\yvgj.exe 1036 "C:\Windows\SysWOW64\gvvd.exe"
- Level 108: C:\Windows\SysWOW64\yvgj.exe (PID 4584), command line: C:\Windows\SysWOW64\yvgj.exe
- Level 109: C:\Windows\SysWOW64\ygsb.exe (PID 2308), command line: C:\Windows\system32\ygsb.exe 1036 "C:\Windows\SysWOW64\yvgj.exe"
- Level 110: C:\Windows\SysWOW64\ygsb.exe (PID 4908), command line: C:\Windows\SysWOW64\ygsb.exe
- Level 111: C:\Windows\SysWOW64\yket.exe (PID 720), command line: C:\Windows\system32\yket.exe 1036 "C:\Windows\SysWOW64\ygsb.exe"
- Level 112: C:\Windows\SysWOW64\yket.exe (PID 4444), command line: C:\Windows\SysWOW64\yket.exe
Network
MITRE ATT&CK Matrix