Analysis
max time kernel: 59s
max time network: 118s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 07/04/2024, 23:20
Tasks
Static task: static1
Behavioral task: behavioral1, sample e618abbf88aedc79c3975878daba5c9a_JaffaCakes118.exe, resource win7-20240215-en
Behavioral task: behavioral2, sample e618abbf88aedc79c3975878daba5c9a_JaffaCakes118.exe, resource win10v2004-20240226-en
The platform (windows7_x64) and resource (win7-20240215-en) fields above identify the signatures and process tree on this page as the behavioral1 run.
General
Target: e618abbf88aedc79c3975878daba5c9a_JaffaCakes118.exe
Size: 102KB
MD5: e618abbf88aedc79c3975878daba5c9a
SHA1: df3bea7b926a13b6d2003bf7a280a875882f8bbe
SHA256: 24d5464a706bf74c91841344dd879fab410a6d1b55032014c2ddb1781ac32d18
SHA512: efce7dd64001a96d9bdf579d4a3284efad83b63ae51334299c64e6cd9cd9e084cce72d5b6df395f48c991b92615cc3342a3f694a6143db44057e63565c01f2ef
SSDEEP: 3072:fVsUjh2iw4XUMgQOIXdYyhQQ+bMKLo3pl0k4F9:9PlXiQNWyhQU3pX69
Malware Config
Signatures
Executes dropped EXE (64 IoCs)
PID   Process
2980  srce.exe
2540  wuaumqr.exe
2404  wuksrhl.exe
1640  gbtakba.exe
1348  vuqntpk.exe
1572  wuaumqr.exe
2320  ytwyjgl.exe
1452  fmvdyat.exe
1604  wuaumqr.exe
688   uybijjg.exe
2604  eioajgo.exe
408   wuaumqr.exe
692   exegaor.exe
836   glhivoy.exe
2080  wuaumqr.exe
2908  bfmyvig.exe
2076  sfwqjou.exe
2996  wuaumqr.exe
2968  utyteob.exe
2524  zfsbxqf.exe
2284  wuaumqr.exe
1216  zretlck.exe
1592  orpgbya.exe
1352  wuaumqr.exe
2300  ldltrby.exe
840   txkyovo.exe
2748  wuaumqr.exe
2068  qmrzhtt.exe
1604  iutmmuv.exe
1460  wuaumqr.exe
1036  chgzutq.exe
1960  ztbukvw.exe
1564  wuaumqr.exe
1912  tcvcqxk.exe
3060  gpmrwbj.exe
2956  wuaumqr.exe
3048  snfeeww.exe
2544  scckvnh.exe
2612  wuaumqr.exe
2192  eauxmic.exe
1536  uurkvee.exe
2784  wuaumqr.exe
1540  cnqkcli.exe
1592  gzksvvn.exe
1868  wuaumqr.exe
1356  bgamysc.exe
1444  qrphhge.exe
584   wuaumqr.exe
2068  nshudrq.exe
688   vwravct.exe
2072  wuaumqr.exe
2176  kipfydf.exe
1016  cwnkbem.exe
2480  wuaumqr.exe
1652  gnjfmzu.exe
1704  imxvjeh.exe
2164  wuaumqr.exe
2552  itvabms.exe
2588  aeisirt.exe
2560  wuaumqr.exe
1600  euffeye.exe
1504  zxkvwrm.exe
2184  wuaumqr.exe
888   tvaqzot.exe
Loads dropped DLL (64 IoCs)
Each PID/process pair below appears twice in the report's 64 rows; the 32 distinct pairs are:
PID   Process
2204  e618abbf88aedc79c3975878daba5c9a_JaffaCakes118.exe
2980  srce.exe
2540  wuaumqr.exe
2404  wuksrhl.exe
1640  gbtakba.exe
1348  vuqntpk.exe
1572  wuaumqr.exe
2320  ytwyjgl.exe
1452  fmvdyat.exe
1604  wuaumqr.exe
688   uybijjg.exe
2604  eioajgo.exe
408   wuaumqr.exe
692   exegaor.exe
836   glhivoy.exe
2080  wuaumqr.exe
2908  bfmyvig.exe
2076  sfwqjou.exe
2996  wuaumqr.exe
2968  utyteob.exe
2524  zfsbxqf.exe
2284  wuaumqr.exe
1216  zretlck.exe
1592  orpgbya.exe
1352  wuaumqr.exe
2300  ldltrby.exe
840   txkyovo.exe
2748  wuaumqr.exe
2068  qmrzhtt.exe
1604  iutmmuv.exe
1460  wuaumqr.exe
1036  chgzutq.exe
Adds Run key to start application (2 TTPs, 64 IoCs)
Every row is a "Set value (str)" of a value named Winsock2 driver under one of two keys:
  HKLM Run    = \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
  HKU RunOnce = \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce
The value name is constant across all 64 writes and is the durable indicator; the data (which dropped .exe to start) and the writing process change from row to row. The Wow6432Node path shows the writers are 32-bit processes whose HKLM\SOFTWARE writes are redirected on the x64 guest. A RunOnce value is deleted when it is consumed at the next logon, so the HKLM Run value is the one that survives reboots; the HKU RunOnce value is re-created on each pass through the chain.
Key          Data              Process
HKU RunOnce  "iutmmuv.exe"     qmrzhtt.exe
HKLM Run     "itvabms.exe"     wuaumqr.exe
HKLM Run     "coexzut.exe"     wuaumqr.exe
HKLM Run     "wuaumqr.exe"     qlolqpg.exe
HKU RunOnce  "rmjzshf.exe"     wuaumqr.exe
HKU RunOnce  "gjagjoo.exe"     wuaumqr.exe
HKLM Run     "yjkpolg.exe"     dzorimi.exe
HKLM Run     "yynygrv.exe"     wuaumqr.exe
HKLM Run     "kvifwcl.exe"     wuaumqr.exe
HKU RunOnce  "wuaumqr.exe"     xanfwfg.exe
HKLM Run     "isdcbvi.exe"     wuaumqr.exe
HKU RunOnce  "edagwvc.exe"     wuaumqr.exe
HKLM Run     "zidgits.exe"     wuaumqr.exe
HKU RunOnce  "mzthuyz.exe"     coexzut.exe
HKU RunOnce  "wuaumqr.exe"     neecxav.exe
HKU RunOnce  "wuaumqr.exe"     yztsppg.exe
HKLM Run     "wuaumqr.exe"     qjbqoow.exe
HKU RunOnce  "wuaumqr.exe"     qwfifro.exe
HKU RunOnce  "mdpixir.exe"     wuaumqr.exe
HKLM Run     "oaijuqw.exe"     wuaumqr.exe
HKLM Run     "xanfwfg.exe"     izushjz.exe
HKLM Run     "xarrqzl.exe"     wuaumqr.exe
HKU RunOnce  "gzksvvn.exe"     cnqkcli.exe
HKLM Run     "vvcqkti.exe"     edagwvc.exe
HKU RunOnce  "wuaumqr.exe"     epvgvjk.exe
HKLM Run     "wuaumqr.exe"     jtftmae.exe
HKLM Run     "wuaumqr.exe"     sfwqjou.exe
HKU RunOnce  "zsmsnci.exe"     wuaumqr.exe
HKLM Run     "vfaqjvm.exe"     enygwpg.exe
HKLM Run     "vtkbrnf.exe"     wuaumqr.exe
HKU RunOnce  "vrtzwxg.exe"     lspudyz.exe
HKLM Run     "wuaumqr.exe"     byctier.exe
HKLM Run     "wuaumqr.exe"     afbjuhm.exe
HKU RunOnce  "izvgviw.exe"     qlxblhp.exe
HKU RunOnce  "wuaumqr.exe"     orpgbya.exe
HKU RunOnce  "wuaumqr.exe"     gekhfux.exe
HKU RunOnce  "suwssgd.exe"     wuaumqr.exe
HKU RunOnce  "wuaumqr.exe"     ipaoskn.exe
HKLM Run     "wuaumqr.exe"     fnzoljs.exe
HKLM Run     "izvgviw.exe"     qlxblhp.exe
HKLM Run     "rcaknzi.exe"     zsmsnci.exe
HKU RunOnce  "wuaumqr.exe"     qiqqwha.exe
HKLM Run     "qwbtykw.exe"     agitrss.exe
HKU RunOnce  "jjloycs.exe"     wuaumqr.exe
HKLM Run     "vcjqmho.exe"     wuaumqr.exe
HKU RunOnce  "ztbukvw.exe"     chgzutq.exe
HKLM Run     "iljigtm.exe"     wuaumqr.exe
HKU RunOnce  "wuaumqr.exe"     hreaegm.exe
HKLM Run     "zgpbfix.exe"     wuaumqr.exe
HKLM Run     "wuaumqr.exe"     yjkpolg.exe
HKU RunOnce  "zemhuoi.exe"     mormmgk.exe
HKLM Run     "vqofmzo.exe"     wuaumqr.exe
HKLM Run     "wuaumqr.exe"     jjsksng.exe
HKU RunOnce  "oolsmwl.exe"     wuaumqr.exe
HKU RunOnce  "wuaumqr.exe"     vqsltog.exe
HKLM Run     "orpgbya.exe"     zretlck.exe
HKU RunOnce  "jcooosx.exe"     wuaumqr.exe
HKLM Run     "izushjz.exe"     wuaumqr.exe
HKLM Run     "wuaumqr.exe"     grmtfhj.exe
HKLM Run     "nridtrd.exe"     wuaumqr.exe
HKLM Run     "imxvjeh.exe"     gnjfmzu.exe
HKU RunOnce  "wuaumqr.exe"     wlghxkh.exe
HKLM Run     "wuaumqr.exe"     vvcqkti.exe
HKU RunOnce  "wuaumqr.exe"     gduhwqa.exe
Drops file in System32 directory (64 IoCs)
All paths are under C:\WINDOWS\SysWOW64: the writers are 32-bit processes, so their System32 writes are redirected by WOW64 on the x64 guest (the process tree below shows the same effect, with command lines naming SYSTEM32 while the images are mapped from SysWOW64). Two path shapes recur: a fresh 7-letter .exe in SysWOW64, and repeated modification of C:\WINDOWS\SysWOW64\kazaabackupfiles\download_me.exe.
Action                   Path                                                        Process
opened for modification  C:\WINDOWS\SysWOW64\kazaabackupfiles\download_me.exe         wuaumqr.exe
opened for modification  C:\WINDOWS\SysWOW64\dkfydff.exe                              nridtrd.exe
created                  C:\WINDOWS\SysWOW64\ztbukvw.exe                              chgzutq.exe
opened for modification  C:\WINDOWS\SysWOW64\kazaabackupfiles\download_me.exe         iljigtm.exe
created                  C:\WINDOWS\SysWOW64\yrpwdnx.exe                              wuaumqr.exe
opened for modification  C:\WINDOWS\SysWOW64\wuaumqr.exe                              yztsppg.exe
created                  C:\WINDOWS\SysWOW64\wtefjnu.exe                              wuaumqr.exe
opened for modification  C:\WINDOWS\SysWOW64\vtkbrnf.exe                              wuaumqr.exe
opened for modification  C:\WINDOWS\SysWOW64\kazaabackupfiles\download_me.exe         xanfwfg.exe
created                  C:\WINDOWS\SysWOW64\wuaumqr.exe                              detdhqz.exe
created                  C:\WINDOWS\SysWOW64\zretlck.exe                              wuaumqr.exe
opened for modification  C:\WINDOWS\SysWOW64\kazaabackupfiles\download_me.exe         mvirzsj.exe
opened for modification  C:\WINDOWS\SysWOW64\kazaabackupfiles\download_me.exe         wuaumqr.exe
created                  C:\WINDOWS\SysWOW64\eteaboe.exe                              wuaumqr.exe
opened for modification  C:\WINDOWS\SysWOW64\qjbqoow.exe                              yynygrv.exe
opened for modification  C:\WINDOWS\SysWOW64\mtwwdiv.exe                              wuaumqr.exe
opened for modification  C:\WINDOWS\SysWOW64\qqumibj.exe                              wuaumqr.exe
opened for modification  C:\WINDOWS\SysWOW64\kazaabackupfiles\download_me.exe         wuaumqr.exe
created                  C:\WINDOWS\SysWOW64\wuaumqr.exe                              wuaumqr.exe
created                  C:\WINDOWS\SysWOW64\wuaumqr.exe                              wuaumqr.exe
created                  C:\WINDOWS\SysWOW64\ebjhqqv.exe                              wuaumqr.exe
created                  C:\WINDOWS\SysWOW64\wuaumqr.exe                              zcowbiu.exe
opened for modification  C:\WINDOWS\SysWOW64\kazaabackupfiles\download_me.exe         tdluryh.exe
created                  C:\WINDOWS\SysWOW64\wciopvl.exe                              wuaumqr.exe
opened for modification  C:\WINDOWS\SysWOW64\wuaumqr.exe                              gqawpbe.exe
opened for modification  C:\WINDOWS\SysWOW64\kheryxn.exe                              ybmwkoj.exe
created                  C:\WINDOWS\SysWOW64\mdpixir.exe                              wuaumqr.exe
created                  C:\WINDOWS\SysWOW64\wuaumqr.exe                              kgvbemk.exe
opened for modification  C:\WINDOWS\SysWOW64\kazaabackupfiles\download_me.exe         mhfrprf.exe
opened for modification  C:\WINDOWS\SysWOW64\kazaabackupfiles\download_me.exe         auulwki.exe
created                  C:\WINDOWS\SysWOW64\wfiynwc.exe                              wuaumqr.exe
created                  C:\WINDOWS\SysWOW64\wuaumqr.exe                              rmjzshf.exe
created                  C:\WINDOWS\SysWOW64\wuaumqr.exe                              wuaumqr.exe
opened for modification  C:\WINDOWS\SysWOW64\kazaabackupfiles\download_me.exe         xvbtimo.exe
created                  C:\WINDOWS\SysWOW64\nridtrd.exe                              wuaumqr.exe
created                  C:\WINDOWS\SysWOW64\qrphhge.exe                              bgamysc.exe
created                  C:\WINDOWS\SysWOW64\cwnkbem.exe                              kipfydf.exe
created                  C:\WINDOWS\SysWOW64\wuaumqr.exe                              wuaumqr.exe
opened for modification  C:\WINDOWS\SysWOW64\rqqqygr.exe                              wciopvl.exe
opened for modification  C:\WINDOWS\SysWOW64\kazaabackupfiles\download_me.exe         izvgviw.exe
created                  C:\WINDOWS\SysWOW64\wuaumqr.exe                              wuaumqr.exe
opened for modification  C:\WINDOWS\SysWOW64\kazaabackupfiles\download_me.exe         scckvnh.exe
opened for modification  C:\WINDOWS\SysWOW64\kazaabackupfiles\download_me.exe         gpmrwbj.exe
created                  C:\WINDOWS\SysWOW64\zgpbfix.exe                              wuaumqr.exe
opened for modification  C:\WINDOWS\SysWOW64\jrcwepi.exe                              wuaumqr.exe
created                  C:\WINDOWS\SysWOW64\eioajgo.exe                              uybijjg.exe
created                  C:\WINDOWS\SysWOW64\pzqekwy.exe                              wuaumqr.exe
opened for modification  C:\WINDOWS\SysWOW64\zemhuoi.exe                              mormmgk.exe
opened for modification  C:\WINDOWS\SysWOW64\kazaabackupfiles\download_me.exe         zfevssb.exe
opened for modification  C:\WINDOWS\SysWOW64\wuaumqr.exe                              hzogccf.exe
created                  C:\WINDOWS\SysWOW64\wuaumqr.exe                              wuaumqr.exe
opened for modification  C:\WINDOWS\SysWOW64\kazaabackupfiles\download_me.exe         wuaumqr.exe
opened for modification  C:\WINDOWS\SysWOW64\fejwlgw.exe                              mtwwdiv.exe
created                  C:\WINDOWS\SysWOW64\wuaumqr.exe                              wuaumqr.exe
created                  C:\WINDOWS\SysWOW64\wuaumqr.exe                              wuaumqr.exe
opened for modification  C:\WINDOWS\SysWOW64\wuaumqr.exe                              abkkzop.exe
created                  C:\WINDOWS\SysWOW64\dzorimi.exe                              wuaumqr.exe
created                  C:\WINDOWS\SysWOW64\wuaumqr.exe                              lehovlk.exe
opened for modification  C:\WINDOWS\SysWOW64\rcaknzi.exe                              zsmsnci.exe
created                  C:\WINDOWS\SysWOW64\wuaumqr.exe                              ytwyjgl.exe
opened for modification  C:\WINDOWS\SysWOW64\wuaumqr.exe                              aeisirt.exe
opened for modification  C:\WINDOWS\SysWOW64\enygwpg.exe                              wuaumqr.exe
opened for modification  C:\WINDOWS\SysWOW64\kazaabackupfiles\download_me.exe         fizycki.exe
opened for modification  C:\WINDOWS\SysWOW64\kazaabackupfiles\download_me.exe         zeusmyt.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of SetWindowsHookEx (1 IoC)
PID   Process
2204  e618abbf88aedc79c3975878daba5c9a_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (64 IoCs)
The report lists each parent-to-child write four times; the 16 distinct rows are below. Read together they give the first sixteen links of the spawn chain shown in the process tree: each process writes into exactly one child, which is the next process in the chain. (procid_target is the report's own ordinal for the target process, not a PID.)
Description                       PID   Process                                              procid_target
PID 2204 wrote to memory of 2980  2204  e618abbf88aedc79c3975878daba5c9a_JaffaCakes118.exe  28
PID 2980 wrote to memory of 2540  2980  srce.exe                                             29
PID 2540 wrote to memory of 2404  2540  wuaumqr.exe                                          30
PID 2404 wrote to memory of 1640  2404  wuksrhl.exe                                          31
PID 1640 wrote to memory of 1348  1640  gbtakba.exe                                          32
PID 1348 wrote to memory of 1572  1348  vuqntpk.exe                                          33
PID 1572 wrote to memory of 2320  1572  wuaumqr.exe                                          34
PID 2320 wrote to memory of 1452  2320  ytwyjgl.exe                                          35
PID 1452 wrote to memory of 1604  1452  fmvdyat.exe                                          36
PID 1604 wrote to memory of 688   1604  wuaumqr.exe                                          37
PID 688 wrote to memory of 2604   688   uybijjg.exe                                          38
PID 2604 wrote to memory of 408   2604  eioajgo.exe                                          39
PID 408 wrote to memory of 692    408   wuaumqr.exe                                          40
PID 692 wrote to memory of 836    692   exegaor.exe                                          41
PID 836 wrote to memory of 2080   836   glhivoy.exe                                          42
PID 2080 wrote to memory of 2908  2080  wuaumqr.exe                                          43
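The signature tables above arrive as one long line per signature, which is awkward to pivot on. The script below is an added example, not tria.ge code: it parses a few rows copied from the "Adds Run key", "Drops file in System32 directory" and "WriteProcessMemory" tables (split one IoC per line, and labelled as constructed sample input), maps the kernel-style \REGISTRY\MACHINE and \REGISTRY\USER prefixes to the HKLM/HKU names a host query would use, pulls out the one stable indicator (the value name "Winsock2 driver", since the .exe names are randomised), tallies which directories the drops land in, and rebuilds the spawn chain from the de-duplicated memory-write rows. The row grammar is inferred from the rows on this page; other signature types would need their own regex.

```python
"""Turn flattened sandbox-report IoC rows into structured records (added example)."""
import re
from collections import Counter

# Constructed sample input: rows copied from the report, one IoC per line.
RUN_KEY_ROWS = r"""
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Winsock2 driver = "iutmmuv.exe" qmrzhtt.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winsock2 driver = "itvabms.exe" wuaumqr.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winsock2 driver = "wuaumqr.exe" qlolqpg.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Winsock2 driver = "rmjzshf.exe" wuaumqr.exe
"""
FILE_ROWS = r"""
File opened for modification C:\WINDOWS\SysWOW64\kazaabackupfiles\download_me.exe wuaumqr.exe
File created C:\WINDOWS\SysWOW64\ztbukvw.exe chgzutq.exe
File created C:\WINDOWS\SysWOW64\wuaumqr.exe detdhqz.exe
File opened for modification C:\WINDOWS\SysWOW64\wuaumqr.exe yztsppg.exe
"""
# The report repeats each WriteProcessMemory row; one duplicate is kept here on purpose.
MEMORY_ROWS = r"""
PID 2204 wrote to memory of 2980 2204 e618abbf88aedc79c3975878daba5c9a_JaffaCakes118.exe 28
PID 2204 wrote to memory of 2980 2204 e618abbf88aedc79c3975878daba5c9a_JaffaCakes118.exe 28
PID 2980 wrote to memory of 2540 2980 srce.exe 29
PID 2540 wrote to memory of 2404 2540 wuaumqr.exe 30
"""

# Row grammars inferred from this page: type, key path, value name, data, writing process.
RUN_KEY_RE = re.compile(r'^Set value \((\w+)\) (.+)\\([^\\]+) = "(.*)" (\S+)$')
FILE_RE = re.compile(r'^File (created|opened for modification) (\S+) (\S+)$')
MEMORY_RE = re.compile(r'^PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+$')
HIVES = {'\\REGISTRY\\MACHINE\\': 'HKLM', '\\REGISTRY\\USER\\': 'HKU'}


def split_hive(native_path):
    """Map a kernel-style registry path to the hive name used on a live host."""
    for prefix, hive in HIVES.items():
        if native_path.upper().startswith(prefix):
            return hive, native_path[len(prefix):]
    return '?', native_path


def parse_run_keys(text):
    """One record per 'Set value' row."""
    records = []
    for line in text.strip().splitlines():
        m = RUN_KEY_RE.match(line.strip())
        if m:
            vtype, key_path, value_name, data, writer = m.groups()
            hive, key = split_hive(key_path)
            records.append({'type': vtype, 'hive': hive, 'key': key,
                            'value_name': value_name, 'data': data, 'process': writer})
    return records


def parse_dropped_files(text):
    """One record per 'File created' / 'File opened for modification' row."""
    records = []
    for line in text.strip().splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            action, path, writer = m.groups()
            records.append({'action': action, 'path': path, 'process': writer})
    return records


def parse_memory_writes(text):
    """(parent pid, parent image, child pid) edges with the report's duplicates removed."""
    edges = []
    for line in text.strip().splitlines():
        m = MEMORY_RE.match(line.strip())
        if m:
            edge = (int(m.group(1)), m.group(3), int(m.group(2)))
            if edge not in edges:
                edges.append(edge)
    return edges


def spawn_chain(edges):
    """Walk parent->child edges from the root, the pid that nobody wrote into."""
    by_parent = {src: (image, dst) for src, image, dst in edges}
    written_to = {dst for _, _, dst in edges}
    roots = [src for src in by_parent if src not in written_to]
    chain, pid = [], (roots[0] if roots else None)
    while pid in by_parent:
        image, pid_next = by_parent[pid]
        chain.append((pid, image))
        pid = pid_next
    return chain


def persistence_summary(run_records):
    """The value name is the stable IoC; the data (which .exe to start) is randomised."""
    return {
        'value_names': sorted({r['value_name'] for r in run_records}),
        'locations': Counter((r['hive'], r['key'].rsplit('\\', 1)[-1]) for r in run_records),
        'started_binaries': sorted({r['data'] for r in run_records}),
    }


def dropped_directories(file_records):
    """Writes per directory; here everything lands in WOW64-redirected System32."""
    return Counter(r['path'].rsplit('\\', 1)[0] for r in file_records)


if __name__ == '__main__':
    print(persistence_summary(parse_run_keys(RUN_KEY_ROWS)))
    print(dropped_directories(parse_dropped_files(FILE_ROWS)))
    print(spawn_chain(parse_memory_writes(MEMORY_ROWS)))
```

On the full 64-row tables the same functions report a single value name, two locations (HKLM Run and HKU RunOnce) and 16 spawn links, which is the shape a hunt query should key on: the value name and the SysWOW64 drop directory rather than any particular randomised file name.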
Processes
The tree is a single chain: every process is the child of the one listed before it, and the report's depth counter (1 to 77 on this page) increments by one per entry. Each entry gives the image path as mapped, the command line as recorded, the signatures triggered by that process, and its PID. Two things to keep in mind when reading it. First, from depth 3 onward the command lines name C:\WINDOWS\SYSTEM32 while the images are mapped from C:\WINDOWS\SysWOW64, which is WOW64 file-system redirection acting on a 32-bit process in the x64 guest; the same redirection puts the Run keys under Wow6432Node. Second, PIDs are reused within the run (1604, 1592, 688, 408, 2068, 584, 1444 and 1016 each appear twice), so a PID on its own does not identify a process here; pair it with the image name. Each child from depth 3 onward is started with the argument mElT followed, with no separating space as recorded, by the upper-cased path of its parent.

1. C:\Users\Admin\AppData\Local\Temp\e618abbf88aedc79c3975878daba5c9a_JaffaCakes118.exe (PID 2204)
   cmdline: "C:\Users\Admin\AppData\Local\Temp\e618abbf88aedc79c3975878daba5c9a_JaffaCakes118.exe"
   - Loads dropped DLL
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
2. C:\Users\Admin\AppData\Local\Temp\A0gQXA\srce.exe (PID 2980)
   cmdline: C:\Users\Admin\AppData\Local\Temp\\A0gQXA\srce.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
3. C:\WINDOWS\SysWOW64\wuaumqr.exe (PID 2540)
   cmdline: "C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\USERS\ADMIN\APPDATA\LOCAL\TEMP\A0GQXA\SRCE.EXE
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
4. C:\WINDOWS\SysWOW64\wuksrhl.exe (PID 2404)
   cmdline: "C:\WINDOWS\SYSTEM32\wuksrhl.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
5. C:\WINDOWS\SysWOW64\gbtakba.exe (PID 1640)
   cmdline: "C:\WINDOWS\SYSTEM32\gbtakba.exe" mElTC:\WINDOWS\SYSWOW64\WUKSRHL.EXE
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
6. C:\WINDOWS\SysWOW64\vuqntpk.exe (PID 1348)
   cmdline: "C:\WINDOWS\SYSTEM32\vuqntpk.exe" mElTC:\WINDOWS\SYSWOW64\GBTAKBA.EXE
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
7. C:\WINDOWS\SysWOW64\wuaumqr.exe (PID 1572)
   cmdline: "C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\VUQNTPK.EXE
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
8. C:\WINDOWS\SysWOW64\ytwyjgl.exe (PID 2320)
   cmdline: "C:\WINDOWS\SYSTEM32\ytwyjgl.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
9. C:\WINDOWS\SysWOW64\fmvdyat.exe (PID 1452)
   cmdline: "C:\WINDOWS\SYSTEM32\fmvdyat.exe" mElTC:\WINDOWS\SYSWOW64\YTWYJGL.EXE
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
10. C:\WINDOWS\SysWOW64\wuaumqr.exe (PID 1604)
   cmdline: "C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\FMVDYAT.EXE
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
11. C:\WINDOWS\SysWOW64\uybijjg.exe (PID 688)
   cmdline: "C:\WINDOWS\SYSTEM32\uybijjg.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
12. C:\WINDOWS\SysWOW64\eioajgo.exe (PID 2604)
   cmdline: "C:\WINDOWS\SYSTEM32\eioajgo.exe" mElTC:\WINDOWS\SYSWOW64\UYBIJJG.EXE
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
13. C:\WINDOWS\SysWOW64\wuaumqr.exe (PID 408)
   cmdline: "C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\EIOAJGO.EXE
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
14. C:\WINDOWS\SysWOW64\exegaor.exe (PID 692)
   cmdline: "C:\WINDOWS\SYSTEM32\exegaor.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
15. C:\WINDOWS\SysWOW64\glhivoy.exe (PID 836)
   cmdline: "C:\WINDOWS\SYSTEM32\glhivoy.exe" mElTC:\WINDOWS\SYSWOW64\EXEGAOR.EXE
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
16. C:\WINDOWS\SysWOW64\wuaumqr.exe (PID 2080)
   cmdline: "C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\GLHIVOY.EXE
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
17. C:\WINDOWS\SysWOW64\bfmyvig.exe (PID 2908)
   cmdline: "C:\WINDOWS\SYSTEM32\bfmyvig.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE
   - Executes dropped EXE
   - Loads dropped DLL
18. C:\WINDOWS\SysWOW64\sfwqjou.exe (PID 2076)
   cmdline: "C:\WINDOWS\SYSTEM32\sfwqjou.exe" mElTC:\WINDOWS\SYSWOW64\BFMYVIG.EXE
   - Executes dropped EXE
   - Loads dropped DLL
   - Adds Run key to start application
19. C:\WINDOWS\SysWOW64\wuaumqr.exe (PID 2996)
   cmdline: "C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\SFWQJOU.EXE
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
20. C:\WINDOWS\SysWOW64\utyteob.exe (PID 2968)
   cmdline: "C:\WINDOWS\SYSTEM32\utyteob.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE
   - Executes dropped EXE
   - Loads dropped DLL
21. C:\WINDOWS\SysWOW64\zfsbxqf.exe (PID 2524)
   cmdline: "C:\WINDOWS\SYSTEM32\zfsbxqf.exe" mElTC:\WINDOWS\SYSWOW64\UTYTEOB.EXE
   - Executes dropped EXE
   - Loads dropped DLL
22. C:\WINDOWS\SysWOW64\wuaumqr.exe (PID 2284)
   cmdline: "C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\ZFSBXQF.EXE
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
23. C:\WINDOWS\SysWOW64\zretlck.exe (PID 1216)
   cmdline: "C:\WINDOWS\SYSTEM32\zretlck.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE
   - Executes dropped EXE
   - Loads dropped DLL
   - Adds Run key to start application
24. C:\WINDOWS\SysWOW64\orpgbya.exe (PID 1592)
   cmdline: "C:\WINDOWS\SYSTEM32\orpgbya.exe" mElTC:\WINDOWS\SYSWOW64\ZRETLCK.EXE
   - Executes dropped EXE
   - Loads dropped DLL
   - Adds Run key to start application
25. C:\WINDOWS\SysWOW64\wuaumqr.exe (PID 1352)
   cmdline: "C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\ORPGBYA.EXE
   - Executes dropped EXE
   - Loads dropped DLL
26. C:\WINDOWS\SysWOW64\ldltrby.exe (PID 2300)
   cmdline: "C:\WINDOWS\SYSTEM32\ldltrby.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE
   - Executes dropped EXE
   - Loads dropped DLL
27. C:\WINDOWS\SysWOW64\txkyovo.exe (PID 840)
   cmdline: "C:\WINDOWS\SYSTEM32\txkyovo.exe" mElTC:\WINDOWS\SYSWOW64\LDLTRBY.EXE
   - Executes dropped EXE
   - Loads dropped DLL
28. C:\WINDOWS\SysWOW64\wuaumqr.exe (PID 2748)
   cmdline: "C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\TXKYOVO.EXE
   - Executes dropped EXE
   - Loads dropped DLL
29. C:\WINDOWS\SysWOW64\qmrzhtt.exe (PID 2068)
   cmdline: "C:\WINDOWS\SYSTEM32\qmrzhtt.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE
   - Executes dropped EXE
   - Loads dropped DLL
   - Adds Run key to start application
30. C:\WINDOWS\SysWOW64\iutmmuv.exe (PID 1604)
   cmdline: "C:\WINDOWS\SYSTEM32\iutmmuv.exe" mElTC:\WINDOWS\SYSWOW64\QMRZHTT.EXE
   - Executes dropped EXE
   - Loads dropped DLL
31. C:\WINDOWS\SysWOW64\wuaumqr.exe (PID 1460)
   cmdline: "C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\IUTMMUV.EXE
   - Executes dropped EXE
   - Loads dropped DLL
32. C:\WINDOWS\SysWOW64\chgzutq.exe (PID 1036)
   cmdline: "C:\WINDOWS\SYSTEM32\chgzutq.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE
   - Executes dropped EXE
   - Loads dropped DLL
   - Adds Run key to start application
   - Drops file in System32 directory
33. C:\WINDOWS\SysWOW64\ztbukvw.exe (PID 1960)
   cmdline: "C:\WINDOWS\SYSTEM32\ztbukvw.exe" mElTC:\WINDOWS\SYSWOW64\CHGZUTQ.EXE
   - Executes dropped EXE
34. C:\WINDOWS\SysWOW64\wuaumqr.exe (PID 1564)
   cmdline: "C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\ZTBUKVW.EXE
   - Executes dropped EXE
35. C:\WINDOWS\SysWOW64\tcvcqxk.exe (PID 1912)
   cmdline: "C:\WINDOWS\SYSTEM32\tcvcqxk.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE
   - Executes dropped EXE
36. C:\WINDOWS\SysWOW64\gpmrwbj.exe (PID 3060)
   cmdline: "C:\WINDOWS\SYSTEM32\gpmrwbj.exe" mElTC:\WINDOWS\SYSWOW64\TCVCQXK.EXE
   - Executes dropped EXE
   - Drops file in System32 directory
37. C:\WINDOWS\SysWOW64\wuaumqr.exe (PID 2956)
   cmdline: "C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\GPMRWBJ.EXE
   - Executes dropped EXE
38. C:\WINDOWS\SysWOW64\snfeeww.exe (PID 3048)
   cmdline: "C:\WINDOWS\SYSTEM32\snfeeww.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE
   - Executes dropped EXE
39. C:\WINDOWS\SysWOW64\scckvnh.exe (PID 2544)
   cmdline: "C:\WINDOWS\SYSTEM32\scckvnh.exe" mElTC:\WINDOWS\SYSWOW64\SNFEEWW.EXE
   - Executes dropped EXE
   - Drops file in System32 directory
40. C:\WINDOWS\SysWOW64\wuaumqr.exe (PID 2612)
   cmdline: "C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\SCCKVNH.EXE
   - Executes dropped EXE
   - Drops file in System32 directory
41. C:\WINDOWS\SysWOW64\eauxmic.exe (PID 2192)
   cmdline: "C:\WINDOWS\SYSTEM32\eauxmic.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE
   - Executes dropped EXE
42. C:\WINDOWS\SysWOW64\uurkvee.exe (PID 1536)
   cmdline: "C:\WINDOWS\SYSTEM32\uurkvee.exe" mElTC:\WINDOWS\SYSWOW64\EAUXMIC.EXE
   - Executes dropped EXE
43. C:\WINDOWS\SysWOW64\wuaumqr.exe (PID 2784)
   cmdline: "C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\UURKVEE.EXE
   - Executes dropped EXE
44. C:\WINDOWS\SysWOW64\cnqkcli.exe (PID 1540)
   cmdline: "C:\WINDOWS\SYSTEM32\cnqkcli.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE
   - Executes dropped EXE
   - Adds Run key to start application
45. C:\WINDOWS\SysWOW64\gzksvvn.exe (PID 1592)
   cmdline: "C:\WINDOWS\SYSTEM32\gzksvvn.exe" mElTC:\WINDOWS\SYSWOW64\CNQKCLI.EXE
   - Executes dropped EXE
46. C:\WINDOWS\SysWOW64\wuaumqr.exe (PID 1868)
   cmdline: "C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\GZKSVVN.EXE
   - Executes dropped EXE
47. C:\WINDOWS\SysWOW64\bgamysc.exe (PID 1356)
   cmdline: "C:\WINDOWS\SYSTEM32\bgamysc.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE
   - Executes dropped EXE
   - Drops file in System32 directory
48. C:\WINDOWS\SysWOW64\qrphhge.exe (PID 1444)
   cmdline: "C:\WINDOWS\SYSTEM32\qrphhge.exe" mElTC:\WINDOWS\SYSWOW64\BGAMYSC.EXE
   - Executes dropped EXE
49. C:\WINDOWS\SysWOW64\wuaumqr.exe (PID 584)
   cmdline: "C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\QRPHHGE.EXE
   - Executes dropped EXE
50. C:\WINDOWS\SysWOW64\nshudrq.exe (PID 2068)
   cmdline: "C:\WINDOWS\SYSTEM32\nshudrq.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE
   - Executes dropped EXE
51. C:\WINDOWS\SysWOW64\vwravct.exe (PID 688)
   cmdline: "C:\WINDOWS\SYSTEM32\vwravct.exe" mElTC:\WINDOWS\SYSWOW64\NSHUDRQ.EXE
   - Executes dropped EXE
52. C:\WINDOWS\SysWOW64\wuaumqr.exe (PID 2072)
   cmdline: "C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\VWRAVCT.EXE
   - Executes dropped EXE
53. C:\WINDOWS\SysWOW64\kipfydf.exe (PID 2176)
   cmdline: "C:\WINDOWS\SYSTEM32\kipfydf.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE
   - Executes dropped EXE
   - Drops file in System32 directory
54. C:\WINDOWS\SysWOW64\cwnkbem.exe (PID 1016)
   cmdline: "C:\WINDOWS\SYSTEM32\cwnkbem.exe" mElTC:\WINDOWS\SYSWOW64\KIPFYDF.EXE
   - Executes dropped EXE
55. C:\WINDOWS\SysWOW64\wuaumqr.exe (PID 2480)
   cmdline: "C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\CWNKBEM.EXE
   - Executes dropped EXE
56. C:\WINDOWS\SysWOW64\gnjfmzu.exe (PID 1652)
   cmdline: "C:\WINDOWS\SYSTEM32\gnjfmzu.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE
   - Executes dropped EXE
   - Adds Run key to start application
57. C:\WINDOWS\SysWOW64\imxvjeh.exe (PID 1704)
   cmdline: "C:\WINDOWS\SYSTEM32\imxvjeh.exe" mElTC:\WINDOWS\SYSWOW64\GNJFMZU.EXE
   - Executes dropped EXE
58. C:\WINDOWS\SysWOW64\wuaumqr.exe (PID 2164)
   cmdline: "C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\IMXVJEH.EXE
   - Executes dropped EXE
   - Adds Run key to start application
59. C:\WINDOWS\SysWOW64\itvabms.exe (PID 2552)
   cmdline: "C:\WINDOWS\SYSTEM32\itvabms.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE
   - Executes dropped EXE
60. C:\WINDOWS\SysWOW64\aeisirt.exe (PID 2588)
   cmdline: "C:\WINDOWS\SYSTEM32\aeisirt.exe" mElTC:\WINDOWS\SYSWOW64\ITVABMS.EXE
   - Executes dropped EXE
   - Drops file in System32 directory
61. C:\WINDOWS\SysWOW64\wuaumqr.exe (PID 2560)
   cmdline: "C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\AEISIRT.EXE
   - Executes dropped EXE
62. C:\WINDOWS\SysWOW64\euffeye.exe (PID 1600)
   cmdline: "C:\WINDOWS\SYSTEM32\euffeye.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE
   - Executes dropped EXE
63. C:\WINDOWS\SysWOW64\zxkvwrm.exe (PID 1504)
   cmdline: "C:\WINDOWS\SYSTEM32\zxkvwrm.exe" mElTC:\WINDOWS\SYSWOW64\EUFFEYE.EXE
   - Executes dropped EXE
64. C:\WINDOWS\SysWOW64\wuaumqr.exe (PID 2184)
   cmdline: "C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\ZXKVWRM.EXE
   - Executes dropped EXE
   - Drops file in System32 directory
65. C:\WINDOWS\SysWOW64\tvaqzot.exe (PID 888)
   cmdline: "C:\WINDOWS\SYSTEM32\tvaqzot.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE
   - Executes dropped EXE
66. C:\WINDOWS\SysWOW64\jsiymhd.exe (PID 1592)
   cmdline: "C:\WINDOWS\SYSTEM32\jsiymhd.exe" mElTC:\WINDOWS\SYSWOW64\TVAQZOT.EXE
67. C:\WINDOWS\SysWOW64\wuaumqr.exe (PID 2100)
   cmdline: "C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\JSIYMHD.EXE
   - Adds Run key to start application
68. C:\WINDOWS\SysWOW64\iljigtm.exe (PID 2856)
   cmdline: "C:\WINDOWS\SYSTEM32\iljigtm.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE
   - Drops file in System32 directory
69. C:\WINDOWS\SysWOW64\qptvxmp.exe (PID 1444)
   cmdline: "C:\WINDOWS\SYSTEM32\qptvxmp.exe" mElTC:\WINDOWS\SYSWOW64\ILJIGTM.EXE
70. C:\WINDOWS\SysWOW64\wuaumqr.exe (PID 584)
   cmdline: "C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\QPTVXMP.EXE
   - Drops file in System32 directory
71. C:\WINDOWS\SysWOW64\scwysne.exe (PID 2824)
   cmdline: "C:\WINDOWS\SYSTEM32\scwysne.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE
72. C:\WINDOWS\SysWOW64\hshgzwz.exe (PID 1692)
   cmdline: "C:\WINDOWS\SYSTEM32\hshgzwz.exe" mElTC:\WINDOWS\SYSWOW64\SCWYSNE.EXE
73. C:\WINDOWS\SysWOW64\wuaumqr.exe (PID 408)
   cmdline: "C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\HSHGZWZ.EXE
74. C:\WINDOWS\SysWOW64\jrvoxbn.exe (PID 2340)
   cmdline: "C:\WINDOWS\SYSTEM32\jrvoxbn.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE
75. C:\WINDOWS\SysWOW64\rvgbgmy.exe (PID 1016)
   cmdline: "C:\WINDOWS\SYSTEM32\rvgbgmy.exe" mElTC:\WINDOWS\SYSWOW64\JRVOXBN.EXE
76. C:\WINDOWS\SysWOW64\wuaumqr.exe (PID 2828)
   cmdline: "C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\RVGBGMY.EXE
77. C:\WINDOWS\SysWOW64\tfxqyig.exe (PID 2024)
   cmdline: "C:\WINDOWS\SYSTEM32\tfxqyig.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE
-
C:\WINDOWS\SysWOW64\olnbhtd.exe"C:\WINDOWS\SYSTEM32\olnbhtd.exe" mElTC:\WINDOWS\SYSWOW64\TFXQYIG.EXE78⤵PID:2992
-
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\OLNBHTD.EXE79⤵PID:2424
-
C:\WINDOWS\SysWOW64\oacgybo.exe"C:\WINDOWS\SYSTEM32\oacgybo.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE80⤵PID:2668
-
C:\WINDOWS\SysWOW64\yzoejan.exe"C:\WINDOWS\SYSTEM32\yzoejan.exe" mElTC:\WINDOWS\SYSWOW64\OACGYBO.EXE81⤵PID:2528
-
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\YZOEJAN.EXE82⤵
- Drops file in System32 directory
PID:2436 -
C:\WINDOWS\SysWOW64\yrpwdnx.exe"C:\WINDOWS\SYSTEM32\yrpwdnx.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE83⤵PID:1600
-
C:\WINDOWS\SysWOW64\maijsrn.exe"C:\WINDOWS\SYSTEM32\maijsrn.exe" mElTC:\WINDOWS\SYSWOW64\YRPWDNX.EXE84⤵PID:1640
-
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\MAIJSRN.EXE85⤵
- Drops file in System32 directory
PID:2184 -
C:\WINDOWS\SysWOW64\xvbtimo.exe"C:\WINDOWS\SYSTEM32\xvbtimo.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE86⤵
- Drops file in System32 directory
PID:1448 -
C:\WINDOWS\SysWOW64\hunrskv.exe"C:\WINDOWS\SYSTEM32\hunrskv.exe" mElTC:\WINDOWS\SYSWOW64\XVBTIMO.EXE87⤵PID:2632
-
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\HUNRSKV.EXE88⤵
- Drops file in System32 directory
PID:2924 -
C:\WINDOWS\SysWOW64\pzqekwy.exe"C:\WINDOWS\SYSTEM32\pzqekwy.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE89⤵PID:2652
-
C:\WINDOWS\SysWOW64\gqawpbe.exe"C:\WINDOWS\SYSTEM32\gqawpbe.exe" mElTC:\WINDOWS\SYSWOW64\PZQEKWY.EXE90⤵
- Drops file in System32 directory
PID:1784 -
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\GQAWPBE.EXE91⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:2068 -
C:\WINDOWS\SysWOW64\gjagjoo.exe"C:\WINDOWS\SYSTEM32\gjagjoo.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE92⤵PID:1588
-
C:\WINDOWS\SysWOW64\qfbzzjp.exe"C:\WINDOWS\SYSTEM32\qfbzzjp.exe" mElTC:\WINDOWS\SYSWOW64\GJAGJOO.EXE93⤵PID:1688
-
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\QFBZZJP.EXE94⤵
- Drops file in System32 directory
PID:3004 -
C:\WINDOWS\SysWOW64\ybmwkoj.exe"C:\WINDOWS\SYSTEM32\ybmwkoj.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE95⤵
- Drops file in System32 directory
PID:1232 -
C:\WINDOWS\SysWOW64\kheryxn.exe"C:\WINDOWS\SYSTEM32\kheryxn.exe" mElTC:\WINDOWS\SYSWOW64\YBMWKOJ.EXE96⤵PID:2328
-
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\KHERYXN.EXE97⤵
- Drops file in System32 directory
PID:3032 -
C:\WINDOWS\SysWOW64\ebjhqqv.exe"C:\WINDOWS\SYSTEM32\ebjhqqv.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE98⤵PID:3040
-
C:\WINDOWS\SysWOW64\pinejpc.exe"C:\WINDOWS\SYSTEM32\pinejpc.exe" mElTC:\WINDOWS\SYSWOW64\EBJHQQV.EXE99⤵PID:2592
-
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\PINEJPC.EXE100⤵PID:2704
-
C:\WINDOWS\SysWOW64\rwqhepr.exe"C:\WINDOWS\SYSTEM32\rwqhepr.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE101⤵PID:1560
-
C:\WINDOWS\SysWOW64\mvirzsj.exe"C:\WINDOWS\SYSTEM32\mvirzsj.exe" mElTC:\WINDOWS\SYSWOW64\RWQHEPR.EXE102⤵
- Drops file in System32 directory
PID:2588 -
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\MVIRZSJ.EXE103⤵PID:764
-
C:\WINDOWS\SysWOW64\qoyzycb.exe"C:\WINDOWS\SYSTEM32\qoyzycb.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE104⤵PID:1840
-
C:\WINDOWS\SysWOW64\gekhfux.exe"C:\WINDOWS\SYSTEM32\gekhfux.exe" mElTC:\WINDOWS\SYSWOW64\QOYZYCB.EXE105⤵
- Adds Run key to start application
PID:1580 -
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\GEKHFUX.EXE106⤵PID:2648
-
C:\WINDOWS\SysWOW64\giumofh.exe"C:\WINDOWS\SYSTEM32\giumofh.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE107⤵PID:1356
-
C:\WINDOWS\SysWOW64\xawebln.exe"C:\WINDOWS\SYSTEM32\xawebln.exe" mElTC:\WINDOWS\SYSWOW64\GIUMOFH.EXE108⤵PID:2664
-
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\XAWEBLN.EXE109⤵PID:952
-
C:\WINDOWS\SysWOW64\xtfpvxx.exe"C:\WINDOWS\SYSTEM32\xtfpvxx.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE110⤵PID:1552
-
C:\WINDOWS\SysWOW64\wlghxkh.exe"C:\WINDOWS\SYSTEM32\wlghxkh.exe" mElTC:\WINDOWS\SYSWOW64\XTFPVXX.EXE111⤵
- Adds Run key to start application
PID:688 -
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\WLGHXKH.EXE112⤵
- Adds Run key to start application
PID:1220 -
C:\WINDOWS\SysWOW64\zsmsnci.exe"C:\WINDOWS\SYSTEM32\zsmsnci.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE113⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:900 -
C:\WINDOWS\SysWOW64\rcaknzi.exe"C:\WINDOWS\SYSTEM32\rcaknzi.exe" mElTC:\WINDOWS\SYSWOW64\ZSMSNCI.EXE114⤵PID:1300
-
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\RCAKNZI.EXE115⤵
- Drops file in System32 directory
PID:1520 -
C:\WINDOWS\SysWOW64\wtefjnu.exe"C:\WINDOWS\SYSTEM32\wtefjnu.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE116⤵PID:3068
-
C:\WINDOWS\SysWOW64\gduhwqa.exe"C:\WINDOWS\SYSTEM32\gduhwqa.exe" mElTC:\WINDOWS\SYSWOW64\WTEFJNU.EXE117⤵
- Adds Run key to start application
PID:2680 -
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\GDUHWQA.EXE118⤵PID:864
-
C:\WINDOWS\SysWOW64\linppsn.exe"C:\WINDOWS\SYSTEM32\linppsn.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE119⤵PID:2672
-
C:\WINDOWS\SysWOW64\abkkzop.exe"C:\WINDOWS\SYSTEM32\abkkzop.exe" mElTC:\WINDOWS\SYSWOW64\LINPPSN.EXE120⤵
- Drops file in System32 directory
PID:2972 -
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\ABKKZOP.EXE121⤵PID:2584
-
C:\WINDOWS\SysWOW64\fzhsmpp.exe"C:\WINDOWS\SYSTEM32\fzhsmpp.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE122⤵PID:2528
-
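The tree above is a strict relay: every process is a freshly dropped binary under SysWOW64, it is launched with the token mElT followed by the upper-cased path of the process that spawned it, and wuaumqr.exe reappears at every second level. The script below is an added example, not part of the tria.ge report or of the sample's own code. It parses the flattened tree lines exactly as they are extracted here, rebuilds the chain, and runs three checks a triage analyst would want: that levels are contiguous, that each child's argument names its parent image, and whether any PID recurs (a recurring PID inside one run means the earlier holder had already exited). The layout it assumes is the one visible on this page; the meaning of the mElT token is not documented in the report and the code treats it as an opaque marker. The input is a non-contiguous slice of the tree (levels 48-49 and 66-70), chosen so that all three checks fire.

```python
import re

# Added example; not part of the tria.ge report. Layout assumed from the lines on this page:
#   <image>"<command line>"<level>⤵[PID:<n>]
#   - <signature>              (zero or more)
#   PID:<n> -                  (when the PID is not already on the tree line)
# "mElT" is copied from the tree as an opaque marker; the report does not say what it means.
MARKER = "mElT"

# Input: lines copied from the tree above, levels 48-49 and 66-70 (a deliberate gap).
REPORT = r'''
C:\WINDOWS\SysWOW64\qrphhge.exe"C:\WINDOWS\SYSTEM32\qrphhge.exe" mElTC:\WINDOWS\SYSWOW64\BGAMYSC.EXE48⤵
- Executes dropped EXE
PID:1444 -
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\QRPHHGE.EXE49⤵
- Executes dropped EXE
PID:584 -
C:\WINDOWS\SysWOW64\jsiymhd.exe"C:\WINDOWS\SYSTEM32\jsiymhd.exe" mElTC:\WINDOWS\SYSWOW64\TVAQZOT.EXE66⤵PID:1592
-
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\JSIYMHD.EXE67⤵
- Adds Run key to start application
PID:2100 -
C:\WINDOWS\SysWOW64\iljigtm.exe"C:\WINDOWS\SYSTEM32\iljigtm.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE68⤵
- Drops file in System32 directory
PID:2856 -
C:\WINDOWS\SysWOW64\qptvxmp.exe"C:\WINDOWS\SYSTEM32\qptvxmp.exe" mElTC:\WINDOWS\SYSWOW64\ILJIGTM.EXE69⤵PID:1444
-
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\QPTVXMP.EXE70⤵
- Drops file in System32 directory
PID:584 -
'''

# Non-greedy args stop at the first run of digits that sits directly before the ⤵ glyph,
# so the "64" inside SYSWOW64 is not mistaken for the level.
TREE_RE = re.compile(r'^(?P<image>[^"]+)"(?P<exe>[^"]+)"(?P<args>.*?)(?P<level>\d+)⤵(?:PID:(?P<pid>\d+))?\s*$')
PID_RE = re.compile(r'^PID:(?P<pid>\d+)')
SIG_RE = re.compile(r'^-\s+(?P<sig>\S.*)$')


def parse_tree(text):
    """Turn the flattened tree into a list of process records in tree order."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":          # bare "-" lines are list-item residue
            continue
        m = TREE_RE.match(line)
        if m:
            entries.append({
                "level": int(m["level"]),
                "image": m["image"],
                "cmdline": f'"{m["exe"]}"{m["args"]}',
                "args": m["args"].strip(),
                "signatures": [],
                "pid": int(m["pid"]) if m["pid"] else None,
            })
            continue
        if not entries:                      # signature/PID lines belong to the last entry
            continue
        m = PID_RE.match(line)
        if m:
            entries[-1]["pid"] = int(m["pid"])
            continue
        m = SIG_RE.match(line)
        if m:
            entries[-1]["signatures"].append(m["sig"])
    return entries


def analyse_chain(entries):
    """Check the launch convention and summarise what the tree shows."""
    report = {
        "processes": len(entries),
        "distinct_images": len({e["image"].lower() for e in entries}),
        "chain_ok": 0,
        "chain_broken": [],   # (parent level, child level, reason)
        "pid_reuse": [],      # (pid, level first seen, level seen again)
        "run_key": 0,
        "system32_drop": 0,
    }
    first_seen = {}
    for e in entries:
        if "Adds Run key to start application" in e["signatures"]:
            report["run_key"] += 1
        if "Drops file in System32 directory" in e["signatures"]:
            report["system32_drop"] += 1
        if e["pid"] is not None:
            if e["pid"] in first_seen:
                report["pid_reuse"].append((e["pid"], first_seen[e["pid"]], e["level"]))
            else:
                first_seen[e["pid"]] = e["level"]
    for parent, child in zip(entries, entries[1:]):
        if child["level"] != parent["level"] + 1:
            report["chain_broken"].append((parent["level"], child["level"], "level gap"))
        elif child["args"] != MARKER + parent["image"].upper():
            report["chain_broken"].append((parent["level"], child["level"], "argument does not name parent"))
        else:
            report["chain_ok"] += 1
    return report


if __name__ == "__main__":
    for key, value in analyse_chain(parse_tree(REPORT)).items():
        print(f"{key}: {value}")
```

Run over the complete tree above instead of the slice, every adjacent pair passes the parent-naming check, and PIDs 1444, 584, 2068, 688, 1016, 1600, 2184, 2588 and 2528 each recur at a later level. Windows only hands a PID out again after the previous process has exited, so the chain is a relay of short-lived processes rather than a deep tree of live ones; a detection that waits for a long-lived parent will miss it, while one that keys on a System32/SysWOW64 image launched with an argument equal to the parent image path will not.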