Analysis
max time kernel: 137s
max time network: 124s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/04/2024, 23:20
Static task: static1
Behavioral task: behavioral1
  Sample: e618abbf88aedc79c3975878daba5c9a_JaffaCakes118.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: e618abbf88aedc79c3975878daba5c9a_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: e618abbf88aedc79c3975878daba5c9a_JaffaCakes118.exe
Size: 102KB
MD5: e618abbf88aedc79c3975878daba5c9a
SHA1: df3bea7b926a13b6d2003bf7a280a875882f8bbe
SHA256: 24d5464a706bf74c91841344dd879fab410a6d1b55032014c2ddb1781ac32d18
SHA512: efce7dd64001a96d9bdf579d4a3284efad83b63ae51334299c64e6cd9cd9e084cce72d5b6df395f48c991b92615cc3342a3f694a6143db44057e63565c01f2ef
SSDEEP: 3072:fVsUjh2iw4XUMgQOIXdYyhQQ+bMKLo3pl0k4F9:9PlXiQNWyhQU3pX69
Malware Config
Signatures
Checks computer location settings (2 TTPs, 64 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Executes dropped EXE (64 IoCs)
Adds Run key to start application (2 TTPs, 64 IoCs)
Drops file in System32 directory (64 IoCs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (64 IoCs)
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4340 e618abbf88aedc79c3975878daba5c9a_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e618abbf88aedc79c3975878daba5c9a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e618abbf88aedc79c3975878daba5c9a_JaffaCakes118.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4340 -
C:\Users\Admin\AppData\Local\Temp\1pwT2q\srce.exeC:\Users\Admin\AppData\Local\Temp\\1pwT2q\srce.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4568 -
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\USERS\ADMIN\APPDATA\LOCAL\TEMP\1PWT2Q\SRCE.EXE3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4028 -
C:\WINDOWS\SysWOW64\eqfrnkl.exe"C:\WINDOWS\SYSTEM32\eqfrnkl.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4564 -
C:\WINDOWS\SysWOW64\bgdsgry.exe"C:\WINDOWS\SYSTEM32\bgdsgry.exe" mElTC:\WINDOWS\SYSWOW64\EQFRNKL.EXE5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1472 -
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\BGDSGRY.EXE6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5056 -
C:\WINDOWS\SysWOW64\confsqw.exe"C:\WINDOWS\SYSTEM32\confsqw.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE7⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\WINDOWS\SysWOW64\mrchftc.exe"C:\WINDOWS\SYSTEM32\mrchftc.exe" mElTC:\WINDOWS\SYSWOW64\CONFSQW.EXE8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\MRCHFTC.EXE9⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\WINDOWS\SysWOW64\urcvfie.exe"C:\WINDOWS\SYSTEM32\urcvfie.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE10⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3584 -
C:\WINDOWS\SysWOW64\ztkqwnk.exe"C:\WINDOWS\SYSTEM32\ztkqwnk.exe" mElTC:\WINDOWS\SYSWOW64\URCVFIE.EXE11⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\ZTKQWNK.EXE12⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4816 -
C:\WINDOWS\SysWOW64\uzcykkw.exe"C:\WINDOWS\SYSTEM32\uzcykkw.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:444 -
C:\WINDOWS\SysWOW64\hmtoqov.exe"C:\WINDOWS\SYSTEM32\hmtoqov.exe" mElTC:\WINDOWS\SYSWOW64\UZCYKKW.EXE14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4892 -
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\HMTOQOV.EXE15⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3424 -
C:\WINDOWS\SysWOW64\mzobvyf.exe"C:\WINDOWS\SYSTEM32\mzobvyf.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5088 -
C:\WINDOWS\SysWOW64\pfcmkpo.exe"C:\WINDOWS\SYSTEM32\pfcmkpo.exe" mElTC:\WINDOWS\SYSWOW64\MZOBVYF.EXE17⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:952 -
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\PFCMKPO.EXE18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4716 -
C:\WINDOWS\SysWOW64\enpkxtz.exe"C:\WINDOWS\SYSTEM32\enpkxtz.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\WINDOWS\SysWOW64\rbisxki.exe"C:\WINDOWS\SYSTEM32\rbisxki.exe" mElTC:\WINDOWS\SYSWOW64\ENPKXTZ.EXE20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4316 -
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\RBISXKI.EXE21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:208 -
C:\WINDOWS\SysWOW64\zuqxxyj.exe"C:\WINDOWS\SYSTEM32\zuqxxyj.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE22⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\WINDOWS\SysWOW64\occyycx.exe"C:\WINDOWS\SYSTEM32\occyycx.exe" mElTC:\WINDOWS\SYSWOW64\ZUQXXYJ.EXE23⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4976 -
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\OCCYYCX.EXE24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4152 -
C:\WINDOWS\SysWOW64\okjtjul.exe"C:\WINDOWS\SYSTEM32\okjtjul.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE25⤵
- Executes dropped EXE
- Modifies registry class
PID:2428 -
C:\WINDOWS\SysWOW64\lttbwkt.exe"C:\WINDOWS\SYSTEM32\lttbwkt.exe" mElTC:\WINDOWS\SYSWOW64\OKJTJUL.EXE26⤵
- Checks computer location settings
- Executes dropped EXE
PID:3160 -
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\LTTBWKT.EXE27⤵
- Executes dropped EXE
PID:956 -
C:\WINDOWS\SysWOW64\gcxcztc.exe"C:\WINDOWS\SYSTEM32\gcxcztc.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE28⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4460 -
C:\WINDOWS\SysWOW64\teexegm.exe"C:\WINDOWS\SYSTEM32\teexegm.exe" mElTC:\WINDOWS\SYSWOW64\GCXCZTC.EXE29⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
PID:2476 -
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\TEEXEGM.EXE30⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:4240 -
C:\WINDOWS\SysWOW64\wluxzsc.exe"C:\WINDOWS\SYSTEM32\wluxzsc.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE31⤵
- Executes dropped EXE
PID:5068 -
C:\WINDOWS\SysWOW64\jvbicrc.exe"C:\WINDOWS\SYSTEM32\jvbicrc.exe" mElTC:\WINDOWS\SYSWOW64\WLUXZSC.EXE32⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:5048 -
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\JVBICRC.EXE33⤵
- Checks computer location settings
- Executes dropped EXE
PID:3020 -
C:\WINDOWS\SysWOW64\jnlgilk.exe"C:\WINDOWS\SYSTEM32\jnlgilk.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE34⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4436 -
C:\WINDOWS\SysWOW64\wbetbcq.exe"C:\WINDOWS\SYSTEM32\wbetbcq.exe" mElTC:\WINDOWS\SYSWOW64\JNLGILK.EXE35⤵
- Executes dropped EXE
PID:1052 -
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\WBETBCQ.EXE36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1644 -
C:\WINDOWS\SysWOW64\wmpbbjp.exe"C:\WINDOWS\SYSTEM32\wmpbbjp.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE37⤵
- Executes dropped EXE
- Modifies registry class
PID:1084 -
C:\WINDOWS\SysWOW64\yaerciw.exe"C:\WINDOWS\SYSTEM32\yaerciw.exe" mElTC:\WINDOWS\SYSWOW64\WMPBBJP.EXE38⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
PID:216 -
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\YAERCIW.EXE39⤵
- Executes dropped EXE
PID:3056 -
C:\WINDOWS\SysWOW64\gicctfa.exe"C:\WINDOWS\SYSTEM32\gicctfa.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE40⤵
- Executes dropped EXE
PID:1448 -
C:\WINDOWS\SysWOW64\bhrfdrl.exe"C:\WINDOWS\SYSTEM32\bhrfdrl.exe" mElTC:\WINDOWS\SYSWOW64\GICCTFA.EXE41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2560 -
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\BHRFDRL.EXE42⤵
- Executes dropped EXE
PID:5016 -
C:\WINDOWS\SysWOW64\jibjjsc.exe"C:\WINDOWS\SYSTEM32\jibjjsc.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE43⤵
- Executes dropped EXE
PID:4340 -
C:\WINDOWS\SysWOW64\qtbtrtq.exe"C:\WINDOWS\SYSTEM32\qtbtrtq.exe" mElTC:\WINDOWS\SYSWOW64\JIBJJSC.EXE44⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
PID:1084 -
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\QTBTRTQ.EXE45⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
PID:2780 -
C:\WINDOWS\SysWOW64\bpnpyie.exe"C:\WINDOWS\SYSTEM32\bpnpyie.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE46⤵
- Checks computer location settings
- Executes dropped EXE
PID:4204 -
C:\WINDOWS\SysWOW64\yqyhntn.exe"C:\WINDOWS\SYSTEM32\yqyhntn.exe" mElTC:\WINDOWS\SYSWOW64\BPNPYIE.EXE47⤵
- Executes dropped EXE
PID:4380 -
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\YQYHNTN.EXE48⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2560 -
C:\WINDOWS\SysWOW64\gygqkkh.exe"C:\WINDOWS\SYSTEM32\gygqkkh.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE49⤵
- Checks computer location settings
- Executes dropped EXE
PID:2428 -
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\GYGQKKH.EXE50⤵
- Executes dropped EXE
PID:4392 -
C:\WINDOWS\SysWOW64\nwcznkh.exe"C:\WINDOWS\SYSTEM32\nwcznkh.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE51⤵
- Executes dropped EXE
- Modifies registry class
PID:1404 -
C:\WINDOWS\SysWOW64\qzgclfh.exe"C:\WINDOWS\SYSTEM32\qzgclfh.exe" mElTC:\WINDOWS\SYSWOW64\NWCZNKH.EXE52⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:4460 -
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\QZGCLFH.EXE53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4948 -
C:\WINDOWS\SysWOW64\ljiprve.exe"C:\WINDOWS\SYSTEM32\ljiprve.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE54⤵
- Executes dropped EXE
PID:4888 -
C:\WINDOWS\SysWOW64\djlnibi.exe"C:\WINDOWS\SYSTEM32\djlnibi.exe" mElTC:\WINDOWS\SYSWOW64\LJIPRVE.EXE55⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:4976 -
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\DJLNIBI.EXE56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2428 -
C:\WINDOWS\SysWOW64\yplbiga.exe"C:\WINDOWS\SYSTEM32\yplbiga.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3292 -
C:\WINDOWS\SysWOW64\qaagcdy.exe"C:\WINDOWS\SYSTEM32\qaagcdy.exe" mElTC:\WINDOWS\SYSWOW64\YPLBIGA.EXE58⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3748 -
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\QAAGCDY.EXE59⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4660 -
C:\WINDOWS\SysWOW64\iobpdgs.exe"C:\WINDOWS\SYSTEM32\iobpdgs.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE60⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4592 -
C:\WINDOWS\SysWOW64\yaihboc.exe"C:\WINDOWS\SYSTEM32\yaihboc.exe" mElTC:\WINDOWS\SYSWOW64\IOBPDGS.EXE61⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:4380 -
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\YAIHBOC.EXE62⤵
- Executes dropped EXE
PID:4464 -
C:\WINDOWS\SysWOW64\vjdfuzr.exe"C:\WINDOWS\SYSTEM32\vjdfuzr.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE63⤵
- Checks computer location settings
- Executes dropped EXE
PID:1700 -
C:\WINDOWS\SysWOW64\nnrqvrb.exe"C:\WINDOWS\SYSTEM32\nnrqvrb.exe" mElTC:\WINDOWS\SYSWOW64\VJDFUZR.EXE64⤵
- Executes dropped EXE
- Modifies registry class
PID:3592 -
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\NNRQVRB.EXE65⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1904 -
C:\WINDOWS\SysWOW64\alwljyc.exe"C:\WINDOWS\SYSTEM32\alwljyc.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE66⤵
- Drops file in System32 directory
- Modifies registry class
PID:4436 -
C:\WINDOWS\SysWOW64\fyptuio.exe"C:\WINDOWS\SYSTEM32\fyptuio.exe" mElTC:\WINDOWS\SYSWOW64\ALWLJYC.EXE67⤵PID:3060
-
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\FYPTUIO.EXE68⤵
- Checks computer location settings
- Modifies registry class
PID:3948 -
C:\WINDOWS\SysWOW64\grswucb.exe"C:\WINDOWS\SYSTEM32\grswucb.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE69⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:1720 -
C:\WINDOWS\SysWOW64\khwjwxj.exe"C:\WINDOWS\SYSTEM32\khwjwxj.exe" mElTC:\WINDOWS\SYSWOW64\GRSWUCB.EXE70⤵PID:4532
-
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\KHWJWXJ.EXE71⤵PID:2756
-
C:\WINDOWS\SysWOW64\abvpdao.exe"C:\WINDOWS\SYSTEM32\abvpdao.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE72⤵
- Adds Run key to start application
PID:676 -
C:\WINDOWS\SysWOW64\sxvizbt.exe"C:\WINDOWS\SYSTEM32\sxvizbt.exe" mElTC:\WINDOWS\SYSWOW64\ABVPDAO.EXE73⤵
- Adds Run key to start application
PID:1660 -
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\SXVIZBT.EXE74⤵
- Adds Run key to start application
PID:952 -
C:\WINDOWS\SysWOW64\cxjdxvi.exe"C:\WINDOWS\SYSTEM32\cxjdxvi.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE75⤵PID:3632
-
C:\WINDOWS\SysWOW64\xolgnkr.exe"C:\WINDOWS\SYSTEM32\xolgnkr.exe" mElTC:\WINDOWS\SYSWOW64\CXJDXVI.EXE76⤵PID:3324
-
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\XOLGNKR.EXE77⤵
- Modifies registry class
PID:4308 -
C:\WINDOWS\SysWOW64\flxjkpj.exe"C:\WINDOWS\SYSTEM32\flxjkpj.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE78⤵PID:4532
-
C:\WINDOWS\SysWOW64\pkkuonp.exe"C:\WINDOWS\SYSTEM32\pkkuonp.exe" mElTC:\WINDOWS\SYSWOW64\FLXJKPJ.EXE79⤵
- Modifies registry class
PID:2756 -
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\PKKUONP.EXE80⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:676 -
C:\WINDOWS\SysWOW64\xziffst.exe"C:\WINDOWS\SYSTEM32\xziffst.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE81⤵PID:3836
-
C:\WINDOWS\SysWOW64\qwzptty.exe"C:\WINDOWS\SYSTEM32\qwzptty.exe" mElTC:\WINDOWS\SYSWOW64\XZIFFST.EXE82⤵PID:952
-
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\QWZPTTY.EXE83⤵
- Adds Run key to start application
- Modifies registry class
PID:3632 -
C:\WINDOWS\SysWOW64\zkjsdbq.exe"C:\WINDOWS\SYSTEM32\zkjsdbq.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE84⤵
- Checks computer location settings
- Drops file in System32 directory
PID:744 -
C:\WINDOWS\SysWOW64\pojnhon.exe"C:\WINDOWS\SYSTEM32\pojnhon.exe" mElTC:\WINDOWS\SYSWOW64\ZKJSDBQ.EXE85⤵
- Checks computer location settings
- Drops file in System32 directory
PID:3124 -
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\POJNHON.EXE86⤵PID:4864
-
C:\WINDOWS\SysWOW64\uepnocw.exe"C:\WINDOWS\SYSTEM32\uepnocw.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE87⤵PID:4460
-
C:\WINDOWS\SysWOW64\kucbhtx.exe"C:\WINDOWS\SYSTEM32\kucbhtx.exe" mElTC:\WINDOWS\SYSWOW64\UEPNOCW.EXE88⤵
- Drops file in System32 directory
PID:4660 -
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\KUCBHTX.EXE89⤵PID:976
-
C:\WINDOWS\SysWOW64\xqsuygt.exe"C:\WINDOWS\SYSTEM32\xqsuygt.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE90⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:3904 -
C:\WINDOWS\SysWOW64\khwpbbi.exe"C:\WINDOWS\SYSTEM32\khwpbbi.exe" mElTC:\WINDOWS\SYSWOW64\XQSUYGT.EXE91⤵PID:4884
-
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\KHWPBBI.EXE92⤵PID:3708
-
C:\WINDOWS\SysWOW64\ckukasn.exe"C:\WINDOWS\SYSTEM32\ckukasn.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE93⤵PID:3964
-
C:\WINDOWS\SysWOW64\pmbffex.exe"C:\WINDOWS\SYSTEM32\pmbffex.exe" mElTC:\WINDOWS\SYSWOW64\CKUKASN.EXE94⤵
- Drops file in System32 directory
PID:3156 -
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\PMBFFEX.EXE95⤵
- Drops file in System32 directory
PID:2800 -
C:\WINDOWS\SysWOW64\czvtqcm.exe"C:\WINDOWS\SYSTEM32\czvtqcm.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE96⤵
- Adds Run key to start application
PID:1944 -
C:\WINDOWS\SysWOW64\zlqoofs.exe"C:\WINDOWS\SYSTEM32\zlqoofs.exe" mElTC:\WINDOWS\SYSWOW64\CZVTQCM.EXE97⤵
- Checks computer location settings
- Drops file in System32 directory
PID:3536 -
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\ZLQOOFS.EXE98⤵
- Checks computer location settings
- Drops file in System32 directory
PID:1456 -
C:\WINDOWS\SysWOW64\pfyepnz.exe"C:\WINDOWS\SYSTEM32\pfyepnz.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE99⤵PID:2372
-
C:\WINDOWS\SysWOW64\kadupgp.exe"C:\WINDOWS\SYSTEM32\kadupgp.exe" mElTC:\WINDOWS\SYSWOW64\PFYEPNZ.EXE100⤵
- Checks computer location settings
- Drops file in System32 directory
PID:3584 -
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\KADUPGP.EXE101⤵
- Checks computer location settings
- Drops file in System32 directory
PID:2916 -
C:\WINDOWS\SysWOW64\rbcuwvl.exe"C:\WINDOWS\SYSTEM32\rbcuwvl.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE102⤵
- Modifies registry class
PID:1648 -
C:\WINDOWS\SysWOW64\huzhfjo.exe"C:\WINDOWS\SYSTEM32\huzhfjo.exe" mElTC:\WINDOWS\SYSWOW64\RBCUWVL.EXE103⤵PID:1400
-
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\HUZHFJO.EXE104⤵
- Adds Run key to start application
PID:4436 -
C:\WINDOWS\SysWOW64\uwgccvy.exe"C:\WINDOWS\SYSTEM32\uwgccvy.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE105⤵PID:3188
-
C:\WINDOWS\SysWOW64\pruxowl.exe"C:\WINDOWS\SYSTEM32\pruxowl.exe" mElTC:\WINDOWS\SYSWOW64\UWGCCVY.EXE106⤵
- Checks computer location settings
PID:2072 -
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\PRUXOWL.EXE107⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
PID:1640 -
C:\WINDOWS\SysWOW64\pkebuxu.exe"C:\WINDOWS\SYSTEM32\pkebuxu.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE108⤵
- Checks computer location settings
PID:4056 -
C:\WINDOWS\SysWOW64\cmlerje.exe"C:\WINDOWS\SYSTEM32\cmlerje.exe" mElTC:\WINDOWS\SYSWOW64\PKEBUXU.EXE109⤵
- Adds Run key to start application
PID:4280 -
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\CMLERJE.EXE110⤵
- Checks computer location settings
- Drops file in System32 directory
PID:4688 -
C:\WINDOWS\SysWOW64\cblzwux.exe"C:\WINDOWS\SYSTEM32\cblzwux.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE111⤵PID:4320
-
C:\WINDOWS\SysWOW64\jgwrzex.exe"C:\WINDOWS\SYSTEM32\jgwrzex.exe" mElTC:\WINDOWS\SYSWOW64\CBLZWUX.EXE112⤵
- Checks computer location settings
PID:4188 -
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\JGWRZEX.EXE113⤵
- Adds Run key to start application
PID:3424 -
C:\WINDOWS\SysWOW64\pwdfsam.exe"C:\WINDOWS\SYSTEM32\pwdfsam.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE114⤵
- Adds Run key to start application
PID:428 -
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\PWDFSAM.EXE115⤵PID:4128
-
C:\WINDOWS\SysWOW64\mmudrtg.exe"C:\WINDOWS\SYSTEM32\mmudrtg.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE116⤵PID:4588
-
C:\WINDOWS\SysWOW64\unujrii.exe"C:\WINDOWS\SYSTEM32\unujrii.exe" mElTC:\WINDOWS\SYSWOW64\MMUDRTG.EXE117⤵PID:5084
-
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\UNUJRII.EXE118⤵
- Modifies registry class
PID:1260 -
C:\WINDOWS\SysWOW64\tfvblcs.exe"C:\WINDOWS\SYSTEM32\tfvblcs.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE119⤵
- Adds Run key to start application
PID:2260 -
C:\WINDOWS\SysWOW64\mjutnrm.exe"C:\WINDOWS\SYSTEM32\mjutnrm.exe" mElTC:\WINDOWS\SYSWOW64\TFVBLCS.EXE120⤵
- Checks computer location settings
- Modifies registry class
PID:4320 -
C:\WINDOWS\SysWOW64\wuaumqr.exe"C:\WINDOWS\SYSTEM32\wuaumqr.exe" mElTC:\WINDOWS\SYSWOW64\MJUTNRM.EXE121⤵
- Drops file in System32 directory
PID:3324 -
C:\WINDOWS\SysWOW64\uriztgt.exe"C:\WINDOWS\SYSTEM32\uriztgt.exe" mElTC:\WINDOWS\SYSWOW64\WUAUMQR.EXE122⤵PID:3492