Analysis
max time kernel: 67s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 09-04-2024 13:41
Behavioral task
behavioral1
Sample
ea1dab772ea67edd7a56a3e641dbfa19_JaffaCakes118.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
ea1dab772ea67edd7a56a3e641dbfa19_JaffaCakes118.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
Target: ea1dab772ea67edd7a56a3e641dbfa19_JaffaCakes118.exe
Size: 31KB
MD5: ea1dab772ea67edd7a56a3e641dbfa19
SHA1: d1ac24e8f188e11012474fcba8f1512bd7d62e7b
SHA256: 71fb44f467aa3d6f40e2add320b39ab6d4077a693e6a79ee63584abcbf316844
SHA512: eadd29209cc4aeecad4f1aa935647dfab0b567d73f7ed8ae25f28a9d82507a17832d9f4cc84822304e1ec7b36775937f93c681ada11a5fa11f1a77c58004730d
SSDEEP: 192:5+doBNQlUjGgMUhrniMRqS4t9GuIq0ZxpfFpbpc+:4dYQlviniMRqSG5qxpfnO
Score: 7/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid  Process
3024  qvlre.exe
2624  zzjdimu.exe
2688  kkfdny.exe
2720  wpujtqv.exe
2464  zxnulyim.exe
2480  qkivzrv.exe
2940  kbookpr.exe
596  ywsysqy.exe
1536  keoquwf.exe
2604  ukhyq.exe
2512  bgmfihr.exe
2000  lbhzt.exe
612  vulgtcgo.exe
1628  xxzavap.exe
112  xwspavmx.exe
2208  hvqse.exe
2136  dpfatz.exe
1164  bdjxdwuo.exe
2368  okjrppho.exe
2148  ueqwqsdo.exe
2980  lkffwfkc.exe
1424  qrshnkh.exe
1688  wzccsez.exe
1300  tdgrun.exe
1988  ymlql.exe
1964  gaykyl.exe
2300  ieeibgy.exe
2232  dxjnfx.exe
2220  jlnzjw.exe
2332  dwvue.exe
2888  okhpj.exe
2020  jqtqq.exe
2992  vroaoukg.exe
2524  nemddciu.exe
2560  vjmxvx.exe
2568  vqeuarap.exe
2548  qctwv.exe
860  gefoqe.exe
2580  gvrif.exe
2636  ehyzi.exe
2372  yqkskhv.exe
1904  kxsrizoc.exe
700  jyqfmxf.exe
1168  ubrujgpw.exe
2764  krsxplu.exe
2808  zlidt.exe
1948  osaizgo.exe
1680  pxjlne.exe
280  vmvlrchn.exe
2732  yizhm.exe
320  ymswftsy.exe
2292  sovjp.exe
2876  naimyg.exe
3048  athauqpo.exe
2868  cijutnpj.exe
2984  hfcymmab.exe
1172  sxhjzp.exe
1552  hdpchju.exe
2156  oosqlwxn.exe
2388  rwshlf.exe
1572  jlornlgz.exe
2236  ugefco.exe
2144  pinwbvsl.exe
2344  czpuvrpl.exe
Loads dropped DLL 64 IoCs
pid  Process  (each process appears twice among the 64 entries)
2932  ea1dab772ea67edd7a56a3e641dbfa19_JaffaCakes118.exe  (x2)
3024  qvlre.exe  (x2)
2624  zzjdimu.exe  (x2)
2688  kkfdny.exe  (x2)
2720  wpujtqv.exe  (x2)
2464  zxnulyim.exe  (x2)
2480  qkivzrv.exe  (x2)
2940  kbookpr.exe  (x2)
596  ywsysqy.exe  (x2)
1536  keoquwf.exe  (x2)
2604  ukhyq.exe  (x2)
2512  bgmfihr.exe  (x2)
2000  lbhzt.exe  (x2)
612  vulgtcgo.exe  (x2)
1628  xxzavap.exe  (x2)
112  xwspavmx.exe  (x2)
2208  hvqse.exe  (x2)
2136  dpfatz.exe  (x2)
1164  bdjxdwuo.exe  (x2)
2368  okjrppho.exe  (x2)
2148  ueqwqsdo.exe  (x2)
2980  lkffwfkc.exe  (x2)
1424  qrshnkh.exe  (x2)
1688  wzccsez.exe  (x2)
1300  tdgrun.exe  (x2)
1988  ymlql.exe  (x2)
1964  gaykyl.exe  (x2)
2300  ieeibgy.exe  (x2)
2232  dxjnfx.exe  (x2)
2220  jlnzjw.exe  (x2)
2332  dwvue.exe  (x2)
2888  okhpj.exe  (x2)
resource  yara_rule
behavioral1/memory/2932-0-0x0000000031420000-0x000000003142A000-memory.dmp  upx
behavioral1/files/0x0008000000012254-2.dat  upx
behavioral1/memory/3024-13-0x0000000031420000-0x000000003142A000-memory.dmp  upx
behavioral1/memory/3024-20-0x0000000000260000-0x000000000026A000-memory.dmp  upx
behavioral1/memory/2932-62-0x0000000031420000-0x000000003142A000-memory.dmp  upx
behavioral1/memory/2940-84-0x0000000000220000-0x000000000022A000-memory.dmp  upx
behavioral1/memory/1536-96-0x0000000031420000-0x000000003142A000-memory.dmp  upx
behavioral1/memory/2720-107-0x00000000002E0000-0x00000000002EA000-memory.dmp  upx
behavioral1/memory/2512-128-0x0000000000260000-0x000000000026A000-memory.dmp  upx
behavioral1/memory/112-169-0x00000000002E0000-0x00000000002EA000-memory.dmp  upx
behavioral1/memory/2000-184-0x0000000000260000-0x000000000026A000-memory.dmp  upx
behavioral1/memory/612-188-0x0000000000260000-0x000000000026A000-memory.dmp  upx
behavioral1/memory/1628-198-0x00000000002F0000-0x00000000002FA000-memory.dmp  upx
behavioral1/memory/1424-212-0x0000000031420000-0x000000003142A000-memory.dmp  upx
behavioral1/memory/1988-230-0x0000000031420000-0x000000003142A000-memory.dmp  upx
behavioral1/memory/1988-268-0x0000000000260000-0x000000000026A000-memory.dmp  upx
behavioral1/memory/2568-292-0x0000000031420000-0x000000003142A000-memory.dmp  upx
behavioral1/memory/2372-320-0x0000000031420000-0x000000003142A000-memory.dmp  upx
Adds Run key to start application 2 TTPs 64 IoCs
description  ioc  Process
All 64 entries are Set value (str) on the same value, \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service. Each line below gives the data written and the process that wrote it.
"C:\\Windows\\system32\\blgdlzoi.exe"  tywgusge.exe
"C:\\Windows\\system32\\vljxn.exe"  lqwowm.exe
"C:\\Windows\\system32\\wnhrzlm.exe"  xhuvvl.exe
"C:\\Windows\\system32\\geypxch.exe"  cpvlh.exe
"C:\\Windows\\system32\\cltumu.exe"  cteiede.exe
"C:\\Windows\\system32\\nnawkf.exe"  iirxvqhr.exe
"C:\\Windows\\system32\\dxzrq.exe"  azbgwaok.exe
"C:\\Windows\\system32\\fsowrirz.exe"  aupkd.exe
"C:\\Windows\\system32\\tovscg.exe"  ogcdrmvb.exe
"C:\\Windows\\system32\\uwsizvte.exe"  yrtzy.exe
"C:\\Windows\\system32\\ykgmxon.exe"  loqddl.exe
"C:\\Windows\\system32\\ecesgz.exe"  dmkpxlt.exe
"C:\\Windows\\system32\\xhdjdtoe.exe"  bcdslif.exe
"C:\\Windows\\system32\\ryrbkscf.exe"  mufngyx.exe
"C:\\Windows\\system32\\gyrpzw.exe"  udhoq.exe
"C:\\Windows\\system32\\slotggq.exe"  efrzi.exe
"C:\\Windows\\system32\\qwgll.exe"  bmkiso.exe
"C:\\Windows\\system32\\szzgitzc.exe"  veywtmod.exe
"C:\\Windows\\system32\\gvzrl.exe"  yzbypb.exe
"C:\\Windows\\system32\\sxhjzp.exe"  hfcymmab.exe
"C:\\Windows\\system32\\efrzi.exe"  zmwwwpf.exe
"C:\\Windows\\system32\\qkivzrv.exe"  zxnulyim.exe
"C:\\Windows\\system32\\xhuvvl.exe"  vxqmni.exe
"C:\\Windows\\system32\\pmboyqum.exe"  bnfsaajw.exe
"C:\\Windows\\system32\\midduyt.exe"  lybin.exe
"C:\\Windows\\system32\\kwgygxa.exe"  gvzrl.exe
"C:\\Windows\\system32\\qvlre.exe"  ea1dab772ea67edd7a56a3e641dbfa19_JaffaCakes118.exe
"C:\\Windows\\system32\\bgmfihr.exe"  ukhyq.exe
"C:\\Windows\\system32\\vjmxvx.exe"  nemddciu.exe
"C:\\Windows\\system32\\ccfjjtd.exe"  rquzmly.exe
"C:\\Windows\\system32\\vrkcihcy.exe"  lorcobd.exe
"C:\\Windows\\system32\\gowxnlq.exe"  ajwrarlp.exe
"C:\\Windows\\system32\\bmkiso.exe"  ykgmxon.exe
"C:\\Windows\\system32\\ubrujgpw.exe"  jyqfmxf.exe
"C:\\Windows\\system32\\hfcymmab.exe"  cijutnpj.exe
"C:\\Windows\\system32\\imooahhh.exe"  apxmk.exe
"C:\\Windows\\system32\\sdezpa.exe"  ebeizbdr.exe
"C:\\Windows\\system32\\cpqfdtpi.exe"  qyaxjbbs.exe
"C:\\Windows\\system32\\veywtmod.exe"  uktuhqtc.exe
"C:\\Windows\\system32\\agfblg.exe"  pezcnx.exe
"C:\\Windows\\system32\\qctwv.exe"  vqeuarap.exe
"C:\\Windows\\system32\\kjiaef.exe"  xunat.exe
"C:\\Windows\\system32\\bcdslif.exe"  dicyzwh.exe
"C:\\Windows\\system32\\iiertmpo.exe"  elcnhhxb.exe
"C:\\Windows\\system32\\dwvue.exe"  jlnzjw.exe
"C:\\Windows\\system32\\wpeued.exe"  nijmrfz.exe
"C:\\Windows\\system32\\mociud.exe"  jvnji.exe
"C:\\Windows\\system32\\ogcdrmvb.exe"  xachi.exe
"C:\\Windows\\system32\\jwmsvug.exe"  ealbst.exe
"C:\\Windows\\system32\\pbgzyq.exe"  ufgmpi.exe
"C:\\Windows\\system32\\qrshnkh.exe"  lkffwfkc.exe
"C:\\Windows\\system32\\bbxaq.exe"  lloupud.exe
"C:\\Windows\\system32\\nijmrfz.exe"  ryrbkscf.exe
"C:\\Windows\\system32\\ncvagbw.exe"  qvien.exe
"C:\\Windows\\system32\\hkmaj.exe"  wxwfa.exe
"C:\\Windows\\system32\\xyhesi.exe"  olxywsc.exe
"C:\\Windows\\system32\\zpfmxzt.exe"  qwgll.exe
"C:\\Windows\\system32\\lozgti.exe"  cledkk.exe
"C:\\Windows\\system32\\tagso.exe"  azpagvsh.exe
"C:\\Windows\\system32\\lhkzaj.exe"  dxzrq.exe
"C:\\Windows\\system32\\jlnzjw.exe"  dxjnfx.exe
"C:\\Windows\\system32\\gefoqe.exe"  qctwv.exe
"C:\\Windows\\system32\\gaykyl.exe"  ymlql.exe
"C:\\Windows\\system32\\vnvro.exe"  zdtqo.exe
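Two things in the table above are worth checking on a live host rather than just reading. First, every write targets the same value name, "Cryptographic Service", which imitates the display name of the legitimate Windows CryptSvc service ("Cryptographic Services"), while the data points at a different 5-8 letter executable each time: each stage re-points the one Run value at its successor. Second, the data says C:\Windows\system32\ but the "Drops file in System32 directory" entries show the files under C:\Windows\SysWOW64\; the writer is a 32-bit process on x64 Windows, so its system32 writes are redirected by WOW64, and a hunt has to look in both directories. The Python below is an added example (not code from the report or from the sandbox) that parses entries in the report's own text format, using four of the 64 lines as sample input, undoes the report's backslash escaping and applies that check. The entry regex, the random-name heuristic and the small allow-list are assumptions made for the example.

```python
"""Parse the 'Adds Run key to start application' IoC lines of a Triage-style
sandbox report and flag the persistence pattern they show: one fixed value
name, a different random-looking executable under the system directory on
every write.

Added example, not code from the report or from the sandbox. The regex, the
random-name heuristic and the allow-list below are assumptions."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Four of the report's 64 entries, copied verbatim (Triage escapes backslashes
# inside string data, hence the doubled ones in the quoted path).
SAMPLE = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\blgdlzoi.exe" tywgusge.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\qvlre.exe" ea1dab772ea67edd7a56a3e641dbfa19_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\qkivzrv.exe" zxnulyim.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\vnvro.exe" zdtqo.exe
"""

# One entry: 'Set value (str) <key>\<value name> = "<data>" <writer process>'
ENTRY_RE = re.compile(
    r'Set value \(str\) (?P<key>\\REGISTRY\\[^=]*?\\Run)\\(?P<name>[^\\=]+?) = '
    r'"(?P<data>[^"]*)" (?P<writer>\S+)'
)


@dataclass(frozen=True)
class RunKeyWrite:
    key: str     # registry key that holds the value
    name: str    # value name under ...\Run
    target: str  # path the value points at (unescaped)
    writer: str  # process that wrote it


def parse_run_key_writes(text: str) -> list[RunKeyWrite]:
    """Extract every Run-key write from flattened report text."""
    writes = []
    for m in ENTRY_RE.finditer(text):
        target = m["data"].replace("\\\\", "\\")  # undo the report's escaping
        writes.append(RunKeyWrite(m["key"], m["name"], target, m["writer"]))
    return writes


# Heuristic (assumption): a 5-8 letter, all-lowercase basename under the
# system directory that is not a known Windows binary is worth a look.
RANDOM_NAME_RE = re.compile(r"^[a-z]{5,8}\.exe$")
KNOWN_SYSTEM_BINARIES = {"svchost.exe", "rundll32.exe", "ctfmon.exe"}  # illustrative


def is_suspicious(w: RunKeyWrite) -> bool:
    path = w.target.lower()
    base = path.rsplit("\\", 1)[-1]
    # The 32-bit writer's 'system32' is redirected to SysWOW64 by WOW64, so
    # both spellings must be treated as the system directory.
    in_sysdir = "\\windows\\system32\\" in path or "\\windows\\syswow64\\" in path
    return in_sysdir and base not in KNOWN_SYSTEM_BINARIES and bool(RANDOM_NAME_RE.match(base))


def summarize(writes: list[RunKeyWrite]) -> dict:
    """Distinct value names, targets and writers. The report's pattern is one
    value name, N targets and N writers: every stage re-points the same value."""
    return {
        "value_names": sorted({w.name for w in writes}),
        "distinct_targets": len({w.target.lower() for w in writes}),
        "distinct_writers": len({w.writer.lower() for w in writes}),
        "suspicious": sum(is_suspicious(w) for w in writes),
        "keys": Counter(w.key for w in writes),
    }


if __name__ == "__main__":
    writes = parse_run_key_writes(SAMPLE)
    for w in writes:
        print(f"{'!' if is_suspicious(w) else ' '} {w.writer:52} -> {w.target}")
    print(summarize(writes))
```

Run against the full 64-line table, summarize() returns one value name, 64 distinct targets and 64 distinct writers, which is the signature of a chain that replaces itself at every stage rather than a single persistent binary. The same parser works on a registry export from a suspect host if the lines are first rendered in the same "key\name = data" shape.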
Drops file in System32 directory 64 IoCs
description  ioc  Process
File created  C:\Windows\SysWOW64\lfzuuhf.exe  xzqabk.exe
File created  C:\Windows\SysWOW64\qfwrq.exe  fxewunv.exe
File created  C:\Windows\SysWOW64\okhpj.exe  dwvue.exe
File created  C:\Windows\SysWOW64\rwepwtzf.exe  qpyaxef.exe
File opened for modification  C:\Windows\SysWOW64\gdkyk.exe  bwfjlkv.exe
File created  C:\Windows\SysWOW64\cvsxk.exe  uxfdzt.exe
File opened for modification  C:\Windows\SysWOW64\cpqfdtpi.exe  qyaxjbbs.exe
File opened for modification  C:\Windows\SysWOW64\dxjnfx.exe  ieeibgy.exe
File created  C:\Windows\SysWOW64\edlpyz.exe  ccfjjtd.exe
File opened for modification  C:\Windows\SysWOW64\gyrpzw.exe  udhoq.exe
File created  C:\Windows\SysWOW64\bhqvvxu.exe  qxazube.exe
File opened for modification  C:\Windows\SysWOW64\ryrbkscf.exe  mufngyx.exe
File created  C:\Windows\SysWOW64\vyjvau.exe  xpfsso.exe
File created  C:\Windows\SysWOW64\fxewunv.exe  jjcihmfk.exe
File opened for modification  C:\Windows\SysWOW64\hkmaj.exe  wxwfa.exe
File created  C:\Windows\SysWOW64\xachi.exe  mociud.exe
File opened for modification  C:\Windows\SysWOW64\jnoonx.exe  gtvxo.exe
File opened for modification  C:\Windows\SysWOW64\veywtmod.exe  uktuhqtc.exe
File opened for modification  C:\Windows\SysWOW64\szzgitzc.exe  veywtmod.exe
File opened for modification  C:\Windows\SysWOW64\iirxvqhr.exe  sptpv.exe
File created  C:\Windows\SysWOW64\qstvtw.exe  khxiytdp.exe
File opened for modification  C:\Windows\SysWOW64\ukhyq.exe  keoquwf.exe
File created  C:\Windows\SysWOW64\jlnzjw.exe  dxjnfx.exe
File opened for modification  C:\Windows\SysWOW64\ygiiylic.exe  cvsxk.exe
File opened for modification  C:\Windows\SysWOW64\ymswftsy.exe  yizhm.exe
File opened for modification  C:\Windows\SysWOW64\osdoygn.exe  hwzpaz.exe
File created  C:\Windows\SysWOW64\dxzrq.exe  azbgwaok.exe
File opened for modification  C:\Windows\SysWOW64\midduyt.exe  lybin.exe
File opened for modification  C:\Windows\SysWOW64\keoquwf.exe  ywsysqy.exe
File opened for modification  C:\Windows\SysWOW64\vroaoukg.exe  jqtqq.exe
File opened for modification  C:\Windows\SysWOW64\krsxplu.exe  ubrujgpw.exe
File created  C:\Windows\SysWOW64\dlhnf.exe  fcsuzozf.exe
File created  C:\Windows\SysWOW64\apxmk.exe  gvzag.exe
File created  C:\Windows\SysWOW64\jvnji.exe  tbzqh.exe
File created  C:\Windows\SysWOW64\veywtmod.exe  uktuhqtc.exe
File opened for modification  C:\Windows\SysWOW64\ofhmxvx.exe  bpfli.exe
File created  C:\Windows\SysWOW64\xhuvvl.exe  vxqmni.exe
File created  C:\Windows\SysWOW64\midduyt.exe  lybin.exe
File created  C:\Windows\SysWOW64\hwzpaz.exe  bbxaq.exe
File created  C:\Windows\SysWOW64\lfnwc.exe  bfkolnt.exe
File opened for modification  C:\Windows\SysWOW64\gdsqnzkp.exe  uikca.exe
File opened for modification  C:\Windows\SysWOW64\qstvtw.exe  khxiytdp.exe
File created  C:\Windows\SysWOW64\jqtqq.exe  okhpj.exe
File created  C:\Windows\SysWOW64\loqddl.exe  pbgzyq.exe
File opened for modification  C:\Windows\SysWOW64\lhkzaj.exe  dxzrq.exe
File opened for modification  C:\Windows\SysWOW64\jjcihmfk.exe  cabbnku.exe
File opened for modification  C:\Windows\SysWOW64\vopbc.exe  qstvtw.exe
File opened for modification  C:\Windows\SysWOW64\pieglrkf.exe  fsowrirz.exe
File opened for modification  C:\Windows\SysWOW64\nthjyjco.exe  bwyyfhl.exe
File created  C:\Windows\SysWOW64\sdezpa.exe  ebeizbdr.exe
File opened for modification  C:\Windows\SysWOW64\bvyfjkzd.exe  jwgsvzdn.exe
File opened for modification  C:\Windows\SysWOW64\mufngyx.exe  cceeb.exe
File created  C:\Windows\SysWOW64\lbfggrup.exe  ftsjh.exe
File opened for modification  C:\Windows\SysWOW64\vsysw.exe  lvtxk.exe
File opened for modification  C:\Windows\SysWOW64\lbhzt.exe  bgmfihr.exe
File opened for modification  C:\Windows\SysWOW64\xhdjdtoe.exe  bcdslif.exe
File created  C:\Windows\SysWOW64\zpfmxzt.exe  qwgll.exe
File opened for modification  C:\Windows\SysWOW64\dpfatz.exe  hvqse.exe
File opened for modification  C:\Windows\SysWOW64\hdpchju.exe  sxhjzp.exe
File created  C:\Windows\SysWOW64\bcdslif.exe  dicyzwh.exe
File created  C:\Windows\SysWOW64\ebeizbdr.exe  xyhesi.exe
File created  C:\Windows\SysWOW64\grlwiz.exe  gyrpzw.exe
File created  C:\Windows\SysWOW64\ftsjh.exe  agnbavk.exe
File opened for modification  C:\Windows\SysWOW64\vnvro.exe  zdtqo.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description  pid  Process
All 64 entries are Token: SeDebugPrivilege.
2932  ea1dab772ea67edd7a56a3e641dbfa19_JaffaCakes118.exe
3024  qvlre.exe
2624  zzjdimu.exe
2688  kkfdny.exe
2720  wpujtqv.exe
2464  zxnulyim.exe
2480  qkivzrv.exe
2940  kbookpr.exe
596  ywsysqy.exe
1536  keoquwf.exe
2604  ukhyq.exe
2512  bgmfihr.exe
2000  lbhzt.exe
612  vulgtcgo.exe
1628  xxzavap.exe
112  xwspavmx.exe
2208  hvqse.exe
2136  dpfatz.exe
1164  bdjxdwuo.exe
2368  okjrppho.exe
2148  ueqwqsdo.exe
2980  lkffwfkc.exe
1424  qrshnkh.exe
1688  wzccsez.exe
1300  tdgrun.exe
1988  ymlql.exe
1964  gaykyl.exe
2300  ieeibgy.exe
2232  dxjnfx.exe
2220  jlnzjw.exe
2332  dwvue.exe
2888  okhpj.exe
2020  jqtqq.exe
2992  vroaoukg.exe
2524  nemddciu.exe
2560  vjmxvx.exe
2568  vqeuarap.exe
2548  qctwv.exe
860  gefoqe.exe
2580  gvrif.exe
2636  ehyzi.exe
2372  yqkskhv.exe
1904  kxsrizoc.exe
700  jyqfmxf.exe
1168  ubrujgpw.exe
2764  krsxplu.exe
2808  zlidt.exe
1948  osaizgo.exe
1680  pxjlne.exe
280  vmvlrchn.exe
2732  yizhm.exe
320  ymswftsy.exe
2292  sovjp.exe
2876  naimyg.exe
3048  athauqpo.exe
2868  cijutnpj.exe
2984  hfcymmab.exe
1172  sxhjzp.exe
1552  hdpchju.exe
2156  oosqlwxn.exe
2388  rwshlf.exe
1572  jlornlgz.exe
2236  ugefco.exe
2144  pinwbvsl.exe
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target
Each hop below is logged four times in the report (64 entries for 16 hops).
PID 2932 wrote to memory of 3024  ea1dab772ea67edd7a56a3e641dbfa19_JaffaCakes118.exe  28  (x4)
PID 3024 wrote to memory of 2624  qvlre.exe  29  (x4)
PID 2624 wrote to memory of 2688  zzjdimu.exe  30  (x4)
PID 2688 wrote to memory of 2720  kkfdny.exe  31  (x4)
PID 2720 wrote to memory of 2464  wpujtqv.exe  32  (x4)
PID 2464 wrote to memory of 2480  zxnulyim.exe  33  (x4)
PID 2480 wrote to memory of 2940  qkivzrv.exe  34  (x4)
PID 2940 wrote to memory of 596  kbookpr.exe  35  (x4)
PID 596 wrote to memory of 1536  ywsysqy.exe  36  (x4)
PID 1536 wrote to memory of 2604  keoquwf.exe  37  (x4)
PID 2604 wrote to memory of 2512  ukhyq.exe  38  (x4)
PID 2512 wrote to memory of 2000  bgmfihr.exe  39  (x4)
PID 2000 wrote to memory of 612  lbhzt.exe  40  (x4)
PID 612 wrote to memory of 1628  vulgtcgo.exe  41  (x4)
PID 1628 wrote to memory of 112  xxzavap.exe  42  (x4)
PID 112 wrote to memory of 2208  xwspavmx.exe  43  (x4)
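The WriteProcessMemory entries are the same chain as the Processes tree that follows: each process writes into exactly one child, which then becomes the next writer, so the 16 hops recorded here are one straight line from PID 2932 down to 2208 with no branching. The Python below is an added example (not code from the report or the sandbox) that rebuilds that chain from lines in the report's own text format, collapses the four-fold repeats, and cross-checks the chain against the "Executes dropped EXE" table, so that a branch, a cycle or a writer whose image name disagrees with the dropped-file list is reported instead of silently accepted. The sample is an excerpt of the report's first three hops with their repeats; the regex and the consistency rules are assumptions made for the example.

```python
"""Rebuild the spawn chain from the 'Suspicious use of WriteProcessMemory'
entries of a Triage-style report and cross-check it against the
'Executes dropped EXE' list.

Added example; not code from the report or from the sandbox. The regex and
the consistency rules are assumptions about the report's text format."""
import re
from collections import Counter, defaultdict

# Excerpt: the report's first three hops. Each hop is logged four times in
# the original (64 entries for 16 hops), so the repeats are reproduced here.
SAMPLE = " ".join(
    ["PID 2932 wrote to memory of 3024 2932 "
     "ea1dab772ea67edd7a56a3e641dbfa19_JaffaCakes118.exe 28"] * 4
    + ["PID 3024 wrote to memory of 2624 3024 qvlre.exe 29"] * 4
    + ["PID 2624 wrote to memory of 2688 2624 zzjdimu.exe 30"] * 4
)

# Excerpt of the report's 'Executes dropped EXE' table (pid -> image name).
DROPPED = {3024: "qvlre.exe", 2624: "zzjdimu.exe", 2688: "kkfdny.exe"}

# One entry: 'PID <src> wrote to memory of <dst> <src> <src image> <procid_target>'
HOP_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<proc>\S+) (?P<target>\d+)"
)


def parse_hops(text):
    """Return {(writer_pid, target_pid, writer_image): occurrences}."""
    counts = Counter()
    for m in HOP_RE.finditer(text):
        counts[(int(m["src"]), int(m["dst"]), m["proc"])] += 1
    return counts


def build_chain(counts, root):
    """Follow writer -> target links from `root`. Returns (pids, names).
    Raises if some pid wrote into more than one distinct process or the
    links form a cycle, i.e. the tree is not a single linear chain."""
    children = defaultdict(set)
    names = {}
    for src, dst, proc in counts:
        children[src].add(dst)
        names[src] = proc
    chain, seen = [root], {root}
    while children.get(chain[-1]):
        kids = children[chain[-1]]
        if len(kids) != 1:
            raise ValueError(f"pid {chain[-1]} wrote into {len(kids)} processes")
        nxt = next(iter(kids))
        if nxt in seen:
            raise ValueError(f"cycle at pid {nxt}")
        chain.append(nxt)
        seen.add(nxt)
    return chain, names


def check_against_dropped(chain, names, dropped):
    """Every non-root pid in the chain must be a dropped EXE, and the image
    recorded for a writer must match the dropped-EXE name for that pid.
    Returns a list of human-readable mismatches (empty when consistent)."""
    problems = []
    for pid in chain[1:]:
        if pid not in dropped:
            problems.append(f"pid {pid} in chain but not in dropped-EXE list")
        elif pid in names and names[pid] != dropped[pid]:
            problems.append(f"pid {pid}: writer {names[pid]} != dropped {dropped[pid]}")
    return problems


if __name__ == "__main__":
    counts = parse_hops(SAMPLE)
    chain, names = build_chain(counts, root=2932)
    print(" -> ".join(f"{pid}:{names.get(pid, DROPPED.get(pid, '?'))}" for pid in chain))
    print("hops:", len(counts), "repeats per hop:", set(counts.values()))
    print("inconsistencies:", check_against_dropped(chain, names, DROPPED) or "none")
```

On the full table the chain has 17 pids and every hop carries a count of 4; a count other than 4 on one hop, or a pid with two children, would mean the report was truncated or the sample does something other than spawn-and-hand-off at that stage.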
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\ea1dab772ea67edd7a56a3e641dbfa19_JaffaCakes118.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\ea1dab772ea67edd7a56a3e641dbfa19_JaffaCakes118.exe"
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2932
[2] C:\Windows\SysWOW64\qvlre.exe
    cmdline: C:\Windows\system32\qvlre.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3024
[3] C:\Windows\SysWOW64\zzjdimu.exe
    cmdline: C:\Windows\system32\zzjdimu.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2624
[4] C:\Windows\SysWOW64\kkfdny.exe
    cmdline: C:\Windows\system32\kkfdny.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2688
[5] C:\Windows\SysWOW64\wpujtqv.exe
    cmdline: C:\Windows\system32\wpujtqv.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2720
[6] C:\Windows\SysWOW64\zxnulyim.exe
    cmdline: C:\Windows\system32\zxnulyim.exe
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2464
[7] C:\Windows\SysWOW64\qkivzrv.exe
    cmdline: C:\Windows\system32\qkivzrv.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2480
[8] C:\Windows\SysWOW64\kbookpr.exe
    cmdline: C:\Windows\system32\kbookpr.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2940
[9] C:\Windows\SysWOW64\ywsysqy.exe
    cmdline: C:\Windows\system32\ywsysqy.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 596
[10] C:\Windows\SysWOW64\keoquwf.exe
    cmdline: C:\Windows\system32\keoquwf.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1536
[11] C:\Windows\SysWOW64\ukhyq.exe
    cmdline: C:\Windows\system32\ukhyq.exe
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2604
[12] C:\Windows\SysWOW64\bgmfihr.exe
    cmdline: C:\Windows\system32\bgmfihr.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2512
[13] C:\Windows\SysWOW64\lbhzt.exe
    cmdline: C:\Windows\system32\lbhzt.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2000
[14] C:\Windows\SysWOW64\vulgtcgo.exe
    cmdline: C:\Windows\system32\vulgtcgo.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 612
[15] C:\Windows\SysWOW64\xxzavap.exe
    cmdline: C:\Windows\system32\xxzavap.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1628
[16] C:\Windows\SysWOW64\xwspavmx.exe
    cmdline: C:\Windows\system32\xwspavmx.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 112
[17] C:\Windows\SysWOW64\hvqse.exe
    cmdline: C:\Windows\system32\hvqse.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID: 2208
[18] C:\Windows\SysWOW64\dpfatz.exe
    cmdline: C:\Windows\system32\dpfatz.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID: 2136
[19] C:\Windows\SysWOW64\bdjxdwuo.exe
    cmdline: C:\Windows\system32\bdjxdwuo.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID: 1164
[20] C:\Windows\SysWOW64\okjrppho.exe
    cmdline: C:\Windows\system32\okjrppho.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID: 2368
[21] C:\Windows\SysWOW64\ueqwqsdo.exe
    cmdline: C:\Windows\system32\ueqwqsdo.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID: 2148
[22] C:\Windows\SysWOW64\lkffwfkc.exe
    cmdline: C:\Windows\system32\lkffwfkc.exe
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID: 2980
[23] C:\Windows\SysWOW64\qrshnkh.exe
    cmdline: C:\Windows\system32\qrshnkh.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID: 1424
[24] C:\Windows\SysWOW64\wzccsez.exe
    cmdline: C:\Windows\system32\wzccsez.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID: 1688
[25] C:\Windows\SysWOW64\tdgrun.exe
    cmdline: C:\Windows\system32\tdgrun.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID: 1300
[26] C:\Windows\SysWOW64\ymlql.exe
    cmdline: C:\Windows\system32\ymlql.exe
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID: 1988
[27] C:\Windows\SysWOW64\gaykyl.exe
    cmdline: C:\Windows\system32\gaykyl.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID: 1964
[28] C:\Windows\SysWOW64\ieeibgy.exe
    cmdline: C:\Windows\system32\ieeibgy.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID: 2300
[29] C:\Windows\SysWOW64\dxjnfx.exe
    cmdline: C:\Windows\system32\dxjnfx.exe
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID: 2232
[30] C:\Windows\SysWOW64\jlnzjw.exe
    cmdline: C:\Windows\system32\jlnzjw.exe
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID: 2220
[31] C:\Windows\SysWOW64\dwvue.exe
    cmdline: C:\Windows\system32\dwvue.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID: 2332
C:\Windows\SysWOW64\okhpj.exeC:\Windows\system32\okhpj.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2888 -
C:\Windows\SysWOW64\jqtqq.exeC:\Windows\system32\jqtqq.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2020 -
C:\Windows\SysWOW64\vroaoukg.exeC:\Windows\system32\vroaoukg.exe34⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2992 -
C:\Windows\SysWOW64\nemddciu.exeC:\Windows\system32\nemddciu.exe35⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2524 -
C:\Windows\SysWOW64\vjmxvx.exeC:\Windows\system32\vjmxvx.exe36⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2560 -
C:\Windows\SysWOW64\vqeuarap.exeC:\Windows\system32\vqeuarap.exe37⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2568 -
C:\Windows\SysWOW64\qctwv.exeC:\Windows\system32\qctwv.exe38⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2548 -
C:\Windows\SysWOW64\gefoqe.exeC:\Windows\system32\gefoqe.exe39⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:860 -
C:\Windows\SysWOW64\gvrif.exeC:\Windows\system32\gvrif.exe40⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2580 -
C:\Windows\SysWOW64\ehyzi.exeC:\Windows\system32\ehyzi.exe41⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2636 -
C:\Windows\SysWOW64\yqkskhv.exeC:\Windows\system32\yqkskhv.exe42⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2372 -
C:\Windows\SysWOW64\kxsrizoc.exeC:\Windows\system32\kxsrizoc.exe43⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1904 -
C:\Windows\SysWOW64\jyqfmxf.exeC:\Windows\system32\jyqfmxf.exe44⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:700 -
C:\Windows\SysWOW64\ubrujgpw.exeC:\Windows\system32\ubrujgpw.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1168 -
C:\Windows\SysWOW64\krsxplu.exeC:\Windows\system32\krsxplu.exe46⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2764 -
C:\Windows\SysWOW64\zlidt.exeC:\Windows\system32\zlidt.exe47⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2808 -
C:\Windows\SysWOW64\osaizgo.exeC:\Windows\system32\osaizgo.exe48⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1948 -
C:\Windows\SysWOW64\pxjlne.exeC:\Windows\system32\pxjlne.exe49⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1680 -
C:\Windows\SysWOW64\vmvlrchn.exeC:\Windows\system32\vmvlrchn.exe50⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:280 -
C:\Windows\SysWOW64\yizhm.exeC:\Windows\system32\yizhm.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2732 -
C:\Windows\SysWOW64\ymswftsy.exeC:\Windows\system32\ymswftsy.exe52⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:320 -
C:\Windows\SysWOW64\sovjp.exeC:\Windows\system32\sovjp.exe53⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2292 -
C:\Windows\SysWOW64\naimyg.exeC:\Windows\system32\naimyg.exe54⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2876 -
C:\Windows\SysWOW64\athauqpo.exeC:\Windows\system32\athauqpo.exe55⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3048 -
C:\Windows\SysWOW64\cijutnpj.exeC:\Windows\system32\cijutnpj.exe56⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2868 -
C:\Windows\SysWOW64\hfcymmab.exeC:\Windows\system32\hfcymmab.exe57⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2984 -
C:\Windows\SysWOW64\sxhjzp.exeC:\Windows\system32\sxhjzp.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1172 -
C:\Windows\SysWOW64\hdpchju.exeC:\Windows\system32\hdpchju.exe59⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1552 -
C:\Windows\SysWOW64\oosqlwxn.exeC:\Windows\system32\oosqlwxn.exe60⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2156 -
C:\Windows\SysWOW64\rwshlf.exeC:\Windows\system32\rwshlf.exe61⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2388 -
C:\Windows\SysWOW64\jlornlgz.exeC:\Windows\system32\jlornlgz.exe62⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1572 -
C:\Windows\SysWOW64\ugefco.exeC:\Windows\system32\ugefco.exe63⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2236 -
C:\Windows\SysWOW64\pinwbvsl.exeC:\Windows\system32\pinwbvsl.exe64⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2144 -
C:\Windows\SysWOW64\czpuvrpl.exeC:\Windows\system32\czpuvrpl.exe65⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\evccr.exeC:\Windows\system32\evccr.exe66⤵PID:2988
-
C:\Windows\SysWOW64\jerky.exeC:\Windows\system32\jerky.exe67⤵PID:2628
-
C:\Windows\SysWOW64\aupkd.exeC:\Windows\system32\aupkd.exe68⤵
- Adds Run key to start application
PID:2280 -
C:\Windows\SysWOW64\fsowrirz.exeC:\Windows\system32\fsowrirz.exe69⤵
- Drops file in System32 directory
PID:2440 -
C:\Windows\SysWOW64\pieglrkf.exeC:\Windows\system32\pieglrkf.exe70⤵PID:2432
-
C:\Windows\SysWOW64\tmgcbxn.exeC:\Windows\system32\tmgcbxn.exe71⤵PID:2936
-
C:\Windows\SysWOW64\olrvd.exeC:\Windows\system32\olrvd.exe72⤵PID:584
-
C:\Windows\SysWOW64\fsrvgsx.exeC:\Windows\system32\fsrvgsx.exe73⤵PID:1116
-
C:\Windows\SysWOW64\bgstg.exeC:\Windows\system32\bgstg.exe74⤵PID:2780
-
C:\Windows\SysWOW64\zpdznj.exeC:\Windows\system32\zpdznj.exe75⤵PID:1720
-
C:\Windows\SysWOW64\ylkaa.exeC:\Windows\system32\ylkaa.exe76⤵PID:2248
-
C:\Windows\SysWOW64\lloupud.exeC:\Windows\system32\lloupud.exe77⤵
- Adds Run key to start application
PID:2312 -
C:\Windows\SysWOW64\bbxaq.exeC:\Windows\system32\bbxaq.exe78⤵
- Drops file in System32 directory
PID:856 -
C:\Windows\SysWOW64\hwzpaz.exeC:\Windows\system32\hwzpaz.exe79⤵
- Drops file in System32 directory
PID:2088 -
C:\Windows\SysWOW64\osdoygn.exeC:\Windows\system32\osdoygn.exe80⤵PID:1604
-
C:\Windows\SysWOW64\qbxmkys.exeC:\Windows\system32\qbxmkys.exe81⤵PID:2872
-
C:\Windows\SysWOW64\vaxajb.exeC:\Windows\system32\vaxajb.exe82⤵PID:2996
-
C:\Windows\SysWOW64\tywgusge.exeC:\Windows\system32\tywgusge.exe83⤵
- Adds Run key to start application
PID:1912 -
C:\Windows\SysWOW64\blgdlzoi.exeC:\Windows\system32\blgdlzoi.exe84⤵PID:984
-
C:\Windows\SysWOW64\vaziuhug.exeC:\Windows\system32\vaziuhug.exe85⤵PID:936
-
C:\Windows\SysWOW64\xnwiar.exeC:\Windows\system32\xnwiar.exe86⤵PID:2336
-
C:\Windows\SysWOW64\uxxjfhbm.exeC:\Windows\system32\uxxjfhbm.exe87⤵PID:2884
-
C:\Windows\SysWOW64\hbsmlyd.exeC:\Windows\system32\hbsmlyd.exe88⤵PID:884
-
C:\Windows\SysWOW64\aaccw.exeC:\Windows\system32\aaccw.exe89⤵PID:1588
-
C:\Windows\SysWOW64\xunat.exeC:\Windows\system32\xunat.exe90⤵
- Adds Run key to start application
PID:2680 -
C:\Windows\SysWOW64\kjiaef.exeC:\Windows\system32\kjiaef.exe91⤵PID:2788
-
C:\Windows\SysWOW64\aahopw.exeC:\Windows\system32\aahopw.exe92⤵PID:2488
-
C:\Windows\SysWOW64\bkjchy.exeC:\Windows\system32\bkjchy.exe93⤵PID:816
-
C:\Windows\SysWOW64\rquzmly.exeC:\Windows\system32\rquzmly.exe94⤵
- Adds Run key to start application
PID:2592 -
C:\Windows\SysWOW64\ccfjjtd.exeC:\Windows\system32\ccfjjtd.exe95⤵
- Drops file in System32 directory
PID:1764 -
C:\Windows\SysWOW64\edlpyz.exeC:\Windows\system32\edlpyz.exe96⤵PID:2476
-
C:\Windows\SysWOW64\rztdc.exeC:\Windows\system32\rztdc.exe97⤵PID:1996
-
C:\Windows\SysWOW64\qxazube.exeC:\Windows\system32\qxazube.exe98⤵
- Drops file in System32 directory
PID:2092 -
C:\Windows\SysWOW64\bhqvvxu.exeC:\Windows\system32\bhqvvxu.exe99⤵PID:812
-
C:\Windows\SysWOW64\cpvlh.exeC:\Windows\system32\cpvlh.exe100⤵
- Adds Run key to start application
PID:1908 -
C:\Windows\SysWOW64\geypxch.exeC:\Windows\system32\geypxch.exe101⤵PID:540
-
C:\Windows\SysWOW64\pudnjhgm.exeC:\Windows\system32\pudnjhgm.exe102⤵PID:1392
-
C:\Windows\SysWOW64\bbcvje.exeC:\Windows\system32\bbcvje.exe103⤵PID:1276
-
C:\Windows\SysWOW64\eozsgnyq.exeC:\Windows\system32\eozsgnyq.exe104⤵PID:1716
-
C:\Windows\SysWOW64\bfkolnt.exeC:\Windows\system32\bfkolnt.exe105⤵
- Drops file in System32 directory
PID:3020 -
C:\Windows\SysWOW64\lfnwc.exeC:\Windows\system32\lfnwc.exe106⤵PID:2044
-
C:\Windows\SysWOW64\qwprbf.exeC:\Windows\system32\qwprbf.exe107⤵PID:1124
-
C:\Windows\SysWOW64\dicyzwh.exeC:\Windows\system32\dicyzwh.exe108⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:3032 -
C:\Windows\SysWOW64\bcdslif.exeC:\Windows\system32\bcdslif.exe109⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:1772 -
C:\Windows\SysWOW64\xhdjdtoe.exeC:\Windows\system32\xhdjdtoe.exe110⤵PID:2060
-
C:\Windows\SysWOW64\hgnufls.exeC:\Windows\system32\hgnufls.exe111⤵PID:1100
-
C:\Windows\SysWOW64\idxssufa.exeC:\Windows\system32\idxssufa.exe112⤵PID:1960
-
C:\Windows\SysWOW64\ozmnmh.exeC:\Windows\system32\ozmnmh.exe113⤵PID:1496
-
C:\Windows\SysWOW64\pvieqftg.exeC:\Windows\system32\pvieqftg.exe114⤵PID:2564
-
C:\Windows\SysWOW64\ciyfelbo.exeC:\Windows\system32\ciyfelbo.exe115⤵PID:2528
-
C:\Windows\SysWOW64\lqwowm.exeC:\Windows\system32\lqwowm.exe116⤵
- Adds Run key to start application
PID:2792 -
C:\Windows\SysWOW64\vljxn.exeC:\Windows\system32\vljxn.exe117⤵PID:2716
-
C:\Windows\SysWOW64\xvbcmx.exeC:\Windows\system32\xvbcmx.exe118⤵PID:1596
-
C:\Windows\SysWOW64\waxhgksi.exeC:\Windows\system32\waxhgksi.exe119⤵PID:1812
-
C:\Windows\SysWOW64\zzotm.exeC:\Windows\system32\zzotm.exe120⤵PID:1624
-
C:\Windows\SysWOW64\elcnhhxb.exeC:\Windows\system32\elcnhhxb.exe121⤵
- Adds Run key to start application
PID:392 -
C:\Windows\SysWOW64\iiertmpo.exeC:\Windows\system32\iiertmpo.exe122⤵PID:1696