ad8dafe6ca1d1134f9aef1a9887b76b57e0f313565c652cd15211056eee754e0

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13/05/2024, 10:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3f0011a013bd8052ae71f594ada0eeb9_JaffaCakes118.dll
Size

36KB
MD5

3f0011a013bd8052ae71f594ada0eeb9
SHA1

461c9509bd2da1f642d2fc4924f7493d09f4f55a
SHA256

ad8dafe6ca1d1134f9aef1a9887b76b57e0f313565c652cd15211056eee754e0
SHA512

546c2e53459c0ec19dfb43167c46d48eedc0b97072a3af61f04c2c5c57d50fc82645f9f2ae400ab07566bf0503f9688f91ed4d227030ae82dd0b998d340dbde7
SSDEEP

768:BsWUAohfjiT5ediUOI0+FNSW3YO5z+b+hCFfHMclBSI3ty5:60qfWT5MpOI0ekW3Ft+eul4Yty5

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
3560	hrlF368.tmp
4268	yqewma.exe
1976	yqewma.exe
2556	yqewma.exe
1924	yqewma.exe
2716	yqewma.exe
3580	hrl26BE.tmp
2212	yqewma.exe
4128	yqewma.exe
4728	yqewma.exe
324	yqewma.exe
4396	yqewma.exe
1596	yqewma.exe
1308	yqewma.exe
1608	yqewma.exe
1976	yqewma.exe
3204	yqewma.exe
4344	yqewma.exe
2716	yqewma.exe
3944	yqewma.exe
4440	yqewma.exe
4500	yqewma.exe
2928	yqewma.exe
608	yqewma.exe
3364	yqewma.exe
928	yqewma.exe
4880	yqewma.exe
2152	yqewma.exe
4140	yqewma.exe
2756	yqewma.exe
720	yqewma.exe
5048	yqewma.exe
4548	yqewma.exe
1732	yqewma.exe
3020	yqewma.exe
324	yqewma.exe
1612	yqewma.exe
3440	yqewma.exe
3884	yqewma.exe
1004	yqewma.exe
2128	yqewma.exe
4644	yqewma.exe
2268	yqewma.exe
1932	hrl8643.tmp
4344	yqewma.exe
2300	yqewma.exe
5048	yqewma.exe
4044	yqewma.exe
4428	yqewma.exe
4160	yqewma.exe
4660	yqewma.exe
4384	yqewma.exe
3288	yqewma.exe
4064	yqewma.exe
1652	yqewma.exe
4876	yqewma.exe
1620	yqewma.exe
5040	yqewma.exe
1556	yqewma.exe
1552	yqewma.exe
2296	yqewma.exe
320	yqewma.exe
4356	yqewma.exe
4956	yqewma.exe

Loads dropped DLL 64 IoCs

pid	Process
4268	yqewma.exe
1976	yqewma.exe
2556	yqewma.exe
1924	yqewma.exe
2716	yqewma.exe
2212	yqewma.exe
4128	yqewma.exe
4728	yqewma.exe
324	yqewma.exe
4396	yqewma.exe
1596	yqewma.exe
1308	yqewma.exe
1608	yqewma.exe
1976	yqewma.exe
3204	yqewma.exe
4344	yqewma.exe
2716	yqewma.exe
3944	yqewma.exe
4440	yqewma.exe
4500	yqewma.exe
2928	yqewma.exe
608	yqewma.exe
3364	yqewma.exe
928	yqewma.exe
4880	yqewma.exe
2152	yqewma.exe
4140	yqewma.exe
2756	yqewma.exe
720	yqewma.exe
5048	yqewma.exe
4548	yqewma.exe
1732	yqewma.exe
3020	yqewma.exe
324	yqewma.exe
1612	yqewma.exe
3440	yqewma.exe
3884	yqewma.exe
1004	yqewma.exe
2128	yqewma.exe
4644	yqewma.exe
2268	yqewma.exe
4344	yqewma.exe
2300	yqewma.exe
5048	yqewma.exe
4044	yqewma.exe
4428	yqewma.exe
4160	yqewma.exe
4660	yqewma.exe
4384	yqewma.exe
3288	yqewma.exe
4064	yqewma.exe
1652	yqewma.exe
4876	yqewma.exe
1620	yqewma.exe
5040	yqewma.exe
1556	yqewma.exe
1552	yqewma.exe
2296	yqewma.exe
320	yqewma.exe
4356	yqewma.exe
4956	yqewma.exe
1596	yqewma.exe
1404	yqewma.exe
4080	yqewma.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000800000002326d-2.dat	upx
behavioral2/memory/3560-3-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/3560-9-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/4268-20-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/1976-32-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/2556-44-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/1924-57-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/2716-72-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/3580-75-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/2212-86-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/4128-98-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/4728-110-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/324-122-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/4396-134-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/1596-146-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/1308-158-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/1608-171-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/1976-184-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/3204-196-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/4344-209-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/2716-221-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/3944-233-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/4440-245-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/4500-257-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/2928-266-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/608-276-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/3364-285-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/928-294-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/4880-304-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/2152-314-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/4140-324-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/2756-334-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/720-344-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/5048-354-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/4548-363-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/1732-372-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/3020-382-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/324-392-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/1612-402-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/3440-412-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/3884-422-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/1004-432-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/2128-442-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/4644-452-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/2268-462-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/4344-472-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/2300-481-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/5048-491-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/4044-500-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/4428-509-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/4160-518-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/4660-527-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/4384-536-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/3288-546-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/4064-556-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/1652-565-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/4876-575-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/1620-584-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/1620-585-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/5040-594-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/1556-604-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/1552-614-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/2296-623-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/320-633-0x0000000000400000-0x0000000000412000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File created	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	yqewma.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\yqewma.exe	hrlF368.tmp
File opened for modification	C:\Windows\yqewma.exe	hrlF368.tmp

Checks processor information in registry 2 TTPs 58 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	yqewma.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	yqewma.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	yqewma.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	yqewma.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	yqewma.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	yqewma.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	yqewma.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	yqewma.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	yqewma.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	yqewma.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	yqewma.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	yqewma.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	yqewma.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	yqewma.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	yqewma.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	yqewma.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	yqewma.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	yqewma.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	yqewma.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	yqewma.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	yqewma.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	yqewma.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	yqewma.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	yqewma.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	yqewma.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	yqewma.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	yqewma.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	yqewma.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	yqewma.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	yqewma.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	yqewma.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	yqewma.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	yqewma.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	yqewma.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	yqewma.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	yqewma.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	yqewma.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	yqewma.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	yqewma.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	yqewma.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	yqewma.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	yqewma.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	yqewma.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	yqewma.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	yqewma.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	yqewma.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	yqewma.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	yqewma.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	yqewma.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	yqewma.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	yqewma.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	yqewma.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	yqewma.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	yqewma.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	yqewma.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	yqewma.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	yqewma.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	yqewma.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4964 wrote to memory of 4660	4964	rundll32.exe	89
PID 4964 wrote to memory of 4660	4964	rundll32.exe	89
PID 4964 wrote to memory of 4660	4964	rundll32.exe	89
PID 4660 wrote to memory of 3560	4660	rundll32.exe	90
PID 4660 wrote to memory of 3560	4660	rundll32.exe	90
PID 4660 wrote to memory of 3560	4660	rundll32.exe	90
PID 2716 wrote to memory of 3580	2716	yqewma.exe	101
PID 2716 wrote to memory of 3580	2716	yqewma.exe	101
PID 2716 wrote to memory of 3580	2716	yqewma.exe	101
PID 2268 wrote to memory of 1932	2268	yqewma.exe	141
PID 2268 wrote to memory of 1932	2268	yqewma.exe	141
PID 2268 wrote to memory of 1932	2268	yqewma.exe	141
PID 1888 wrote to memory of 4388	1888	yqewma.exe	192
PID 1888 wrote to memory of 4388	1888	yqewma.exe	192
PID 1888 wrote to memory of 4388	1888	yqewma.exe	192
PID 3404 wrote to memory of 1144	3404	yqewma.exe	198
PID 3404 wrote to memory of 1144	3404	yqewma.exe	198
PID 3404 wrote to memory of 1144	3404	yqewma.exe	198
PID 4424 wrote to memory of 872	4424	yqewma.exe	231
PID 4424 wrote to memory of 872	4424	yqewma.exe	231
PID 4424 wrote to memory of 872	4424	yqewma.exe	231
PID 3976 wrote to memory of 4472	3976	yqewma.exe	233
PID 3976 wrote to memory of 4472	3976	yqewma.exe	233
PID 3976 wrote to memory of 4472	3976	yqewma.exe	233
PID 320 wrote to memory of 4688	320	yqewma.exe	253
PID 320 wrote to memory of 4688	320	yqewma.exe	253
PID 320 wrote to memory of 4688	320	yqewma.exe	253
PID 4572 wrote to memory of 4632	4572	yqewma.exe	260
PID 4572 wrote to memory of 4632	4572	yqewma.exe	260
PID 4572 wrote to memory of 4632	4572	yqewma.exe	260
PID 4640 wrote to memory of 100	4640	yqewma.exe	268
PID 4640 wrote to memory of 100	4640	yqewma.exe	268
PID 4640 wrote to memory of 100	4640	yqewma.exe	268
PID 4544 wrote to memory of 2852	4544	yqewma.exe	273
PID 4544 wrote to memory of 2852	4544	yqewma.exe	273
PID 4544 wrote to memory of 2852	4544	yqewma.exe	273
PID 912 wrote to memory of 3392	912	yqewma.exe	281
PID 912 wrote to memory of 3392	912	yqewma.exe	281
PID 912 wrote to memory of 3392	912	yqewma.exe	281
PID 4596 wrote to memory of 3608	4596	yqewma.exe	283
PID 4596 wrote to memory of 3608	4596	yqewma.exe	283
PID 4596 wrote to memory of 3608	4596	yqewma.exe	283

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3f0011a013bd8052ae71f594ada0eeb9_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4964
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3f0011a013bd8052ae71f594ada0eeb9_JaffaCakes118.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4660
- - C:\Users\Admin\AppData\Local\Temp\hrlF368.tmp
    C:\Users\Admin\AppData\Local\Temp\hrlF368.tmp
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:3560

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:4268

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1976

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2556

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1924

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Windows\TEMP\hrl26BE.tmp
  C:\Windows\TEMP\hrl26BE.tmp
  2⤵
  - Executes dropped EXE
  PID:3580

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2212

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4128

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4728

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:324

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:4396

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1596

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1308

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1608

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1976

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3204

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:4344

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2716

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3944

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4440

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:4500

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2928

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:608

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3364

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:928

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:4880

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2152

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4140

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2756

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:720

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5048

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:4548

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1732

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3020

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:324

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1612

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3440

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3884

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1004

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2128

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:4644

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\TEMP\hrl8643.tmp
  C:\Windows\TEMP\hrl8643.tmp
  2⤵
  - Executes dropped EXE
  PID:1932

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:4344

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2300

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:5048

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4044

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:4428

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:4160

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4660

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4384

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3288

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:4064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3764 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
1⤵
PID:3516

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1652

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4876

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1620

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5040

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1556

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1552

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2296

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:320

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4356

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4956

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Loads dropped DLL
PID:1596

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Loads dropped DLL
PID:1404

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Loads dropped DLL
PID:4080

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:2288

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:1460

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Drops file in System32 directory
PID:3596

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:2512

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:2964

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:2148

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:2656

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:3676

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Drops file in System32 directory
PID:4524

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:2340

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:2396

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:4108

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:4268

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:4384

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:4968

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:3884

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:1792

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:1152

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:2672

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:1932

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:3608

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:4508

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Drops file in System32 directory
PID:2808

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:4248

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Drops file in System32 directory
PID:772

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Windows\TEMP\hrl6BE.tmp
  C:\Windows\TEMP\hrl6BE.tmp
  2⤵
  PID:4388

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Drops file in System32 directory
PID:4304

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:2392

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:4944

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Drops file in System32 directory
PID:636

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3404
- C:\Windows\TEMP\hrl146A.tmp
  C:\Windows\TEMP\hrl146A.tmp
  2⤵
  PID:1144

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Drops file in System32 directory
PID:4588

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:2512

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:4404

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:4904

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:2656

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Drops file in System32 directory
PID:2192

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:1900

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:2340

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:1612

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:2060

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Drops file in System32 directory
- Checks processor information in registry
PID:1808

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:3316

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Drops file in System32 directory
PID:3204

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:4988

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Drops file in System32 directory
PID:1780

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Checks processor information in registry
PID:4588

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Drops file in System32 directory
PID:2988

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Checks processor information in registry
PID:2652

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:2148

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Drops file in System32 directory
PID:3972

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:2808

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Drops file in System32 directory
PID:2760

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:2140

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:4108

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:3164

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Drops file in System32 directory
PID:2208

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Drops file in System32 directory
PID:4392

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:3288

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Drops file in System32 directory
PID:4240

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:3596

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Drops file in System32 directory
PID:1064

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4424
- C:\Windows\TEMP\hrl6EFD.tmp
  C:\Windows\TEMP\hrl6EFD.tmp
  2⤵
  PID:872

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3976
- C:\Windows\TEMP\hrl722A.tmp
  C:\Windows\TEMP\hrl722A.tmp
  2⤵
  PID:4472

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:4404

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Drops file in System32 directory
PID:4584

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:3516

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:4604

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:2124

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Drops file in System32 directory
PID:2140

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Drops file in System32 directory
- Checks processor information in registry
PID:4068

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:3424

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Checks processor information in registry
PID:3248

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Drops file in System32 directory
PID:4944

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:3024

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Checks processor information in registry
PID:4876

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:4272

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Checks processor information in registry
PID:2964

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Drops file in System32 directory
PID:5044

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:4640

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Checks processor information in registry
PID:1960

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:4636

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:320
- C:\Windows\TEMP\hrlA8E9.tmp
  C:\Windows\TEMP\hrlA8E9.tmp
  2⤵
  PID:4688

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Checks processor information in registry
PID:2124

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Checks processor information in registry
PID:4108

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:3064

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:1216

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:2288

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4572
- C:\Windows\TEMP\hrlBB58.tmp
  C:\Windows\TEMP\hrlBB58.tmp
  2⤵
  PID:4632

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Checks processor information in registry
PID:4988

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Drops file in System32 directory
- Checks processor information in registry
PID:3480

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:4224

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Checks processor information in registry
PID:1644

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:756

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Drops file in System32 directory
PID:4648

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4640
- C:\Windows\TEMP\hrlD4BC.tmp
  C:\Windows\TEMP\hrlD4BC.tmp
  2⤵
  PID:100

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:456

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:2340

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Drops file in System32 directory
PID:3436

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4544
- C:\Windows\TEMP\hrlE19D.tmp
  C:\Windows\TEMP\hrlE19D.tmp
  2⤵
  PID:2852

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Drops file in System32 directory
- Checks processor information in registry
PID:3884

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:4080

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:508

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Checks processor information in registry
PID:4628

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:4016

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Drops file in System32 directory
PID:2336

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:912
- C:\Windows\TEMP\hrlF719.tmp
  C:\Windows\TEMP\hrlF719.tmp
  2⤵
  PID:3392

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Windows\TEMP\hrlFC97.tmp
  C:\Windows\TEMP\hrlFC97.tmp
  2⤵
  PID:3608

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:3568

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:3580

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:4044

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Checks processor information in registry
PID:4504

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Checks processor information in registry
PID:828

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Drops file in System32 directory
PID:4956

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Drops file in System32 directory
PID:3436

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Drops file in System32 directory
PID:1832

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:1596

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:4984

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Drops file in System32 directory
PID:4944

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:2644

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Drops file in System32 directory
PID:636

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Drops file in System32 directory
PID:3404

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:824

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:1556

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
- Drops file in System32 directory
PID:4200

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:2772

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:3528

C:\Windows\yqewma.exe
C:\Windows\yqewma.exe
1⤵
PID:3580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\RCX2110.tmp

Filesize
36KB

MD5
3f0011a013bd8052ae71f594ada0eeb9

SHA1
461c9509bd2da1f642d2fc4924f7493d09f4f55a

SHA256
ad8dafe6ca1d1134f9aef1a9887b76b57e0f313565c652cd15211056eee754e0

SHA512
546c2e53459c0ec19dfb43167c46d48eedc0b97072a3af61f04c2c5c57d50fc82645f9f2ae400ab07566bf0503f9688f91ed4d227030ae82dd0b998d340dbde7

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrlF368.tmp

Filesize
23KB

MD5
667e49ae0da46239e030f439c934f60e

SHA1
f4e6af5e20790408ce5b96bb5bc6d7cc172ebf96

SHA256
ff171611a18051b36a945f24a1a7125de420efa90fac7f07dee892b0e2d0ff4c

SHA512
c97174fd94d0ef2b7e34ebbf355d4bef5d3d4d7c95b45752a979649e27929f389221e947bf211cc175ccf16bf461725c48ed2d513829e5a64eb8d15088dd137d

Download Submit
C:\Windows\SysWOW64\hra8.dll

Filesize
12KB

MD5
de61de242b5500304af17e4661100ea5

SHA1
ed6c1fce0696ce100a93f2d3cea83a0475947e4f

SHA256
3c373fde7222d1e3c5a13339d37f3b5752374210ae09974b4f17baa261c3b9a5

SHA512
b393464bfd694bb314cf9c8f3d19ab6750cc65d9e3506c1b91a8658a227e9f8614b1f65b8eaa7b7e844d7308b450e690627e3eb1a8101ca80917c62233d1473f

Download Submit
memory/320-633-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/324-392-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/324-122-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/608-276-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/636-984-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/720-344-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/772-931-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/928-294-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1004-432-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1064-1306-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1152-861-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1308-158-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1404-671-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1460-701-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1552-614-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1556-604-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1596-661-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1596-146-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1608-171-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1612-402-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1612-1086-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1620-585-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1620-584-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1652-565-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1732-372-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1780-1146-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1792-851-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1808-1106-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1888-942-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1900-1066-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1924-57-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1932-881-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1976-32-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1976-184-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2060-1096-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2128-442-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2140-1226-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2148-1186-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2148-741-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2152-314-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2192-1056-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2208-1256-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2212-86-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2268-462-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2288-691-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2296-623-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2300-481-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2340-1076-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2340-781-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2392-964-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2396-791-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2512-721-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2512-1016-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2556-44-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2652-1176-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2656-751-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2656-1046-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2672-871-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2716-221-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2716-72-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2756-334-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2760-1216-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2808-911-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2808-1206-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2928-266-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2964-731-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2988-1166-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3020-382-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3164-1246-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3204-1126-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3204-196-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3288-546-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3288-1276-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3316-1116-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3364-285-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3404-995-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3440-412-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3560-3-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3560-9-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3580-75-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3596-711-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3596-1296-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3608-891-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3676-761-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3884-422-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3884-841-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3944-233-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3972-1196-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4044-500-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4064-556-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4080-681-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4108-1236-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4108-801-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4128-98-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4140-324-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4160-518-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4240-1286-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4248-921-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4268-20-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4268-811-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4304-954-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4304-944-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4344-472-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4344-209-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4356-642-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4384-821-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4384-536-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4392-1266-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4396-134-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4404-1026-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4428-509-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4440-245-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4500-257-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4508-901-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4524-771-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4548-363-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4588-1006-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4588-1156-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4644-452-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4660-527-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4728-110-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4876-575-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4880-304-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4904-1036-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4944-974-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4956-651-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4968-831-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4988-1136-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5040-594-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5048-354-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5048-491-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download