5e8bec3c94f5b8dd59824c28dccb4dc3f6b7cdade82160e7d2f6655f8a93628a

Analysis

max time kernel
108s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2024, 07:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

383709cb3885c660314067b7d9543bf3_JaffaCakes118.exe
Size

251KB
MD5

383709cb3885c660314067b7d9543bf3
SHA1

0d3f6cc4e3f72f174351fc614ea54025e0715b93
SHA256

5e8bec3c94f5b8dd59824c28dccb4dc3f6b7cdade82160e7d2f6655f8a93628a
SHA512

42a4ff2c262ca601f7862dee8cac91ffb389111aa88a9c6d751721bba74fe80323daa8c84a6c5b2b66275d8ef12ed4136ff2157097a7f1a7327f5a5d55279db7
SSDEEP

6144:TRazhwlUx2EHSgoy+2eOvJWPz1X5TrUM1a:FkSgGOvJ45XVs

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	lhcalgw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	augabhg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	scvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	scvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	xatgaub.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	scvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	scvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	scvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	xckpmsr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	cugibir.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	vzdegnf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	nayvhxc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	uriztgt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	scvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tukavja.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wmpwgxl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	scvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	scvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	scvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	rnkmbch.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	clhlfgq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	ogzwvfh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	uoqygce.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	ydpcrqm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	nivkrwe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	youaqpq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	apufrzb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	dbdzqqs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	yrdjvei.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	scvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	etbzavp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	scvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	lzexqal.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	nhetwbe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	dpzcnyi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	eksyjjl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	scvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	fbwwqbt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	dbbbcel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	qddsduj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	scvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	faklarb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wylasbh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	scvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	scvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	scvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	scvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	scvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	scvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	scvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	czunfvg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	jezvoxu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	scvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	scvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	scvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	cyxlprm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	bzxbafl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	lkultiv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	ftlqmev.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	funkhti.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	qpdfinc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	scvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	jydckwe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	vgxtgpd.exe

Executes dropped EXE 64 IoCs

pid	Process
4900	scvhost.exe
5044	gofthna.exe
1648	nhetwbe.exe
3916	scvhost.exe
1448	yrdjvei.exe
3480	ydpcrqm.exe
4820	scvhost.exe
4356	vezklvy.exe
3056	nayvhxc.exe
1052	scvhost.exe
3464	ftlqmev.exe
4724	scvhost.exe
4812	fmxlflk.exe
448	fbwwqbt.exe
4320	scvhost.exe
4248	ybtksip.exe
5024	fyeidob.exe
3884	scvhost.exe
4708	kzyolou.exe
3504	scvhost.exe
4548	dpzcnyi.exe
4000	nzysmau.exe
4592	scvhost.exe
4644	sfuleel.exe
1200	scvhost.exe
2184	fojbgtg.exe
2216	fliujjo.exe
2424	scvhost.exe
3972	nivkrwe.exe
4636	pdhsywq.exe
3084	scvhost.exe
1940	cyxlprm.exe
2900	zwfrcyw.exe
2736	scvhost.exe
4880	funkhti.exe
2188	scvhost.exe
1028	czunfvg.exe
1992	clhlfgq.exe
4900	scvhost.exe
4548	saawqbe.exe
936	scvhost.exe
4288	xckpmsr.exe
3236	cirklbw.exe
4648	scvhost.exe
932	eksyjjl.exe
3412	scvhost.exe
1684	xatgaub.exe
1564	scvhost.exe
4696	etbzavp.exe
3604	scvhost.exe
2420	whajwxu.exe
3988	eizklly.exe
4644	scvhost.exe
1200	rkgfixi.exe
816	scvhost.exe
3264	cugibir.exe
3176	ubhdrwg.exe
3464	scvhost.exe
3992	uriztgt.exe
1860	ursxyaj.exe
4724	scvhost.exe
3988	jezvoxu.exe
5048	scvhost.exe
4752	wrrysqv.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Configuration = "sspokqx.exe"	scvhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Configuration = "ycjpnmq.exe"	scvhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Configuration = "scvhost.exe"	nseqesu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Configuration = "youaqpq.exe"	scvhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Configuration = "scvhost.exe"	cthwfnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Configuration = "apufrzb.exe"	scvhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Configuration = "nayvhxc.exe"	vezklvy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Configuration = "scvhost.exe"	ursxyaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Configuration = "scvhost.exe"	sfuleel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Configuration = "vzdegnf.exe"	uoqygce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Configuration = "ursxyaj.exe"	uriztgt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Configuration = "scvhost.exe"	nseqesu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Configuration = "scvhost.exe"	fyeidob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Configuration = "whajwxu.exe"	scvhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Configuration = "scvhost.exe"	jydckwe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Configuration = "scvhost.exe"	qpdfinc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Configuration = "enkwzci.exe"	scvhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Configuration = "vezklvy.exe"	scvhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Configuration = "wrrysqv.exe"	scvhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Configuration = "scvhost.exe"	bmckrhe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Configuration = "scvhost.exe"	fbwwqbt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Configuration = "zwfrcyw.exe"	cyxlprm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Configuration = "scvhost.exe"	fliujjo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Configuration = "xatgaub.exe"	scvhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Configuration = "jezvoxu.exe"	scvhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Configuration = "scvhost.exe"	qddsduj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Configuration = "lzexqal.exe"	lhcalgw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Configuration = "fyeidob.exe"	ybtksip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Configuration = "sfuleel.exe"	scvhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Configuration = "scvhost.exe"	pdhsywq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Configuration = "scvhost.exe"	pbbhzbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Configuration = "scvhost.exe"	lhxkbzm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Configuration = "uoqygce.exe"	scvhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Configuration = "scvhost.exe"	xpwrhhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Configuration = "zpsahmr.exe"	funkhti.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Configuration = "scvhost.exe"	zpsahmr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Configuration = "jydckwe.exe"	scvhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Configuration = "eksyjjl.exe"	scvhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Configuration = "eizklly.exe"	whajwxu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Configuration = "etbzavp.exe"	scvhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Configuration = "uriztgt.exe"	scvhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Configuration = "scvhost.exe"	ogzwvfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Configuration = "dbdzqqs.exe"	dbbbcel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Configuration = "scvhost.exe"	nayvhxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Configuration = "nivkrwe.exe"	scvhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Configuration = "pbbhzbg.exe"	sspokqx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Configuration = "vgxtgpd.exe"	lkultiv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Configuration = "scvhost.exe"	vgxtgpd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Configuration = "wpoywze.exe"	scvhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Configuration = "wmpwgxl.exe"	bzxbafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Configuration = "dbbbcel.exe"	scvhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Configuration = "dbdzqqs.exe"	dbbbcel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Configuration = "scvhost.exe"	pbbhzbg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Configuration = "scvhost.exe"	wylasbh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Configuration = "scvhost.exe"	zwfrcyw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Configuration = "eksyjjl.exe"	scvhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Configuration = "scvhost.exe"	lzexqal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Configuration = "scvhost.exe"	ogzwvfh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Configuration = "avgplvr.exe"	scvhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Configuration = "scvhost.exe"	ekawnzh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Configuration = "scvhost.exe"	cojaadm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Configuration = "dpzcnyi.exe"	scvhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Configuration = "scvhost.exe"	saawqbe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Configuration = "augabhg.exe"	scvhost.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\SysWOW64\scvhost.exe	nayvhxc.exe
File opened for modification	C:\WINDOWS\SysWOW64\rbgcmbz.exe	scvhost.exe
File opened for modification	C:\WINDOWS\SysWOW64\scvhost.exe	pojahvd.exe
File created	C:\WINDOWS\SysWOW64\scvhost.exe	rbgcmbz.exe
File created	C:\WINDOWS\SysWOW64\scvhost.exe	scvhost.exe
File created	C:\WINDOWS\SysWOW64\scvhost.exe	edrxwlu.exe
File created	C:\WINDOWS\SysWOW64\scvhost.exe	scvhost.exe
File created	C:\WINDOWS\SysWOW64\scvhost.exe	cugibir.exe
File opened for modification	C:\WINDOWS\SysWOW64\uriztgt.exe	scvhost.exe
File opened for modification	C:\WINDOWS\SysWOW64\scvhost.exe	nseqesu.exe
File opened for modification	C:\WINDOWS\SysWOW64\scvhost.exe	sfuleel.exe
File created	C:\WINDOWS\SysWOW64\rkgfixi.exe	scvhost.exe
File opened for modification	C:\WINDOWS\SysWOW64\ursxyaj.exe	uriztgt.exe
File opened for modification	C:\WINDOWS\SysWOW64\scvhost.exe	rnkmbch.exe
File created	C:\WINDOWS\SysWOW64\bmckrhe.exe	ycjpnmq.exe
File opened for modification	C:\WINDOWS\SysWOW64\wylasbh.exe	scvhost.exe
File created	C:\WINDOWS\SysWOW64\scvhost.exe	scvhost.exe
File opened for modification	C:\WINDOWS\SysWOW64\edrxwlu.exe	scvhost.exe
File opened for modification	C:\WINDOWS\SysWOW64\rkgfixi.exe	scvhost.exe
File opened for modification	C:\WINDOWS\SysWOW64\scvhost.exe	ursxyaj.exe
File created	C:\WINDOWS\SysWOW64\scvhost.exe	wrrysqv.exe
File created	C:\WINDOWS\SysWOW64\lhxkbzm.exe	rbgcmbz.exe
File created	C:\WINDOWS\SysWOW64\eizklly.exe	whajwxu.exe
File opened for modification	C:\WINDOWS\SysWOW64\jezvoxu.exe	scvhost.exe
File created	C:\WINDOWS\SysWOW64\wylasbh.exe	scvhost.exe
File created	C:\WINDOWS\SysWOW64\scvhost.exe	yrdjvei.exe
File opened for modification	C:\WINDOWS\SysWOW64\scvhost.exe	ydpcrqm.exe
File created	C:\WINDOWS\SysWOW64\fmxlflk.exe	scvhost.exe
File opened for modification	C:\WINDOWS\SysWOW64\funkhti.exe	scvhost.exe
File opened for modification	C:\WINDOWS\SysWOW64\ftlqmev.exe	scvhost.exe
File created	C:\WINDOWS\SysWOW64\scvhost.exe	ybtksip.exe
File created	C:\WINDOWS\SysWOW64\whajwxu.exe	scvhost.exe
File opened for modification	C:\WINDOWS\SysWOW64\scvhost.exe	ekawnzh.exe
File created	C:\WINDOWS\SysWOW64\scvhost.exe	scvhost.exe
File created	C:\WINDOWS\SysWOW64\sfuleel.exe	scvhost.exe
File opened for modification	C:\WINDOWS\SysWOW64\lhxkbzm.exe	rbgcmbz.exe
File created	C:\WINDOWS\SysWOW64\wpoywze.exe	scvhost.exe
File created	C:\WINDOWS\SysWOW64\scvhost.exe	scvhost.exe
File created	C:\WINDOWS\SysWOW64\dbbbcel.exe	scvhost.exe
File opened for modification	C:\WINDOWS\SysWOW64\scvhost.exe	fqfyste.exe
File created	C:\WINDOWS\SysWOW64\scvhost.exe	scvhost.exe
File created	C:\WINDOWS\SysWOW64\scvhost.exe	383709cb3885c660314067b7d9543bf3_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\yrdjvei.exe	scvhost.exe
File opened for modification	C:\WINDOWS\SysWOW64\scvhost.exe	nzysmau.exe
File opened for modification	C:\WINDOWS\SysWOW64\eksyjjl.exe	scvhost.exe
File created	C:\WINDOWS\SysWOW64\scvhost.exe	scvhost.exe
File opened for modification	C:\WINDOWS\SysWOW64\fbwwqbt.exe	fmxlflk.exe
File opened for modification	C:\WINDOWS\SysWOW64\lhcalgw.exe	scvhost.exe
File created	C:\WINDOWS\SysWOW64\scvhost.exe	fojbgtg.exe
File opened for modification	C:\WINDOWS\SysWOW64\scvhost.exe	xatgaub.exe
File created	C:\WINDOWS\SysWOW64\scvhost.exe	whajwxu.exe
File created	C:\WINDOWS\SysWOW64\qddsduj.exe	tukavja.exe
File created	C:\WINDOWS\SysWOW64\ycjpnmq.exe	scvhost.exe
File created	C:\WINDOWS\SysWOW64\scvhost.exe	lhcalgw.exe
File opened for modification	C:\WINDOWS\SysWOW64\scvhost.exe	mnbgvte.exe
File created	C:\WINDOWS\SysWOW64\vezklvy.exe	scvhost.exe
File created	C:\WINDOWS\SysWOW64\scvhost.exe	scvhost.exe
File opened for modification	C:\WINDOWS\SysWOW64\scvhost.exe	kzyolou.exe
File opened for modification	C:\WINDOWS\SysWOW64\nivkrwe.exe	scvhost.exe
File opened for modification	C:\WINDOWS\SysWOW64\cojaadm.exe	apufrzb.exe
File opened for modification	C:\WINDOWS\SysWOW64\rnkmbch.exe	scvhost.exe
File created	C:\WINDOWS\SysWOW64\scvhost.exe	vezklvy.exe
File created	C:\WINDOWS\SysWOW64\scvhost.exe	scvhost.exe
File opened for modification	C:\WINDOWS\SysWOW64\fbhnpde.exe	scvhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	czunfvg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	clhlfgq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	scvhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	xckpmsr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	scvhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	scvhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nayvhxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nivkrwe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	scvhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	etbzavp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ydpcrqm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	scvhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	saawqbe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	xpwrhhd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	pojahvd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nhetwbe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	scvhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	scvhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	dbdzqqs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	youaqpq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	bzxbafl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	scvhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	edrxwlu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ybtksip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	xatgaub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	qpdfinc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	cthwfnh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	fliujjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	zwfrcyw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	scvhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	uoqygce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	scvhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	fojbgtg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	scvhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	scvhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ogzwvfh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vgxtgpd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sspokqx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	rnkmbch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	scvhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	kzyolou.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	scvhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	scvhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	gofthna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	scvhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	cojaadm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	hprfvbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	scvhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nzysmau.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	augabhg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mnbgvte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	scvhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	scvhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lkultiv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	scvhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpwgxl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	scvhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ubhdrwg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	scvhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ekawnzh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wylasbh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	yrdjvei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	scvhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	jezvoxu.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4416 wrote to memory of 4900	4416	383709cb3885c660314067b7d9543bf3_JaffaCakes118.exe	86
PID 4416 wrote to memory of 4900	4416	383709cb3885c660314067b7d9543bf3_JaffaCakes118.exe	86
PID 4416 wrote to memory of 4900	4416	383709cb3885c660314067b7d9543bf3_JaffaCakes118.exe	86
PID 4900 wrote to memory of 5044	4900	scvhost.exe	87
PID 4900 wrote to memory of 5044	4900	scvhost.exe	87
PID 4900 wrote to memory of 5044	4900	scvhost.exe	87
PID 5044 wrote to memory of 1648	5044	gofthna.exe	88
PID 5044 wrote to memory of 1648	5044	gofthna.exe	88
PID 5044 wrote to memory of 1648	5044	gofthna.exe	88
PID 1648 wrote to memory of 3916	1648	nhetwbe.exe	89
PID 1648 wrote to memory of 3916	1648	nhetwbe.exe	89
PID 1648 wrote to memory of 3916	1648	nhetwbe.exe	89
PID 3916 wrote to memory of 1448	3916	scvhost.exe	90
PID 3916 wrote to memory of 1448	3916	scvhost.exe	90
PID 3916 wrote to memory of 1448	3916	scvhost.exe	90
PID 1448 wrote to memory of 3480	1448	yrdjvei.exe	91
PID 1448 wrote to memory of 3480	1448	yrdjvei.exe	91
PID 1448 wrote to memory of 3480	1448	yrdjvei.exe	91
PID 3480 wrote to memory of 4820	3480	ydpcrqm.exe	92
PID 3480 wrote to memory of 4820	3480	ydpcrqm.exe	92
PID 3480 wrote to memory of 4820	3480	ydpcrqm.exe	92
PID 4820 wrote to memory of 4356	4820	scvhost.exe	93
PID 4820 wrote to memory of 4356	4820	scvhost.exe	93
PID 4820 wrote to memory of 4356	4820	scvhost.exe	93
PID 4356 wrote to memory of 3056	4356	vezklvy.exe	94
PID 4356 wrote to memory of 3056	4356	vezklvy.exe	94
PID 4356 wrote to memory of 3056	4356	vezklvy.exe	94
PID 3056 wrote to memory of 1052	3056	nayvhxc.exe	95
PID 3056 wrote to memory of 1052	3056	nayvhxc.exe	95
PID 3056 wrote to memory of 1052	3056	nayvhxc.exe	95
PID 1052 wrote to memory of 3464	1052	scvhost.exe	96
PID 1052 wrote to memory of 3464	1052	scvhost.exe	96
PID 1052 wrote to memory of 3464	1052	scvhost.exe	96
PID 3464 wrote to memory of 4724	3464	ftlqmev.exe	97
PID 3464 wrote to memory of 4724	3464	ftlqmev.exe	97
PID 3464 wrote to memory of 4724	3464	ftlqmev.exe	97
PID 4724 wrote to memory of 4812	4724	scvhost.exe	98
PID 4724 wrote to memory of 4812	4724	scvhost.exe	98
PID 4724 wrote to memory of 4812	4724	scvhost.exe	98
PID 4812 wrote to memory of 448	4812	fmxlflk.exe	99
PID 4812 wrote to memory of 448	4812	fmxlflk.exe	99
PID 4812 wrote to memory of 448	4812	fmxlflk.exe	99
PID 448 wrote to memory of 4320	448	fbwwqbt.exe	100
PID 448 wrote to memory of 4320	448	fbwwqbt.exe	100
PID 448 wrote to memory of 4320	448	fbwwqbt.exe	100
PID 4320 wrote to memory of 4248	4320	scvhost.exe	101
PID 4320 wrote to memory of 4248	4320	scvhost.exe	101
PID 4320 wrote to memory of 4248	4320	scvhost.exe	101
PID 4248 wrote to memory of 5024	4248	ybtksip.exe	102
PID 4248 wrote to memory of 5024	4248	ybtksip.exe	102
PID 4248 wrote to memory of 5024	4248	ybtksip.exe	102
PID 5024 wrote to memory of 3884	5024	fyeidob.exe	103
PID 5024 wrote to memory of 3884	5024	fyeidob.exe	103
PID 5024 wrote to memory of 3884	5024	fyeidob.exe	103
PID 3884 wrote to memory of 4708	3884	scvhost.exe	104
PID 3884 wrote to memory of 4708	3884	scvhost.exe	104
PID 3884 wrote to memory of 4708	3884	scvhost.exe	104
PID 4708 wrote to memory of 3504	4708	kzyolou.exe	105
PID 4708 wrote to memory of 3504	4708	kzyolou.exe	105
PID 4708 wrote to memory of 3504	4708	kzyolou.exe	105
PID 3504 wrote to memory of 4548	3504	scvhost.exe	106
PID 3504 wrote to memory of 4548	3504	scvhost.exe	106
PID 3504 wrote to memory of 4548	3504	scvhost.exe	106
PID 4548 wrote to memory of 4000	4548	dpzcnyi.exe	107

C:\Users\Admin\AppData\Local\Temp\383709cb3885c660314067b7d9543bf3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\383709cb3885c660314067b7d9543bf3_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4416
- C:\WINDOWS\SysWOW64\scvhost.exe
  "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\USERS\ADMIN\APPDATA\LOCAL\TEMP\383709CB3885C660314067B7D9543BF3_JAFFACAKES118.EXE
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\WINDOWS\SysWOW64\gofthna.exe
    "C:\WINDOWS\SYSTEM32\gofthna.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:5044
  - - C:\WINDOWS\SysWOW64\nhetwbe.exe
      "C:\WINDOWS\SYSTEM32\nhetwbe.exe" mElTC:\WINDOWS\SYSWOW64\GOFTHNA.EXE
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1648
    - - C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\NHETWBE.EXE
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3916
      - C:\WINDOWS\SysWOW64\yrdjvei.exe
        
        "C:\WINDOWS\SYSTEM32\yrdjvei.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\WINDOWS\SysWOW64\ydpcrqm.exe
        
        "C:\WINDOWS\SYSTEM32\ydpcrqm.exe" mElTC:\WINDOWS\SYSWOW64\YRDJVEI.EXE
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3480
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\YDPCRQM.EXE
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\WINDOWS\SysWOW64\vezklvy.exe
        
        "C:\WINDOWS\SYSTEM32\vezklvy.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4356
        
        C:\WINDOWS\SysWOW64\nayvhxc.exe
        
        "C:\WINDOWS\SYSTEM32\nayvhxc.exe" mElTC:\WINDOWS\SYSWOW64\VEZKLVY.EXE
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\NAYVHXC.EXE
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\WINDOWS\SysWOW64\ftlqmev.exe
        
        "C:\WINDOWS\SYSTEM32\ftlqmev.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\FTLQMEV.EXE
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\WINDOWS\SysWOW64\fmxlflk.exe
        
        "C:\WINDOWS\SYSTEM32\fmxlflk.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4812
        
        C:\WINDOWS\SysWOW64\fbwwqbt.exe
        
        "C:\WINDOWS\SYSTEM32\fbwwqbt.exe" mElTC:\WINDOWS\SYSWOW64\FMXLFLK.EXE
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\FBWWQBT.EXE
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4320
        
        C:\WINDOWS\SysWOW64\ybtksip.exe
        
        "C:\WINDOWS\SYSTEM32\ybtksip.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        17⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\WINDOWS\SysWOW64\fyeidob.exe
        
        "C:\WINDOWS\SYSTEM32\fyeidob.exe" mElTC:\WINDOWS\SYSWOW64\YBTKSIP.EXE
        18⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\FYEIDOB.EXE
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3884
        
        C:\WINDOWS\SysWOW64\kzyolou.exe
        
        "C:\WINDOWS\SYSTEM32\kzyolou.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\KZYOLOU.EXE
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3504
        
        C:\WINDOWS\SysWOW64\dpzcnyi.exe
        
        "C:\WINDOWS\SYSTEM32\dpzcnyi.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\WINDOWS\SysWOW64\nzysmau.exe
        
        "C:\WINDOWS\SYSTEM32\nzysmau.exe" mElTC:\WINDOWS\SYSWOW64\DPZCNYI.EXE
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4000
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\NZYSMAU.EXE
        24⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:4592
        
        C:\WINDOWS\SysWOW64\sfuleel.exe
        
        "C:\WINDOWS\SYSTEM32\sfuleel.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        25⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4644
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\SFULEEL.EXE
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1200
        
        C:\WINDOWS\SysWOW64\fojbgtg.exe
        
        "C:\WINDOWS\SYSTEM32\fojbgtg.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2184
        
        C:\WINDOWS\SysWOW64\fliujjo.exe
        
        "C:\WINDOWS\SYSTEM32\fliujjo.exe" mElTC:\WINDOWS\SYSWOW64\FOJBGTG.EXE
        28⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:2216
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\FLIUJJO.EXE
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:2424
        
        C:\WINDOWS\SysWOW64\nivkrwe.exe
        
        "C:\WINDOWS\SYSTEM32\nivkrwe.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3972
        
        C:\WINDOWS\SysWOW64\pdhsywq.exe
        
        "C:\WINDOWS\SYSTEM32\pdhsywq.exe" mElTC:\WINDOWS\SYSWOW64\NIVKRWE.EXE
        31⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4636
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\PDHSYWQ.EXE
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3084
        
        C:\WINDOWS\SysWOW64\cyxlprm.exe
        
        "C:\WINDOWS\SYSTEM32\cyxlprm.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1940
        
        C:\WINDOWS\SysWOW64\zwfrcyw.exe
        
        "C:\WINDOWS\SYSTEM32\zwfrcyw.exe" mElTC:\WINDOWS\SYSWOW64\CYXLPRM.EXE
        34⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:2900
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\ZWFRCYW.EXE
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2736
        
        C:\WINDOWS\SysWOW64\funkhti.exe
        
        "C:\WINDOWS\SYSTEM32\funkhti.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4880
        
        C:\WINDOWS\SysWOW64\zpsahmr.exe
        
        "C:\WINDOWS\SYSTEM32\zpsahmr.exe" mElTC:\WINDOWS\SYSWOW64\FUNKHTI.EXE
        37⤵
        Adds Run key to start application
        
        PID:4360
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\ZPSAHMR.EXE
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2188
        
        C:\WINDOWS\SysWOW64\czunfvg.exe
        
        "C:\WINDOWS\SYSTEM32\czunfvg.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1028
        
        C:\WINDOWS\SysWOW64\clhlfgq.exe
        
        "C:\WINDOWS\SYSTEM32\clhlfgq.exe" mElTC:\WINDOWS\SYSWOW64\CZUNFVG.EXE
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1992
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\CLHLFGQ.EXE
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4900
        
        C:\WINDOWS\SysWOW64\saawqbe.exe
        
        "C:\WINDOWS\SYSTEM32\saawqbe.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        42⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:4548
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\SAAWQBE.EXE
        43⤵
        Executes dropped EXE
        
        PID:936
        
        C:\WINDOWS\SysWOW64\xckpmsr.exe
        
        "C:\WINDOWS\SYSTEM32\xckpmsr.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4288
        
        C:\WINDOWS\SysWOW64\cirklbw.exe
        
        "C:\WINDOWS\SYSTEM32\cirklbw.exe" mElTC:\WINDOWS\SYSWOW64\XCKPMSR.EXE
        45⤵
        Executes dropped EXE
        
        PID:3236
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\CIRKLBW.EXE
        46⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4648
        
        C:\WINDOWS\SysWOW64\eksyjjl.exe
        
        "C:\WINDOWS\SYSTEM32\eksyjjl.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        47⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:932
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\EKSYJJL.EXE
        48⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3412
        
        C:\WINDOWS\SysWOW64\xatgaub.exe
        
        "C:\WINDOWS\SYSTEM32\xatgaub.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        49⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1684
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\XATGAUB.EXE
        50⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:1564
        
        C:\WINDOWS\SysWOW64\etbzavp.exe
        
        "C:\WINDOWS\SYSTEM32\etbzavp.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        51⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4696
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\ETBZAVP.EXE
        52⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3604
        
        C:\WINDOWS\SysWOW64\whajwxu.exe
        
        "C:\WINDOWS\SYSTEM32\whajwxu.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        53⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2420
        
        C:\WINDOWS\SysWOW64\eizklly.exe
        
        "C:\WINDOWS\SYSTEM32\eizklly.exe" mElTC:\WINDOWS\SYSWOW64\WHAJWXU.EXE
        54⤵
        Executes dropped EXE
        
        PID:3988
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\EIZKLLY.EXE
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4644
        
        C:\WINDOWS\SysWOW64\rkgfixi.exe
        
        "C:\WINDOWS\SYSTEM32\rkgfixi.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        56⤵
        Executes dropped EXE
        
        PID:1200
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\RKGFIXI.EXE
        57⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:816
        
        C:\WINDOWS\SysWOW64\cugibir.exe
        
        "C:\WINDOWS\SYSTEM32\cugibir.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3264
        
        C:\WINDOWS\SysWOW64\ubhdrwg.exe
        
        "C:\WINDOWS\SYSTEM32\ubhdrwg.exe" mElTC:\WINDOWS\SYSWOW64\CUGIBIR.EXE
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3176
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\UBHDRWG.EXE
        60⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3464
        
        C:\WINDOWS\SysWOW64\uriztgt.exe
        
        "C:\WINDOWS\SYSTEM32\uriztgt.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        61⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3992
        
        C:\WINDOWS\SysWOW64\ursxyaj.exe
        
        "C:\WINDOWS\SYSTEM32\ursxyaj.exe" mElTC:\WINDOWS\SYSWOW64\URIZTGT.EXE
        62⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1860
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\URSXYAJ.EXE
        63⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:4724
        
        C:\WINDOWS\SysWOW64\jezvoxu.exe
        
        "C:\WINDOWS\SYSTEM32\jezvoxu.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        64⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3988
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\JEZVOXU.EXE
        65⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:5048
        
        C:\WINDOWS\SysWOW64\wrrysqv.exe
        
        "C:\WINDOWS\SYSTEM32\wrrysqv.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        66⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4752
        
        C:\WINDOWS\SysWOW64\ekawnzh.exe
        
        "C:\WINDOWS\SYSTEM32\ekawnzh.exe" mElTC:\WINDOWS\SYSWOW64\WRRYSQV.EXE
        67⤵
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:3996
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\EKAWNZH.EXE
        68⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4836
        
        C:\WINDOWS\SysWOW64\rbgcmbz.exe
        
        "C:\WINDOWS\SYSTEM32\rbgcmbz.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        69⤵
        Drops file in System32 directory
        
        PID:544
        
        C:\WINDOWS\SysWOW64\lhxkbzm.exe
        
        "C:\WINDOWS\SYSTEM32\lhxkbzm.exe" mElTC:\WINDOWS\SYSWOW64\RBGCMBZ.EXE
        70⤵
        Adds Run key to start application
        
        PID:2268
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\LHXKBZM.EXE
        71⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1448
        
        C:\WINDOWS\SysWOW64\wpoywze.exe
        
        "C:\WINDOWS\SYSTEM32\wpoywze.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        72⤵
        
        PID:3276
        
        C:\WINDOWS\SysWOW64\ogzwvfh.exe
        
        "C:\WINDOWS\SYSTEM32\ogzwvfh.exe" mElTC:\WINDOWS\SYSWOW64\WPOYWZE.EXE
        73⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:4116
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\OGZWVFH.EXE
        74⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:3824
        
        C:\WINDOWS\SysWOW64\jydckwe.exe
        
        "C:\WINDOWS\SYSTEM32\jydckwe.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        75⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4644
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\JYDCKWE.EXE
        76⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:4400
        
        C:\WINDOWS\SysWOW64\youaqpq.exe
        
        "C:\WINDOWS\SYSTEM32\youaqpq.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        77⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1544
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\YOUAQPQ.EXE
        78⤵
        Checks computer location settings
        
        PID:3572
        
        C:\WINDOWS\SysWOW64\bzxbafl.exe
        
        "C:\WINDOWS\SYSTEM32\bzxbafl.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        79⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:1308
        
        C:\WINDOWS\SysWOW64\wmpwgxl.exe
        
        "C:\WINDOWS\SYSTEM32\wmpwgxl.exe" mElTC:\WINDOWS\SYSWOW64\BZXBAFL.EXE
        80⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4256
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\WMPWGXL.EXE
        81⤵
        Modifies registry class
        
        PID:676
        
        C:\WINDOWS\SysWOW64\tokmbdk.exe
        
        "C:\WINDOWS\SYSTEM32\tokmbdk.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        82⤵
        
        PID:1448
        
        C:\WINDOWS\SysWOW64\qpdfinc.exe
        
        "C:\WINDOWS\SYSTEM32\qpdfinc.exe" mElTC:\WINDOWS\SYSWOW64\TOKMBDK.EXE
        83⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:3276
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\QPDFINC.EXE
        84⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4080
        
        C:\WINDOWS\SysWOW64\lkultiv.exe
        
        "C:\WINDOWS\SYSTEM32\lkultiv.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        85⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:4128
        
        C:\WINDOWS\SysWOW64\vgxtgpd.exe
        
        "C:\WINDOWS\SYSTEM32\vgxtgpd.exe" mElTC:\WINDOWS\SYSWOW64\LKULTIV.EXE
        86⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:4304
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\VGXTGPD.EXE
        87⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4500
        
        C:\WINDOWS\SysWOW64\ycjpnmq.exe
        
        "C:\WINDOWS\SYSTEM32\ycjpnmq.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        88⤵
        Drops file in System32 directory
        
        PID:3016
        
        C:\WINDOWS\SysWOW64\bmckrhe.exe
        
        "C:\WINDOWS\SYSTEM32\bmckrhe.exe" mElTC:\WINDOWS\SYSWOW64\YCJPNMQ.EXE
        89⤵
        Adds Run key to start application
        
        PID:4548
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\BMCKRHE.EXE
        90⤵
        Checks computer location settings
        Modifies registry class
        
        PID:936
        
        C:\WINDOWS\SysWOW64\nseqesu.exe
        
        "C:\WINDOWS\SYSTEM32\nseqesu.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        91⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:548
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\NSEQESU.EXE
        92⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3152
        
        C:\WINDOWS\SysWOW64\dbbbcel.exe
        
        "C:\WINDOWS\SYSTEM32\dbbbcel.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        93⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:3244
        
        C:\WINDOWS\SysWOW64\dbdzqqs.exe
        
        "C:\WINDOWS\SYSTEM32\dbdzqqs.exe" mElTC:\WINDOWS\SYSWOW64\DBBBCEL.EXE
        94⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3956
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\DBDZQQS.EXE
        95⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:4932
        
        C:\WINDOWS\SysWOW64\avgplvr.exe
        
        "C:\WINDOWS\SYSTEM32\avgplvr.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        96⤵
        
        PID:4356
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\AVGPLVR.EXE
        97⤵
        Checks computer location settings
        Modifies registry class
        
        PID:5100
        
        C:\WINDOWS\SysWOW64\tukavja.exe
        
        "C:\WINDOWS\SYSTEM32\tukavja.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        98⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2624
        
        C:\WINDOWS\SysWOW64\qddsduj.exe
        
        "C:\WINDOWS\SYSTEM32\qddsduj.exe" mElTC:\WINDOWS\SYSWOW64\TUKAVJA.EXE
        99⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:3576
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\QDDSDUJ.EXE
        100⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4520
        
        C:\WINDOWS\SysWOW64\sspokqx.exe
        
        "C:\WINDOWS\SYSTEM32\sspokqx.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        101⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:3100
        
        C:\WINDOWS\SysWOW64\pbbhzbg.exe
        
        "C:\WINDOWS\SYSTEM32\pbbhzbg.exe" mElTC:\WINDOWS\SYSWOW64\SSPOKQX.EXE
        102⤵
        Adds Run key to start application
        
        PID:1724
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\PBBHZBG.EXE
        103⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2736
        
        C:\WINDOWS\SysWOW64\lhcalgw.exe
        
        "C:\WINDOWS\SYSTEM32\lhcalgw.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        104⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4428
        
        C:\WINDOWS\SysWOW64\lzexqal.exe
        
        "C:\WINDOWS\SYSTEM32\lzexqal.exe" mElTC:\WINDOWS\SYSWOW64\LHCALGW.EXE
        105⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:556
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\LZEXQAL.EXE
        106⤵
        Adds Run key to start application
        
        PID:1028
        
        C:\WINDOWS\SysWOW64\uoqygce.exe
        
        "C:\WINDOWS\SYSTEM32\uoqygce.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        107⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:3060
        
        C:\WINDOWS\SysWOW64\vzdegnf.exe
        
        "C:\WINDOWS\SYSTEM32\vzdegnf.exe" mElTC:\WINDOWS\SYSWOW64\UOQYGCE.EXE
        108⤵
        Checks computer location settings
        
        PID:3204
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\VZDEGNF.EXE
        109⤵
        Adds Run key to start application
        
        PID:1564
        
        C:\WINDOWS\SysWOW64\augabhg.exe
        
        "C:\WINDOWS\SYSTEM32\augabhg.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        110⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3084
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\AUGABHG.EXE
        111⤵
        Checks computer location settings
        
        PID:4812
        
        C:\WINDOWS\SysWOW64\faklarb.exe
        
        "C:\WINDOWS\SYSTEM32\faklarb.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        112⤵
        Checks computer location settings
        
        PID:4156
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\FAKLARB.EXE
        113⤵
        Checks computer location settings
        
        PID:3792
        
        C:\WINDOWS\SysWOW64\xpwrhhd.exe
        
        "C:\WINDOWS\SYSTEM32\xpwrhhd.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        114⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:872
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\XPWRHHD.EXE
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4352
        
        C:\WINDOWS\SysWOW64\fbhnpde.exe
        
        "C:\WINDOWS\SYSTEM32\fbhnpde.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        116⤵
        
        PID:4632
        
        C:\WINDOWS\SysWOW64\fqfyste.exe
        
        "C:\WINDOWS\SYSTEM32\fqfyste.exe" mElTC:\WINDOWS\SYSWOW64\FBHNPDE.EXE
        117⤵
        Drops file in System32 directory
        
        PID:4944
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\FQFYSTE.EXE
        118⤵
        
        PID:3212
        
        C:\WINDOWS\SysWOW64\mnbgvte.exe
        
        "C:\WINDOWS\SYSTEM32\mnbgvte.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        119⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1076
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\MNBGVTE.EXE
        120⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:960
        
        C:\WINDOWS\SysWOW64\apufrzb.exe
        
        "C:\WINDOWS\SYSTEM32\apufrzb.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        121⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3608
        
        C:\WINDOWS\SysWOW64\cojaadm.exe
        
        "C:\WINDOWS\SYSTEM32\cojaadm.exe" mElTC:\WINDOWS\SYSWOW64\APUFRZB.EXE
        122⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:1108
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\COJAADM.EXE
        123⤵
        Drops file in System32 directory
        
        PID:4856
        
        C:\WINDOWS\SysWOW64\wylasbh.exe
        
        "C:\WINDOWS\SYSTEM32\wylasbh.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        124⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:4472
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\WYLASBH.EXE
        125⤵
        Drops file in System32 directory
        
        PID:3356
        
        C:\WINDOWS\SysWOW64\zuabwjo.exe
        
        "C:\WINDOWS\SYSTEM32\zuabwjo.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        126⤵
        
        PID:1136
        
        C:\WINDOWS\SysWOW64\cthwfnh.exe
        
        "C:\WINDOWS\SYSTEM32\cthwfnh.exe" mElTC:\WINDOWS\SYSWOW64\ZUABWJO.EXE
        127⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:1536
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\CTHWFNH.EXE
        128⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3764
        
        C:\WINDOWS\SysWOW64\edrxwlu.exe
        
        "C:\WINDOWS\SYSTEM32\edrxwlu.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        129⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4708
        
        C:\WINDOWS\SysWOW64\pojahvd.exe
        
        "C:\WINDOWS\SYSTEM32\pojahvd.exe" mElTC:\WINDOWS\SYSWOW64\EDRXWLU.EXE
        130⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3212
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\POJAHVD.EXE
        131⤵
        Drops file in System32 directory
        
        PID:4000
        
        C:\WINDOWS\SysWOW64\rnkmbch.exe
        
        "C:\WINDOWS\SYSTEM32\rnkmbch.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        132⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:960
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\RNKMBCH.EXE
        133⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4816
        
        C:\WINDOWS\SysWOW64\jvuflzh.exe
        
        "C:\WINDOWS\SYSTEM32\jvuflzh.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        134⤵
        
        PID:1296
        
        C:\WINDOWS\SysWOW64\hprfvbl.exe
        
        "C:\WINDOWS\SYSTEM32\hprfvbl.exe" mElTC:\WINDOWS\SYSWOW64\JVUFLZH.EXE
        135⤵
        Modifies registry class
        
        PID:4320
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\HPRFVBL.EXE
        136⤵
        Adds Run key to start application
        
        PID:1860
        
        C:\WINDOWS\SysWOW64\enkwzci.exe
        
        "C:\WINDOWS\SYSTEM32\enkwzci.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        137⤵
        
        PID:3800
        
        C:\WINDOWS\SysWOW64\mkwzwha.exe
        
        "C:\WINDOWS\SYSTEM32\mkwzwha.exe" mElTC:\WINDOWS\SYSWOW64\ENKWZCI.EXE
        138⤵
        
        PID:1136
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\MKWZWHA.EXE
        139⤵
        
        PID:1536
        
        C:\WINDOWS\SysWOW64\bonqrja.exe
        
        "C:\WINDOWS\SYSTEM32\bonqrja.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        140⤵
        
        PID:2532
        
        C:\WINDOWS\SysWOW64\jayiuca.exe
        
        "C:\WINDOWS\SYSTEM32\jayiuca.exe" mElTC:\WINDOWS\SYSWOW64\BONQRJA.EXE
        141⤵
        
        PID:4708
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\JAYIUCA.EXE
        142⤵
        
        PID:1648
        
        C:\WINDOWS\SysWOW64\ddczrnc.exe
        
        "C:\WINDOWS\SYSTEM32\ddczrnc.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        143⤵
        
        PID:3860
        
        C:\WINDOWS\SysWOW64\uxjnyii.exe
        
        "C:\WINDOWS\SYSTEM32\uxjnyii.exe" mElTC:\WINDOWS\SYSWOW64\DDCZRNC.EXE
        144⤵
        
        PID:3568
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\UXJNYII.EXE
        145⤵
        
        PID:1732
        
        C:\WINDOWS\SysWOW64\lpygqcq.exe
        
        "C:\WINDOWS\SYSTEM32\lpygqcq.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        146⤵
        
        PID:1480
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\LPYGQCQ.EXE
        147⤵
        
        PID:3276
        
        C:\WINDOWS\SysWOW64\ivooatl.exe
        
        "C:\WINDOWS\SYSTEM32\ivooatl.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        148⤵
        
        PID:3920
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\IVOOATL.EXE
        149⤵
        
        PID:4716
        
        C:\WINDOWS\SysWOW64\tgqhyqk.exe
        
        "C:\WINDOWS\SYSTEM32\tgqhyqk.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        150⤵
        
        PID:4468
        
        C:\WINDOWS\SysWOW64\gljvjoq.exe
        
        "C:\WINDOWS\SYSTEM32\gljvjoq.exe" mElTC:\WINDOWS\SYSWOW64\TGQHYQK.EXE
        151⤵
        
        PID:3428
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\GLJVJOQ.EXE
        152⤵
        
        PID:4528
        
        C:\WINDOWS\SysWOW64\bhyopqp.exe
        
        "C:\WINDOWS\SYSTEM32\bhyopqp.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        153⤵
        
        PID:2212
        
        C:\WINDOWS\SysWOW64\ldamilo.exe
        
        "C:\WINDOWS\SYSTEM32\ldamilo.exe" mElTC:\WINDOWS\SYSWOW64\BHYOPQP.EXE
        154⤵
        
        PID:1712
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\LDAMILO.EXE
        155⤵
        
        PID:2204
        
        C:\WINDOWS\SysWOW64\iiivrur.exe
        
        "C:\WINDOWS\SYSTEM32\iiivrur.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        156⤵
        
        PID:3792
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\IIIVRUR.EXE
        157⤵
        
        PID:4880
        
        C:\WINDOWS\SysWOW64\twujsdp.exe
        
        "C:\WINDOWS\SYSTEM32\twujsdp.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        158⤵
        
        PID:2148
        
        C:\WINDOWS\SysWOW64\tiigapq.exe
        
        "C:\WINDOWS\SYSTEM32\tiigapq.exe" mElTC:\WINDOWS\SYSWOW64\TWUJSDP.EXE
        159⤵
        
        PID:4424
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\TIIGAPQ.EXE
        160⤵
        
        PID:4824
        
        C:\WINDOWS\SysWOW64\lxumifs.exe
        
        "C:\WINDOWS\SYSTEM32\lxumifs.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        161⤵
        
        PID:628
        
        C:\WINDOWS\SysWOW64\yrkahdm.exe
        
        "C:\WINDOWS\SYSTEM32\yrkahdm.exe" mElTC:\WINDOWS\SYSWOW64\LXUMIFS.EXE
        162⤵
        
        PID:4468
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\YRKAHDM.EXE
        163⤵
        
        PID:2972
        
        C:\WINDOWS\SysWOW64\fhgoksn.exe
        
        "C:\WINDOWS\SYSTEM32\fhgoksn.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        164⤵
        
        PID:4412
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\FHGOKSN.EXE
        165⤵
        
        PID:452
        
        C:\WINDOWS\SysWOW64\idvzhum.exe
        
        "C:\WINDOWS\SYSTEM32\idvzhum.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        166⤵
        
        PID:1140
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\IDVZHUM.EXE
        167⤵
        
        PID:532
        
        C:\WINDOWS\SysWOW64\njjqfkl.exe
        
        "C:\WINDOWS\SYSTEM32\njjqfkl.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        168⤵
        
        PID:672
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\NJJQFKL.EXE
        169⤵
        
        PID:4404
        
        C:\WINDOWS\SysWOW64\vgymafy.exe
        
        "C:\WINDOWS\SYSTEM32\vgymafy.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        170⤵
        
        PID:2872
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\VGYMAFY.EXE
        171⤵
        
        PID:1052
        
        C:\WINDOWS\SysWOW64\dspiohd.exe
        
        "C:\WINDOWS\SYSTEM32\dspiohd.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        172⤵
        
        PID:4360
        
        C:\WINDOWS\SysWOW64\iuibkzr.exe
        
        "C:\WINDOWS\SYSTEM32\iuibkzr.exe" mElTC:\WINDOWS\SYSWOW64\DSPIOHD.EXE
        173⤵
        
        PID:1144
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\IUIBKZR.EXE
        174⤵
        
        PID:4956
        
        C:\WINDOWS\SysWOW64\sfjuidh.exe
        
        "C:\WINDOWS\SYSTEM32\sfjuidh.exe" mElTC:\WINDOWS\SYSWOW64\SCVHOST.EXE
        175⤵
        
        PID:184
        
        C:\WINDOWS\SysWOW64\suzzzms.exe
        
        "C:\WINDOWS\SYSTEM32\suzzzms.exe" mElTC:\WINDOWS\SYSWOW64\SFJUIDH.EXE
        176⤵
        
        PID:4000
        
        C:\WINDOWS\SysWOW64\scvhost.exe
        
        "C:\WINDOWS\SYSTEM32\scvhost.exe" mElTC:\WINDOWS\SYSWOW64\SUZZZMS.EXE
        177⤵
        
        PID:4812

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv g/6PyPalK0K4UbMnzHfp7Q.0.1
1⤵
PID:3972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\scvhost.exe

Filesize
251KB

MD5
383709cb3885c660314067b7d9543bf3

SHA1
0d3f6cc4e3f72f174351fc614ea54025e0715b93

SHA256
5e8bec3c94f5b8dd59824c28dccb4dc3f6b7cdade82160e7d2f6655f8a93628a

SHA512
42a4ff2c262ca601f7862dee8cac91ffb389111aa88a9c6d751721bba74fe80323daa8c84a6c5b2b66275d8ef12ed4136ff2157097a7f1a7327f5a5d55279db7

Download Submit
memory/448-513-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/816-1843-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/932-1521-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/936-1395-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1028-1265-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1052-374-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1200-880-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1200-1809-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1448-204-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1564-1617-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1648-135-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1684-1585-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1860-2001-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1940-1104-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1992-1297-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2184-912-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2188-1233-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2216-944-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2420-1713-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2424-976-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2736-1168-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2900-1136-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3056-339-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3084-1072-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3176-1905-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3236-1457-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3264-1873-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3412-1553-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3464-1937-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3464-410-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3480-240-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3504-716-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3604-1681-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3884-647-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3916-169-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3972-1008-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3988-2065-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3988-1745-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3992-1969-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4000-783-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4248-581-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4288-1425-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4320-544-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4356-305-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4360-1201-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4416-33-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4548-750-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4548-1363-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4592-816-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4636-1040-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4644-848-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4644-1777-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4648-1489-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4696-1649-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4708-681-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4724-443-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4724-2033-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4812-477-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4820-274-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4880-1169-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4900-67-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4900-1329-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/5024-616-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/5044-103-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads