Analysis
max time kernel: 40s
max time network: 120s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
submitted: 13-07-2024 05:13
Behavioral task: behavioral1
Sample: 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Resource: win7-20240708-en
General
Target: 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Size: 88KB
MD5: 4052e869d0ef5649ad0bb14c7cdffbcf
SHA1: 2f2eef12131183bb414d8189450d89a9a83ca604
SHA256: fff826d7cf48b6cbef49c9eda8b7a33205c90be8d3254de4589f1a3acdd74a21
SHA512: 61c3667bfa5c3cd981023372eb5fe29b479b25d7d53bb2c4b58c2cf16568759ec872cd34fbaa386dbe47ef55634913caa35f6cd360dff4d645e441b5c31cbd4d
SSDEEP: 1536:UyrizN3klVZ69QPiPy7sw2Sx1vXvfAK6skKjFsrHAstd:U1N3kPZX9sS/XbDps7AEd
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures

Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | zghpfw.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | zghpfw.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | zghpfw.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | zghpfw.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | zghpfw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | zghpfw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | zghpfw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | zghpfw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | zghpfw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | zghpfw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
clop
Ransomware discovered in early 2019 which has been actively developed since release.
Disables RegEdit via registry modification 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | zghpfw.exe
Disables Task Manager via registry modification
Deletes itself 1 IoCs
pid | Process
12192 | zghpfw.exe
Executes dropped EXE 64 IoCs
pid | Process
2168 | yfcvogh.exe
2724 | ikvotq.exe
2896 | bbdlub.exe
2620 | stfhd.exe
320 | wqkkqkb.exe
1908 | exxqwrn.exe
1808 | esvjl.exe
2784 | lbgpp.exe
1972 | ltign.exe
2996 | svmvww.exe
1920 | pbuhztlu.exe
3012 | blltpxoh.exe
2572 | rssdx.exe
3068 | tntqinmg.exe
2568 | oxljupb.exe
1532 | qltpizlo.exe
1880 | hxbghj.exe
1500 | kuaoav.exe
2416 | jyqwlae.exe
2016 | pipvjxps.exe
1596 | yoppfbcm.exe
328 | olbumrmq.exe
380 | smdclsqd.exe
1864 | mwvhzhzo.exe
3008 | xkzrzr.exe
2676 | dhzoprs.exe
688 | rmmlkihc.exe
2108 | ngribm.exe
2688 | vwiau.exe
2604 | ctxhm.exe
2136 | fdatnzm.exe
2984 | fzjvj.exe
2952 | qsisqhl.exe
2144 | hugdriw.exe
1144 | biucvzn.exe
1332 | zyokl.exe
1688 | sflgtcr.exe
1020 | gsdivlc.exe
596 | oarwk.exe
1096 | vxkrinrk.exe
1000 | zwfgm.exe
2372 | bggercn.exe
720 | xofalv.exe
2448 | nohyu.exe
2824 | lqwigdip.exe
2628 | ctntyccr.exe
2348 | hvwecdt.exe
2616 | yfovla.exe
2700 | dxjblcxk.exe
2024 | bdlok.exe
2068 | qdpsd.exe
1932 | kfwvvw.exe
1680 | qduqgkz.exe
1696 | cjxyv.exe
1780 | urajt.exe
2548 | ujjeacv.exe
2256 | nzusxqn.exe
592 | fbetlppu.exe
2792 | wswwhfzp.exe
1944 | vwhhohlj.exe
3824 | njupn.exe
3892 | xodyknlk.exe
3956 | bwrtnjkk.exe
4024 | gdnbwnfn.exe
Loads dropped DLL 64 IoCs
pid | Process
1380 | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
1380 | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
2168 | yfcvogh.exe
2168 | yfcvogh.exe
2724 | ikvotq.exe
2724 | ikvotq.exe
2896 | bbdlub.exe
2896 | bbdlub.exe
2620 | stfhd.exe
2620 | stfhd.exe
320 | wqkkqkb.exe
320 | wqkkqkb.exe
1908 | exxqwrn.exe
1908 | exxqwrn.exe
1808 | esvjl.exe
1808 | esvjl.exe
2784 | lbgpp.exe
2784 | lbgpp.exe
1972 | ltign.exe
1972 | ltign.exe
2996 | svmvww.exe
2996 | svmvww.exe
1920 | pbuhztlu.exe
1920 | pbuhztlu.exe
3012 | blltpxoh.exe
3012 | blltpxoh.exe
2572 | rssdx.exe
2572 | rssdx.exe
3068 | tntqinmg.exe
3068 | tntqinmg.exe
2568 | oxljupb.exe
2568 | oxljupb.exe
1532 | qltpizlo.exe
1532 | qltpizlo.exe
1880 | hxbghj.exe
1880 | hxbghj.exe
1500 | kuaoav.exe
1500 | kuaoav.exe
2416 | jyqwlae.exe
2416 | jyqwlae.exe
2016 | pipvjxps.exe
2016 | pipvjxps.exe
1596 | yoppfbcm.exe
1596 | yoppfbcm.exe
328 | olbumrmq.exe
328 | olbumrmq.exe
380 | smdclsqd.exe
380 | smdclsqd.exe
1864 | mwvhzhzo.exe
1864 | mwvhzhzo.exe
3008 | xkzrzr.exe
3008 | xkzrzr.exe
2676 | dhzoprs.exe
2676 | dhzoprs.exe
688 | rmmlkihc.exe
688 | rmmlkihc.exe
2108 | ngribm.exe
2108 | ngribm.exe
2688 | vwiau.exe
2688 | vwiau.exe
2604 | ctxhm.exe
2604 | ctxhm.exe
2136 | fdatnzm.exe
2136 | fdatnzm.exe
resource | yara_rule
behavioral1/memory/1380-0-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral1/files/0x000d000000014348-8.dat | upx
behavioral1/memory/1380-10-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
behavioral1/memory/1380-15-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
behavioral1/memory/1380-43-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
behavioral1/memory/1380-38-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
behavioral1/memory/2724-52-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral1/memory/1380-44-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
behavioral1/memory/2168-17-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral1/memory/1380-14-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
behavioral1/memory/1380-13-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
behavioral1/memory/1380-11-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
behavioral1/memory/1380-1-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
behavioral1/memory/2896-63-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral1/memory/1380-64-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
behavioral1/memory/1380-65-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
behavioral1/memory/320-86-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral1/memory/2620-85-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral1/memory/1380-89-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
behavioral1/memory/1908-98-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral1/memory/1380-108-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral1/memory/2168-114-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral1/memory/2784-120-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral1/memory/1380-121-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
behavioral1/memory/1380-122-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
behavioral1/memory/1972-132-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral1/memory/2996-144-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral1/memory/2724-154-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral1/memory/3012-171-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral1/memory/320-169-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral1/memory/1920-159-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral1/memory/2896-158-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral1/memory/2572-184-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral1/memory/1908-182-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral1/memory/1808-194-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral1/memory/2784-206-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral1/memory/1532-221-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral1/memory/2996-219-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral1/memory/1972-211-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral1/memory/1920-230-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral1/memory/1880-231-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral1/memory/1500-240-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral1/memory/1880-238-0x0000000000260000-0x000000000027C000-memory.dmp | upx
behavioral1/memory/3012-237-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral1/memory/2416-249-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral1/memory/2572-247-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral1/memory/3068-253-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral1/memory/2568-263-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral1/memory/2016-264-0x0000000000340000-0x000000000035C000-memory.dmp | upx
behavioral1/memory/1596-265-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral1/memory/328-272-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral1/memory/380-283-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral1/memory/1880-282-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral1/memory/328-280-0x00000000002C0000-0x00000000002DC000-memory.dmp | upx
behavioral1/memory/1532-276-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral1/memory/1500-291-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral1/memory/3008-300-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral1/memory/1380-301-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
behavioral1/memory/2676-311-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral1/memory/2416-308-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral1/memory/688-318-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral1/memory/2016-324-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral1/memory/2688-333-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral1/memory/1596-332-0x0000000031420000-0x000000003143C000-memory.dmp | upx
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | zghpfw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | zghpfw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | zghpfw.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | zghpfw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | zghpfw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | zghpfw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | zghpfw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Adds Run key to start application 2 TTPs 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\ejyzu.exe" | vrzfvy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\fpaou.exe" | vryzlafw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\lkotz.exe" | ungjuza.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\zwfgm.exe" | vxkrinrk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\fbetlppu.exe" | nzusxqn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\bjgxw.exe" | wckmxxha.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\uqttnqj.exe" | omrzlqsn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\buwfe.exe" | hzwktm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\epxwgy.exe" | ysngctze.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\qvaufq.exe" | jjrjsw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\ykghoc.exe" | rmnaqdxg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\kverpqm.exe" | ytooqbp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\gbfmbzt.exe" | zvbomc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\esvjl.exe" | exxqwrn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\mwoaow.exe" | lwmcp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\iovfpilj.exe" | uubvyxlv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\lrcntgg.exe" | tviimdxl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\unghekgy.exe" | uuohger.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\zzgcorej.exe" | jzijlexk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\nkjymuuq.exe" | hgpai.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\klvoiw.exe" | xqtspqc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\rmnaqdxg.exe" | uqttnqj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\xkpurzm.exe" | qfipilf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\ofdpfne.exe" | kaisszl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\ehmytk.exe" | lpiikmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\exqept.exe" | vjzveioq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\jrthwz.exe" | nhhbgaav.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\bspxpn.exe" | hspzbmdy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\dhzoprs.exe" | xkzrzr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\nohyu.exe" | xofalv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\topuie.exe" | kygdy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\kontdin.exe" | czlrtel.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\xxmffviu.exe" | aqokv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\jfawm.exe" | iwfobv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\hzwktm.exe" | uajcuux.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\awmrfk.exe" | oeowcmp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\lpiikmi.exe" | ihwqaumx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\jyqwlae.exe" | kuaoav.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\bbpmrfft.exe" | pqxtl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\tbiassi.exe" | bfkbv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\duvzafv.exe" | rqmmvx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\ugdzz.exe" | fpaou.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\vkaxbih.exe" | xlnguv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\ppgyztk.exe" | ykyxzmbn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\lxphl.exe" | fdeyaogu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\cdhvbe.exe" | gjazl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\bswqh.exe" | duvzafv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\xgapyoe.exe" | ywprrlw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\lryqgjeq.exe" | rnckq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\kmvsymhs.exe" | dgbnt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\ikdwe.exe" | gmuhf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\crfxnjuo.exe" | gavhwvvh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\pzttb.exe" | yakzk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\dckqq.exe" | opyodmn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\thkyazg.exe" | lsyzmh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\kdezsrq.exe" | zxhpcksw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\pqxtl.exe" | kvptve.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\kimwmwz.exe" | hctwca.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\hirqni.exe" | qohqp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\xhjdmiej.exe" | prrgrv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\ptkrmvto.exe" | lccif.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\zezjwlh.exe" | hutpvqza.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\ulagfh.exe" | lqnxwm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\sexwla.exe" | exqept.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | zghpfw.exe
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\K: | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
File opened (read-only) | \??\L: | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
File opened (read-only) | \??\V: | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
File opened (read-only) | \??\G: | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
File opened (read-only) | \??\I: | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
File opened (read-only) | \??\P: | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
File opened (read-only) | \??\S: | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
File opened (read-only) | \??\E: | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
File opened (read-only) | \??\G: | zghpfw.exe
File opened (read-only) | \??\I: | zghpfw.exe
File opened (read-only) | \??\X: | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
File opened (read-only) | \??\H: | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
File opened (read-only) | \??\J: | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
File opened (read-only) | \??\Z: | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
File opened (read-only) | \??\M: | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
File opened (read-only) | \??\O: | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
File opened (read-only) | \??\R: | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
File opened (read-only) | \??\T: | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
File opened (read-only) | \??\Y: | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
File opened (read-only) | \??\E: | zghpfw.exe
File opened (read-only) | \??\H: | zghpfw.exe
File opened (read-only) | \??\W: | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
File opened (read-only) | \??\N: | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
File opened (read-only) | \??\Q: | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
File opened (read-only) | \??\U: | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\blltpxoh.exe | pbuhztlu.exe
File created | C:\Windows\SysWOW64\qdpsd.exe | bdlok.exe
File created | C:\Windows\SysWOW64\wtgla.exe | lefuqtg.exe
File opened for modification | C:\Windows\SysWOW64\jsgvx.exe | nkjymuuq.exe
File created | C:\Windows\SysWOW64\djhayjbc.exe | syoktbtg.exe
File opened for modification | C:\Windows\SysWOW64\vryzlafw.exe | noxzz.exe
File created | C:\Windows\SysWOW64\lsyzmh.exe | egfimr.exe
File created | C:\Windows\SysWOW64\bwrtnjkk.exe | xodyknlk.exe
File created | C:\Windows\SysWOW64\gdnbwnfn.exe | bwrtnjkk.exe
File created | C:\Windows\SysWOW64\jeilpzaj.exe | qolwmked.exe
File created | C:\Windows\SysWOW64\gvaofju.exe | ugtyt.exe
File created | C:\Windows\SysWOW64\pieposr.exe | azmfgpzv.exe
File opened for modification | C:\Windows\SysWOW64\xtmihow.exe | ejnldd.exe
File opened for modification | C:\Windows\SysWOW64\fymsw.exe | buwfe.exe
File created | C:\Windows\SysWOW64\lxphl.exe | fdeyaogu.exe
File opened for modification | C:\Windows\SysWOW64\ygqde.exe | jdrutty.exe
File opened for modification | C:\Windows\SysWOW64\isdcmk.exe | nsmjfhp.exe
File opened for modification | C:\Windows\SysWOW64\hmrtxa.exe | qixjkryo.exe
File opened for modification | C:\Windows\SysWOW64\vjzveioq.exe | wtgla.exe
File created | C:\Windows\SysWOW64\oibnu.exe | kurmkbb.exe
File created | C:\Windows\SysWOW64\hctwca.exe | swxoitn.exe
File opened for modification | C:\Windows\SysWOW64\ycuqch.exe | dgqwla.exe
File created | C:\Windows\SysWOW64\ytowz.exe | qpgvyvw.exe
File opened for modification | C:\Windows\SysWOW64\gvmgga.exe | oghydqf.exe
File created | C:\Windows\SysWOW64\aqfujl.exe | disvcpw.exe
File created | C:\Windows\SysWOW64\zezjwlh.exe | hutpvqza.exe
File created | C:\Windows\SysWOW64\vwiau.exe | ngribm.exe
File opened for modification | C:\Windows\SysWOW64\ugwiykq.exe | lryqgjeq.exe
File opened for modification | C:\Windows\SysWOW64\bcmxq.exe | wmquu.exe
File opened for modification | C:\Windows\SysWOW64\wyknbwol.exe | rptrkhek.exe
File created | C:\Windows\SysWOW64\izltv.exe | joqhpq.exe
File created | C:\Windows\SysWOW64\yfcvogh.exe | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\rssdx.exe | blltpxoh.exe
File created | C:\Windows\SysWOW64\tbwiu.exe | qpkkfa.exe
File opened for modification | C:\Windows\SysWOW64\memqdj.exe | yskqu.exe
File opened for modification | C:\Windows\SysWOW64\rgdwstwn.exe | tpivgbdf.exe
File opened for modification | C:\Windows\SysWOW64\fdeyaogu.exe | hqmkva.exe
File opened for modification | C:\Windows\SysWOW64\wteyb.exe | gcqnweki.exe
File created | C:\Windows\SysWOW64\nzusxqn.exe | ujjeacv.exe
File created | C:\Windows\SysWOW64\hrfax.exe | dtrmflq.exe
File created | C:\Windows\SysWOW64\qfipilf.exe | cwbsm.exe
File created | C:\Windows\SysWOW64\jzijlexk.exe | dlbrxw.exe
File created | C:\Windows\SysWOW64\jerzl.exe | rgdwstwn.exe
File opened for modification | C:\Windows\SysWOW64\jvyxx.exe | xvjmockj.exe
File opened for modification | C:\Windows\SysWOW64\uqttnqj.exe | omrzlqsn.exe
File created | C:\Windows\SysWOW64\fimyef.exe | thkyazg.exe
File opened for modification | C:\Windows\SysWOW64\mwvhzhzo.exe | smdclsqd.exe
File opened for modification | C:\Windows\SysWOW64\yymendo.exe | ntyrmam.exe
File created | C:\Windows\SysWOW64\dwhgasba.exe | zpiku.exe
File opened for modification | C:\Windows\SysWOW64\lrcntgg.exe | tviimdxl.exe
File created | C:\Windows\SysWOW64\mjxlcsqa.exe | mmwugbns.exe
File created | C:\Windows\SysWOW64\egnpyulo.exe | fxicfp.exe
File opened for modification | C:\Windows\SysWOW64\jhtre.exe | idbxzuk.exe
File opened for modification | C:\Windows\SysWOW64\fzjvj.exe | fdatnzm.exe
File created | C:\Windows\SysWOW64\vrzfvy.exe | goarjkd.exe
File opened for modification | C:\Windows\SysWOW64\mrfsojz.exe | nueqcbe.exe
File opened for modification | C:\Windows\SysWOW64\dfdkhkyj.exe | mjxlcsqa.exe
File created | C:\Windows\SysWOW64\rizxygg.exe | wuntqb.exe
File opened for modification | C:\Windows\SysWOW64\lkolg.exe | hrfax.exe
File opened for modification | C:\Windows\SysWOW64\gqdocza.exe | ryoshf.exe
File created | C:\Windows\SysWOW64\vijppfd.exe | yyjnvydm.exe
File created | C:\Windows\SysWOW64\nrgacxnt.exe | rwiwrzk.exe
File opened for modification | C:\Windows\SysWOW64\zcnifcu.exe | kquqk.exe
File opened for modification | C:\Windows\SysWOW64\hugdriw.exe | qsisqhl.exe
Drops file in Program Files directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 54 IoCs
pid Process 1380 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 1380 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 1380 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 1380 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 1380 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 1380 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 1380 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 1380 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 1380 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 1380 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 1380 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 1380 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 1380 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 1380 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 1380 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 1380 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 1380 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 1380 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 1380 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 12192 zghpfw.exe 12192 zghpfw.exe 12192 zghpfw.exe 12192 zghpfw.exe 12192 zghpfw.exe 12192 zghpfw.exe 12192 zghpfw.exe 12192 zghpfw.exe 12192 zghpfw.exe 12192 zghpfw.exe 12192 zghpfw.exe 12192 zghpfw.exe 12192 zghpfw.exe 12192 zghpfw.exe 12192 zghpfw.exe 12192 zghpfw.exe 12192 zghpfw.exe 12192 zghpfw.exe 12192 zghpfw.exe 12192 zghpfw.exe 12192 zghpfw.exe 12192 zghpfw.exe 12192 zghpfw.exe 12192 zghpfw.exe 12192 zghpfw.exe 12192 zghpfw.exe 12192 zghpfw.exe 12192 zghpfw.exe 12192 zghpfw.exe 12192 zghpfw.exe 12192 zghpfw.exe 12192 zghpfw.exe 12192 zghpfw.exe 12192 zghpfw.exe 12192 zghpfw.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeDebugPrivilege for every one of the 64 entries. PIDs and images, in report order (the sample appears three times, the rest are the dropped stages in spawn order):
1380 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe (two entries); 2168 yfcvogh.exe; 2724 ikvotq.exe; 2896 bbdlub.exe; 2620 stfhd.exe; 320 wqkkqkb.exe; 1908 exxqwrn.exe; 1808 esvjl.exe; 2784 lbgpp.exe; 1972 ltign.exe; 2996 svmvww.exe; 1920 pbuhztlu.exe; 3012 blltpxoh.exe; 2572 rssdx.exe; 3068 tntqinmg.exe; 2568 oxljupb.exe; 1532 qltpizlo.exe; 1880 hxbghj.exe; 1500 kuaoav.exe; 2416 jyqwlae.exe; 2016 pipvjxps.exe; 1596 yoppfbcm.exe; 328 olbumrmq.exe; 380 smdclsqd.exe; 1864 mwvhzhzo.exe; 3008 xkzrzr.exe; 2676 dhzoprs.exe; 688 rmmlkihc.exe; 2108 ngribm.exe; 2688 vwiau.exe; 2604 ctxhm.exe; 2136 fdatnzm.exe; 2984 fzjvj.exe; 2952 qsisqhl.exe; 2144 hugdriw.exe; 1144 biucvzn.exe; 1332 zyokl.exe; 1688 sflgtcr.exe; 1020 gsdivlc.exe; 596 oarwk.exe; 1096 vxkrinrk.exe; 1000 zwfgm.exe; 2372 bggercn.exe; 720 xofalv.exe; 2448 nohyu.exe; 2824 lqwigdip.exe; 2628 ctntyccr.exe; 2348 hvwecdt.exe; 2616 yfovla.exe; 2700 dxjblcxk.exe; 2024 bdlok.exe; 2068 qdpsd.exe; 1932 kfwvvw.exe; 1680 qduqgkz.exe; 1696 cjxyv.exe; 1780 urajt.exe; 2548 ujjeacv.exe; 2256 nzusxqn.exe; 592 fbetlppu.exe; 1380 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe (third entry); 2792 wswwhfzp.exe; 1944 vwhhohlj.exe; 3824 njupn.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
Every entry reads "wrote to memory of". The 64 entries grouped by writer (procid_target is the report's own index of the target process):
1380 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe -> 2168 (target 30), six entries
1380 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe -> 1124 (target 19), 1176 (target 20), 1272 (target 21), 1228 (target 23), one entry each; 1124, 1176 and 1272 are the PIDs of taskhost.exe, Dwm.exe and Explorer.EXE in the process list, none of which the sample spawned
2168 yfcvogh.exe -> 2724 (target 31), four entries
2724 ikvotq.exe -> 2896 (target 32), four entries
2896 bbdlub.exe -> 2620 (target 33), four entries
2620 stfhd.exe -> 320 (target 34), four entries
320 wqkkqkb.exe -> 1908 (target 35), four entries
1908 exxqwrn.exe -> 1808 (target 36), four entries
1808 esvjl.exe -> 2784 (target 37), four entries
2784 lbgpp.exe -> 1972 (target 38), four entries
1972 ltign.exe -> 2996 (target 40), four entries
2996 svmvww.exe -> 1920 (target 41), four entries
1920 pbuhztlu.exe -> 3012 (target 42), four entries
3012 blltpxoh.exe -> 2572 (target 43), four entries
2572 rssdx.exe -> 3068 (target 44), four entries
3068 tntqinmg.exe -> 2568 (target 45), two entries (the list is capped at 64 IoCs)
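The WriteProcessMemory entries mix two very different things: the four-or-so writes a parent makes into a child it has just created, and writes into processes the writer never spawned (here taskhost.exe, Dwm.exe and Explorer.EXE), which is the process injection a responder actually cares about. The script below is an added example, not Triage code and not part of this report; it parses lines in the report's own wording, joins them with the spawn relationships from the process tree, and separates the two cases. The sample lines and the spawn map are constructed from a subset of this page's entries; the PID-to-name table covers only the depth-1 processes listed on the page.

```python
import re
from collections import defaultdict

# Constructed from this report's "Suspicious use of WriteProcessMemory" entries
# (a representative subset, same wording as the report).
SAMPLE_LINES = """
PID 1380 wrote to memory of 2168 1380 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 30
PID 1380 wrote to memory of 2168 1380 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 30
PID 1380 wrote to memory of 1124 1380 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 19
PID 1380 wrote to memory of 1176 1380 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 20
PID 1380 wrote to memory of 1272 1380 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 21
PID 1380 wrote to memory of 1228 1380 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 23
PID 2168 wrote to memory of 2724 2168 yfcvogh.exe 31
PID 2724 wrote to memory of 2896 2724 ikvotq.exe 32
"""

# Constructed from the "Processes" tree: which PIDs each process spawned.
SAMPLE_SPAWNS = {
    1272: {1380},   # Explorer.EXE launched the sample
    1380: {2168},   # sample -> yfcvogh.exe
    2168: {2724},   # yfcvogh.exe -> ikvotq.exe
    2724: {2896},   # ikvotq.exe -> bbdlub.exe
}

# Names of the depth-1 system processes from the tree; 1228 is not listed there.
SYSTEM_PIDS = {1124: "taskhost.exe", 1176: "Dwm.exe", 1272: "Explorer.EXE"}

# "PID <src> wrote to memory of <dst> <src> <image> <target index>"; the \1
# backreference forces the repeated source PID to match, which rejects
# truncated or merged lines instead of silently mis-parsing them.
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


def parse_writes(text):
    """Return (src_pid, dst_pid, src_image) for every well-formed line."""
    writes = []
    for line in text.splitlines():
        m = WRITE_RE.fullmatch(line.strip())
        if m:
            writes.append((int(m.group(1)), int(m.group(2)), m.group(3)))
    return writes


def classify(writes, spawns):
    """Split writes into (spawn_setup, injections).

    spawn_setup: {(src, dst): count} for writes into a child the writer spawned
    (normal process-creation traffic).  injections: {(src, image): [dst, ...]}
    for writes into any other process, which is the cross-process injection
    this signature is meant to surface.
    """
    spawn_setup = defaultdict(int)
    injections = defaultdict(set)
    for src, dst, image in writes:
        if dst in spawns.get(src, ()):
            spawn_setup[(src, dst)] += 1
        else:
            injections[(src, image)].add(dst)
    return dict(spawn_setup), {k: sorted(v) for k, v in injections.items()}


def describe(injections, names=SYSTEM_PIDS):
    """One human-readable finding per injecting process."""
    out = []
    for (src, image), targets in sorted(injections.items()):
        labelled = ", ".join(f"{t} ({names.get(t, 'not in tree')})" for t in targets)
        out.append(f"{src} {image} wrote into {len(targets)} process(es) it did not spawn: {labelled}")
    return out


if __name__ == "__main__":
    setup, inj = classify(parse_writes(SAMPLE_LINES), SAMPLE_SPAWNS)
    for finding in describe(inj):
        print(finding)
```

Run on the constructed subset it reports a single finding, the sample writing into the four processes it did not create, and counts the parent-to-child writes separately. Feeding it the full 64 entries from the report gives the same single injecting process; every other writer only touches the child it spawned.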
System policy modification 1 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" zghpfw.exe
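The firewall-policy and EnableLUA writes above are the host-side artefacts worth checking on any machine suspected of having run this sample. The script below is an added example, not Triage code and not part of this report: it evaluates the values the report lists against the hardened defaults and, on Windows, can read the same values from the live registry with winreg. The observed values are constructed from the report's two signature sections. Two assumptions are built in: the live read goes through CurrentControlSet, which is assumed to resolve to the ControlSet001 the report names, and DoNotAllowExceptions = 0 is treated as context rather than a finding because 0 (exceptions allowed) is the OS default.

```python
import sys

# Registry paths from the report, written relative to HKLM.  The report shows
# ControlSet001; a live system is read through CurrentControlSet, which points
# at the active control set (assumption: the two are the same set on this VM).
FIREWALL = r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
POLICY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# (key, value name, expected value, meaning when it differs)
CHECKS = [
    (FIREWALL, "EnableFirewall", 1, "Windows Firewall is off for the standard profile"),
    (FIREWALL, "DisableNotifications", 0, "firewall notifications are suppressed"),
    (POLICY, "EnableLUA", 1, "UAC is disabled (takes effect after the next logon)"),
]
# DoNotAllowExceptions = 0 is also written by the sample, but 0 is the default
# (exceptions allowed), so it is reported as context rather than a finding.
CONTEXT = [(FIREWALL, "DoNotAllowExceptions")]

# Constructed from this report's "Modifies firewall policy service" and
# "System policy modification" entries.
OBSERVED = {
    (FIREWALL, "EnableFirewall"): 0,
    (FIREWALL, "DisableNotifications"): 1,
    (FIREWALL, "DoNotAllowExceptions"): 0,
    (POLICY, "EnableLUA"): 0,
}


def evaluate(values):
    """Return (findings, context) for a {(key, name): int or None} mapping.

    A value that is absent (None) is skipped: the OS default applies, and the
    tampering seen in this report always writes an explicit value.
    """
    findings = []
    for key, name, expected, meaning in CHECKS:
        actual = values.get((key, name))
        if actual is None:
            continue
        if actual != expected:
            findings.append(f"HKLM\\{key}\\{name} = {actual} (expected {expected}): {meaning}")
    context = [f"HKLM\\{key}\\{name} = {values[(key, name)]}"
               for key, name in CONTEXT if values.get((key, name)) is not None]
    return findings, context


def read_live():
    """Read the same values from the local registry (Windows only)."""
    import winreg
    values = {}
    for key, name in [(k, n) for k, n, _, _ in CHECKS] + CONTEXT:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as h:
                values[(key, name)] = winreg.QueryValueEx(h, name)[0]
        except FileNotFoundError:
            values[(key, name)] = None
    return values


if __name__ == "__main__":
    values = read_live() if sys.platform == "win32" else OBSERVED
    findings, context = evaluate(values)
    for line in findings or ["no policy tampering found"]:
        print(line)
    for line in context:
        print("context:", line)
```

Against the report's values this yields three findings (firewall off, notifications suppressed, UAC off) and one context line; a machine with the defaults in place, or with the values absent, yields none. Because the sample and zghpfw.exe both write these values, clearing them without removing the dropped stages will only see them re-applied.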
Processes
Each entry gives the tree depth, the image path, the command line and the PID; signature hits are listed beneath the process that triggered them. A depth-n entry is a child of the depth n-1 entry above it. Every dropped stage reports a command line under C:\Windows\system32\ but runs from C:\Windows\SysWOW64\: the stages are 32-bit images on a 64-bit VM, so WOW64 file-system redirection resolves system32 to SysWOW64.

1  C:\Windows\system32\taskhost.exe  cmd: "taskhost.exe"  PID:1124
1  C:\Windows\system32\Dwm.exe  cmd: "C:\Windows\system32\Dwm.exe"  PID:1176
1  C:\Windows\Explorer.EXE  cmd: C:\Windows\Explorer.EXE  PID:1272
2  C:\Users\Admin\AppData\Local\Temp\4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe"  PID:1380
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
3  C:\Windows\SysWOW64\yfcvogh.exe  cmd: C:\Windows\system32\yfcvogh.exe  PID:2168
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
4  C:\Windows\SysWOW64\ikvotq.exe  cmd: C:\Windows\system32\ikvotq.exe  PID:2724
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
5  C:\Windows\SysWOW64\bbdlub.exe  cmd: C:\Windows\system32\bbdlub.exe  PID:2896
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
6  C:\Windows\SysWOW64\stfhd.exe  cmd: C:\Windows\system32\stfhd.exe  PID:2620
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
7  C:\Windows\SysWOW64\wqkkqkb.exe  cmd: C:\Windows\system32\wqkkqkb.exe  PID:320
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
8  C:\Windows\SysWOW64\exxqwrn.exe  cmd: C:\Windows\system32\exxqwrn.exe  PID:1908
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
9  C:\Windows\SysWOW64\esvjl.exe  cmd: C:\Windows\system32\esvjl.exe  PID:1808
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
10  C:\Windows\SysWOW64\lbgpp.exe  cmd: C:\Windows\system32\lbgpp.exe  PID:2784
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
11  C:\Windows\SysWOW64\ltign.exe  cmd: C:\Windows\system32\ltign.exe  PID:1972
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
12  C:\Windows\SysWOW64\svmvww.exe  cmd: C:\Windows\system32\svmvww.exe  PID:2996
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
13  C:\Windows\SysWOW64\pbuhztlu.exe  cmd: C:\Windows\system32\pbuhztlu.exe  PID:1920
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
14  C:\Windows\SysWOW64\blltpxoh.exe  cmd: C:\Windows\system32\blltpxoh.exe  PID:3012
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
15  C:\Windows\SysWOW64\rssdx.exe  cmd: C:\Windows\system32\rssdx.exe  PID:2572
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
16  C:\Windows\SysWOW64\tntqinmg.exe  cmd: C:\Windows\system32\tntqinmg.exe  PID:3068
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
17  C:\Windows\SysWOW64\oxljupb.exe  cmd: C:\Windows\system32\oxljupb.exe  PID:2568
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
18  C:\Windows\SysWOW64\qltpizlo.exe  cmd: C:\Windows\system32\qltpizlo.exe  PID:1532
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
19  C:\Windows\SysWOW64\hxbghj.exe  cmd: C:\Windows\system32\hxbghj.exe  PID:1880
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
20  C:\Windows\SysWOW64\kuaoav.exe  cmd: C:\Windows\system32\kuaoav.exe  PID:1500
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
21  C:\Windows\SysWOW64\jyqwlae.exe  cmd: C:\Windows\system32\jyqwlae.exe  PID:2416
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
22  C:\Windows\SysWOW64\pipvjxps.exe  cmd: C:\Windows\system32\pipvjxps.exe  PID:2016
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
23  C:\Windows\SysWOW64\yoppfbcm.exe  cmd: C:\Windows\system32\yoppfbcm.exe  PID:1596
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
24  C:\Windows\SysWOW64\olbumrmq.exe  cmd: C:\Windows\system32\olbumrmq.exe  PID:328
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
25  C:\Windows\SysWOW64\smdclsqd.exe  cmd: C:\Windows\system32\smdclsqd.exe  PID:380
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
26  C:\Windows\SysWOW64\mwvhzhzo.exe  cmd: C:\Windows\system32\mwvhzhzo.exe  PID:1864
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
27  C:\Windows\SysWOW64\xkzrzr.exe  cmd: C:\Windows\system32\xkzrzr.exe  PID:3008
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
28  C:\Windows\SysWOW64\dhzoprs.exe  cmd: C:\Windows\system32\dhzoprs.exe  PID:2676
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
29  C:\Windows\SysWOW64\rmmlkihc.exe  cmd: C:\Windows\system32\rmmlkihc.exe  PID:688
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
30  C:\Windows\SysWOW64\ngribm.exe  cmd: C:\Windows\system32\ngribm.exe  PID:2108
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
31  C:\Windows\SysWOW64\vwiau.exe  cmd: C:\Windows\system32\vwiau.exe  PID:2688
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
32  C:\Windows\SysWOW64\ctxhm.exe  cmd: C:\Windows\system32\ctxhm.exe  PID:2604
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
33  C:\Windows\SysWOW64\fdatnzm.exe  cmd: C:\Windows\system32\fdatnzm.exe  PID:2136
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
34  C:\Windows\SysWOW64\fzjvj.exe  cmd: C:\Windows\system32\fzjvj.exe  PID:2984
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
35  C:\Windows\SysWOW64\qsisqhl.exe  cmd: C:\Windows\system32\qsisqhl.exe  PID:2952
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
36  C:\Windows\SysWOW64\hugdriw.exe  cmd: C:\Windows\system32\hugdriw.exe  PID:2144
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
37  C:\Windows\SysWOW64\biucvzn.exe  cmd: C:\Windows\system32\biucvzn.exe  PID:1144
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
38  C:\Windows\SysWOW64\zyokl.exe  cmd: C:\Windows\system32\zyokl.exe  PID:1332
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
39  C:\Windows\SysWOW64\sflgtcr.exe  cmd: C:\Windows\system32\sflgtcr.exe  PID:1688
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
40  C:\Windows\SysWOW64\gsdivlc.exe  cmd: C:\Windows\system32\gsdivlc.exe  PID:1020
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
41  C:\Windows\SysWOW64\oarwk.exe  cmd: C:\Windows\system32\oarwk.exe  PID:596
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
42  C:\Windows\SysWOW64\vxkrinrk.exe  cmd: C:\Windows\system32\vxkrinrk.exe  PID:1096
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
43  C:\Windows\SysWOW64\zwfgm.exe  cmd: C:\Windows\system32\zwfgm.exe  PID:1000
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
44  C:\Windows\SysWOW64\bggercn.exe  cmd: C:\Windows\system32\bggercn.exe  PID:2372
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
45  C:\Windows\SysWOW64\xofalv.exe  cmd: C:\Windows\system32\xofalv.exe  PID:720
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
46  C:\Windows\SysWOW64\nohyu.exe  cmd: C:\Windows\system32\nohyu.exe  PID:2448
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
47  C:\Windows\SysWOW64\lqwigdip.exe  cmd: C:\Windows\system32\lqwigdip.exe  PID:2824
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
48  C:\Windows\SysWOW64\ctntyccr.exe  cmd: C:\Windows\system32\ctntyccr.exe  PID:2628
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
49  C:\Windows\SysWOW64\hvwecdt.exe  cmd: C:\Windows\system32\hvwecdt.exe  PID:2348
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
50  C:\Windows\SysWOW64\yfovla.exe  cmd: C:\Windows\system32\yfovla.exe  PID:2616
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
51  C:\Windows\SysWOW64\dxjblcxk.exe  cmd: C:\Windows\system32\dxjblcxk.exe  PID:2700
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
52  C:\Windows\SysWOW64\bdlok.exe  cmd: C:\Windows\system32\bdlok.exe  PID:2024
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
53  C:\Windows\SysWOW64\qdpsd.exe  cmd: C:\Windows\system32\qdpsd.exe  PID:2068
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
54  C:\Windows\SysWOW64\kfwvvw.exe  cmd: C:\Windows\system32\kfwvvw.exe  PID:1932
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
55  C:\Windows\SysWOW64\qduqgkz.exe  cmd: C:\Windows\system32\qduqgkz.exe  PID:1680
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
56  C:\Windows\SysWOW64\cjxyv.exe  cmd: C:\Windows\system32\cjxyv.exe  PID:1696
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
57  C:\Windows\SysWOW64\urajt.exe  cmd: C:\Windows\system32\urajt.exe  PID:1780
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
58  C:\Windows\SysWOW64\ujjeacv.exe  cmd: C:\Windows\system32\ujjeacv.exe  PID:2548
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
59  C:\Windows\SysWOW64\nzusxqn.exe  cmd: C:\Windows\system32\nzusxqn.exe  PID:2256
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
60  C:\Windows\SysWOW64\fbetlppu.exe  cmd: C:\Windows\system32\fbetlppu.exe  PID:592
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
61  C:\Windows\SysWOW64\wswwhfzp.exe  cmd: C:\Windows\system32\wswwhfzp.exe  PID:2792
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
62  C:\Windows\SysWOW64\vwhhohlj.exe  cmd: C:\Windows\system32\vwhhohlj.exe  PID:1944
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
63  C:\Windows\SysWOW64\njupn.exe  cmd: C:\Windows\system32\njupn.exe  PID:3824
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
64  C:\Windows\SysWOW64\xodyknlk.exe  cmd: C:\Windows\system32\xodyknlk.exe  PID:3892
- Executes dropped EXE
- Drops file in System32 directory
65  C:\Windows\SysWOW64\bwrtnjkk.exe  cmd: C:\Windows\system32\bwrtnjkk.exe  PID:3956
- Executes dropped EXE
- Drops file in System32 directory
66  C:\Windows\SysWOW64\gdnbwnfn.exe  cmd: C:\Windows\system32\gdnbwnfn.exe  PID:4024
- Executes dropped EXE
67  C:\Windows\SysWOW64\ntizv.exe  cmd: C:\Windows\system32\ntizv.exe  PID:968
68  C:\Windows\SysWOW64\lwmcp.exe  cmd: C:\Windows\system32\lwmcp.exe  PID:1492
- Adds Run key to start application
69  C:\Windows\SysWOW64\mwoaow.exe  cmd: C:\Windows\system32\mwoaow.exe  PID:2360
70  C:\Windows\SysWOW64\feegi.exe  cmd: C:\Windows\system32\feegi.exe  PID:3204
71  C:\Windows\SysWOW64\klzpl.exe  cmd: C:\Windows\system32\klzpl.exe  PID:1892
72  C:\Windows\SysWOW64\pxzmoruy.exe  cmd: C:\Windows\system32\pxzmoruy.exe  PID:3136
73  C:\Windows\SysWOW64\xeeck.exe  cmd: C:\Windows\system32\xeeck.exe  PID:3240
74  C:\Windows\SysWOW64\wbehin.exe  cmd: C:\Windows\system32\wbehin.exe  PID:3336
75  C:\Windows\SysWOW64\vkvbxg.exe  cmd: C:\Windows\system32\vkvbxg.exe  PID:3420
76  C:\Windows\SysWOW64\yoabyag.exe  cmd: C:\Windows\system32\yoabyag.exe  PID:3512
77  C:\Windows\SysWOW64\zxhpcksw.exe  cmd: C:\Windows\system32\zxhpcksw.exe  PID:3600
- Adds Run key to start application
78  C:\Windows\SysWOW64\kdezsrq.exe  cmd: C:\Windows\system32\kdezsrq.exe  PID:3720
79  C:\Windows\SysWOW64\odrmxku.exe  cmd: C:\Windows\system32\odrmxku.exe  PID:3812
80  C:\Windows\SysWOW64\yfiwqdu.exe  cmd: C:\Windows\system32\yfiwqdu.exe  PID:3896
81  C:\Windows\SysWOW64\goarjkd.exe  cmd: C:\Windows\system32\goarjkd.exe  PID:3976
- Drops file in System32 directory
82  C:\Windows\SysWOW64\vrzfvy.exe  cmd: C:\Windows\system32\vrzfvy.exe  PID:4092
- Adds Run key to start application
83  C:\Windows\SysWOW64\ejyzu.exe  cmd: C:\Windows\system32\ejyzu.exe  PID:1652
84  C:\Windows\SysWOW64\ntyrmam.exe  cmd: C:\Windows\system32\ntyrmam.exe  PID:2612
- Drops file in System32 directory
85  C:\Windows\SysWOW64\yymendo.exe  cmd: C:\Windows\system32\yymendo.exe  PID:2988
86  C:\Windows\SysWOW64\kvptve.exe  cmd: C:\Windows\system32\kvptve.exe  PID:3184
- Adds Run key to start application
87  C:\Windows\SysWOW64\pqxtl.exe  cmd: C:\Windows\system32\pqxtl.exe  PID:3348
- Adds Run key to start application
88  C:\Windows\SysWOW64\bbpmrfft.exe  cmd: C:\Windows\system32\bbpmrfft.exe  PID:3464
89  C:\Windows\SysWOW64\ciexn.exe  cmd: C:\Windows\system32\ciexn.exe  PID:3560
90  C:\Windows\SysWOW64\hcyikjob.exe  cmd: C:\Windows\system32\hcyikjob.exe  PID:3740
91  C:\Windows\SysWOW64\wslfq.exe  cmd: C:\Windows\system32\wslfq.exe  PID:3856
92  C:\Windows\SysWOW64\zpiku.exe  cmd: C:\Windows\system32\zpiku.exe  PID:4000
- Drops file in System32 directory
93  C:\Windows\SysWOW64\dwhgasba.exe  cmd: C:\Windows\system32\dwhgasba.exe  PID:1728
94  C:\Windows\SysWOW64\lvfrk.exe  cmd: C:\Windows\system32\lvfrk.exe  PID:1048
95  C:\Windows\SysWOW64\gsagsq.exe  cmd: C:\Windows\system32\gsagsq.exe  PID:3280
96  C:\Windows\SysWOW64\micxpf.exe  cmd: C:\Windows\system32\micxpf.exe  PID:3552
97  C:\Windows\SysWOW64\rnckq.exe  cmd: C:\Windows\system32\rnckq.exe  PID:3776
- Adds Run key to start application
98  C:\Windows\SysWOW64\lryqgjeq.exe  cmd: C:\Windows\system32\lryqgjeq.exe  PID:4048
- Drops file in System32 directory
99  C:\Windows\SysWOW64\ugwiykq.exe  cmd: C:\Windows\system32\ugwiykq.exe  PID:2880
100  C:\Windows\SysWOW64\dtbdbs.exe  cmd: C:\Windows\system32\dtbdbs.exe  PID:3384
101  C:\Windows\SysWOW64\ewrsa.exe  cmd: C:\Windows\system32\ewrsa.exe  PID:3648
102  C:\Windows\SysWOW64\wesfh.exe  cmd: C:\Windows\system32\wesfh.exe  PID:1812
103  C:\Windows\SysWOW64\vobkensv.exe  cmd: C:\Windows\system32\vobkensv.exe  PID:3120
104  C:\Windows\SysWOW64\pikipti.exe  cmd: C:\Windows\system32\pikipti.exe  PID:3864
105  C:\Windows\SysWOW64\jjrjsw.exe  cmd: C:\Windows\system32\jjrjsw.exe  PID:664
- Adds Run key to start application
106  C:\Windows\SysWOW64\qvaufq.exe  cmd: C:\Windows\system32\qvaufq.exe  PID:3928
107  C:\Windows\SysWOW64\uubvyxlv.exe  cmd: C:\Windows\system32\uubvyxlv.exe  PID:2504
- Adds Run key to start application
108  C:\Windows\SysWOW64\iovfpilj.exe  cmd: C:\Windows\system32\iovfpilj.exe  PID:2220
109  C:\Windows\SysWOW64\rnrfevu.exe  cmd: C:\Windows\system32\rnrfevu.exe  PID:4132
110  C:\Windows\SysWOW64\oqzzicx.exe  cmd: C:\Windows\system32\oqzzicx.exe  PID:4180
111  C:\Windows\SysWOW64\mmlxljva.exe  cmd: C:\Windows\system32\mmlxljva.exe  PID:4224
112  C:\Windows\SysWOW64\fgvsojfl.exe  cmd: C:\Windows\system32\fgvsojfl.exe  PID:4268
113  C:\Windows\SysWOW64\ocnmwydk.exe  cmd: C:\Windows\system32\ocnmwydk.exe  PID:4308
114  C:\Windows\SysWOW64\jdrutty.exe  cmd: C:\Windows\system32\jdrutty.exe  PID:4360
- Drops file in System32 directory
115  C:\Windows\SysWOW64\ygqde.exe  cmd: C:\Windows\system32\ygqde.exe  PID:4408
116  C:\Windows\SysWOW64\hhzid.exe  cmd: C:\Windows\system32\hhzid.exe  PID:4464
117  C:\Windows\SysWOW64\qolwmked.exe  cmd: C:\Windows\system32\qolwmked.exe  PID:4516
- Drops file in System32 directory
118  C:\Windows\SysWOW64\jeilpzaj.exe  cmd: C:\Windows\system32\jeilpzaj.exe  PID:4564
119  C:\Windows\SysWOW64\fkuzeg.exe  cmd: C:\Windows\system32\fkuzeg.exe  PID:4608
120  C:\Windows\SysWOW64\achkubg.exe  cmd: C:\Windows\system32\achkubg.exe  PID:4652
121  C:\Windows\SysWOW64\nsmjfhp.exe  cmd: C:\Windows\system32\nsmjfhp.exe  PID:4692
- Drops file in System32 directory
122  C:\Windows\SysWOW64\isdcmk.exe  cmd: C:\Windows\system32\isdcmk.exe  PID:4744