Analysis
max time kernel: 39s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-07-2024 05:13
Behavioral task: behavioral1
Sample: 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Resource: win7-20240708-en
General
Target: 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Size: 88KB
MD5: 4052e869d0ef5649ad0bb14c7cdffbcf
SHA1: 2f2eef12131183bb414d8189450d89a9a83ca604
SHA256: fff826d7cf48b6cbef49c9eda8b7a33205c90be8d3254de4589f1a3acdd74a21
SHA512: 61c3667bfa5c3cd981023372eb5fe29b479b25d7d53bb2c4b58c2cf16568759ec872cd34fbaa386dbe47ef55634913caa35f6cd360dff4d645e441b5c31cbd4d
SSDEEP: 1536:UyrizN3klVZ69QPiPy7sw2Sx1vXvfAK6skKjFsrHAstd:U1N3kPZX9sS/XbDps7AEd
Malware Config
Extracted: sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | qkbrl.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | qkbrl.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | qkbrl.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qkbrl.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | qkbrl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | qkbrl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | qkbrl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | qkbrl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | qkbrl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | qkbrl.exe
Disables RegEdit via registry modification 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | qkbrl.exe
Disables Task Manager via registry modification
Deletes itself 1 IoCs
pid | Process
1452 | qkbrl.exe
Executes dropped EXE 64 IoCs
pid | Process
656 | jppyfux.exe
2296 | cpiprzz.exe
4484 | sceegl.exe
1092 | hildzip.exe
556 | omwidfu.exe
4560 | khcfykp.exe
1880 | neoircu.exe
1632 | luqtmvzx.exe
2464 | fbvkfah.exe
2424 | cgmii.exe
2088 | cwyvqg.exe
1260 | ejirvr.exe
5048 | ebbto.exe
4512 | bplistfu.exe
2208 | cywybp.exe
4664 | ygmsezv.exe
5104 | uaruclyr.exe
1412 | fxalmdc.exe
3716 | zlttlg.exe
2132 | kools.exe
4972 | msushd.exe
1976 | vcgdsta.exe
4940 | lwqimod.exe
4104 | fkdaque.exe
1452 | qkbrl.exe
4304 | gpfzz.exe
5012 | ufeyyzb.exe
5020 | nndwoyim.exe
4876 | tjkrh.exe
3556 | vimwppiz.exe
232 | vxebiru.exe
1672 | blqumlo.exe
4380 | rrxkrnw.exe
3292 | rwqdqc.exe
236 | rmlzf.exe
2684 | sauwg.exe
4464 | ohrkwyqr.exe
2784 | ezyrvsri.exe
3256 | uixkh.exe
3416 | qalxkfr.exe
2584 | hcecoas.exe
392 | srlreil.exe
3156 | ybessi.exe
2572 | kawgxeky.exe
4232 | rbfitdg.exe
872 | fjhja.exe
3504 | eomyfti.exe
4660 | jyxwg.exe
1396 | mldozksb.exe
3720 | prjqiz.exe
1484 | trqxtx.exe
4460 | pcullquh.exe
2340 | tounn.exe
3052 | rfvwjxlp.exe
4776 | fdapxi.exe
3880 | wwuxjp.exe
4180 | pnuplse.exe
4200 | ugtpoiue.exe
5000 | hbocd.exe
4472 | zbkida.exe
2072 | auokssnw.exe
1824 | hfubufd.exe
1436 | zdehfdzn.exe
1872 | cozbt.exe
resource | yara_rule
behavioral2/memory/4436-0-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral2/memory/4436-1-0x0000000002300000-0x000000000338E000-memory.dmp | upx
behavioral2/memory/4436-4-0x0000000002300000-0x000000000338E000-memory.dmp | upx
behavioral2/memory/4436-3-0x0000000002300000-0x000000000338E000-memory.dmp | upx
behavioral2/memory/4436-8-0x0000000002300000-0x000000000338E000-memory.dmp | upx
behavioral2/memory/4436-9-0x0000000002300000-0x000000000338E000-memory.dmp | upx
behavioral2/memory/656-15-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral2/files/0x000a0000000234a8-20.dat | upx
behavioral2/memory/4436-14-0x0000000002300000-0x000000000338E000-memory.dmp | upx
behavioral2/memory/4436-5-0x0000000002300000-0x000000000338E000-memory.dmp | upx
behavioral2/memory/4436-26-0x0000000002300000-0x000000000338E000-memory.dmp | upx
behavioral2/memory/4484-33-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral2/memory/4436-28-0x0000000002300000-0x000000000338E000-memory.dmp | upx
behavioral2/memory/4436-27-0x0000000002300000-0x000000000338E000-memory.dmp | upx
behavioral2/memory/1092-38-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral2/memory/556-45-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral2/memory/4436-40-0x0000000002300000-0x000000000338E000-memory.dmp | upx
behavioral2/memory/4560-52-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral2/memory/4436-51-0x0000000002300000-0x000000000338E000-memory.dmp | upx
behavioral2/memory/4436-43-0x0000000002300000-0x000000000338E000-memory.dmp | upx
behavioral2/memory/1880-56-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral2/memory/4436-61-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral2/memory/2088-79-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral2/memory/2296-77-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral2/memory/4484-89-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral2/memory/4512-96-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral2/memory/1092-95-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral2/memory/2208-102-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral2/memory/556-101-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral2/memory/1880-111-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral2/memory/1632-165-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral2/memory/2464-171-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral2/memory/2424-175-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral2/memory/2088-180-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral2/memory/1260-185-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral2/memory/5048-190-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral2/memory/4512-195-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral2/memory/2208-200-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral2/memory/4304-208-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral2/memory/4664-207-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral2/memory/5104-213-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral2/memory/5012-214-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral2/memory/1412-218-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral2/memory/3716-223-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral2/memory/2132-228-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral2/memory/4972-233-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral2/memory/1976-238-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral2/memory/4940-242-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral2/memory/4104-245-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral2/memory/1452-248-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral2/memory/4304-252-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral2/memory/5012-255-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral2/memory/5020-258-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral2/memory/2784-259-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral2/memory/4876-262-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral2/memory/3556-265-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral2/memory/232-268-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral2/memory/1672-271-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral2/memory/4380-274-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral2/memory/3292-277-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral2/memory/236-280-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral2/memory/2684-284-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral2/memory/4464-287-0x0000000031420000-0x000000003143C000-memory.dmp | upx
behavioral2/memory/2784-290-0x0000000031420000-0x000000003143C000-memory.dmp | upx
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | qkbrl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | qkbrl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | qkbrl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | qkbrl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | qkbrl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | qkbrl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | qkbrl.exe
Adds Run key to start application 2 TTPs 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\prjqiz.exe" | mldozksb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\rdulaak.exe" | cccmlh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\afesq.exe" | vsysbr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\pvnwc.exe" | ptjsjuue.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\ulush.exe" | ozmofmho.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\kzxzijyi.exe" | vzpbv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\xwkurk.exe" | abdwqcqb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\ibwrm.exe" | slbxjv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\itvmn.exe" | qzipvt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\rwqdqc.exe" | rrxkrnw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\mritfjbn.exe" | cfbxmg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\ewdwxn.exe" | lxztfgi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\sauwg.exe" | rmlzf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\ugtpoiue.exe" | pnuplse.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\doqluvzg.exe" | mmajmfkm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\teukjoml.exe" | jausz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\xqunppti.exe" | miwtgc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\fkdaque.exe" | lwqimod.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\secucwhl.exe" | vyphoskv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\yawaw.exe" | rndoud.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\zwdnsb.exe" | repfuym.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\ooihatg.exe" | teukjoml.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\buueoa.exe" | deuanle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\ebbto.exe" | ejirvr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\jyxwg.exe" | eomyfti.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\wwuxjp.exe" | fdapxi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\uksybqp.exe" | rymwdvi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\bkddkwxv.exe" | hijwrbi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\swampe.exe" | aweoiwk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\azmmj.exe" | zrlek.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\cmkmndkv.exe" | cawtgn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\kbjtr.exe" | nlickn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\pkhxcek.exe" | khyxff.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\jausz.exe" | pfnlwtq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\gpfzz.exe" | qkbrl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\kawgxeky.exe" | ybessi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\iywpfh.exe" | pidcfcy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\dnnagdgs.exe" | gkptfi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\eevgvx.exe" | hdyyv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\wysmmhe.exe" | krgdjwcl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\ktmxjbfe.exe" | csdxw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\auokssnw.exe" | zbkida.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\qorwtm.exe" | rcwtvg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\eggbq.exe" | pwnvygta.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\vvuys.exe" | gazyu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\gavzh.exe" | mapgrkqc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\xoomgqoh.exe" | mwhrmk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\zrlek.exe" | ydnet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\vkcwkq.exe" | pkhxcek.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\jdwyew.exe" | ofonkndr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\bzynipv.exe" | tfrmj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\nxovle.exe" | ldlxx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\xwyfv.exe" | gtzmx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\ynuzfnl.exe" | yawaw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\wlijird.exe" | lmyarebi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\cfbxmg.exe" | zdqbfw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\qkbrl.exe" | fkdaque.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\hcecoas.exe" | qalxkfr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\hbocd.exe" | ugtpoiue.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\aoipxo.exe" | xwkurk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\vimwppiz.exe" | tjkrh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\awmtzr.exe" | zdjhs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\cnozz.exe" | aoipxo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\gptrb.exe" | vlybfq.exe
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\I: | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
File opened (read-only) | \??\Q: | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
File opened (read-only) | \??\E: | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
File opened (read-only) | \??\H: | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
File opened (read-only) | \??\W: | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
File opened (read-only) | \??\E: | qkbrl.exe
File opened (read-only) | \??\H: | qkbrl.exe
File opened (read-only) | \??\O: | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
File opened (read-only) | \??\U: | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
File opened (read-only) | \??\M: | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
File opened (read-only) | \??\R: | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
File opened (read-only) | \??\T: | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
File opened (read-only) | \??\V: | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
File opened (read-only) | \??\G: | qkbrl.exe
File opened (read-only) | \??\J: | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
File opened (read-only) | \??\L: | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
File opened (read-only) | \??\N: | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
File opened (read-only) | \??\P: | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
File opened (read-only) | \??\S: | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
File opened (read-only) | \??\G: | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
File opened (read-only) | \??\K: | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\kools.exe | zlttlg.exe
File created | C:\Windows\SysWOW64\vyphoskv.exe | pkhxaf.exe
File created | C:\Windows\SysWOW64\pyhgxx.exe | gptrb.exe
File created | C:\Windows\SysWOW64\khyxff.exe | bjeytp.exe
File created | C:\Windows\SysWOW64\bplistfu.exe | ebbto.exe
File opened for modification | C:\Windows\SysWOW64\doqluvzg.exe | mmajmfkm.exe
File created | C:\Windows\SysWOW64\ejgfegf.exe | zqvmg.exe
File created | C:\Windows\SysWOW64\eefmvc.exe | vkcwkq.exe
File opened for modification | C:\Windows\SysWOW64\miwtgc.exe | hoxuglv.exe
File opened for modification | C:\Windows\SysWOW64\uxtfutm.exe | adlgaybk.exe
File created | C:\Windows\SysWOW64\ozucjum.exe | zfzurfv.exe
File opened for modification | C:\Windows\SysWOW64\kfhrr.exe | gekfheop.exe
File created | C:\Windows\SysWOW64\vfxscu.exe | ppaxcks.exe
File opened for modification | C:\Windows\SysWOW64\afesq.exe | vsysbr.exe
File created | C:\Windows\SysWOW64\zqvmg.exe | orlkg.exe
File opened for modification | C:\Windows\SysWOW64\atkzko.exe | ieaupze.exe
File created | C:\Windows\SysWOW64\hjmaxc.exe | onlnvd.exe
File opened for modification | C:\Windows\SysWOW64\nsntn.exe | gzarkjso.exe
File created | C:\Windows\SysWOW64\zdehfdzn.exe | hfubufd.exe
File created | C:\Windows\SysWOW64\hfubufd.exe | auokssnw.exe
File opened for modification | C:\Windows\SysWOW64\btsetisa.exe | iywpfh.exe
File opened for modification | C:\Windows\SysWOW64\faofl.exe | dwydi.exe
File opened for modification | C:\Windows\SysWOW64\ieaupze.exe | qomumd.exe
File created | C:\Windows\SysWOW64\zzkaki.exe | uksybqp.exe
File created | C:\Windows\SysWOW64\twvcnuu.exe | ltiqrq.exe
File created | C:\Windows\SysWOW64\sdhie.exe | gqdaqo.exe
File created | C:\Windows\SysWOW64\tjkrh.exe | nndwoyim.exe
File opened for modification | C:\Windows\SysWOW64\oxjvoiok.exe | kmdpws.exe
File created | C:\Windows\SysWOW64\rymwdvi.exe | ooftzep.exe
File opened for modification | C:\Windows\SysWOW64\vyphoskv.exe | pkhxaf.exe
File created | C:\Windows\SysWOW64\gdyhxrol.exe | jddyxxry.exe
File opened for modification | C:\Windows\SysWOW64\pisapljy.exe | qtyextm.exe
File opened for modification | C:\Windows\SysWOW64\rcwtvg.exe | fybllhf.exe
File opened for modification | C:\Windows\SysWOW64\tfrmj.exe | gooca.exe
File created | C:\Windows\SysWOW64\ctnbmlh.exe | cqxqaola.exe
File created | C:\Windows\SysWOW64\ynuzfnl.exe | yawaw.exe
File opened for modification | C:\Windows\SysWOW64\atafsbu.exe | jywdjfur.exe
File created | C:\Windows\SysWOW64\cfbxmg.exe | zdqbfw.exe
File opened for modification | C:\Windows\SysWOW64\ejirvr.exe | cwyvqg.exe
File created | C:\Windows\SysWOW64\utkmref.exe | afesq.exe
File opened for modification | C:\Windows\SysWOW64\zqvmg.exe | orlkg.exe
File opened for modification | C:\Windows\SysWOW64\ctnbmlh.exe | cqxqaola.exe
File opened for modification | C:\Windows\SysWOW64\xwyfv.exe | gtzmx.exe
File opened for modification | C:\Windows\SysWOW64\ynuzfnl.exe | yawaw.exe
File opened for modification | C:\Windows\SysWOW64\khyxff.exe | bjeytp.exe
File created | C:\Windows\SysWOW64\yrqqbbt.exe | dtdnvui.exe
File created | C:\Windows\SysWOW64\prjqiz.exe | mldozksb.exe
File opened for modification | C:\Windows\SysWOW64\nndwoyim.exe | ufeyyzb.exe
File opened for modification | C:\Windows\SysWOW64\pwnvygta.exe | qorwtm.exe
File opened for modification | C:\Windows\SysWOW64\osijesj.exe | gxliy.exe
File opened for modification | C:\Windows\SysWOW64\nnzoud.exe | ncyyril.exe
File created | C:\Windows\SysWOW64\pnckz.exe | vwqsmgw.exe
File opened for modification | C:\Windows\SysWOW64\broxi.exe | pxqwfy.exe
File opened for modification | C:\Windows\SysWOW64\gekfheop.exe | kjojl.exe
File created | C:\Windows\SysWOW64\hildzip.exe | sceegl.exe
File opened for modification | C:\Windows\SysWOW64\deuanle.exe | zqewtlq.exe
File opened for modification | C:\Windows\SysWOW64\vlybfq.exe | teuiegiv.exe
File created | C:\Windows\SysWOW64\hbnvqd.exe | zarbyu.exe
File created | C:\Windows\SysWOW64\vkcwkq.exe | pkhxcek.exe
File opened for modification | C:\Windows\SysWOW64\ddhofiw.exe | nsntn.exe
File created | C:\Windows\SysWOW64\bpcow.exe | wlijird.exe
File opened for modification | C:\Windows\SysWOW64\hoxuglv.exe | kmbmy.exe
File opened for modification | C:\Windows\SysWOW64\rmlzf.exe | rwqdqc.exe
File opened for modification | C:\Windows\SysWOW64\trqxtx.exe | prjqiz.exe
Drops file in Program Files directory 3 IoCs
description | ioc | Process
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid | Process
4436 | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
4436 | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
4436 | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
4436 | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
4436 | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
4436 | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
1452 | qkbrl.exe
1452 | qkbrl.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4436 | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Token: SeDebugPrivilege | 4436 | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Token: SeDebugPrivilege | 4436 | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Token: SeDebugPrivilege | 4436 | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Token: SeDebugPrivilege | 4436 | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Token: SeDebugPrivilege | 4436 | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Token: SeDebugPrivilege | 4436 | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Token: SeDebugPrivilege | 656 | jppyfux.exe
Token: SeDebugPrivilege | 4436 | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Token: SeDebugPrivilege | 4436 | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Token: SeDebugPrivilege | 4436 | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Token: SeDebugPrivilege | 4436 | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Token: SeDebugPrivilege | 2296 | cpiprzz.exe
Token: SeDebugPrivilege | 4484 | sceegl.exe
Token: SeDebugPrivilege | 1092 | hildzip.exe
Token: SeDebugPrivilege | 556 | omwidfu.exe
Token: SeDebugPrivilege | 4560 | khcfykp.exe
Token: SeDebugPrivilege | 1880 | neoircu.exe
Token: SeDebugPrivilege | 1632 | luqtmvzx.exe
Token: SeDebugPrivilege | 2464 | fbvkfah.exe
Token: SeDebugPrivilege | 2424 | cgmii.exe
Token: SeDebugPrivilege | 2088 | cwyvqg.exe
Token: SeDebugPrivilege | 1260 | ejirvr.exe
Token: SeDebugPrivilege | 5048 | ebbto.exe
Token: SeDebugPrivilege | 4512 | bplistfu.exe
Token: SeDebugPrivilege | 2208 | cywybp.exe
Token: SeDebugPrivilege | 4664 | ygmsezv.exe
Token: SeDebugPrivilege | 4436 | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Token: SeDebugPrivilege | 4436 | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Token: SeDebugPrivilege | 4436 | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Token: SeDebugPrivilege | 4436 | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Token: SeDebugPrivilege | 4436 | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Token: SeDebugPrivilege | 4436 | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Token: SeDebugPrivilege | 4436 | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Token: SeDebugPrivilege | 4436 | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Token: SeDebugPrivilege | 4436 | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Token: SeDebugPrivilege | 4436 | 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Token: SeDebugPrivilege | 5104 | uaruclyr.exe
Token: SeDebugPrivilege | 1412 | fxalmdc.exe
Token: SeDebugPrivilege | 3716 | zlttlg.exe
Token: SeDebugPrivilege | 2132 | kools.exe
Token: SeDebugPrivilege | 4972 | msushd.exe
Token: SeDebugPrivilege | 1976 | vcgdsta.exe
Token: SeDebugPrivilege | 4940 | lwqimod.exe
Token: SeDebugPrivilege | 4104 | fkdaque.exe
Token: SeDebugPrivilege | 1452 | qkbrl.exe
Token: SeDebugPrivilege | 4304 | gpfzz.exe
Token: SeDebugPrivilege | 5012 | ufeyyzb.exe
Token: SeDebugPrivilege | 5020 | nndwoyim.exe
Token: SeDebugPrivilege | 4876 | tjkrh.exe
Token: SeDebugPrivilege | 3556 | vimwppiz.exe
Token: SeDebugPrivilege | 232 | vxebiru.exe
Token: SeDebugPrivilege | 1672 | blqumlo.exe
Token: SeDebugPrivilege | 4380 | rrxkrnw.exe
Token: SeDebugPrivilege | 3292 | rwqdqc.exe
Token: SeDebugPrivilege | 236 | rmlzf.exe
Token: SeDebugPrivilege | 2684 | sauwg.exe
Token: SeDebugPrivilege | 4464 | ohrkwyqr.exe
Token: SeDebugPrivilege | 2784 | ezyrvsri.exe
Token: SeDebugPrivilege | 3256 | uixkh.exe
Token: SeDebugPrivilege | 3416 | qalxkfr.exe
Token: SeDebugPrivilege | 2584 | hcecoas.exe
Token: SeDebugPrivilege | 392 | srlreil.exe
Token: SeDebugPrivilege | 3156 | ybessi.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 4436 wrote to memory of 656 4436 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 84
PID 4436 wrote to memory of 656 4436 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 84
PID 4436 wrote to memory of 656 4436 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 84
PID 4436 wrote to memory of 800 4436 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 9
PID 4436 wrote to memory of 808 4436 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 10
PID 4436 wrote to memory of 1020 4436 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 13
PID 4436 wrote to memory of 2500 4436 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 42
PID 4436 wrote to memory of 2520 4436 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 43
PID 4436 wrote to memory of 2652 4436 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 46
PID 656 wrote to memory of 2296 656 jppyfux.exe 85
PID 656 wrote to memory of 2296 656 jppyfux.exe 85
PID 656 wrote to memory of 2296 656 jppyfux.exe 85
PID 4436 wrote to memory of 3524 4436 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 56
PID 4436 wrote to memory of 3672 4436 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 57
PID 4436 wrote to memory of 3864 4436 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 58
PID 4436 wrote to memory of 3964 4436 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 59
PID 4436 wrote to memory of 4032 4436 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 60
PID 4436 wrote to memory of 764 4436 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 61
PID 4436 wrote to memory of 3540 4436 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 62
PID 4436 wrote to memory of 1608 4436 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 74
PID 4436 wrote to memory of 3380 4436 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 76
PID 4436 wrote to memory of 2488 4436 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 80
PID 4436 wrote to memory of 4180 4436 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 81
PID 4436 wrote to memory of 2536 4436 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 83
PID 4436 wrote to memory of 656 4436 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 84
PID 4436 wrote to memory of 656 4436 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 84
PID 2296 wrote to memory of 4484 2296 cpiprzz.exe 86
PID 2296 wrote to memory of 4484 2296 cpiprzz.exe 86
PID 2296 wrote to memory of 4484 2296 cpiprzz.exe 86
PID 4484 wrote to memory of 1092 4484 sceegl.exe 87
PID 4484 wrote to memory of 1092 4484 sceegl.exe 87
PID 4484 wrote to memory of 1092 4484 sceegl.exe 87
PID 1092 wrote to memory of 556 1092 hildzip.exe 89
PID 1092 wrote to memory of 556 1092 hildzip.exe 89
PID 1092 wrote to memory of 556 1092 hildzip.exe 89
PID 556 wrote to memory of 4560 556 omwidfu.exe 90
PID 556 wrote to memory of 4560 556 omwidfu.exe 90
PID 556 wrote to memory of 4560 556 omwidfu.exe 90
PID 4560 wrote to memory of 1880 4560 khcfykp.exe 91
PID 4560 wrote to memory of 1880 4560 khcfykp.exe 91
PID 4560 wrote to memory of 1880 4560 khcfykp.exe 91
PID 1880 wrote to memory of 1632 1880 neoircu.exe 92
PID 1880 wrote to memory of 1632 1880 neoircu.exe 92
PID 1880 wrote to memory of 1632 1880 neoircu.exe 92
PID 1632 wrote to memory of 2464 1632 luqtmvzx.exe 93
PID 1632 wrote to memory of 2464 1632 luqtmvzx.exe 93
PID 1632 wrote to memory of 2464 1632 luqtmvzx.exe 93
PID 2464 wrote to memory of 2424 2464 fbvkfah.exe 94
PID 2464 wrote to memory of 2424 2464 fbvkfah.exe 94
PID 2464 wrote to memory of 2424 2464 fbvkfah.exe 94
PID 2424 wrote to memory of 2088 2424 cgmii.exe 95
PID 2424 wrote to memory of 2088 2424 cgmii.exe 95
PID 2424 wrote to memory of 2088 2424 cgmii.exe 95
PID 2088 wrote to memory of 1260 2088 cwyvqg.exe 96
PID 2088 wrote to memory of 1260 2088 cwyvqg.exe 96
PID 2088 wrote to memory of 1260 2088 cwyvqg.exe 96
PID 1260 wrote to memory of 5048 1260 ejirvr.exe 97
PID 1260 wrote to memory of 5048 1260 ejirvr.exe 97
PID 1260 wrote to memory of 5048 1260 ejirvr.exe 97
PID 5048 wrote to memory of 4512 5048 ebbto.exe 98
PID 5048 wrote to memory of 4512 5048 ebbto.exe 98
PID 5048 wrote to memory of 4512 5048 ebbto.exe 98
PID 4512 wrote to memory of 2208 4512 bplistfu.exe 99
PID 4512 wrote to memory of 2208 4512 bplistfu.exe 99
-
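The two signature tables above record which processes held SeDebugPrivilege and which process wrote into which other process, but they do not separate ordinary child creation from writes into processes that were already running when the sample started. SeDebugPrivilege is what lets a process open system-owned processes such as dwm.exe or Explorer.EXE with write access in the first place, which is why the two signatures show up together. The added example below is mine, not part of this report or of any sandbox tooling: it parses rows in the report's "wrote to memory of" format and resolves each target against the parent relationships from the Processes section further down (transcribed here by hand for a subset). A write into a process the writer itself spawned is what process creation looks like under this hook; a write into any other process is an injection candidate. Target PIDs that the Processes section does not list are kept with an unknown image.

```python
import re
from collections import defaultdict

# Constructed input: a subset of the report's WriteProcessMemory rows, copied in the
# report's own row format (writer pid, target pid, writer pid again, image, target index).
WPM_ROWS = """
PID 4436 wrote to memory of 656 4436 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 84
PID 4436 wrote to memory of 656 4436 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 84
PID 4436 wrote to memory of 656 4436 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 84
PID 4436 wrote to memory of 800 4436 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 9
PID 4436 wrote to memory of 808 4436 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 10
PID 4436 wrote to memory of 1020 4436 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 13
PID 4436 wrote to memory of 2500 4436 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 42
PID 4436 wrote to memory of 2520 4436 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 43
PID 4436 wrote to memory of 2652 4436 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 46
PID 4436 wrote to memory of 3524 4436 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 56
PID 4436 wrote to memory of 3672 4436 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe 57
PID 656 wrote to memory of 2296 656 jppyfux.exe 85
PID 2296 wrote to memory of 4484 2296 cpiprzz.exe 86
"""

# Constructed: (nesting level, pid, image) transcribed from the Processes section.
# A level-N+1 entry is a child of the nearest preceding level-N entry.
PROCESS_TREE = [
    (1, 800, "fontdrvhost.exe"),
    (1, 808, "fontdrvhost.exe"),
    (1, 1020, "dwm.exe"),
    (1, 2500, "sihost.exe"),
    (1, 2520, "svchost.exe"),
    (1, 2652, "taskhostw.exe"),
    (1, 3524, "Explorer.EXE"),
    (2, 4436, "4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe"),
    (3, 656, "jppyfux.exe"),
    (4, 2296, "cpiprzz.exe"),
    (5, 4484, "sceegl.exe"),
]

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")


def parent_map(tree):
    """pid -> parent pid, derived from the nesting levels; top-level entries get None."""
    parents, stack = {}, []
    for level, pid, _image in tree:
        del stack[level - 1:]          # drop everything deeper than the parent's level
        parents[pid] = stack[-1] if stack else None
        stack.append(pid)
    return parents


def classify_writes(rows, tree):
    """Split WriteProcessMemory targets into children the writer spawned itself and
    processes it did not spawn (the injection candidates). Returns (spawned, injected),
    each mapping writer pid -> set; injected entries carry the target image, or "?" when
    the Processes section does not list that pid."""
    parents = parent_map(tree)
    images = {pid: image for _level, pid, image in tree}
    spawned, injected = defaultdict(set), defaultdict(set)
    for m in ROW_RE.finditer(rows):
        writer, target = int(m.group(1)), int(m.group(2))
        if parents.get(target) == writer:
            spawned[writer].add(target)
        else:
            injected[writer].add((target, images.get(target, "?")))
    return dict(spawned), dict(injected)


if __name__ == "__main__":
    spawned, injected = classify_writes(WPM_ROWS, PROCESS_TREE)
    for writer, targets in injected.items():
        for pid, image in sorted(targets):
            print(f"{writer} -> {pid} ({image})")
    print("spawned:", spawned)
```

Run against the rows above, every write by 4436 into a process other than 656 lands in the injected set, including the write into its own parent Explorer.EXE (3524); the chain 4436 -> 656 -> 2296 -> 4484 is plain spawning. Duplicate rows (the sandbox logs the same spawn write three times) collapse in the sets.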
System policy modification 1 TTPs 2 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qkbrl.exe
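EnableLUA = 0 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System switches UAC off for every account, and the same two processes (4436 and qkbrl.exe, PID 1452) carry the "UAC bypass" and "Checks whether UAC is enabled" signatures in the process tree below. Two practical points: the change only takes effect after the next restart, so a host caught mid-infection may still show UAC prompts, and the sandbox names hives the kernel way (\REGISTRY\MACHINE is HKLM, ControlSet001 is whichever control set was current at snapshot time), so a live check should read CurrentControlSet. The added example below is mine, not part of the report: it parses rows in the report's "Set value" format, folds the path aliases, and compares each value against a hardened baseline. The EnableLUA rows are the two listed above; the EnableFirewall row is assumed, to show that the same check covers the firewall-policy values behind the "Modifies firewall policy service" signature.

```python
import re

# Constructed input in the report's "Set value" row format. The two EnableLUA rows are
# the ones listed above; the EnableFirewall row is assumed, not copied from the report.
REG_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qkbrl.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" qkbrl.exe
"""

# Hardened baseline: HKLM-relative value path -> (expected DWORD, what a deviation means).
FW = r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
BASELINE = {
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA":
        (1, "UAC turned off for all accounts after the next restart"),
    FW + r"\EnableFirewall": (1, "Windows Firewall standard profile turned off"),
    FW + r"\DisableNotifications": (0, "firewall block notifications suppressed"),
}

# Sandbox rows use the kernel-side hive name \REGISTRY\MACHINE, which is HKLM.
ROW_RE = re.compile(r'Set value \((\w+)\) \\REGISTRY\\MACHINE\\(\S+) = "([^"]*)" (\S+)')


def normalize(path):
    """Fold ControlSet00N into the CurrentControlSet alias the baseline uses; which set
    was current when the snapshot was taken is not part of the indicator."""
    return re.sub(r"^SYSTEM\\ControlSet\d{3}\\",
                  lambda _m: "SYSTEM\\CurrentControlSet\\", path)


def audit(rows):
    """Return one finding per row that moves a baselined value away from its hardened
    setting, keeping the writing process so the finding can be tied to the process tree."""
    findings = []
    for m in ROW_RE.finditer(rows):
        kind, path, data, proc = m.groups()
        key = normalize(path)
        if key not in BASELINE:
            continue                       # not a value this check cares about
        expected, meaning = BASELINE[key]
        actual = int(data) if kind == "int" else data
        if actual != expected:
            findings.append({"value": key.rsplit("\\", 1)[1], "set_to": actual,
                             "expected": expected, "by": proc, "meaning": meaning})
    return findings


if __name__ == "__main__":
    for f in audit(REG_ROWS):
        print(f"{f['by']}: {f['value']} = {f['set_to']} "
              f"(expected {f['expected']}): {f['meaning']}")
```

The same baseline table can be checked on a live host by reading the CurrentControlSet and Policies\System keys directly; the row parser is only there so the report's own output can be fed in offline.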
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:800
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:808
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:1020
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2500
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2520
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:2652
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3524
-
C:\Users\Admin\AppData\Local\Temp\4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\4052e869d0ef5649ad0bb14c7cdffbcf_JaffaCakes118.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4436 -
C:\Windows\SysWOW64\jppyfux.exeC:\Windows\system32\jppyfux.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:656 -
C:\Windows\SysWOW64\cpiprzz.exeC:\Windows\system32\cpiprzz.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\sceegl.exeC:\Windows\system32\sceegl.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4484 -
C:\Windows\SysWOW64\hildzip.exeC:\Windows\system32\hildzip.exe6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1092 -
C:\Windows\SysWOW64\omwidfu.exeC:\Windows\system32\omwidfu.exe7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:556 -
C:\Windows\SysWOW64\khcfykp.exeC:\Windows\system32\khcfykp.exe8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4560 -
C:\Windows\SysWOW64\neoircu.exeC:\Windows\system32\neoircu.exe9⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1880 -
C:\Windows\SysWOW64\luqtmvzx.exeC:\Windows\system32\luqtmvzx.exe10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\fbvkfah.exeC:\Windows\system32\fbvkfah.exe11⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\SysWOW64\cgmii.exeC:\Windows\system32\cgmii.exe12⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\cwyvqg.exeC:\Windows\system32\cwyvqg.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\ejirvr.exeC:\Windows\system32\ejirvr.exe14⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1260 -
C:\Windows\SysWOW64\ebbto.exeC:\Windows\system32\ebbto.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5048 -
C:\Windows\SysWOW64\bplistfu.exeC:\Windows\system32\bplistfu.exe16⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4512 -
C:\Windows\SysWOW64\cywybp.exeC:\Windows\system32\cywybp.exe17⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2208 -
C:\Windows\SysWOW64\ygmsezv.exeC:\Windows\system32\ygmsezv.exe18⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4664 -
C:\Windows\SysWOW64\uaruclyr.exeC:\Windows\system32\uaruclyr.exe19⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5104 -
C:\Windows\SysWOW64\fxalmdc.exeC:\Windows\system32\fxalmdc.exe20⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1412 -
C:\Windows\SysWOW64\zlttlg.exeC:\Windows\system32\zlttlg.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3716 -
C:\Windows\SysWOW64\kools.exeC:\Windows\system32\kools.exe22⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2132 -
C:\Windows\SysWOW64\msushd.exeC:\Windows\system32\msushd.exe23⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4972 -
C:\Windows\SysWOW64\vcgdsta.exeC:\Windows\system32\vcgdsta.exe24⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1976 -
C:\Windows\SysWOW64\lwqimod.exeC:\Windows\system32\lwqimod.exe25⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4940 -
C:\Windows\SysWOW64\fkdaque.exeC:\Windows\system32\fkdaque.exe26⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4104 -
C:\Windows\SysWOW64\qkbrl.exeC:\Windows\system32\qkbrl.exe27⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Deletes itself
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1452 -
C:\Windows\SysWOW64\gpfzz.exeC:\Windows\system32\gpfzz.exe28⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4304 -
C:\Windows\SysWOW64\ufeyyzb.exeC:\Windows\system32\ufeyyzb.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:5012 -
C:\Windows\SysWOW64\nndwoyim.exeC:\Windows\system32\nndwoyim.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:5020 -
C:\Windows\SysWOW64\tjkrh.exeC:\Windows\system32\tjkrh.exe31⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4876 -
C:\Windows\SysWOW64\vimwppiz.exeC:\Windows\system32\vimwppiz.exe32⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3556 -
C:\Windows\SysWOW64\vxebiru.exeC:\Windows\system32\vxebiru.exe33⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:232 -
C:\Windows\SysWOW64\blqumlo.exeC:\Windows\system32\blqumlo.exe34⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1672 -
C:\Windows\SysWOW64\rrxkrnw.exeC:\Windows\system32\rrxkrnw.exe35⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4380 -
C:\Windows\SysWOW64\rwqdqc.exeC:\Windows\system32\rwqdqc.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3292 -
C:\Windows\SysWOW64\rmlzf.exeC:\Windows\system32\rmlzf.exe37⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:236 -
C:\Windows\SysWOW64\sauwg.exeC:\Windows\system32\sauwg.exe38⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2684 -
C:\Windows\SysWOW64\ohrkwyqr.exeC:\Windows\system32\ohrkwyqr.exe39⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4464 -
C:\Windows\SysWOW64\ezyrvsri.exeC:\Windows\system32\ezyrvsri.exe40⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2784 -
C:\Windows\SysWOW64\uixkh.exeC:\Windows\system32\uixkh.exe41⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3256 -
C:\Windows\SysWOW64\qalxkfr.exeC:\Windows\system32\qalxkfr.exe42⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3416 -
C:\Windows\SysWOW64\hcecoas.exeC:\Windows\system32\hcecoas.exe43⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2584 -
C:\Windows\SysWOW64\srlreil.exeC:\Windows\system32\srlreil.exe44⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:392 -
C:\Windows\SysWOW64\ybessi.exeC:\Windows\system32\ybessi.exe45⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3156 -
C:\Windows\SysWOW64\kawgxeky.exeC:\Windows\system32\kawgxeky.exe46⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\rbfitdg.exeC:\Windows\system32\rbfitdg.exe47⤵
- Executes dropped EXE
PID:4232 -
C:\Windows\SysWOW64\fjhja.exeC:\Windows\system32\fjhja.exe48⤵
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\eomyfti.exeC:\Windows\system32\eomyfti.exe49⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3504 -
C:\Windows\SysWOW64\jyxwg.exeC:\Windows\system32\jyxwg.exe50⤵
- Executes dropped EXE
PID:4660 -
C:\Windows\SysWOW64\mldozksb.exeC:\Windows\system32\mldozksb.exe51⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1396 -
C:\Windows\SysWOW64\prjqiz.exeC:\Windows\system32\prjqiz.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3720 -
C:\Windows\SysWOW64\trqxtx.exeC:\Windows\system32\trqxtx.exe53⤵
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\pcullquh.exeC:\Windows\system32\pcullquh.exe54⤵
- Executes dropped EXE
PID:4460 -
C:\Windows\SysWOW64\tounn.exeC:\Windows\system32\tounn.exe55⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\rfvwjxlp.exeC:\Windows\system32\rfvwjxlp.exe56⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\fdapxi.exeC:\Windows\system32\fdapxi.exe57⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4776 -
C:\Windows\SysWOW64\wwuxjp.exeC:\Windows\system32\wwuxjp.exe58⤵
- Executes dropped EXE
PID:3880 -
C:\Windows\SysWOW64\pnuplse.exeC:\Windows\system32\pnuplse.exe59⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4180 -
C:\Windows\SysWOW64\ugtpoiue.exeC:\Windows\system32\ugtpoiue.exe60⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4200 -
C:\Windows\SysWOW64\hbocd.exeC:\Windows\system32\hbocd.exe61⤵
- Executes dropped EXE
PID:5000 -
C:\Windows\SysWOW64\zbkida.exeC:\Windows\system32\zbkida.exe62⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4472 -
C:\Windows\SysWOW64\auokssnw.exeC:\Windows\system32\auokssnw.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2072 -
C:\Windows\SysWOW64\hfubufd.exeC:\Windows\system32\hfubufd.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1824 -
C:\Windows\SysWOW64\zdehfdzn.exeC:\Windows\system32\zdehfdzn.exe65⤵
- Executes dropped EXE
PID:1436 -
C:\Windows\SysWOW64\cozbt.exeC:\Windows\system32\cozbt.exe66⤵
- Executes dropped EXE
PID:1872 -
C:\Windows\SysWOW64\jgrvtb.exeC:\Windows\system32\jgrvtb.exe67⤵PID:3600
-
C:\Windows\SysWOW64\nbojpxqj.exeC:\Windows\system32\nbojpxqj.exe68⤵PID:1052
-
C:\Windows\SysWOW64\jwycib.exeC:\Windows\system32\jwycib.exe69⤵PID:3620
-
C:\Windows\SysWOW64\ebfqst.exeC:\Windows\system32\ebfqst.exe70⤵PID:4404
-
C:\Windows\SysWOW64\qtyextm.exeC:\Windows\system32\qtyextm.exe71⤵
- Drops file in System32 directory
PID:1972 -
C:\Windows\SysWOW64\pisapljy.exeC:\Windows\system32\pisapljy.exe72⤵PID:844
-
C:\Windows\SysWOW64\hwqrsgaf.exeC:\Windows\system32\hwqrsgaf.exe73⤵PID:2756
-
C:\Windows\SysWOW64\evfkxru.exeC:\Windows\system32\evfkxru.exe74⤵PID:3896
-
C:\Windows\SysWOW64\cgziml.exeC:\Windows\system32\cgziml.exe75⤵PID:1776
-
C:\Windows\SysWOW64\oirruwg.exeC:\Windows\system32\oirruwg.exe76⤵PID:4028
-
C:\Windows\SysWOW64\pahvabrm.exeC:\Windows\system32\pahvabrm.exe77⤵PID:4796
-
C:\Windows\SysWOW64\zmyvu.exeC:\Windows\system32\zmyvu.exe78⤵PID:4400
-
C:\Windows\SysWOW64\hknlne.exeC:\Windows\system32\hknlne.exe79⤵PID:2928
-
C:\Windows\SysWOW64\jcpdcwu.exeC:\Windows\system32\jcpdcwu.exe80⤵PID:5156
-
C:\Windows\SysWOW64\yrzxdxzz.exeC:\Windows\system32\yrzxdxzz.exe81⤵PID:5188
-
C:\Windows\SysWOW64\cccmlh.exeC:\Windows\system32\cccmlh.exe82⤵
- Adds Run key to start application
PID:5224 -
C:\Windows\SysWOW64\rdulaak.exeC:\Windows\system32\rdulaak.exe83⤵PID:5256
-
C:\Windows\SysWOW64\pidcfcy.exeC:\Windows\system32\pidcfcy.exe84⤵
- Adds Run key to start application
PID:5288 -
C:\Windows\SysWOW64\iywpfh.exeC:\Windows\system32\iywpfh.exe85⤵
- Drops file in System32 directory
PID:5324 -
C:\Windows\SysWOW64\btsetisa.exeC:\Windows\system32\btsetisa.exe86⤵PID:5356
-
C:\Windows\SysWOW64\iprxm.exeC:\Windows\system32\iprxm.exe87⤵PID:5400
-
C:\Windows\SysWOW64\lduyex.exeC:\Windows\system32\lduyex.exe88⤵PID:5432
-
C:\Windows\SysWOW64\vvhbtzot.exeC:\Windows\system32\vvhbtzot.exe89⤵PID:5468
-
C:\Windows\SysWOW64\xitnj.exeC:\Windows\system32\xitnj.exe90⤵PID:5500
-
C:\Windows\SysWOW64\vsysbr.exeC:\Windows\system32\vsysbr.exe91⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:5532 -
C:\Windows\SysWOW64\afesq.exeC:\Windows\system32\afesq.exe92⤵
- Drops file in System32 directory
PID:5564 -
C:\Windows\SysWOW64\utkmref.exeC:\Windows\system32\utkmref.exe93⤵PID:5596
-
C:\Windows\SysWOW64\qsrucqk.exeC:\Windows\system32\qsrucqk.exe94⤵PID:5628
-
C:\Windows\SysWOW64\gkptfi.exeC:\Windows\system32\gkptfi.exe95⤵
- Adds Run key to start application
PID:5660 -
C:\Windows\SysWOW64\dnnagdgs.exeC:\Windows\system32\dnnagdgs.exe96⤵PID:5692
-
C:\Windows\SysWOW64\ythao.exeC:\Windows\system32\ythao.exe97⤵PID:5724
-
C:\Windows\SysWOW64\kxrykhgc.exeC:\Windows\system32\kxrykhgc.exe98⤵PID:5756
-
C:\Windows\SysWOW64\orlkg.exeC:\Windows\system32\orlkg.exe99⤵
- Drops file in System32 directory
PID:5792 -
C:\Windows\SysWOW64\zqvmg.exeC:\Windows\system32\zqvmg.exe100⤵
- Drops file in System32 directory
PID:5836 -
C:\Windows\SysWOW64\ejgfegf.exeC:\Windows\system32\ejgfegf.exe101⤵PID:5872
-
C:\Windows\SysWOW64\pstyz.exeC:\Windows\system32\pstyz.exe102⤵PID:5904
-
C:\Windows\SysWOW64\iugik.exeC:\Windows\system32\iugik.exe103⤵PID:5936
-
C:\Windows\SysWOW64\dwydi.exeC:\Windows\system32\dwydi.exe104⤵
- Drops file in System32 directory
PID:5972 -
C:\Windows\SysWOW64\faofl.exeC:\Windows\system32\faofl.exe105⤵PID:6012
-
C:\Windows\SysWOW64\chcrwsca.exeC:\Windows\system32\chcrwsca.exe106⤵PID:6048
-
C:\Windows\SysWOW64\stilcoj.exeC:\Windows\system32\stilcoj.exe107⤵PID:6080
-
C:\Windows\SysWOW64\fybllhf.exeC:\Windows\system32\fybllhf.exe108⤵
- Drops file in System32 directory
PID:6112 -
C:\Windows\SysWOW64\rcwtvg.exeC:\Windows\system32\rcwtvg.exe109⤵
- Adds Run key to start application
PID:184 -
C:\Windows\SysWOW64\qorwtm.exeC:\Windows\system32\qorwtm.exe110⤵
- Drops file in System32 directory
PID:5196 -
C:\Windows\SysWOW64\pwnvygta.exeC:\Windows\system32\pwnvygta.exe111⤵
- Adds Run key to start application
PID:5268 -
C:\Windows\SysWOW64\eggbq.exeC:\Windows\system32\eggbq.exe112⤵PID:5336
-
C:\Windows\SysWOW64\avzlly.exeC:\Windows\system32\avzlly.exe113⤵PID:5440
-
C:\Windows\SysWOW64\gooca.exeC:\Windows\system32\gooca.exe114⤵
- Drops file in System32 directory
PID:5560 -
C:\Windows\SysWOW64\tfrmj.exeC:\Windows\system32\tfrmj.exe115⤵
- Adds Run key to start application
PID:5640 -
C:\Windows\SysWOW64\bzynipv.exeC:\Windows\system32\bzynipv.exe116⤵PID:5732
-
C:\Windows\SysWOW64\nyaoej.exeC:\Windows\system32\nyaoej.exe117⤵PID:5800
-
C:\Windows\SysWOW64\sxmtxmi.exeC:\Windows\system32\sxmtxmi.exe118⤵PID:5460
-
C:\Windows\SysWOW64\clzafbop.exeC:\Windows\system32\clzafbop.exe119⤵PID:5956
-
C:\Windows\SysWOW64\gxliy.exeC:\Windows\system32\gxliy.exe120⤵
- Drops file in System32 directory
PID:6044 -
C:\Windows\SysWOW64\osijesj.exeC:\Windows\system32\osijesj.exe121⤵PID:6132
-
C:\Windows\SysWOW64\piivz.exeC:\Windows\system32\piivz.exe122⤵PID:5372