Analysis
max time kernel: 37s
max time network: 16s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 15-07-2024 04:53

Behavioral task: behavioral1
Sample: 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
Resource: win7-20240704-en
General
Target: 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
Size: 116KB
MD5: 484ca151445e3fb77e6a98d077d72d1f
SHA1: 396156a2935f2ea1a086a96021ba10ded4994cf5
SHA256: 861dc9f7425c54ca192825634cde246290aa7e77fb71c3e070fb37b16c56c99f
SHA512: fd12fd738da27a7a454bed35a8e3c08820136c758f2cb2b5a8352d7630435e86a38bb7b2ac54d1e5427318adb4ee7c207112853cf73058cd23b68697ae8fcb43
SSDEEP: 3072:8Z65UAF8tWMv55UpxPggiLrJ88cdFMz4BJ/uK:8EtF835kxPggiLrKTdWzEWK
Malware Config
Extracted family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures

Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | ezcvcwfm.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | ezcvcwfm.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | ezcvcwfm.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
Disables UAC via registry modification (EnableLUA = 0) 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ezcvcwfm.exe
Modifies Windows Security Center settings via registry (overrides AV/firewall state and suppresses its alerts) 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ezcvcwfm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ezcvcwfm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | ezcvcwfm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ezcvcwfm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ezcvcwfm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | ezcvcwfm.exe
Disables RegEdit via registry modification 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | ezcvcwfm.exe
Disables Task Manager via registry modification (no IoC rows listed)
Deletes itself 1 IoCs
pid | Process
2872 | ezcvcwfm.exe
Executes dropped EXE 64 IoCs
pid Process pairs, in the order the sandbox recorded them:
2132 sauls.exe, 2740 nqclpz.exe, 2564 pgerf.exe, 2716 jhpinvjr.exe, 3004 abpssj.exe, 1512 rfnqzxlf.exe, 1636 xlnzd.exe, 1964 lhxmd.exe,
1036 xoiaojtu.exe, 1968 ovdma.exe, 2580 fpaluljz.exe, 2096 zaxofbzj.exe, 1972 zsbbb.exe, 1356 xcxzera.exe, 2524 hnstqm.exe, 1712 jmbjs.exe,
2904 pftji.exe, 2164 deicdb.exe, 1716 bmcve.exe, 992 zqkvt.exe, 1428 lfsmda.exe, 1276 lvqyj.exe, 2464 nrlsonlk.exe, 2832 qtntjuu.exe,
2692 nmhkksn.exe, 2864 cparzii.exe, 2340 ovuow.exe, 2584 nppdte.exe, 580 bppdy.exe, 2200 doixako.exe, 1552 ziydvoh.exe, 572 drvntw.exe,
2848 wujkgs.exe, 2660 gzawqmdl.exe, 1148 rbwgnotp.exe, 1108 cmvcra.exe, 1484 gdilf.exe, 2844 prjnedk.exe, 272 tvuzr.exe, 940 tmmpz.exe,
1476 joomf.exe, 2356 oiqfx.exe, 2800 wbbuyci.exe, 2592 myxkkvg.exe, 2104 akksasnc.exe, 1600 srxjueki.exe, 2392 pjekcs.exe, 1924 ciwzhupp.exe,
1696 avfvhmn.exe, 1644 pbzthann.exe, 2552 ooambagj.exe, 1944 hvxgtp.exe, 1720 njmsh.exe, 2420 yyazlgrz.exe, 2992 uonib.exe, 2440 hmskra.exe,
2872 ezcvcwfm.exe, 2908 bwewar.exe, 2004 kfhmmgj.exe, 612 wctwyy.exe, 1976 papfecrx.exe, 1908 ogmpgund.exe, 3012 bgicwxm.exe, 560 mpwyow.exe
Loads dropped DLL 64 IoCs
pid Process pairs; every process appears twice in the report (two load events each):
468 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe, 2132 sauls.exe, 2740 nqclpz.exe, 2564 pgerf.exe, 2716 jhpinvjr.exe, 3004 abpssj.exe, 1512 rfnqzxlf.exe, 1636 xlnzd.exe,
1964 lhxmd.exe, 1036 xoiaojtu.exe, 1968 ovdma.exe, 2580 fpaluljz.exe, 2096 zaxofbzj.exe, 1972 zsbbb.exe, 1356 xcxzera.exe, 2524 hnstqm.exe,
1712 jmbjs.exe, 2904 pftji.exe, 2164 deicdb.exe, 1716 bmcve.exe, 992 zqkvt.exe, 1428 lfsmda.exe, 1276 lvqyj.exe, 2464 nrlsonlk.exe,
2832 qtntjuu.exe, 2692 nmhkksn.exe, 2864 cparzii.exe, 2340 ovuow.exe, 2584 nppdte.exe, 580 bppdy.exe, 2200 doixako.exe, 1552 ziydvoh.exe
UPX-packed memory regions (yara rule: upx)
resource | yara_rule
Memory resources are named behavioral1/memory/<pid>-<n>-<start>-<end>-memory.dmp; they are grouped below by the address range they share and listed as <pid>-<n> in the order the report prints them.
0x0000000031420000-0x0000000031443000 (mapped at the same address in pid 468 and in the dropped processes): 468-0, 2132-35, 2740-47, 468-69, 3004-83, 2132-89, 1512-96, 2740-106, 2564-112, 2716-128, 1968-139, 3004-149, 2096-162, 1512-160, 1636-179, 1964-184, 1036-196, 1968-202, 2580-209, 1972-221, 2096-219, 1356-229, 992-242, 2524-240, 1428-248, 1276-256, 1712-254, 2904-265, 2832-274, 2692-285, 1716-284, 2164-281, 2864-294, 992-292, 1428-302, 2340-305, 1276-304, 2464-314, 2832-319, 2200-327, 1552-334, 2692-333 | upx
0x0000000001D40000-0x0000000002DCE000 (pid 468 only): 468-4, 468-8, 468-1, 468-5, 468-23, 468-7, 468-6, 468-24, 468-22, 468-40, 468-48, 468-41, 468-63, 468-64, 468-84, 468-107, 468-185, 468-186, 468-214, 468-266 | upx
0x00000000002C0000-0x00000000002E3000: 2904-280 | upx
behavioral1/files/0x00080000000120ff-27.dat | upx
Modifies Windows Security Center registry keys (second signature; also creates the Security Center\Svc key) 14 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | ezcvcwfm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | ezcvcwfm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ezcvcwfm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ezcvcwfm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ezcvcwfm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ezcvcwfm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | ezcvcwfm.exe
Adds Run key to start application 2 TTPs 64 IoCs
description | ioc | Process
Every row is the same operation: Set value (str) on \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service, with data "C:\\Windows\\system32\\<exe>" (backslashes doubled as the report prints them). The value name borrows the name of the legitimate Cryptographic Services service, and each newly launched binary overwrites it to point at the next one it drops. Rows below give <exe> | writer Process:
sauls.exe | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
xxgkgku.exe | tiftx.exe
utpmjmi.exe | wfqfxbg.exe
uadiwne.exe | dlrdc.exe
myxkkvg.exe | wbbuyci.exe
ydfgsxfg.exe | lovir.exe
oxqghnk.exe | zyuiget.exe
mcemlyym.exe | dlgbgsvo.exe
sbllj.exe | jxague.exe
uckhvg.exe | vtqvg.exe
lfsmda.exe | zqkvt.exe
yyazlgrz.exe | njmsh.exe
jodwc.exe | epnbcxk.exe
qelnao.exe | jimmlbax.exe
kykqp.exe | laqwbly.exe
tpzxby.exe | bxgzhzh.exe
kfhmmgj.exe | bwewar.exe
wctwyy.exe | kfhmmgj.exe
iecjl.exe | jhzxdne.exe
wgkiveqs.exe | luemulf.exe
zymsn.exe | adgngmji.exe
bwewar.exe | ezcvcwfm.exe
lmfehqip.exe | qrobmo.exe
tuvtpvod.exe | hmwiteaj.exe
lvvswu.exe | avkth.exe
nhvuuuj.exe | zymsn.exe
aoichy.exe | kgsbr.exe
lmxgo.exe | eckur.exe
dlhxsc.exe | qvkykkz.exe
ucqmuu.exe | esgusoc.exe
qhmbsjm.exe | lmfehqip.exe
kymavng.exe | fakbdhb.exe
xrkqkex.exe | krtput.exe
nppdte.exe | ovuow.exe
jryzb.exe | ezuxjn.exe
jiutxu.exe | cbmder.exe
dgqhxtdp.exe | kusdu.exe
qcbyi.exe | tpzxby.exe
zttdz.exe | wjmadw.exe
hexnd.exe | lmgkg.exe
qrobmo.exe | meripcv.exe
ucwrad.exe | gbabwfk.exe
wwkhogw.exe | ucwrad.exe
ucskpm.exe | kfuqne.exe
whpjij.exe | cozwmd.exe
ewzaldk.exe | ugjxsb.exe
xwyhfks.exe | ewyswl.exe
osojkt.exe | sqruwc.exe
lhfsplrj.exe | cnqkyk.exe
lrlkvo.exe | qvccsns.exe
yyqmgx.exe | ikbwamt.exe
zkzaqn.exe | qzqdbxt.exe
lhxmd.exe | xlnzd.exe
sqkcj.exe | hylnhin.exe
bdaadf.exe | rfqrl.exe
hpfzotdw.exe | sbllj.exe
qwakm.exe | yuqlcwhs.exe
ovdma.exe | xoiaojtu.exe
htqfqk.exe | ogpvlho.exe
afxtgw.exe | ewzaldk.exe
deicdb.exe | pftji.exe
lxzzlp.exe | tjltkhy.exe
wtouyb.exe | iecjl.exe
wjmadw.exe | bacecc.exe
Disables UAC (EnableLUA = 0; second signature reporting the same writes) 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ezcvcwfm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
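The registry rows in the signatures above (firewall policy, EnableLUA, Security Center overrides, DisableRegistryTools) and the Run-key rows are printed as flat "Set value (kind) <path> = "<data>" <process>" text. The script below is an added example, not part of this report or of the sandbox that produced it: it parses rows in that shape, maps each process to the security controls it switched off, and rebuilds the autorun hand-off chain (ezcvcwfm.exe -> bwewar.exe -> kfhmmgj.exe -> wctwyy.exe) from the repeatedly rewritten "Cryptographic Service" Run value. The sample rows are a constructed subset copied from this report; the rule labels are mine, and the DisableTaskMgr entry is an assumed key for the "Disables Task Manager" signature, which printed no rows.

```python
"""Triage a Sality-style sandbox report: parse the registry IoC rows, map
each process to the Windows security controls it switched off, and rebuild
the autorun hand-off chain from the rewritten Run value."""
import re
from collections import defaultdict

# Constructed sample: a subset of the report's own registry rows, in the
# exact text shape the sandbox prints them.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" ezcvcwfm.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" ezcvcwfm.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" ezcvcwfm.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc ezcvcwfm.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\sauls.exe" 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\bwewar.exe" ezcvcwfm.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\kfhmmgj.exe" bwewar.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\wctwyy.exe" kfhmmgj.exe',
]

SET_VALUE = re.compile(
    r'^Set value \((?P<kind>int|str)\) (?P<path>.+?) = "(?P<data>.*)" (?P<proc>\S+)$')

# Lower-cased path suffix -> (value that means the control is off, label).
# All but DisableTaskMgr appear in the report; DisableTaskMgr is the assumed
# key behind the "Disables Task Manager" signature, which printed no rows.
TAMPER_RULES = {
    r'firewallpolicy\standardprofile\enablefirewall': ('0', 'Windows Firewall disabled'),
    r'firewallpolicy\standardprofile\donotallowexceptions': ('0', 'firewall exceptions allowed'),
    r'firewallpolicy\standardprofile\disablenotifications': ('1', 'firewall notifications suppressed'),
    r'policies\system\enablelua': ('0', 'UAC disabled'),
    r'policies\system\disableregistrytools': ('1', 'Registry Editor blocked'),
    r'policies\system\disabletaskmgr': ('1', 'Task Manager blocked'),
    r'security center\antivirusoverride': ('1', 'Security Center AV state overridden'),
    r'security center\antivirusdisablenotify': ('1', 'Security Center AV alerts suppressed'),
    r'security center\firewalloverride': ('1', 'Security Center firewall state overridden'),
    r'security center\firewalldisablenotify': ('1', 'Security Center firewall alerts suppressed'),
    r'security center\uacdisablenotify': ('1', 'Security Center UAC alerts suppressed'),
    r'security center\updatesdisablenotify': ('1', 'Security Center update alerts suppressed'),
}
RUN_KEY = '\\currentversion\\run\\'


def parse_row(line):
    """Return {kind, path, data, proc} for a 'Set value' row, else None."""
    m = SET_VALUE.match(line.strip())
    return m.groupdict() if m else None


def tamper_findings(rows):
    """Map each process name to the (sorted) security controls it turned off."""
    findings = defaultdict(set)
    for rec in filter(None, map(parse_row, rows)):
        if rec['kind'] != 'int':
            continue
        path = rec['path'].lower()
        for suffix, (off_value, label) in TAMPER_RULES.items():
            if path.endswith(suffix) and rec['data'] == off_value:
                findings[rec['proc']].add(label)
    return {proc: sorted(labels) for proc, labels in findings.items()}


def run_key_links(rows):
    """writer process -> basename of the executable it registered under Run."""
    links = {}
    for rec in filter(None, map(parse_row, rows)):
        if rec['kind'] == 'str' and RUN_KEY in rec['path'].lower():
            # The report prints the data with doubled backslashes; undo that.
            exe = rec['data'].replace('\\\\', '\\').rsplit('\\', 1)[-1]
            links[rec['proc']] = exe
    return links


def follow_chain(links, start):
    """Walk writer -> registered exe -> its own Run write ... until it stops or loops."""
    chain, seen = [start], {start}
    while chain[-1] in links and links[chain[-1]] not in seen:
        chain.append(links[chain[-1]])
        seen.add(chain[-1])
    return chain


def rewritten_run_values(rows):
    """Run values written by more than one distinct process: the hand-off
    pattern where every dropped binary re-points the same autorun entry."""
    writers = defaultdict(set)
    for rec in filter(None, map(parse_row, rows)):
        if rec['kind'] == 'str' and RUN_KEY in rec['path'].lower():
            writers[rec['path']].add(rec['proc'])
    return {path: len(w) for path, w in writers.items() if len(w) > 1}


if __name__ == '__main__':
    for proc, labels in tamper_findings(SAMPLE_ROWS).items():
        print(f'{proc}: {", ".join(labels)}')
    links = run_key_links(SAMPLE_ROWS)
    print('autorun hand-off:', ' -> '.join(follow_chain(links, 'ezcvcwfm.exe')))
    for path, n in rewritten_run_values(SAMPLE_ROWS).items():
        print(f'{n} distinct writers rewrote {path}')
```

Feed it the full row set from the signatures above to get the complete chain; a Run value with more than one distinct writer is the signal worth alerting on, since legitimate installers write an autorun entry once and leave it alone. Matching on path suffixes keeps the rules valid whether the sandbox printed the key under ControlSet001, CurrentControlSet or a Wow6432Node view.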
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\W:, \??\X:, \??\Z:, \??\N:, \??\P:, \??\Q:, \??\S:, \??\Y:, \??\G:, \??\K:, \??\U:, \??\V:, \??\H:, \??\M:, \??\T:, \??\O:, \??\R:, \??\E:, \??\I:, \??\J:, \??\L: (21 rows, one per drive letter) | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
File opened (read-only) | \??\E: | ezcvcwfm.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\tpviqcly.exe | bthlw.exe
File opened for modification | C:\Windows\SysWOW64\sbsvdrh.exe | sxahzsse.exe
File created | C:\Windows\SysWOW64\tegsyv.exe | sbqar.exe
File opened for modification | C:\Windows\SysWOW64\uhsjxmr.exe | brnrs.exe
File created | C:\Windows\SysWOW64\brhvh.exe | wjzzwnb.exe
File created | C:\Windows\SysWOW64\aubdm.exe | qwtbaa.exe
File created | C:\Windows\SysWOW64\lnqetqc.exe | hysvtaal.exe
File opened for modification | C:\Windows\SysWOW64\utpmjmi.exe | wfqfxbg.exe
File created | C:\Windows\SysWOW64\ewzaldk.exe | ugjxsb.exe
File opened for modification | C:\Windows\SysWOW64\ntttdy.exe | bqzaillm.exe
File opened for modification | C:\Windows\SysWOW64\zsbbb.exe | zaxofbzj.exe
File created | C:\Windows\SysWOW64\rfqrl.exe | yfjfhmz.exe
File opened for modification | C:\Windows\SysWOW64\ogpvlho.exe | bdaadf.exe
File opened for modification | C:\Windows\SysWOW64\qpggmbrm.exe | spjvpvc.exe
File created | C:\Windows\SysWOW64\qprjbtnb.exe | wyqreh.exe
File created | C:\Windows\SysWOW64\grjun.exe | izpqtzx.exe
File opened for modification | C:\Windows\SysWOW64\zaxofbzj.exe | fpaluljz.exe
File created | C:\Windows\SysWOW64\wykokqc.exe | fvvec.exe
File opened for modification | C:\Windows\SysWOW64\rypmhp.exe | whpjij.exe
File created | C:\Windows\SysWOW64\grmbbd.exe | uibiqofr.exe
File opened for modification | C:\Windows\SysWOW64\siltlb.exe | ocjlty.exe
File opened for modification | C:\Windows\SysWOW64\pmvjhi.exe | cdojfn.exe
File created | C:\Windows\SysWOW64\whdaowu.exe | otsiburc.exe
File created | C:\Windows\SysWOW64\jjaztgy.exe | zjaotig.exe
File opened for modification | C:\Windows\SysWOW64\hvosccun.exe | djpaowjx.exe
File opened for modification | C:\Windows\SysWOW64\kymavng.exe | fakbdhb.exe
File opened for modification | C:\Windows\SysWOW64\upaqomsx.exe | grjun.exe
File opened for modification | C:\Windows\SysWOW64\osojkt.exe | sqruwc.exe
File created | C:\Windows\SysWOW64\jhsrkz.exe | mxdospl.exe
File opened for modification | C:\Windows\SysWOW64\otcvbg.exe | fuxif.exe
File opened for modification | C:\Windows\SysWOW64\cctmfk.exe | pqfymab.exe
File created | C:\Windows\SysWOW64\uadiwne.exe | dlrdc.exe
File created | C:\Windows\SysWOW64\qtntjuu.exe | nrlsonlk.exe
File created | C:\Windows\SysWOW64\qokpwouw.exe | tuqqxrt.exe
File created | C:\Windows\SysWOW64\hostn.exe | qslmduur.exe
File created | C:\Windows\SysWOW64\laqwbly.exe | iwhshwzh.exe
File opened for modification | C:\Windows\SysWOW64\oyqevlyd.exe | rjgqcsza.exe
File created | C:\Windows\SysWOW64\drvntw.exe | ziydvoh.exe
File created | C:\Windows\SysWOW64\qghlh.exe | fiucutyt.exe
File created | C:\Windows\SysWOW64\ogpvlho.exe | bdaadf.exe
File opened for modification | C:\Windows\SysWOW64\elmvbreu.exe | hbvkz.exe
File created | C:\Windows\SysWOW64\eckur.exe | mlrroo.exe
File opened for modification | C:\Windows\SysWOW64\gjmbu.exe | qokpwouw.exe
File created | C:\Windows\SysWOW64\tlzhkak.exe | gfsurry.exe
File created | C:\Windows\SysWOW64\bmmkj.exe | etmsdibt.exe
File created | C:\Windows\SysWOW64\utpmjmi.exe | wfqfxbg.exe
File opened for modification | C:\Windows\SysWOW64\lmfehqip.exe | qrobmo.exe
File opened for modification | C:\Windows\SysWOW64\gakddn.exe | inoofc.exe
File created | C:\Windows\SysWOW64\yzsosy.exe | oxfgpf.exe
File created | C:\Windows\SysWOW64\xlnzd.exe | rfnqzxlf.exe
File opened for modification | C:\Windows\SysWOW64\qtntjuu.exe | nrlsonlk.exe
File opened for modification | C:\Windows\SysWOW64\kfuqne.exe | kuhrlv.exe
File opened for modification | C:\Windows\SysWOW64\svwkawul.exe | lnqetqc.exe
File created | C:\Windows\SysWOW64\ptmhtb.exe | sbvxvqef.exe
File created | C:\Windows\SysWOW64\brnrs.exe | eebcem.exe
File created | C:\Windows\SysWOW64\wemrr.exe | yawmlszj.exe
File opened for modification | C:\Windows\SysWOW64\tywyqo.exe | bloxvn.exe
File created | C:\Windows\SysWOW64\fwrxhda.exe | tlzhkak.exe
File created | C:\Windows\SysWOW64\apwkgqa.exe | xdjrk.exe
File created | C:\Windows\SysWOW64\tojpdcx.exe | zkwshsq.exe
File opened for modification | C:\Windows\SysWOW64\tpzxby.exe | bxgzhzh.exe
File created | C:\Windows\SysWOW64\tqnnsj.exe | nuvxzae.exe
File opened for modification | C:\Windows\SysWOW64\cdojfn.exe | akbczbh.exe
File opened for modification | C:\Windows\SysWOW64\laqwbly.exe | iwhshwzh.exe
Drops file in Program Files directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
468 | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe (repeated rows, one per enumeration)
2872 | ezcvcwfm.exe (repeated rows, one per enumeration)
Only these two processes enumerate; the 64 rows are split between them.
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 2 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" by 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" by ezcvcwfm.exe
Processes
Process tree, one entry per process: tree depth, PID, image path (command line), signatures.
- depth 1, PID 1044: C:\Windows\system32\Dwm.exe ("C:\Windows\system32\Dwm.exe")
- depth 1, PID 1072: C:\Windows\Explorer.EXE (C:\Windows\Explorer.EXE)
- depth 2, PID 468: C:\Users\Admin\AppData\Local\Temp\484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe ("C:\Users\Admin\AppData\Local\Temp\484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe"); signatures: Modifies firewall policy service, UAC bypass, Windows security bypass, Disables RegEdit via registry modification, Loads dropped DLL, Windows security modification, Adds Run key to start application, Checks whether UAC is enabled, Enumerates connected drives, Drops file in Program Files directory, Drops file in Windows directory, Suspicious behavior: EnumeratesProcesses, Suspicious use of AdjustPrivilegeToken, Suspicious use of WriteProcessMemory, System policy modification
- depth 3, PID 2132: C:\Windows\SysWOW64\sauls.exe (C:\Windows\system32\sauls.exe); signatures: Executes dropped EXE, Loads dropped DLL, Suspicious use of AdjustPrivilegeToken, Suspicious use of WriteProcessMemory
- depth 4, PID 2740: C:\Windows\SysWOW64\nqclpz.exe (C:\Windows\system32\nqclpz.exe); signatures: Executes dropped EXE, Loads dropped DLL, Suspicious use of AdjustPrivilegeToken, Suspicious use of WriteProcessMemory
- depth 5, PID 2564: C:\Windows\SysWOW64\pgerf.exe (C:\Windows\system32\pgerf.exe); signatures: Executes dropped EXE, Loads dropped DLL, Suspicious use of AdjustPrivilegeToken, Suspicious use of WriteProcessMemory
- depth 6, PID 2716: C:\Windows\SysWOW64\jhpinvjr.exe (C:\Windows\system32\jhpinvjr.exe); signatures: Executes dropped EXE, Loads dropped DLL, Suspicious use of AdjustPrivilegeToken, Suspicious use of WriteProcessMemory
- depth 7, PID 3004: C:\Windows\SysWOW64\abpssj.exe (C:\Windows\system32\abpssj.exe); signatures: Executes dropped EXE, Loads dropped DLL, Suspicious use of AdjustPrivilegeToken, Suspicious use of WriteProcessMemory
- depth 8, PID 1512: C:\Windows\SysWOW64\rfnqzxlf.exe (C:\Windows\system32\rfnqzxlf.exe); signatures: Executes dropped EXE, Loads dropped DLL, Drops file in System32 directory, Suspicious use of AdjustPrivilegeToken, Suspicious use of WriteProcessMemory
- depth 9, PID 1636: C:\Windows\SysWOW64\xlnzd.exe (C:\Windows\system32\xlnzd.exe); signatures: Executes dropped EXE, Loads dropped DLL, Adds Run key to start application, Suspicious use of AdjustPrivilegeToken, Suspicious use of WriteProcessMemory
- depth 10, PID 1964: C:\Windows\SysWOW64\lhxmd.exe (C:\Windows\system32\lhxmd.exe); signatures: Executes dropped EXE, Loads dropped DLL, Suspicious use of AdjustPrivilegeToken, Suspicious use of WriteProcessMemory
- depth 11, PID 1036: C:\Windows\SysWOW64\xoiaojtu.exe (C:\Windows\system32\xoiaojtu.exe); signatures: Executes dropped EXE, Loads dropped DLL, Adds Run key to start application, Suspicious use of AdjustPrivilegeToken, Suspicious use of WriteProcessMemory
- depth 12, PID 1968: C:\Windows\SysWOW64\ovdma.exe (C:\Windows\system32\ovdma.exe); signatures: Executes dropped EXE, Loads dropped DLL, Suspicious use of AdjustPrivilegeToken, Suspicious use of WriteProcessMemory
- depth 13, PID 2580: C:\Windows\SysWOW64\fpaluljz.exe (C:\Windows\system32\fpaluljz.exe); signatures: Executes dropped EXE, Loads dropped DLL, Drops file in System32 directory, Suspicious use of AdjustPrivilegeToken, Suspicious use of WriteProcessMemory
- depth 14, PID 2096: C:\Windows\SysWOW64\zaxofbzj.exe (C:\Windows\system32\zaxofbzj.exe); signatures: Executes dropped EXE, Loads dropped DLL, Drops file in System32 directory, Suspicious use of AdjustPrivilegeToken, Suspicious use of WriteProcessMemory
- depth 15, PID 1972: C:\Windows\SysWOW64\zsbbb.exe (C:\Windows\system32\zsbbb.exe); signatures: Executes dropped EXE, Loads dropped DLL, Suspicious use of AdjustPrivilegeToken, Suspicious use of WriteProcessMemory
- depth 16, PID 1356: C:\Windows\SysWOW64\xcxzera.exe (C:\Windows\system32\xcxzera.exe); signatures: Executes dropped EXE, Loads dropped DLL, Suspicious use of AdjustPrivilegeToken, Suspicious use of WriteProcessMemory
- depth 17, PID 2524: C:\Windows\SysWOW64\hnstqm.exe (C:\Windows\system32\hnstqm.exe); signatures: Executes dropped EXE, Loads dropped DLL, Suspicious use of AdjustPrivilegeToken
- depth 18, PID 1712: C:\Windows\SysWOW64\jmbjs.exe (C:\Windows\system32\jmbjs.exe); signatures: Executes dropped EXE, Loads dropped DLL, Suspicious use of AdjustPrivilegeToken
- depth 19, PID 2904: C:\Windows\SysWOW64\pftji.exe (C:\Windows\system32\pftji.exe); signatures: Executes dropped EXE, Loads dropped DLL, Adds Run key to start application, Suspicious use of AdjustPrivilegeToken
- depth 20, PID 2164: C:\Windows\SysWOW64\deicdb.exe (C:\Windows\system32\deicdb.exe); signatures: Executes dropped EXE, Loads dropped DLL, Suspicious use of AdjustPrivilegeToken
- depth 21, PID 1716: C:\Windows\SysWOW64\bmcve.exe (C:\Windows\system32\bmcve.exe); signatures: Executes dropped EXE, Loads dropped DLL, Suspicious use of AdjustPrivilegeToken
- depth 22, PID 992: C:\Windows\SysWOW64\zqkvt.exe (C:\Windows\system32\zqkvt.exe); signatures: Executes dropped EXE, Loads dropped DLL, Adds Run key to start application, Suspicious use of AdjustPrivilegeToken
- depth 23, PID 1428: C:\Windows\SysWOW64\lfsmda.exe (C:\Windows\system32\lfsmda.exe); signatures: Executes dropped EXE, Loads dropped DLL, Suspicious use of AdjustPrivilegeToken
- depth 24, PID 1276: C:\Windows\SysWOW64\lvqyj.exe (C:\Windows\system32\lvqyj.exe); signatures: Executes dropped EXE, Loads dropped DLL, Suspicious use of AdjustPrivilegeToken
- depth 25, PID 2464: C:\Windows\SysWOW64\nrlsonlk.exe (C:\Windows\system32\nrlsonlk.exe); signatures: Executes dropped EXE, Loads dropped DLL, Drops file in System32 directory, Suspicious use of AdjustPrivilegeToken
- depth 26, PID 2832: C:\Windows\SysWOW64\qtntjuu.exe (C:\Windows\system32\qtntjuu.exe); signatures: Executes dropped EXE, Loads dropped DLL, Suspicious use of AdjustPrivilegeToken
- depth 27, PID 2692: C:\Windows\SysWOW64\nmhkksn.exe (C:\Windows\system32\nmhkksn.exe); signatures: Executes dropped EXE, Loads dropped DLL, Suspicious use of AdjustPrivilegeToken
- depth 28, PID 2864: C:\Windows\SysWOW64\cparzii.exe (C:\Windows\system32\cparzii.exe); signatures: Executes dropped EXE, Loads dropped DLL, Suspicious use of AdjustPrivilegeToken
- depth 29, PID 2340: C:\Windows\SysWOW64\ovuow.exe (C:\Windows\system32\ovuow.exe); signatures: Executes dropped EXE, Loads dropped DLL, Adds Run key to start application, Suspicious use of AdjustPrivilegeToken
- depth 30, PID 2584: C:\Windows\SysWOW64\nppdte.exe (C:\Windows\system32\nppdte.exe); signatures: Executes dropped EXE, Loads dropped DLL, Suspicious use of AdjustPrivilegeToken
- depth 31, PID 580: C:\Windows\SysWOW64\bppdy.exe (C:\Windows\system32\bppdy.exe); signatures: Executes dropped EXE, Loads dropped DLL, Suspicious use of AdjustPrivilegeToken
- depth 32, PID 2200: C:\Windows\SysWOW64\doixako.exe (C:\Windows\system32\doixako.exe); signatures: Executes dropped EXE, Loads dropped DLL, Suspicious use of AdjustPrivilegeToken
- depth 33, PID 1552: C:\Windows\SysWOW64\ziydvoh.exe (C:\Windows\system32\ziydvoh.exe); signatures: Executes dropped EXE, Loads dropped DLL, Drops file in System32 directory, Suspicious use of AdjustPrivilegeToken
- depth 34, PID 572: C:\Windows\SysWOW64\drvntw.exe (C:\Windows\system32\drvntw.exe); signatures: Executes dropped EXE, Suspicious use of AdjustPrivilegeToken
- depth 35, PID 2848: C:\Windows\SysWOW64\wujkgs.exe (C:\Windows\system32\wujkgs.exe); signatures: Executes dropped EXE, Suspicious use of AdjustPrivilegeToken
- depth 36, PID 2660: C:\Windows\SysWOW64\gzawqmdl.exe (C:\Windows\system32\gzawqmdl.exe); signatures: Executes dropped EXE, Suspicious use of AdjustPrivilegeToken
- depth 37, PID 1148: C:\Windows\SysWOW64\rbwgnotp.exe (C:\Windows\system32\rbwgnotp.exe); signatures: Executes dropped EXE, Suspicious use of AdjustPrivilegeToken
- depth 38, PID 1108: C:\Windows\SysWOW64\cmvcra.exe (C:\Windows\system32\cmvcra.exe); signatures: Executes dropped EXE, Suspicious use of AdjustPrivilegeToken
- depth 39, PID 1484: C:\Windows\SysWOW64\gdilf.exe (C:\Windows\system32\gdilf.exe); signatures: Executes dropped EXE, Suspicious use of AdjustPrivilegeToken
- depth 40, PID 2844: C:\Windows\SysWOW64\prjnedk.exe (C:\Windows\system32\prjnedk.exe); signatures: Executes dropped EXE, Suspicious use of AdjustPrivilegeToken
- depth 41, PID 272: C:\Windows\SysWOW64\tvuzr.exe (C:\Windows\system32\tvuzr.exe); signatures: Executes dropped EXE, Suspicious use of AdjustPrivilegeToken
- depth 42, PID 940: C:\Windows\SysWOW64\tmmpz.exe (C:\Windows\system32\tmmpz.exe); signatures: Executes dropped EXE, Suspicious use of AdjustPrivilegeToken
- depth 43, PID 1476: C:\Windows\SysWOW64\joomf.exe (C:\Windows\system32\joomf.exe); signatures: Executes dropped EXE, Suspicious use of AdjustPrivilegeToken
- depth 44, PID 2356: C:\Windows\SysWOW64\oiqfx.exe (C:\Windows\system32\oiqfx.exe); signatures: Executes dropped EXE, Suspicious use of AdjustPrivilegeToken
- depth 45, PID 2800: C:\Windows\SysWOW64\wbbuyci.exe (C:\Windows\system32\wbbuyci.exe); signatures: Executes dropped EXE, Adds Run key to start application, Suspicious use of AdjustPrivilegeToken
- depth 46, PID 2592: C:\Windows\SysWOW64\myxkkvg.exe (C:\Windows\system32\myxkkvg.exe); signatures: Executes dropped EXE, Suspicious use of AdjustPrivilegeToken
- depth 47, PID 2104: C:\Windows\SysWOW64\akksasnc.exe (C:\Windows\system32\akksasnc.exe); signatures: Executes dropped EXE, Suspicious use of AdjustPrivilegeToken
- depth 48, PID 1600: C:\Windows\SysWOW64\srxjueki.exe (C:\Windows\system32\srxjueki.exe); signatures: Executes dropped EXE, Suspicious use of AdjustPrivilegeToken
- depth 49, PID 2392: C:\Windows\SysWOW64\pjekcs.exe (C:\Windows\system32\pjekcs.exe); signatures: Executes dropped EXE, Suspicious use of AdjustPrivilegeToken
- depth 50, PID 1924: C:\Windows\SysWOW64\ciwzhupp.exe (C:\Windows\system32\ciwzhupp.exe); signatures: Executes dropped EXE, Suspicious use of AdjustPrivilegeToken
- depth 51, PID 1696: C:\Windows\SysWOW64\avfvhmn.exe (C:\Windows\system32\avfvhmn.exe); signatures: Executes dropped EXE, Suspicious use of AdjustPrivilegeToken
- depth 52, PID 1644: C:\Windows\SysWOW64\pbzthann.exe (C:\Windows\system32\pbzthann.exe); signatures: Executes dropped EXE, Suspicious use of AdjustPrivilegeToken
- depth 53, PID 2552: C:\Windows\SysWOW64\ooambagj.exe (C:\Windows\system32\ooambagj.exe); signatures: Executes dropped EXE, Suspicious use of AdjustPrivilegeToken
- depth 54, PID 1944: C:\Windows\SysWOW64\hvxgtp.exe (C:\Windows\system32\hvxgtp.exe); signatures: Executes dropped EXE, Suspicious use of AdjustPrivilegeToken
- depth 55, PID 1720: C:\Windows\SysWOW64\njmsh.exe (C:\Windows\system32\njmsh.exe); signatures: Executes dropped EXE, Adds Run key to start application, Suspicious use of AdjustPrivilegeToken
- depth 56, PID 2420: C:\Windows\SysWOW64\yyazlgrz.exe (C:\Windows\system32\yyazlgrz.exe); signatures: Executes dropped EXE, Suspicious use of AdjustPrivilegeToken
- depth 57, PID 2992: C:\Windows\SysWOW64\uonib.exe (C:\Windows\system32\uonib.exe); signatures: Executes dropped EXE, Suspicious use of AdjustPrivilegeToken
- depth 58, PID 2440: C:\Windows\SysWOW64\hmskra.exe (C:\Windows\system32\hmskra.exe); signatures: Executes dropped EXE, Suspicious use of AdjustPrivilegeToken
- depth 59, PID 2872: C:\Windows\SysWOW64\ezcvcwfm.exe (C:\Windows\system32\ezcvcwfm.exe); signatures: Modifies firewall policy service, UAC bypass, Windows security bypass, Disables RegEdit via registry modification, Deletes itself, Executes dropped EXE, Windows security modification, Adds Run key to start application, Checks whether UAC is enabled, Enumerates connected drives, Suspicious behavior: EnumeratesProcesses, Suspicious use of AdjustPrivilegeToken, System policy modification
- depth 60, PID 2908: C:\Windows\SysWOW64\bwewar.exe (C:\Windows\system32\bwewar.exe); signatures: Executes dropped EXE, Adds Run key to start application, Suspicious use of AdjustPrivilegeToken
- depth 61, PID 2004: C:\Windows\SysWOW64\kfhmmgj.exe (C:\Windows\system32\kfhmmgj.exe); signatures: Executes dropped EXE, Adds Run key to start application, Suspicious use of AdjustPrivilegeToken
- depth 62, PID 612: C:\Windows\SysWOW64\wctwyy.exe (C:\Windows\system32\wctwyy.exe); signatures: Executes dropped EXE, Suspicious use of AdjustPrivilegeToken
- depth 63, PID 1976: C:\Windows\SysWOW64\papfecrx.exe (C:\Windows\system32\papfecrx.exe); signatures: Executes dropped EXE, Suspicious use of AdjustPrivilegeToken
- depth 64, PID 1908: C:\Windows\SysWOW64\ogmpgund.exe (C:\Windows\system32\ogmpgund.exe); signatures: Executes dropped EXE
- depth 65, PID 3012: C:\Windows\SysWOW64\bgicwxm.exe (C:\Windows\system32\bgicwxm.exe); signatures: Executes dropped EXE
- depth 66, PID 560: C:\Windows\SysWOW64\mpwyow.exe (C:\Windows\system32\mpwyow.exe); signatures: Executes dropped EXE
- depth 67, PID 3112: C:\Windows\SysWOW64\fzdzdhz.exe (C:\Windows\system32\fzdzdhz.exe)
- depth 68, PID 3156: C:\Windows\SysWOW64\ailfkck.exe (C:\Windows\system32\ailfkck.exe)
- depth 69, PID 3200: C:\Windows\SysWOW64\pxraeslp.exe (C:\Windows\system32\pxraeslp.exe)
- depth 70, PID 3244: C:\Windows\SysWOW64\jehlbf.exe (C:\Windows\system32\jehlbf.exe)
- depth 71, PID 3284: C:\Windows\SysWOW64\slzbdtbm.exe (C:\Windows\system32\slzbdtbm.exe)
- depth 72, PID 3332: C:\Windows\SysWOW64\cdjacb.exe (C:\Windows\system32\cdjacb.exe)
- depth 73, PID 3384: C:\Windows\SysWOW64\nuvxzae.exe (C:\Windows\system32\nuvxzae.exe); signatures: Drops file in System32 directory
- depth 74, PID 3440: C:\Windows\SysWOW64\tqnnsj.exe (C:\Windows\system32\tqnnsj.exe)
- depth 75, PID 3484: C:\Windows\SysWOW64\kbzzbdao.exe (C:\Windows\system32\kbzzbdao.exe)
- depth 76, PID 3536: C:\Windows\SysWOW64\sowlv.exe (C:\Windows\system32\sowlv.exe)
- depth 77, PID 3588: C:\Windows\SysWOW64\hmwiteaj.exe (C:\Windows\system32\hmwiteaj.exe); signatures: Adds Run key to start application
- depth 78, PID 3636: C:\Windows\SysWOW64\tuvtpvod.exe (C:\Windows\system32\tuvtpvod.exe)
- depth 79, PID 3680: C:\Windows\SysWOW64\uyuhtqk.exe (C:\Windows\system32\uyuhtqk.exe)
- depth 80, PID 3724: C:\Windows\SysWOW64\majrokva.exe (C:\Windows\system32\majrokva.exe)
- depth 81, PID 3780: C:\Windows\SysWOW64\manux.exe (C:\Windows\system32\manux.exe)
- depth 82, PID 3824: C:\Windows\SysWOW64\umtvidid.exe (C:\Windows\system32\umtvidid.exe)
- depth 83, PID 3868: C:\Windows\SysWOW64\hylnhin.exe (C:\Windows\system32\hylnhin.exe); signatures: Adds Run key to start application
- depth 84, PID 3916: C:\Windows\SysWOW64\sqkcj.exe (C:\Windows\system32\sqkcj.exe)
- depth 85, PID 3960: C:\Windows\SysWOW64\idygos.exe (C:\Windows\system32\idygos.exe)
- depth 86, PID 4008: C:\Windows\SysWOW64\avkth.exe (C:\Windows\system32\avkth.exe); signatures: Adds Run key to start application
- depth 87, PID 4048: C:\Windows\SysWOW64\lvvswu.exe (C:\Windows\system32\lvvswu.exe)
- depth 88, PID 2128: C:\Windows\SysWOW64\vkwranwf.exe (C:\Windows\system32\vkwranwf.exe)
- depth 89, PID 3152: C:\Windows\SysWOW64\jdofxykq.exe (C:\Windows\system32\jdofxykq.exe)
- depth 90, PID 3220: C:\Windows\SysWOW64\zlkvqegh.exe (C:\Windows\system32\zlkvqegh.exe)
- depth 91, PID 3296: C:\Windows\SysWOW64\wbicrb.exe (C:\Windows\system32\wbicrb.exe)
- depth 92, PID 3364: C:\Windows\SysWOW64\bnmms.exe (C:\Windows\system32\bnmms.exe)
- depth 93, PID 3448: C:\Windows\SysWOW64\ezuxjn.exe (C:\Windows\system32\ezuxjn.exe); signatures: Adds Run key to start application
- depth 94, PID 3496: C:\Windows\SysWOW64\jryzb.exe (C:\Windows\system32\jryzb.exe)
- depth 95, PID 3572: C:\Windows\SysWOW64\tjltkhy.exe (C:\Windows\system32\tjltkhy.exe); signatures: Adds Run key to start application
- depth 96, PID 3644: C:\Windows\SysWOW64\lxzzlp.exe (C:\Windows\system32\lxzzlp.exe)
- depth 97, PID 3696: C:\Windows\SysWOW64\bqwingk.exe (C:\Windows\system32\bqwingk.exe)
- depth 98, PID 3776: C:\Windows\SysWOW64\epnbcxk.exe (C:\Windows\system32\epnbcxk.exe); signatures: Adds Run key to start application
- depth 99, PID 3840: C:\Windows\SysWOW64\jodwc.exe (C:\Windows\system32\jodwc.exe)
- depth 100, PID 2828: C:\Windows\SysWOW64\nbjuztjg.exe (C:\Windows\system32\nbjuztjg.exe)
- depth 101, PID 3976: C:\Windows\SysWOW64\lypbnkj.exe (C:\Windows\system32\lypbnkj.exe)
- depth 102, PID 4068: C:\Windows\SysWOW64\mthxbhhj.exe (C:\Windows\system32\mthxbhhj.exe)
- depth 103, PID 3128: C:\Windows\SysWOW64\gydxp.exe (C:\Windows\system32\gydxp.exe)
- depth 104, PID 3264: C:\Windows\SysWOW64\lovir.exe (C:\Windows\system32\lovir.exe); signatures: Adds Run key to start application
- depth 105, PID 3360: C:\Windows\SysWOW64\ydfgsxfg.exe (C:\Windows\system32\ydfgsxfg.exe)
- depth 106, PID 3512: C:\Windows\SysWOW64\qgatgw.exe (C:\Windows\system32\qgatgw.exe)
- depth 107, PID 3600: C:\Windows\SysWOW64\aoxwh.exe (C:\Windows\system32\aoxwh.exe)
- depth 108, PID 3732: C:\Windows\SysWOW64\sbvxvqef.exe (C:\Windows\system32\sbvxvqef.exe); signatures: Drops file in System32 directory
- depth 109, PID 3800: C:\Windows\SysWOW64\ptmhtb.exe (C:\Windows\system32\ptmhtb.exe)
- depth 110, PID 3884: C:\Windows\SysWOW64\qkpoyd.exe (C:\Windows\system32\qkpoyd.exe)
- depth 111, PID 3992: C:\Windows\SysWOW64\qjlnyibb.exe (C:\Windows\system32\qjlnyibb.exe)
- depth 112, PID 4080: C:\Windows\SysWOW64\ohxgo.exe (C:\Windows\system32\ohxgo.exe)
- depth 113, PID 3172: C:\Windows\SysWOW64\xvubxxg.exe (C:\Windows\system32\xvubxxg.exe)
- depth 114, PID 3408: C:\Windows\SysWOW64\jhzxdne.exe (C:\Windows\system32\jhzxdne.exe); signatures: Adds Run key to start application
- depth 115, PID 3548: C:\Windows\SysWOW64\iecjl.exe (C:\Windows\system32\iecjl.exe); signatures: Adds Run key to start application
- depth 116, PID 3736: C:\Windows\SysWOW64\wtouyb.exe (C:\Windows\system32\wtouyb.exe)
- depth 117, PID 3932: C:\Windows\SysWOW64\qvkykkz.exe (C:\Windows\system32\qvkykkz.exe); signatures: Adds Run key to start application
- depth 118, PID 4064: C:\Windows\SysWOW64\dlhxsc.exe (C:\Windows\system32\dlhxsc.exe)
- depth 119, PID 3240: C:\Windows\SysWOW64\azxbviuo.exe (C:\Windows\system32\azxbviuo.exe)
- depth 120, PID 3556: C:\Windows\SysWOW64\otjzsbve.exe (C:\Windows\system32\otjzsbve.exe)
- depth 121, PID 3852: C:\Windows\SysWOW64\ciphnnio.exe (C:\Windows\system32\ciphnnio.exe)
- depth 122, PID 3084: C:\Windows\SysWOW64\luemulf.exe (C:\Windows\system32\luemulf.exe); signatures: Adds Run key to start application