Analysis
max time kernel: 40s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-07-2024 04:53

Behavioral task: behavioral1
Sample: 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
Resource: win7-20240704-en

General
Target: 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
Size: 116KB
MD5: 484ca151445e3fb77e6a98d077d72d1f
SHA1: 396156a2935f2ea1a086a96021ba10ded4994cf5
SHA256: 861dc9f7425c54ca192825634cde246290aa7e77fb71c3e070fb37b16c56c99f
SHA512: fd12fd738da27a7a454bed35a8e3c08820136c758f2cb2b5a8352d7630435e86a38bb7b2ac54d1e5427318adb4ee7c207112853cf73058cd23b68697ae8fcb43
SSDEEP: 3072:8Z65UAF8tWMv55UpxPggiLrJ88cdFMz4BJ/uK:8EtF835kxPggiLrKTdWzEWK
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | ozshzk.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | ozshzk.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | ozshzk.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ozshzk.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ozshzk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ozshzk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ozshzk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ozshzk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ozshzk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | ozshzk.exe
Disables RegEdit via registry modification (2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | ozshzk.exe
Disables Task Manager via registry modification
Deletes itself (1 IoCs)
pid | Process
10264 | ozshzk.exe
Executes dropped EXE (64 IoCs)
pid | Process
2936 | domius.exe
3356 | ecxgvz.exe
2848 | ytvhekyp.exe
4464 | skoozl.exe
3056 | wuaklo.exe
4220 | pedrcvmq.exe
2292 | wruizqad.exe
396 | cpylw.exe
2364 | rfhqyt.exe
3128 | kgudvsnm.exe
1100 | bfcjur.exe
3384 | ipvgd.exe
2212 | iuugwen.exe
3236 | hcbpb.exe
4552 | vqtjqwg.exe
3188 | fsykpzq.exe
1144 | wmjhkwgf.exe
1648 | isqirng.exe
1476 | sefbxdn.exe
2972 | uyrwz.exe
3572 | hkwobb.exe
1264 | dhsyxc.exe
2820 | qconpt.exe
3624 | tnujaefr.exe
3272 | mbafvm.exe
764 | pswccr.exe
2396 | mpjyeyj.exe
684 | ubyai.exe
5080 | fyhle.exe
2360 | vluut.exe
2964 | jnkiyknq.exe
4396 | ijnby.exe
3912 | xvzkdvqk.exe
4528 | mkagcivz.exe
4428 | qtzapiyl.exe
1776 | ratkkhk.exe
4488 | lbixy.exe
2780 | sikdnw.exe
4804 | cucth.exe
4924 | ipklg.exe
4000 | qosvkkb.exe
3848 | krwmnzhu.exe
3292 | zvgadi.exe
3676 | fkiqxdls.exe
4116 | vruxl.exe
4376 | rckmu.exe
3656 | ggifxsn.exe
3016 | jifwmsk.exe
1220 | prvinai.exe
2556 | xaxexw.exe
2052 | hayqf.exe
2652 | mhgedkz.exe
4184 | ilcyl.exe
2000 | ekzuyh.exe
3052 | fmwbmccx.exe
3220 | aazecqz.exe
208 | prikzh.exe
3204 | zchidvqv.exe
2176 | ivrpyyak.exe
668 | pwgra.exe
4580 | nwnbz.exe
220 | swkvv.exe
2476 | jzkovmx.exe
3348 | xqbbj.exe
resource | yara_rule
behavioral2/memory/3636-0-0x0000000031420000-0x0000000031443000-memory.dmp | upx
behavioral2/memory/3636-1-0x00000000022C0000-0x000000000334E000-memory.dmp | upx
behavioral2/memory/3636-4-0x00000000022C0000-0x000000000334E000-memory.dmp | upx
behavioral2/files/0x00090000000234b1-10.dat | upx
behavioral2/memory/3636-9-0x00000000022C0000-0x000000000334E000-memory.dmp | upx
behavioral2/memory/3636-14-0x00000000022C0000-0x000000000334E000-memory.dmp | upx
behavioral2/memory/2936-25-0x0000000031420000-0x0000000031443000-memory.dmp | upx
behavioral2/memory/3356-21-0x0000000031420000-0x0000000031443000-memory.dmp | upx
behavioral2/memory/3636-5-0x00000000022C0000-0x000000000334E000-memory.dmp | upx
behavioral2/memory/3636-3-0x00000000022C0000-0x000000000334E000-memory.dmp | upx
behavioral2/memory/2848-33-0x0000000031420000-0x0000000031443000-memory.dmp | upx
behavioral2/memory/4464-36-0x0000000031420000-0x0000000031443000-memory.dmp | upx
behavioral2/memory/3056-41-0x0000000031420000-0x0000000031443000-memory.dmp | upx
behavioral2/memory/4220-46-0x0000000031420000-0x0000000031443000-memory.dmp | upx
behavioral2/memory/2292-51-0x0000000031420000-0x0000000031443000-memory.dmp | upx
behavioral2/memory/396-56-0x0000000031420000-0x0000000031443000-memory.dmp | upx
behavioral2/memory/3636-64-0x00000000022C0000-0x000000000334E000-memory.dmp | upx
behavioral2/memory/2364-65-0x0000000031420000-0x0000000031443000-memory.dmp | upx
behavioral2/memory/3636-69-0x0000000031420000-0x0000000031443000-memory.dmp | upx
behavioral2/memory/3636-67-0x00000000022C0000-0x000000000334E000-memory.dmp | upx
behavioral2/memory/3636-66-0x00000000022C0000-0x000000000334E000-memory.dmp | upx
behavioral2/memory/3356-74-0x0000000031420000-0x0000000031443000-memory.dmp | upx
behavioral2/memory/3384-82-0x0000000031420000-0x0000000031443000-memory.dmp | upx
behavioral2/memory/2212-87-0x0000000031420000-0x0000000031443000-memory.dmp | upx
behavioral2/memory/4464-92-0x0000000031420000-0x0000000031443000-memory.dmp | upx
behavioral2/memory/3056-96-0x0000000031420000-0x0000000031443000-memory.dmp | upx
behavioral2/memory/4220-102-0x0000000031420000-0x0000000031443000-memory.dmp | upx
behavioral2/memory/2292-106-0x0000000031420000-0x0000000031443000-memory.dmp | upx
behavioral2/memory/396-111-0x0000000031420000-0x0000000031443000-memory.dmp | upx
behavioral2/memory/3128-120-0x0000000031420000-0x0000000031443000-memory.dmp | upx
behavioral2/memory/1100-125-0x0000000031420000-0x0000000031443000-memory.dmp | upx
behavioral2/memory/1264-134-0x0000000031420000-0x0000000031443000-memory.dmp | upx
behavioral2/memory/3384-133-0x0000000031420000-0x0000000031443000-memory.dmp | upx
behavioral2/memory/3636-130-0x00000000022C0000-0x000000000334E000-memory.dmp | upx
behavioral2/memory/3636-132-0x00000000022C0000-0x000000000334E000-memory.dmp | upx
behavioral2/memory/2212-138-0x0000000031420000-0x0000000031443000-memory.dmp | upx
behavioral2/memory/3236-143-0x0000000031420000-0x0000000031443000-memory.dmp | upx
behavioral2/memory/4552-149-0x0000000031420000-0x0000000031443000-memory.dmp | upx
behavioral2/memory/3188-154-0x0000000031420000-0x0000000031443000-memory.dmp | upx
behavioral2/memory/1144-159-0x0000000031420000-0x0000000031443000-memory.dmp | upx
behavioral2/memory/1648-163-0x0000000031420000-0x0000000031443000-memory.dmp | upx
behavioral2/memory/1476-168-0x0000000031420000-0x0000000031443000-memory.dmp | upx
behavioral2/memory/2972-174-0x0000000031420000-0x0000000031443000-memory.dmp | upx
behavioral2/memory/3572-179-0x0000000031420000-0x0000000031443000-memory.dmp | upx
behavioral2/memory/1264-184-0x0000000031420000-0x0000000031443000-memory.dmp | upx
behavioral2/memory/2820-187-0x0000000031420000-0x0000000031443000-memory.dmp | upx
behavioral2/memory/4528-191-0x0000000031420000-0x0000000031443000-memory.dmp | upx
behavioral2/memory/3624-190-0x0000000031420000-0x0000000031443000-memory.dmp | upx
behavioral2/memory/4428-195-0x0000000031420000-0x0000000031443000-memory.dmp | upx
behavioral2/memory/3272-194-0x0000000031420000-0x0000000031443000-memory.dmp | upx
behavioral2/memory/764-199-0x0000000031420000-0x0000000031443000-memory.dmp | upx
behavioral2/memory/3636-196-0x00000000022C0000-0x000000000334E000-memory.dmp | upx
behavioral2/memory/4488-203-0x0000000031420000-0x0000000031443000-memory.dmp | upx
behavioral2/memory/2396-202-0x0000000031420000-0x0000000031443000-memory.dmp | upx
behavioral2/memory/684-206-0x0000000031420000-0x0000000031443000-memory.dmp | upx
behavioral2/memory/5080-209-0x0000000031420000-0x0000000031443000-memory.dmp | upx
behavioral2/memory/2360-212-0x0000000031420000-0x0000000031443000-memory.dmp | upx
behavioral2/memory/4000-216-0x0000000031420000-0x0000000031443000-memory.dmp | upx
behavioral2/memory/2964-215-0x0000000031420000-0x0000000031443000-memory.dmp | upx
behavioral2/memory/4396-219-0x0000000031420000-0x0000000031443000-memory.dmp | upx
behavioral2/memory/3848-220-0x0000000031420000-0x0000000031443000-memory.dmp | upx
behavioral2/memory/3912-223-0x0000000031420000-0x0000000031443000-memory.dmp | upx
behavioral2/memory/3676-227-0x0000000031420000-0x0000000031443000-memory.dmp | upx
behavioral2/memory/4528-226-0x0000000031420000-0x0000000031443000-memory.dmp | upx
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ozshzk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ozshzk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ozshzk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | ozshzk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ozshzk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ozshzk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | ozshzk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
Adds Run key to start application (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\bmormvbb.exe" | zxplezdx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\xzbqdpwy.exe" | tgzjlxmw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\qwtub.exe" | vtcyfx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\tpgssdf.exe" | kvbbmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\sdwie.exe" | tydblpy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\ozimcsg.exe" | dmvmy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\xpmeq.exe" | mnwem.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\ovlyhda.exe" | bawoh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\yfplypn.exe" | rbfemufe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\oaymr.exe" | khksv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\ydnfh.exe" | ntrtg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\wqcvbedq.exe" | wjmpero.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\pzzce.exe" | arkcsw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\hlhalkzn.exe" | zkxzum.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\aleaca.exe" | iuvpa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\wuaklo.exe" | skoozl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\dbudras.exe" | wzwrpsz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\qbuyogt.exe" | piufskt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\uudfrhly.exe" | sljzicq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\uznwhx.exe" | aiswtqc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\fueim.exe" | jeorgxa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\hqltrca.exe" | zqcmtgku.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\jqxmphvq.exe" | emrjmzqm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\aglmlto.exe" | vslnh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\hefqgcbm.exe" | lxoxms.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\vubtuhxd.exe" | rsxzcqvm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\dgqbkmzj.exe" | nihxvd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\vtjzloy.exe" | bxlehcu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\rflqxy.exe" | iptnfdtm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\ryqbbla.exe" | iivtc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\jcnitu.exe" | chtrnu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\xnivfa.exe" | iijpjin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\mfmcake.exe" | vgtelt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\uqsacuqa.exe" | sfgtnpti.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\fndicim.exe" | hfeiokr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\xjigq.exe" | lpxuyyo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\sljzicq.exe" | iabal.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\wrxcevif.exe" | ilvkqffo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\nrilbow.exe" | hhipajz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\tkpah.exe" | lvqmwywm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\hfeiokr.exe" | fezldv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\vepcg.exe" | jwilxi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\rpoglxiy.exe" | xpzzj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\aiswtqc.exe" | zioym.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\pmgxaq.exe" | luhybq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\hwqsi.exe" | btjdwj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\atdgvwk.exe" | lmdsntu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\pedrcvmq.exe" | wuaklo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\opyec.exe" | vnwksmm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\bpfqb.exe" | hjryr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\dzddhvbn.exe" | aleaca.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\vsuqn.exe" | itxgz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\fyhle.exe" | ubyai.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\mfllukfs.exe" | phjgreds.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\vqljyk.exe" | mfmcake.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\ewjbzbv.exe" | fueim.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\jdtcvgh.exe" | zejhumdt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\alacs.exe" | cfdbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\nihxvd.exe" | liumro.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\jeorgxa.exe" | ktcuq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\qtjtz.exe" | swjuxc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\brobn.exe" | mtxqh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\rjtgfqhc.exe" | awxqka.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\qconpt.exe" | dhsyxc.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ozshzk.exe
Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\V: | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
File opened (read-only) | \??\E: | ozshzk.exe
File opened (read-only) | \??\I: | ozshzk.exe
File opened (read-only) | \??\H: | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
File opened (read-only) | \??\K: | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
File opened (read-only) | \??\Y: | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
File opened (read-only) | \??\H: | ozshzk.exe
File opened (read-only) | \??\U: | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
File opened (read-only) | \??\X: | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
File opened (read-only) | \??\P: | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
File opened (read-only) | \??\W: | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
File opened (read-only) | \??\I: | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
File opened (read-only) | \??\E: | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
File opened (read-only) | \??\R: | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
File opened (read-only) | \??\S: | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
File opened (read-only) | \??\G: | ozshzk.exe
File opened (read-only) | \??\N: | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
File opened (read-only) | \??\O: | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
File opened (read-only) | \??\Z: | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
File opened (read-only) | \??\L: | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
File opened (read-only) | \??\M: | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
File opened (read-only) | \??\J: | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
File opened (read-only) | \??\Q: | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
File opened (read-only) | \??\T: | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
File opened (read-only) | \??\G: | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\ovlyhda.exe | bawoh.exe
File created | C:\Windows\SysWOW64\aabaoo.exe | nxqefv.exe
File created | C:\Windows\SysWOW64\oahcrc.exe | stgagt.exe
File created | C:\Windows\SysWOW64\rjtgfqhc.exe | awxqka.exe
File created | C:\Windows\SysWOW64\hcbpb.exe | iuugwen.exe
File created | C:\Windows\SysWOW64\dmvmy.exe | lgppk.exe
File created | C:\Windows\SysWOW64\rxoujke.exe | zuspfwh.exe
File opened for modification | C:\Windows\SysWOW64\mbafvm.exe | tnujaefr.exe
File created | C:\Windows\SysWOW64\alacs.exe | cfdbc.exe
File created | C:\Windows\SysWOW64\btjdwj.exe | rjtgfqhc.exe
File opened for modification | C:\Windows\SysWOW64\lxoxms.exe | wjpqwaw.exe
File opened for modification | C:\Windows\SysWOW64\xqbbj.exe | jzkovmx.exe
File opened for modification | C:\Windows\SysWOW64\mfllukfs.exe | phjgreds.exe
File created | C:\Windows\SysWOW64\okesw.exe | ewmqmyla.exe
File created | C:\Windows\SysWOW64\sljzicq.exe | iabal.exe
File opened for modification | C:\Windows\SysWOW64\gvlywd.exe | qwuslca.exe
File opened for modification | C:\Windows\SysWOW64\hpcnf.exe | haokjk.exe
File created | C:\Windows\SysWOW64\klukjojc.exe | veoxkd.exe
File opened for modification | C:\Windows\SysWOW64\xfvuasfx.exe | xvucp.exe
File created | C:\Windows\SysWOW64\cppgba.exe | craxyi.exe
File created | C:\Windows\SysWOW64\piuuft.exe | dmfwo.exe
File opened for modification | C:\Windows\SysWOW64\rmwug.exe | bpydjku.exe
File opened for modification | C:\Windows\SysWOW64\gkloa.exe | frnlwxvh.exe
File created | C:\Windows\SysWOW64\wruizqad.exe | pedrcvmq.exe
File opened for modification | C:\Windows\SysWOW64\pvlhc.exe | zjbykm.exe
File created | C:\Windows\SysWOW64\zmtvizl.exe | sbdkh.exe
File created | C:\Windows\SysWOW64\iinyz.exe | ibtkzhb.exe
File opened for modification | C:\Windows\SysWOW64\sefbxdn.exe | isqirng.exe
File created | C:\Windows\SysWOW64\sajaost.exe | coddhqx.exe
File created | C:\Windows\SysWOW64\vjxwkur.exe | rdiyn.exe
File created | C:\Windows\SysWOW64\rflqxy.exe | iptnfdtm.exe
File opened for modification | C:\Windows\SysWOW64\gazcfocb.exe | vgmgeg.exe
File created | C:\Windows\SysWOW64\ehbneq.exe | xzbqdpwy.exe
File created | C:\Windows\SysWOW64\pfvkyqj.exe | vtosyzw.exe
File opened for modification | C:\Windows\SysWOW64\oduwit.exe | alacs.exe
File created | C:\Windows\SysWOW64\wsfsb.exe | kckjq.exe
File created | C:\Windows\SysWOW64\lcfsi.exe | pzzce.exe
File created | C:\Windows\SysWOW64\hlhalkzn.exe | zkxzum.exe
File opened for modification | C:\Windows\SysWOW64\itxgz.exe | hgtrvhk.exe
File created | C:\Windows\SysWOW64\obprvtes.exe | lgkld.exe
File created | C:\Windows\SysWOW64\phwcx.exe | umigfl.exe
File opened for modification | C:\Windows\SysWOW64\xdbht.exe | pcmacf.exe
File opened for modification | C:\Windows\SysWOW64\ofckeukh.exe | qeacjpd.exe
File opened for modification | C:\Windows\SysWOW64\bawoh.exe | wveskdib.exe
File opened for modification | C:\Windows\SysWOW64\zcorzdt.exe | cppgba.exe
File created | C:\Windows\SysWOW64\qbyhznyt.exe | fewtlq.exe
File opened for modification | C:\Windows\SysWOW64\hcvkyax.exe | rdiwxtsc.exe
File created | C:\Windows\SysWOW64\yobxtgb.exe | ylzbrgpq.exe
File opened for modification | C:\Windows\SysWOW64\hybewgi.exe | xojpjwdq.exe
File opened for modification | C:\Windows\SysWOW64\cxekfd.exe | xfvuasfx.exe
File created | C:\Windows\SysWOW64\ijnby.exe | jnkiyknq.exe
File created | C:\Windows\SysWOW64\hybewgi.exe | xojpjwdq.exe
File opened for modification | C:\Windows\SysWOW64\hgtrvhk.exe | gbfuczg.exe
File opened for modification | C:\Windows\SysWOW64\gazujx.exe | zzqkmab.exe
File created | C:\Windows\SysWOW64\uqsacuqa.exe | sfgtnpti.exe
File created | C:\Windows\SysWOW64\rcgjr.exe | gtncjn.exe
File opened for modification | C:\Windows\SysWOW64\zzqkmab.exe | thjkgir.exe
File opened for modification | C:\Windows\SysWOW64\ratkkhk.exe | qtzapiyl.exe
File opened for modification | C:\Windows\SysWOW64\lbixy.exe | ratkkhk.exe
File opened for modification | C:\Windows\SysWOW64\vizhzka.exe | ugbmp.exe
File created | C:\Windows\SysWOW64\hpcnf.exe | haokjk.exe
File created | C:\Windows\SysWOW64\zuspfwh.exe | anylhpt.exe
File created | C:\Windows\SysWOW64\ajlrgzl.exe | sdwie.exe
File created | C:\Windows\SysWOW64\xfvuasfx.exe | xvucp.exe
Drops file in Program Files directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\PROGRAM FILES\7-ZIP\Uninstall.exe | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
Drops file in Windows directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid | Process
3636 | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
3636 | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
3636 | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
3636 | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
3636 | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
3636 | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
10264 | ozshzk.exe
10264 | ozshzk.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3636 | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
Token: SeDebugPrivilege | 3636 | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
Token: SeDebugPrivilege | 3636 | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
Token: SeDebugPrivilege | 3636 | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
Token: SeDebugPrivilege | 3636 | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
Token: SeDebugPrivilege | 3636 | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
Token: SeDebugPrivilege | 3636 | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
Token: SeDebugPrivilege | 3636 | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
Token: SeDebugPrivilege | 2936 | domius.exe
Token: SeDebugPrivilege | 3636 | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
Token: SeDebugPrivilege | 3636 | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
Token: SeDebugPrivilege | 3636 | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe
Token: SeDebugPrivilege | 3356 | ecxgvz.exe
Token: SeDebugPrivilege | 2848 | ytvhekyp.exe
Token: SeDebugPrivilege | 4464 | skoozl.exe
Token: SeDebugPrivilege | 3056 | wuaklo.exe
Token: SeDebugPrivilege | 4220 | pedrcvmq.exe
Token: SeDebugPrivilege | 2292 | wruizqad.exe
Token: SeDebugPrivilege | 396 | cpylw.exe
Token: SeDebugPrivilege | 2364 | rfhqyt.exe
Token: SeDebugPrivilege | 3128 | kgudvsnm.exe
Token: SeDebugPrivilege | 1100 | bfcjur.exe
Token: SeDebugPrivilege | 3384 | ipvgd.exe
Token: SeDebugPrivilege | 2212 | iuugwen.exe
Token: SeDebugPrivilege | 3236 | hcbpb.exe
Token: SeDebugPrivilege | 4552 | vqtjqwg.exe
Token: SeDebugPrivilege | 3188 | fsykpzq.exe
Token: SeDebugPrivilege | 1144 | wmjhkwgf.exe
Token: SeDebugPrivilege | 1648 | isqirng.exe
Token: SeDebugPrivilege | 1476 | sefbxdn.exe
Token: SeDebugPrivilege | 2972 | uyrwz.exe
Token: SeDebugPrivilege | 3572 | hkwobb.exe
Token: SeDebugPrivilege | 1264 | dhsyxc.exe
Token: SeDebugPrivilege | 2820 | qconpt.exe
Token: SeDebugPrivilege | 3624 | tnujaefr.exe
Token: SeDebugPrivilege | 3272 | mbafvm.exe
Token: SeDebugPrivilege | 764 | pswccr.exe
Token: SeDebugPrivilege | 2396 | mpjyeyj.exe
Token: SeDebugPrivilege | 684 | ubyai.exe
Token: SeDebugPrivilege | 5080 | fyhle.exe
Token: SeDebugPrivilege | 2360 | vluut.exe
Token: SeDebugPrivilege | 2964 | jnkiyknq.exe
Token: SeDebugPrivilege | 4396 | ijnby.exe
Token: SeDebugPrivilege | 3912 | xvzkdvqk.exe
Token: SeDebugPrivilege | 4528 | mkagcivz.exe
Token: SeDebugPrivilege | 4428 | qtzapiyl.exe
Token: SeDebugPrivilege | 1776 | ratkkhk.exe
Token: SeDebugPrivilege | 4488 | lbixy.exe
Token: SeDebugPrivilege | 2780 | sikdnw.exe
Token: SeDebugPrivilege | 4804 | cucth.exe
Token: SeDebugPrivilege | 4924 | ipklg.exe
Token: SeDebugPrivilege | 4000 | qosvkkb.exe
Token: SeDebugPrivilege | 3848 | krwmnzhu.exe
Token: SeDebugPrivilege | 3292 | zvgadi.exe
Token: SeDebugPrivilege | 3676 | fkiqxdls.exe
Token: SeDebugPrivilege | 4116 | vruxl.exe
Token: SeDebugPrivilege | 4376 | rckmu.exe
Token: SeDebugPrivilege | 3656 | ggifxsn.exe
Token: SeDebugPrivilege | 3016 | jifwmsk.exe
Token: SeDebugPrivilege | 1220 | prvinai.exe
Token: SeDebugPrivilege | 2556 | xaxexw.exe
Token: SeDebugPrivilege | 2052 | hayqf.exe
Token: SeDebugPrivilege | 2652 | mhgedkz.exe
Token: SeDebugPrivilege | 4184 | ilcyl.exe
Suspicious use of WriteProcessMemory 64 IoCs
| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 3636 wrote to memory of 2936 | 3636 | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe | 83 |
| PID 3636 wrote to memory of 2936 | 3636 | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe | 83 |
| PID 3636 wrote to memory of 2936 | 3636 | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe | 83 |
| PID 3636 wrote to memory of 784 | 3636 | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe | 8 |
| PID 3636 wrote to memory of 788 | 3636 | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe | 9 |
| PID 3636 wrote to memory of 384 | 3636 | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe | 13 |
| PID 3636 wrote to memory of 2436 | 3636 | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe | 42 |
| PID 3636 wrote to memory of 2452 | 3636 | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe | 43 |
| PID 3636 wrote to memory of 2748 | 3636 | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe | 49 |
| PID 3636 wrote to memory of 3564 | 3636 | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe | 56 |
| PID 2936 wrote to memory of 3356 | 2936 | domius.exe | 84 |
| PID 2936 wrote to memory of 3356 | 2936 | domius.exe | 84 |
| PID 2936 wrote to memory of 3356 | 2936 | domius.exe | 84 |
| PID 3636 wrote to memory of 3704 | 3636 | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe | 57 |
| PID 3636 wrote to memory of 3896 | 3636 | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe | 58 |
| PID 3636 wrote to memory of 3992 | 3636 | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe | 59 |
| PID 3636 wrote to memory of 4056 | 3636 | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe | 60 |
| PID 3636 wrote to memory of 1336 | 3636 | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe | 61 |
| PID 3636 wrote to memory of 4120 | 3636 | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe | 62 |
| PID 3636 wrote to memory of 1092 | 3636 | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe | 75 |
| PID 3636 wrote to memory of 3432 | 3636 | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe | 76 |
| PID 3636 wrote to memory of 3764 | 3636 | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe | 80 |
| PID 3636 wrote to memory of 2372 | 3636 | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe | 81 |
| PID 3636 wrote to memory of 2936 | 3636 | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe | 83 |
| PID 3636 wrote to memory of 2936 | 3636 | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe | 83 |
| PID 3356 wrote to memory of 2848 | 3356 | ecxgvz.exe | 85 |
| PID 3356 wrote to memory of 2848 | 3356 | ecxgvz.exe | 85 |
| PID 3356 wrote to memory of 2848 | 3356 | ecxgvz.exe | 85 |
| PID 2848 wrote to memory of 4464 | 2848 | ytvhekyp.exe | 86 |
| PID 2848 wrote to memory of 4464 | 2848 | ytvhekyp.exe | 86 |
| PID 2848 wrote to memory of 4464 | 2848 | ytvhekyp.exe | 86 |
| PID 4464 wrote to memory of 3056 | 4464 | skoozl.exe | 87 |
| PID 4464 wrote to memory of 3056 | 4464 | skoozl.exe | 87 |
| PID 4464 wrote to memory of 3056 | 4464 | skoozl.exe | 87 |
| PID 3056 wrote to memory of 4220 | 3056 | wuaklo.exe | 89 |
| PID 3056 wrote to memory of 4220 | 3056 | wuaklo.exe | 89 |
| PID 3056 wrote to memory of 4220 | 3056 | wuaklo.exe | 89 |
| PID 4220 wrote to memory of 2292 | 4220 | pedrcvmq.exe | 90 |
| PID 4220 wrote to memory of 2292 | 4220 | pedrcvmq.exe | 90 |
| PID 4220 wrote to memory of 2292 | 4220 | pedrcvmq.exe | 90 |
| PID 2292 wrote to memory of 396 | 2292 | wruizqad.exe | 92 |
| PID 2292 wrote to memory of 396 | 2292 | wruizqad.exe | 92 |
| PID 2292 wrote to memory of 396 | 2292 | wruizqad.exe | 92 |
| PID 396 wrote to memory of 2364 | 396 | cpylw.exe | 93 |
| PID 396 wrote to memory of 2364 | 396 | cpylw.exe | 93 |
| PID 396 wrote to memory of 2364 | 396 | cpylw.exe | 93 |
| PID 2364 wrote to memory of 3128 | 2364 | rfhqyt.exe | 94 |
| PID 2364 wrote to memory of 3128 | 2364 | rfhqyt.exe | 94 |
| PID 2364 wrote to memory of 3128 | 2364 | rfhqyt.exe | 94 |
| PID 3128 wrote to memory of 1100 | 3128 | kgudvsnm.exe | 95 |
| PID 3128 wrote to memory of 1100 | 3128 | kgudvsnm.exe | 95 |
| PID 3128 wrote to memory of 1100 | 3128 | kgudvsnm.exe | 95 |
| PID 1100 wrote to memory of 3384 | 1100 | bfcjur.exe | 96 |
| PID 1100 wrote to memory of 3384 | 1100 | bfcjur.exe | 96 |
| PID 1100 wrote to memory of 3384 | 1100 | bfcjur.exe | 96 |
| PID 3384 wrote to memory of 2212 | 3384 | ipvgd.exe | 98 |
| PID 3384 wrote to memory of 2212 | 3384 | ipvgd.exe | 98 |
| PID 3384 wrote to memory of 2212 | 3384 | ipvgd.exe | 98 |
| PID 2212 wrote to memory of 3236 | 2212 | iuugwen.exe | 99 |
| PID 2212 wrote to memory of 3236 | 2212 | iuugwen.exe | 99 |
| PID 2212 wrote to memory of 3236 | 2212 | iuugwen.exe | 99 |
| PID 3236 wrote to memory of 4552 | 3236 | hcbpb.exe | 100 |
| PID 3236 wrote to memory of 4552 | 3236 | hcbpb.exe | 100 |
| PID 3236 wrote to memory of 4552 | 3236 | hcbpb.exe | 100 |
System policy modification 1 TTPs 2 IoCs
| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ozshzk.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe |
Processes
(image path, command line, process-tree depth, PID; behaviours observed for that process are listed beneath it)

- C:\Windows\system32\fontdrvhost.exe (cmdline: "fontdrvhost.exe") depth 1, PID 784
- C:\Windows\system32\fontdrvhost.exe (cmdline: "fontdrvhost.exe") depth 1, PID 788
- C:\Windows\system32\dwm.exe (cmdline: "dwm.exe") depth 1, PID 384
- C:\Windows\system32\sihost.exe (cmdline: sihost.exe) depth 1, PID 2436
- C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc) depth 1, PID 2452
- C:\Windows\system32\taskhostw.exe (cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}) depth 1, PID 2748
- C:\Windows\Explorer.EXE (cmdline: C:\Windows\Explorer.EXE) depth 1, PID 3564
- C:\Users\Admin\AppData\Local\Temp\484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe (cmdline: "C:\Users\Admin\AppData\Local\Temp\484ca151445e3fb77e6a98d077d72d1f_JaffaCakes118.exe") depth 2, PID 3636
  - Modifies firewall policy service
  - UAC bypass
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Windows security modification
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
- C:\Windows\SysWOW64\domius.exe (cmdline: C:\Windows\system32\domius.exe) depth 3, PID 2936
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\ecxgvz.exe (cmdline: C:\Windows\system32\ecxgvz.exe) depth 4, PID 3356
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\ytvhekyp.exe (cmdline: C:\Windows\system32\ytvhekyp.exe) depth 5, PID 2848
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\skoozl.exe (cmdline: C:\Windows\system32\skoozl.exe) depth 6, PID 4464
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\wuaklo.exe (cmdline: C:\Windows\system32\wuaklo.exe) depth 7, PID 3056
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\pedrcvmq.exe (cmdline: C:\Windows\system32\pedrcvmq.exe) depth 8, PID 4220
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\wruizqad.exe (cmdline: C:\Windows\system32\wruizqad.exe) depth 9, PID 2292
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\cpylw.exe (cmdline: C:\Windows\system32\cpylw.exe) depth 10, PID 396
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\rfhqyt.exe (cmdline: C:\Windows\system32\rfhqyt.exe) depth 11, PID 2364
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\kgudvsnm.exe (cmdline: C:\Windows\system32\kgudvsnm.exe) depth 12, PID 3128
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\bfcjur.exe (cmdline: C:\Windows\system32\bfcjur.exe) depth 13, PID 1100
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\ipvgd.exe (cmdline: C:\Windows\system32\ipvgd.exe) depth 14, PID 3384
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\iuugwen.exe (cmdline: C:\Windows\system32\iuugwen.exe) depth 15, PID 2212
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\hcbpb.exe (cmdline: C:\Windows\system32\hcbpb.exe) depth 16, PID 3236
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\vqtjqwg.exe (cmdline: C:\Windows\system32\vqtjqwg.exe) depth 17, PID 4552
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\fsykpzq.exe (cmdline: C:\Windows\system32\fsykpzq.exe) depth 18, PID 3188
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\wmjhkwgf.exe (cmdline: C:\Windows\system32\wmjhkwgf.exe) depth 19, PID 1144
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\isqirng.exe (cmdline: C:\Windows\system32\isqirng.exe) depth 20, PID 1648
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\sefbxdn.exe (cmdline: C:\Windows\system32\sefbxdn.exe) depth 21, PID 1476
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\uyrwz.exe (cmdline: C:\Windows\system32\uyrwz.exe) depth 22, PID 2972
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\hkwobb.exe (cmdline: C:\Windows\system32\hkwobb.exe) depth 23, PID 3572
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\dhsyxc.exe (cmdline: C:\Windows\system32\dhsyxc.exe) depth 24, PID 1264
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\qconpt.exe (cmdline: C:\Windows\system32\qconpt.exe) depth 25, PID 2820
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\tnujaefr.exe (cmdline: C:\Windows\system32\tnujaefr.exe) depth 26, PID 3624
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\mbafvm.exe (cmdline: C:\Windows\system32\mbafvm.exe) depth 27, PID 3272
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\pswccr.exe (cmdline: C:\Windows\system32\pswccr.exe) depth 28, PID 764
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\mpjyeyj.exe (cmdline: C:\Windows\system32\mpjyeyj.exe) depth 29, PID 2396
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\ubyai.exe (cmdline: C:\Windows\system32\ubyai.exe) depth 30, PID 684
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\fyhle.exe (cmdline: C:\Windows\system32\fyhle.exe) depth 31, PID 5080
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\vluut.exe (cmdline: C:\Windows\system32\vluut.exe) depth 32, PID 2360
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\jnkiyknq.exe (cmdline: C:\Windows\system32\jnkiyknq.exe) depth 33, PID 2964
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\ijnby.exe (cmdline: C:\Windows\system32\ijnby.exe) depth 34, PID 4396
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\xvzkdvqk.exe (cmdline: C:\Windows\system32\xvzkdvqk.exe) depth 35, PID 3912
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\mkagcivz.exe (cmdline: C:\Windows\system32\mkagcivz.exe) depth 36, PID 4528
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\qtzapiyl.exe (cmdline: C:\Windows\system32\qtzapiyl.exe) depth 37, PID 4428
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\ratkkhk.exe (cmdline: C:\Windows\system32\ratkkhk.exe) depth 38, PID 1776
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\lbixy.exe (cmdline: C:\Windows\system32\lbixy.exe) depth 39, PID 4488
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\sikdnw.exe (cmdline: C:\Windows\system32\sikdnw.exe) depth 40, PID 2780
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\cucth.exe (cmdline: C:\Windows\system32\cucth.exe) depth 41, PID 4804
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\ipklg.exe (cmdline: C:\Windows\system32\ipklg.exe) depth 42, PID 4924
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\qosvkkb.exe (cmdline: C:\Windows\system32\qosvkkb.exe) depth 43, PID 4000
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\krwmnzhu.exe (cmdline: C:\Windows\system32\krwmnzhu.exe) depth 44, PID 3848
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\zvgadi.exe (cmdline: C:\Windows\system32\zvgadi.exe) depth 45, PID 3292
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\fkiqxdls.exe (cmdline: C:\Windows\system32\fkiqxdls.exe) depth 46, PID 3676
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\vruxl.exe (cmdline: C:\Windows\system32\vruxl.exe) depth 47, PID 4116
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\rckmu.exe (cmdline: C:\Windows\system32\rckmu.exe) depth 48, PID 4376
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\ggifxsn.exe (cmdline: C:\Windows\system32\ggifxsn.exe) depth 49, PID 3656
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\jifwmsk.exe (cmdline: C:\Windows\system32\jifwmsk.exe) depth 50, PID 3016
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\prvinai.exe (cmdline: C:\Windows\system32\prvinai.exe) depth 51, PID 1220
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\xaxexw.exe (cmdline: C:\Windows\system32\xaxexw.exe) depth 52, PID 2556
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\hayqf.exe (cmdline: C:\Windows\system32\hayqf.exe) depth 53, PID 2052
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\mhgedkz.exe (cmdline: C:\Windows\system32\mhgedkz.exe) depth 54, PID 2652
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\ilcyl.exe (cmdline: C:\Windows\system32\ilcyl.exe) depth 55, PID 4184
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\ekzuyh.exe (cmdline: C:\Windows\system32\ekzuyh.exe) depth 56, PID 2000
  - Executes dropped EXE
- C:\Windows\SysWOW64\fmwbmccx.exe (cmdline: C:\Windows\system32\fmwbmccx.exe) depth 57, PID 3052
  - Executes dropped EXE
- C:\Windows\SysWOW64\aazecqz.exe (cmdline: C:\Windows\system32\aazecqz.exe) depth 58, PID 3220
  - Executes dropped EXE
- C:\Windows\SysWOW64\prikzh.exe (cmdline: C:\Windows\system32\prikzh.exe) depth 59, PID 208
  - Executes dropped EXE
- C:\Windows\SysWOW64\zchidvqv.exe (cmdline: C:\Windows\system32\zchidvqv.exe) depth 60, PID 3204
  - Executes dropped EXE
- C:\Windows\SysWOW64\ivrpyyak.exe (cmdline: C:\Windows\system32\ivrpyyak.exe) depth 61, PID 2176
  - Executes dropped EXE
- C:\Windows\SysWOW64\pwgra.exe (cmdline: C:\Windows\system32\pwgra.exe) depth 62, PID 668
  - Executes dropped EXE
- C:\Windows\SysWOW64\nwnbz.exe (cmdline: C:\Windows\system32\nwnbz.exe) depth 63, PID 4580
  - Executes dropped EXE
- C:\Windows\SysWOW64\swkvv.exe (cmdline: C:\Windows\system32\swkvv.exe) depth 64, PID 220
  - Executes dropped EXE
- C:\Windows\SysWOW64\jzkovmx.exe (cmdline: C:\Windows\system32\jzkovmx.exe) depth 65, PID 2476
  - Executes dropped EXE
  - Drops file in System32 directory
- C:\Windows\SysWOW64\xqbbj.exe (cmdline: C:\Windows\system32\xqbbj.exe) depth 66, PID 3348
  - Executes dropped EXE
- C:\Windows\SysWOW64\czych.exe (cmdline: C:\Windows\system32\czych.exe) depth 67, PID 3580
- C:\Windows\SysWOW64\ampgcp.exe (cmdline: C:\Windows\system32\ampgcp.exe) depth 68, PID 4928
- C:\Windows\SysWOW64\mnwem.exe (cmdline: C:\Windows\system32\mnwem.exe) depth 69, PID 4512
  - Adds Run key to start application
- C:\Windows\SysWOW64\xpmeq.exe (cmdline: C:\Windows\system32\xpmeq.exe) depth 70, PID 4400
- C:\Windows\SysWOW64\rsxzcqvm.exe (cmdline: C:\Windows\system32\rsxzcqvm.exe) depth 71, PID 5028
  - Adds Run key to start application
- C:\Windows\SysWOW64\vubtuhxd.exe (cmdline: C:\Windows\system32\vubtuhxd.exe) depth 72, PID 228
- C:\Windows\SysWOW64\qeacjpd.exe (cmdline: C:\Windows\system32\qeacjpd.exe) depth 73, PID 2812
  - Drops file in System32 directory
- C:\Windows\SysWOW64\ofckeukh.exe (cmdline: C:\Windows\system32\ofckeukh.exe) depth 74, PID 3808
- C:\Windows\SysWOW64\ywhsuvz.exe (cmdline: C:\Windows\system32\ywhsuvz.exe) depth 75, PID 2388
- C:\Windows\SysWOW64\rdrzdaz.exe (cmdline: C:\Windows\system32\rdrzdaz.exe) depth 76, PID 1832
- C:\Windows\SysWOW64\xexoaxl.exe (cmdline: C:\Windows\system32\xexoaxl.exe) depth 77, PID 3616
- C:\Windows\SysWOW64\ewpyt.exe (cmdline: C:\Windows\system32\ewpyt.exe) depth 78, PID 2132
- C:\Windows\SysWOW64\zxplezdx.exe (cmdline: C:\Windows\system32\zxplezdx.exe) depth 79, PID 1112
  - Adds Run key to start application
- C:\Windows\SysWOW64\bmormvbb.exe (cmdline: C:\Windows\system32\bmormvbb.exe) depth 80, PID 4576
- C:\Windows\SysWOW64\zucto.exe (cmdline: C:\Windows\system32\zucto.exe) depth 81, PID 4800
- C:\Windows\SysWOW64\cqqssaw.exe (cmdline: C:\Windows\system32\cqqssaw.exe) depth 82, PID 1708
- C:\Windows\SysWOW64\gbfuczg.exe (cmdline: C:\Windows\system32\gbfuczg.exe) depth 83, PID 4264
  - Drops file in System32 directory
- C:\Windows\SysWOW64\hgtrvhk.exe (cmdline: C:\Windows\system32\hgtrvhk.exe) depth 84, PID 920
  - Drops file in System32 directory
- C:\Windows\SysWOW64\itxgz.exe (cmdline: C:\Windows\system32\itxgz.exe) depth 85, PID 740
  - Adds Run key to start application
- C:\Windows\SysWOW64\vsuqn.exe (cmdline: C:\Windows\system32\vsuqn.exe) depth 86, PID 5140
- C:\Windows\SysWOW64\qmrcdp.exe (cmdline: C:\Windows\system32\qmrcdp.exe) depth 87, PID 5180
- C:\Windows\SysWOW64\kgqbog.exe (cmdline: C:\Windows\system32\kgqbog.exe) depth 88, PID 5224
- C:\Windows\SysWOW64\sqykp.exe (cmdline: C:\Windows\system32\sqykp.exe) depth 89, PID 5260
- C:\Windows\SysWOW64\rgaxl.exe (cmdline: C:\Windows\system32\rgaxl.exe) depth 90, PID 5292
- C:\Windows\SysWOW64\pqbfz.exe (cmdline: C:\Windows\system32\pqbfz.exe) depth 91, PID 5324
- C:\Windows\SysWOW64\lgppk.exe (cmdline: C:\Windows\system32\lgppk.exe) depth 92, PID 5356
  - Drops file in System32 directory
- C:\Windows\SysWOW64\dmvmy.exe (cmdline: C:\Windows\system32\dmvmy.exe) depth 93, PID 5392
  - Adds Run key to start application
- C:\Windows\SysWOW64\ozimcsg.exe (cmdline: C:\Windows\system32\ozimcsg.exe) depth 94, PID 5424
- C:\Windows\SysWOW64\wveskdib.exe (cmdline: C:\Windows\system32\wveskdib.exe) depth 95, PID 5456
  - Drops file in System32 directory
- C:\Windows\SysWOW64\bawoh.exe (cmdline: C:\Windows\system32\bawoh.exe) depth 96, PID 5492
  - Adds Run key to start application
  - Drops file in System32 directory
- C:\Windows\SysWOW64\ovlyhda.exe (cmdline: C:\Windows\system32\ovlyhda.exe) depth 97, PID 5528
- C:\Windows\SysWOW64\skreln.exe (cmdline: C:\Windows\system32\skreln.exe) depth 98, PID 5560
- C:\Windows\SysWOW64\onidkr.exe (cmdline: C:\Windows\system32\onidkr.exe) depth 99, PID 5592
- C:\Windows\SysWOW64\xmbztt.exe (cmdline: C:\Windows\system32\xmbztt.exe) depth 100, PID 5632
- C:\Windows\SysWOW64\cpeea.exe (cmdline: C:\Windows\system32\cpeea.exe) depth 101, PID 5664
- C:\Windows\SysWOW64\lgkld.exe (cmdline: C:\Windows\system32\lgkld.exe) depth 102, PID 5704
  - Drops file in System32 directory
- C:\Windows\SysWOW64\obprvtes.exe (cmdline: C:\Windows\system32\obprvtes.exe) depth 103, PID 5736
- C:\Windows\SysWOW64\pffwzd.exe (cmdline: C:\Windows\system32\pffwzd.exe) depth 104, PID 6032
- C:\Windows\SysWOW64\craxyi.exe (cmdline: C:\Windows\system32\craxyi.exe) depth 105, PID 6860
  - Drops file in System32 directory
- C:\Windows\SysWOW64\cppgba.exe (cmdline: C:\Windows\system32\cppgba.exe) depth 106, PID 7028
  - Drops file in System32 directory
- C:\Windows\SysWOW64\zcorzdt.exe (cmdline: C:\Windows\system32\zcorzdt.exe) depth 107, PID 7092
- C:\Windows\SysWOW64\nxqefv.exe (cmdline: C:\Windows\system32\nxqefv.exe) depth 108, PID 6056
  - Drops file in System32 directory
- C:\Windows\SysWOW64\aabaoo.exe (cmdline: C:\Windows\system32\aabaoo.exe) depth 109, PID 5628
- C:\Windows\SysWOW64\dmfwo.exe (cmdline: C:\Windows\system32\dmfwo.exe) depth 110, PID 6104
  - Drops file in System32 directory
- C:\Windows\SysWOW64\piuuft.exe (cmdline: C:\Windows\system32\piuuft.exe) depth 111, PID 5352
- C:\Windows\SysWOW64\pplwzq.exe (cmdline: C:\Windows\system32\pplwzq.exe) depth 112, PID 5512
- C:\Windows\SysWOW64\sjsonwk.exe (cmdline: C:\Windows\system32\sjsonwk.exe) depth 113, PID 6152
- C:\Windows\SysWOW64\fmaif.exe (cmdline: C:\Windows\system32\fmaif.exe) depth 114, PID 6812
- C:\Windows\SysWOW64\rbfemufe.exe (cmdline: C:\Windows\system32\rbfemufe.exe) depth 115, PID 6876
  - Adds Run key to start application
- C:\Windows\SysWOW64\yfplypn.exe (cmdline: C:\Windows\system32\yfplypn.exe) depth 116, PID 6460
- C:\Windows\SysWOW64\ecrktnnl.exe (cmdline: C:\Windows\system32\ecrktnnl.exe) depth 117, PID 6580
- C:\Windows\SysWOW64\vngzdrnj.exe (cmdline: C:\Windows\system32\vngzdrnj.exe) depth 118, PID 7120
- C:\Windows\SysWOW64\ugbmp.exe (cmdline: C:\Windows\system32\ugbmp.exe) depth 119, PID 7012
  - Drops file in System32 directory
- C:\Windows\SysWOW64\vizhzka.exe (cmdline: C:\Windows\system32\vizhzka.exe) depth 120, PID 6388
- C:\Windows\SysWOW64\xzsprny.exe (cmdline: C:\Windows\system32\xzsprny.exe) depth 121, PID 6304
- C:\Windows\SysWOW64\bngarjdf.exe (cmdline: C:\Windows\system32\bngarjdf.exe) depth 122, PID 6852