Analysis
max time kernel: 40s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20240704-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240704-en locale:en-us os:windows10-2004-x64 system
submitted: 26-07-2024 18:45
Behavioral task: behavioral1
Sample: 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe
Resource: win7-20240704-en
The Analysis header above (windows10-2004_x64, win10v2004-20240704-en) and the yara resource paths further down (behavioral2/...) belong to the Windows 10 run; none of the signature tables on this page are labelled with behavioral1.
General
Target: 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe
Size: 171KB
MD5: 7544d64ca2ddfbd3650ceb2ea0942c43
SHA1: dfb8791a5ecab52beb2c800df416837adf40f334
SHA256: 5db59eed776246fc75ceab615fdfc20ab11472ffb4d4fd5edd3bcc24c64e223a
SHA512: 6ac0297caca4328249840593a8054a383cef7bfcf3c78c5d9faeb777feece5c7e540220d9ba51960de5db3e292b493422ebd2379be77b580e896da6de4ad1145
SSDEEP: 1536:9ybiCx1bCV1LCHLWcB099lSaRO3SzQgEe6dmtq:9M3qIWcqbR+Scgf
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | bbuqdtv.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | bbuqdtv.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | bbuqdtv.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe
Disables UAC via registry modification (EnableLUA = 0) 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bbuqdtv.exe
Modifies Windows Security Center settings 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | bbuqdtv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | bbuqdtv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | bbuqdtv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | bbuqdtv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | bbuqdtv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | bbuqdtv.exe
Disables RegEdit via registry modification 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | bbuqdtv.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe
Disables Task Manager via registry modification
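The registry writes in the tables above are the cluster Sality uses to blind the host: the firewall profile switched off with its notifications suppressed, EnableLUA cleared, the Security Center override and notify flags raised, and registry tools and Task Manager disabled for the logged-on user. The following is an added example, not part of the sandbox report, that turns those IoCs into detection logic over Sysmon Event ID 13 (registry value set) records. The event lines are constructed to mirror this report's IoCs; the image paths, the benign agent.exe and svchost.exe entries and the flat key=value rendering of the Sysmon fields are assumptions of the example. Rules match on the tail of the key path so that ControlSet001/CurrentControlSet and SOFTWARE/SOFTWARE\WOW6432Node variants all hit, and an image is flagged only when it touches two or more categories, since any single setting can be changed legitimately by an administrator or a security product.

```python
"""Score Sysmon registry 'value set' events against the Sality tampering cluster.

Added example: the event lines are constructed (not real telemetry) to mirror
the IoCs in the report; image paths and the two benign entries are assumptions.
"""
import re
from collections import defaultdict

# (regex applied to the registry key path, expected DWORD value, category).
# Matching the tail of the path makes ControlSet001 vs CurrentControlSet and
# SOFTWARE vs SOFTWARE\WOW6432Node (32-bit registry redirection) all hit.
TAMPER_RULES = [
    (r"FirewallPolicy\\\w+Profile\\EnableFirewall$", 0, "firewall"),
    (r"FirewallPolicy\\\w+Profile\\DoNotAllowExceptions$", 0, "firewall"),
    (r"FirewallPolicy\\\w+Profile\\DisableNotifications$", 1, "firewall"),
    (r"Policies\\System\\EnableLUA$", 0, "uac"),
    (r"Security Center\\(AntiVirus|Firewall)Override$", 1, "security_center"),
    (r"Security Center\\(AntiVirus|Firewall|Updates|Uac)DisableNotify$", 1, "security_center"),
    (r"Policies\\System\\DisableRegistryTools$", 1, "admin_tools"),
    (r"Policies\\System\\DisableTaskMgr$", 1, "admin_tools"),
]

_EVENT_RE = re.compile(
    r"^EventID=13 Image=(?P<image>.+?) TargetObject=(?P<target>.+?) Details=(?P<details>.+)$")
_DWORD_RE = re.compile(r"^DWORD \(0x(?P<hex>[0-9A-Fa-f]+)\)$")

# Constructed Sysmon-style Event ID 13 lines (assumed flat rendering of the fields).
SAMPLE_EVENTS = r"""
EventID=13 Image=C:\Users\Admin\AppData\Local\Temp\7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe TargetObject=HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall Details=DWORD (0x00000000)
EventID=13 Image=C:\Users\Admin\AppData\Local\Temp\7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe TargetObject=HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions Details=DWORD (0x00000000)
EventID=13 Image=C:\Users\Admin\AppData\Local\Temp\7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Details=DWORD (0x00000000)
EventID=13 Image=C:\Users\Admin\AppData\Local\Temp\7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe TargetObject=HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride Details=DWORD (0x00000001)
EventID=13 Image=C:\Windows\SysWOW64\bbuqdtv.exe TargetObject=HKU\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools Details=DWORD (0x00000001)
EventID=13 Image=C:\Windows\SysWOW64\bbuqdtv.exe TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Details=DWORD (0x00000000)
EventID=13 Image=C:\Program Files\Vendor\agent.exe TargetObject=HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify Details=DWORD (0x00000001)
EventID=13 Image=C:\Windows\System32\svchost.exe TargetObject=HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall Details=DWORD (0x00000001)
"""


def parse_event(line):
    """Return (image basename, key path, dword value) or None for non-matching lines."""
    m = _EVENT_RE.match(line.strip())
    if not m:
        return None
    d = _DWORD_RE.match(m["details"])
    if not d:
        return None  # only DWORD values matter for these settings
    image = m["image"].rsplit("\\", 1)[-1].lower()
    return image, m["target"], int(d["hex"], 16)


def classify(target, value):
    """Map one registry write to a tampering category, or None if it is not one."""
    for pattern, expected, category in TAMPER_RULES:
        if value == expected and re.search(pattern, target, re.IGNORECASE):
            return category
    return None


def analyze_events(lines):
    """Group tampering hits per image: {image: {"categories": set, "hits": [(key, value)]}}."""
    result = defaultdict(lambda: {"categories": set(), "hits": []})
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        image, target, value = parsed
        category = classify(target, value)
        if category:
            result[image]["categories"].add(category)
            result[image]["hits"].append((target, value))
    return dict(result)


def flag_tampering(lines, min_categories=2):
    """Images that hit at least min_categories distinct categories, sorted by name."""
    return sorted(image for image, info in analyze_events(lines).items()
                  if len(info["categories"]) >= min_categories)


if __name__ == "__main__":
    lines = SAMPLE_EVENTS.splitlines()
    for image, info in analyze_events(lines).items():
        print(image, sorted(info["categories"]), len(info["hits"]), "hits")
    print("flagged:", flag_tampering(lines))
```

With the constructed lines, the original sample and the dropped bbuqdtv.exe are flagged while agent.exe (one category) and svchost.exe (EnableFirewall written as 1, not 0) are not. In production the same cluster reappearing from a second, randomly named image in SysWOW64 a few seconds later is itself worth a rule, because that is exactly the pattern the two processes in this report show.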
Deletes itself 1 IoCs
pid | Process
8652 | bbuqdtv.exe
Executes dropped EXE 64 IoCs
Cross-referencing these with the SysWOW64 and Run-key tables below shows the dropped executables form a chain in which each one writes and starts its successor (for example rulbbjs.exe writes nrrqdxfg.exe, bzdwuzh.exe writes hpvtikv.exe, and mxited.exe registers nvodq.exe, which registers ojqyn.exe).
pid | Process
2876 | qgnbrhr.exe
5096 | qjhqrk.exe
4656 | yqnqjngj.exe
1564 | rulbbjs.exe
3380 | nrrqdxfg.exe
3700 | poope.exe
2164 | qtqzuc.exe
780 | stqfxu.exe
532 | ewkdjw.exe
4336 | bzdwuzh.exe
4400 | hpvtikv.exe
4800 | junzmerz.exe
4276 | kgtnn.exe
4788 | yrrhghlu.exe
2000 | xjehbl.exe
4440 | tuhadug.exe
4688 | nbqwqt.exe
3048 | sktogkx.exe
2560 | knjug.exe
3548 | bdoqleuw.exe
1960 | npxiko.exe
3840 | mnbogjde.exe
4860 | fdomh.exe
4820 | llgwq.exe
4344 | qvwqmj.exe
4432 | ojscjjqo.exe
4804 | gfxbi.exe
1764 | vqxqoby.exe
3616 | jbibvw.exe
3448 | sclsu.exe
2212 | sncuqb.exe
4940 | vmouhzh.exe
3292 | twzpbekl.exe
4420 | hukcr.exe
5500 | nzdgwrrh.exe
5548 | mxited.exe
5588 | nvodq.exe
5620 | ojqyn.exe
5660 | hswrqd.exe
5692 | gbawth.exe
5724 | ttejauq.exe
5756 | rzjet.exe
5796 | mdloxc.exe
5828 | zbrpnxk.exe
5860 | carbel.exe
5896 | xtimez.exe
5928 | opislr.exe
5964 | exccq.exe
5996 | swczm.exe
6036 | ztaaq.exe
6076 | nbrkyp.exe
6124 | dnpwkw.exe
2104 | wnsnj.exe
464 | xcdjxd.exe
5264 | ppcntp.exe
5184 | kjiomihn.exe
3408 | aoyvv.exe
1700 | pqfic.exe
5088 | swfbg.exe
5344 | diapcndm.exe
5440 | cjokfqax.exe
3464 | niqdem.exe
1576 | hlymgtp.exe
5540 | qrniqbep.exe
yara rule "upx" matches 64 IoCs
The region 0x0000000031420000-0x000000003143B000 matches in the sample process (pid 4188) and in every dropped child; the larger region 0x0000000002330000-0x00000000033BE000 matches only in pid 4188. One dropped file (behavioral2/files/0x00070000000234f8-17.dat) also matches.
resource | yara_rule
behavioral2/memory/4188-0-0x0000000031420000-0x000000003143B000-memory.dmp | upx
behavioral2/memory/4188-1-0x0000000002330000-0x00000000033BE000-memory.dmp | upx
behavioral2/memory/4188-4-0x0000000002330000-0x00000000033BE000-memory.dmp | upx
behavioral2/memory/4188-10-0x0000000002330000-0x00000000033BE000-memory.dmp | upx
behavioral2/memory/4188-8-0x0000000002330000-0x00000000033BE000-memory.dmp | upx
behavioral2/memory/2876-13-0x0000000031420000-0x000000003143B000-memory.dmp | upx
behavioral2/memory/4188-5-0x0000000002330000-0x00000000033BE000-memory.dmp | upx
behavioral2/files/0x00070000000234f8-17.dat | upx
behavioral2/memory/4188-9-0x0000000002330000-0x00000000033BE000-memory.dmp | upx
behavioral2/memory/5096-24-0x0000000031420000-0x000000003143B000-memory.dmp | upx
behavioral2/memory/4656-31-0x0000000031420000-0x000000003143B000-memory.dmp | upx
behavioral2/memory/4188-36-0x0000000002330000-0x00000000033BE000-memory.dmp | upx
behavioral2/memory/4188-37-0x0000000002330000-0x00000000033BE000-memory.dmp | upx
behavioral2/memory/3380-43-0x0000000031420000-0x000000003143B000-memory.dmp | upx
behavioral2/memory/4188-40-0x0000000002330000-0x00000000033BE000-memory.dmp | upx
behavioral2/memory/3700-48-0x0000000031420000-0x000000003143B000-memory.dmp | upx
behavioral2/memory/2164-53-0x0000000031420000-0x000000003143B000-memory.dmp | upx
behavioral2/memory/780-58-0x0000000031420000-0x000000003143B000-memory.dmp | upx
behavioral2/memory/4188-64-0x0000000031420000-0x000000003143B000-memory.dmp | upx
behavioral2/memory/4188-62-0x0000000002330000-0x00000000033BE000-memory.dmp | upx
behavioral2/memory/4188-60-0x0000000002330000-0x00000000033BE000-memory.dmp | upx
behavioral2/memory/4188-73-0x0000000002330000-0x00000000033BE000-memory.dmp | upx
behavioral2/memory/4336-74-0x0000000031420000-0x000000003143B000-memory.dmp | upx
behavioral2/memory/2876-77-0x0000000031420000-0x000000003143B000-memory.dmp | upx
behavioral2/memory/4188-81-0x0000000002330000-0x00000000033BE000-memory.dmp | upx
behavioral2/memory/5096-83-0x0000000031420000-0x000000003143B000-memory.dmp | upx
behavioral2/memory/4188-79-0x0000000002330000-0x00000000033BE000-memory.dmp | upx
behavioral2/memory/4276-91-0x0000000031420000-0x000000003143B000-memory.dmp | upx
behavioral2/memory/4656-90-0x0000000031420000-0x000000003143B000-memory.dmp | upx
behavioral2/memory/4788-97-0x0000000031420000-0x000000003143B000-memory.dmp | upx
behavioral2/memory/1564-96-0x0000000031420000-0x000000003143B000-memory.dmp | upx
behavioral2/memory/3380-102-0x0000000031420000-0x000000003143B000-memory.dmp | upx
behavioral2/memory/3700-106-0x0000000031420000-0x000000003143B000-memory.dmp | upx
behavioral2/memory/2164-111-0x0000000031420000-0x000000003143B000-memory.dmp | upx
behavioral2/memory/3048-118-0x0000000031420000-0x000000003143B000-memory.dmp | upx
behavioral2/memory/780-117-0x0000000031420000-0x000000003143B000-memory.dmp | upx
behavioral2/memory/532-122-0x0000000031420000-0x000000003143B000-memory.dmp | upx
behavioral2/memory/4400-132-0x0000000031420000-0x000000003143B000-memory.dmp | upx
behavioral2/memory/1960-133-0x0000000031420000-0x000000003143B000-memory.dmp | upx
behavioral2/memory/4800-137-0x0000000031420000-0x000000003143B000-memory.dmp | upx
behavioral2/memory/4276-143-0x0000000031420000-0x000000003143B000-memory.dmp | upx
behavioral2/memory/4788-149-0x0000000031420000-0x000000003143B000-memory.dmp | upx
behavioral2/memory/4820-150-0x0000000031420000-0x000000003143B000-memory.dmp | upx
behavioral2/memory/2000-154-0x0000000031420000-0x000000003143B000-memory.dmp | upx
behavioral2/memory/4440-159-0x0000000031420000-0x000000003143B000-memory.dmp | upx
behavioral2/memory/4688-167-0x0000000031420000-0x000000003143B000-memory.dmp | upx
behavioral2/memory/4804-168-0x0000000031420000-0x000000003143B000-memory.dmp | upx
behavioral2/memory/4188-161-0x0000000002330000-0x00000000033BE000-memory.dmp | upx
behavioral2/memory/3048-172-0x0000000031420000-0x000000003143B000-memory.dmp | upx
behavioral2/memory/2560-177-0x0000000031420000-0x000000003143B000-memory.dmp | upx
behavioral2/memory/3548-182-0x0000000031420000-0x000000003143B000-memory.dmp | upx
behavioral2/memory/2212-190-0x0000000031420000-0x000000003143B000-memory.dmp | upx
behavioral2/memory/1960-189-0x0000000031420000-0x000000003143B000-memory.dmp | upx
behavioral2/memory/3840-195-0x0000000031420000-0x000000003143B000-memory.dmp | upx
behavioral2/memory/4860-198-0x0000000031420000-0x000000003143B000-memory.dmp | upx
behavioral2/memory/4820-201-0x0000000031420000-0x000000003143B000-memory.dmp | upx
behavioral2/memory/5500-304-0x0000000031420000-0x000000003143B000-memory.dmp | upx
behavioral2/memory/4344-303-0x0000000031420000-0x000000003143B000-memory.dmp | upx
behavioral2/memory/4432-307-0x0000000031420000-0x000000003143B000-memory.dmp | upx
behavioral2/memory/4804-310-0x0000000031420000-0x000000003143B000-memory.dmp | upx
behavioral2/memory/1764-314-0x0000000031420000-0x000000003143B000-memory.dmp | upx
behavioral2/memory/3616-317-0x0000000031420000-0x000000003143B000-memory.dmp | upx
behavioral2/memory/3448-320-0x0000000031420000-0x000000003143B000-memory.dmp | upx
behavioral2/memory/2212-323-0x0000000031420000-0x000000003143B000-memory.dmp | upx
Modifies Windows Security Center settings, including creation of the Svc key 14 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | bbuqdtv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | bbuqdtv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | bbuqdtv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | bbuqdtv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | bbuqdtv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | bbuqdtv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | bbuqdtv.exe
Adds Run key to start application 2 TTPs 64 IoCs
All 64 entries write the same string value, \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center is not involved here; the key is \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run and the value name is "Cryptographic Service". Each row gives the path written into that value and the process that wrote it. The value names C:\Windows\system32 while the file rows further down show the drops in C:\Windows\SysWOW64: the sample runs as a 32-bit image on x64 Windows, so its HKLM\SOFTWARE writes land under WOW6432Node and its writes to %windir%\system32 are redirected to SysWOW64. A search for persistence that only inspects the 64-bit Run key or only C:\Windows\System32 on disk will miss both.
ioc (value written) | Process
"C:\\Windows\\system32\\iszllj.exe" | pvoihg.exe
"C:\\Windows\\system32\\jmfewa.exe" | ipdhbsw.exe
"C:\\Windows\\system32\\mbrefv.exe" | ymajq.exe
"C:\\Windows\\system32\\mmlfipcj.exe" | tnodfezb.exe
"C:\\Windows\\system32\\cytvfdw.exe" | vhnoloj.exe
"C:\\Windows\\system32\\kvaptl.exe" | jolosttz.exe
"C:\\Windows\\system32\\edhqyfm.exe" | zyznf.exe
"C:\\Windows\\system32\\zqurjar.exe" | tqwhbg.exe
"C:\\Windows\\system32\\ojtnho.exe" | cwvum.exe
"C:\\Windows\\system32\\ebuaon.exe" | vrrtxy.exe
"C:\\Windows\\system32\\nvodq.exe" | mxited.exe
"C:\\Windows\\system32\\fghyemz.exe" | navqxrw.exe
"C:\\Windows\\system32\\trigjc.exe" | faeecdjm.exe
"C:\\Windows\\system32\\lwtou.exe" | oncjbflx.exe
"C:\\Windows\\system32\\wrffprdd.exe" | bbuqdtv.exe
"C:\\Windows\\system32\\xgsmmnw.exe" | rbwkoijs.exe
"C:\\Windows\\system32\\zbrpnxk.exe" | mdloxc.exe
"C:\\Windows\\system32\\dcpwhdh.exe" | mpmdi.exe
"C:\\Windows\\system32\\bjxwsra.exe" | nhlixeea.exe
"C:\\Windows\\system32\\ldiddz.exe" | sayastxs.exe
"C:\\Windows\\system32\\jnlabid.exe" | xegohuo.exe
"C:\\Windows\\system32\\gcfwsade.exe" | jwcclwnb.exe
"C:\\Windows\\system32\\vprfm.exe" | jmqxn.exe
"C:\\Windows\\system32\\ptbtv.exe" | dsmdgwu.exe
"C:\\Windows\\system32\\ttejauq.exe" | gbawth.exe
"C:\\Windows\\system32\\sfzvwv.exe" | lyvyf.exe
"C:\\Windows\\system32\\eoczf.exe" | ymqwxgz.exe
"C:\\Windows\\system32\\dtope.exe" | qpnyrcqk.exe
"C:\\Windows\\system32\\sttoc.exe" | wprwotwv.exe
"C:\\Windows\\system32\\npxiko.exe" | bdoqleuw.exe
"C:\\Windows\\system32\\xcdjxd.exe" | wnsnj.exe
"C:\\Windows\\system32\\otnugts.exe" | nlzko.exe
"C:\\Windows\\system32\\pdgzz.exe" | ynfxer.exe
"C:\\Windows\\system32\\ojqyn.exe" | nvodq.exe
"C:\\Windows\\system32\\uzmcxmj.exe" | xjbmmwv.exe
"C:\\Windows\\system32\\mpmdi.exe" | nvvix.exe
"C:\\Windows\\system32\\tsshpr.exe" | pdgzz.exe
"C:\\Windows\\system32\\dsmdgwu.exe" | iszllj.exe
"C:\\Windows\\system32\\nssqbp.exe" | uegwmssh.exe
"C:\\Windows\\system32\\favollfd.exe" | gxpzkju.exe
"C:\\Windows\\system32\\fifgv.exe" | xymgcvx.exe
"C:\\Windows\\system32\\gopno.exe" | nssqbp.exe
"C:\\Windows\\system32\\hwpfz.exe" | mxfkimfw.exe
"C:\\Windows\\system32\\tnbfigor.exe" | bdasyii.exe
"C:\\Windows\\system32\\omghxet.exe" | ebuaon.exe
"C:\\Windows\\system32\\bxhpvbf.exe" | pmbznxz.exe
"C:\\Windows\\system32\\vyrbmmjd.exe" | dntbvk.exe
"C:\\Windows\\system32\\kcksxt.exe" | wtijpg.exe
"C:\\Windows\\system32\\ppcntp.exe" | xcdjxd.exe
"C:\\Windows\\system32\\gywzl.exe" | vxawljw.exe
"C:\\Windows\\system32\\ofcra.exe" | ioellfiy.exe
"C:\\Windows\\system32\\jolosttz.exe" | wrffprdd.exe
"C:\\Windows\\system32\\zssvmd.exe" | krumti.exe
"C:\\Windows\\system32\\chpjlnkw.exe" | wcfazrlt.exe
"C:\\Windows\\system32\\opzqzzj.exe" | fpollox.exe
"C:\\Windows\\system32\\vsmhe.exe" | npatoev.exe
"C:\\Windows\\system32\\tzdau.exe" | aergp.exe
"C:\\Windows\\system32\\nbrkyp.exe" | ztaaq.exe
"C:\\Windows\\system32\\lajat.exe" | lgtlchwj.exe
"C:\\Windows\\system32\\ughutjv.exe" | lttzsgsf.exe
"C:\\Windows\\system32\\kkvlirti.exe" | qeqfbzvb.exe
"C:\\Windows\\system32\\ivzykrue.exe" | hqnsgpxc.exe
"C:\\Windows\\system32\\buptm.exe" | zrunt.exe
"C:\\Windows\\system32\\qktcc.exe" | ivzgg.exe
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E:, \??\G:, \??\L:, \??\M:, \??\P:, \??\Q:, \??\T:, \??\V:, \??\Z:, \??\H:, \??\K:, \??\N:, \??\I:, \??\J:, \??\R:, \??\S:, \??\W:, \??\X:, \??\O:, \??\U:, \??\Y: (21 drive letters) | 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe
File opened (read-only) | \??\H:, \??\G:, \??\E: (3 drive letters) | bbuqdtv.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\nrrqdxfg.exe | rulbbjs.exe
File created | C:\Windows\SysWOW64\vrgabcmf.exe | gusobehx.exe
File created | C:\Windows\SysWOW64\fghyemz.exe | navqxrw.exe
File created | C:\Windows\SysWOW64\vyrbmmjd.exe | dntbvk.exe
File created | C:\Windows\SysWOW64\rpdsoyr.exe | efswv.exe
File opened for modification | C:\Windows\SysWOW64\rpdsoyr.exe | efswv.exe
File created | C:\Windows\SysWOW64\ernqtero.exe | xooylbx.exe
File created | C:\Windows\SysWOW64\xnsvkj.exe | buptm.exe
File opened for modification | C:\Windows\SysWOW64\bdersm.exe | dtope.exe
File opened for modification | C:\Windows\SysWOW64\htjin.exe | dzxaqdcx.exe
File created | C:\Windows\SysWOW64\ulknyfk.exe | jnlabid.exe
File opened for modification | C:\Windows\SysWOW64\afmnddr.exe | feifycz.exe
File created | C:\Windows\SysWOW64\hqhgii.exe | fypunb.exe
File opened for modification | C:\Windows\SysWOW64\navqxrw.exe | kqumq.exe
File created | C:\Windows\SysWOW64\tgubmvjt.exe | aszkk.exe
File opened for modification | C:\Windows\SysWOW64\grsvhx.exe | xzpacyww.exe
File created | C:\Windows\SysWOW64\nssqbp.exe | uegwmssh.exe
File created | C:\Windows\SysWOW64\tucxckv.exe | obpgilg.exe
File opened for modification | C:\Windows\SysWOW64\feifycz.exe | egpyhnp.exe
File created | C:\Windows\SysWOW64\iskaeqh.exe | uzmcxmj.exe
File created | C:\Windows\SysWOW64\mdloxc.exe | rzjet.exe
File created | C:\Windows\SysWOW64\kjivsf.exe | rpdsoyr.exe
File opened for modification | C:\Windows\SysWOW64\nnoim.exe | vwsoob.exe
File opened for modification | C:\Windows\SysWOW64\bjxwsra.exe | nhlixeea.exe
File created | C:\Windows\SysWOW64\kttlxvht.exe | zssvmd.exe
File opened for modification | C:\Windows\SysWOW64\wvtxxof.exe | drragsq.exe
File opened for modification | C:\Windows\SysWOW64\xklqnmb.exe | kcjxutu.exe
File opened for modification | C:\Windows\SysWOW64\xjbmmwv.exe | fyydikaf.exe
File opened for modification | C:\Windows\SysWOW64\ughutjv.exe | lttzsgsf.exe
File created | C:\Windows\SysWOW64\cvanq.exe | utvpwzbu.exe
File created | C:\Windows\SysWOW64\didqicp.exe | tgubmvjt.exe
File opened for modification | C:\Windows\SysWOW64\liabhba.exe | nepuzbel.exe
File created | C:\Windows\SysWOW64\pcogegse.exe | openozh.exe
File created | C:\Windows\SysWOW64\jblii.exe | szmzijl.exe
File opened for modification | C:\Windows\SysWOW64\bxhpvbf.exe | pmbznxz.exe
File opened for modification | C:\Windows\SysWOW64\hclhrpbm.exe | ccpod.exe
File opened for modification | C:\Windows\SysWOW64\wmghg.exe | gsyrx.exe
File created | C:\Windows\SysWOW64\utvpwzbu.exe | ugqqviz.exe
File created | C:\Windows\SysWOW64\mnbogjde.exe | npxiko.exe
File created | C:\Windows\SysWOW64\kdyon.exe | dgyaj.exe
File created | C:\Windows\SysWOW64\ipdhbsw.exe | tucxckv.exe
File opened for modification | C:\Windows\SysWOW64\hyphzt.exe | opzqzzj.exe
File created | C:\Windows\SysWOW64\ituupaat.exe | tqgmbqh.exe
File opened for modification | C:\Windows\SysWOW64\hpvtikv.exe | bzdwuzh.exe
File opened for modification | C:\Windows\SysWOW64\xjehbl.exe | yrrhghlu.exe
File created | C:\Windows\SysWOW64\zbgasaa.exe | nlwvukwi.exe
File created | C:\Windows\SysWOW64\npatoev.exe | tvapxf.exe
File opened for modification | C:\Windows\SysWOW64\ikmooqw.exe | amevxji.exe
File created | C:\Windows\SysWOW64\nrnfgzz.exe | ofcra.exe
File created | C:\Windows\SysWOW64\joanzr.exe | cwbik.exe
File opened for modification | C:\Windows\SysWOW64\wuhmexe.exe | lmmtqhqh.exe
File opened for modification | C:\Windows\SysWOW64\hukcr.exe | twzpbekl.exe
File opened for modification | C:\Windows\SysWOW64\lxouo.exe | xklqnmb.exe
File opened for modification | C:\Windows\SysWOW64\egpyhnp.exe | hwpfz.exe
File created | C:\Windows\SysWOW64\izrafq.exe | ivzykrue.exe
File created | C:\Windows\SysWOW64\ddulxc.exe | vvqlpd.exe
File created | C:\Windows\SysWOW64\tfqnada.exe | frymobws.exe
File opened for modification | C:\Windows\SysWOW64\shffrn.exe | trggkb.exe
File created | C:\Windows\SysWOW64\ypxqpfj.exe | gopno.exe
File opened for modification | C:\Windows\SysWOW64\rbwkoijs.exe | rokwm.exe
File opened for modification | C:\Windows\SysWOW64\hnadntn.exe | sxbvk.exe
File opened for modification | C:\Windows\SysWOW64\krrdh.exe | gekwh.exe
File created | C:\Windows\SysWOW64\vrrtxy.exe | wvtxxof.exe
File opened for modification | C:\Windows\SysWOW64\jzdous.exe | htjin.exe
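The Run-key and SysWOW64 tables above describe one mechanism from two sides: each dropped executable writes its successor into SysWOW64, registers it under Run\Cryptographic Service and starts it. The following added example (not part of the report or of the sandbox's own tooling) parses rows in the report's own row format, joins both kinds of evidence into parent-to-child edges keyed by file basename (which is what makes the system32 name in the Run value line up with the SysWOW64 drop), and rebuilds the drop chains. The embedded rows are copied from the tables above; the longest-chain-first ordering and the cycle guard are choices of the example.

```python
"""Rebuild the drop/persistence chain from rows in the sandbox report's format.

Added example, not part of the report. SAMPLE_ROWS are copied from the
report's Run-key and SysWOW64 tables; parsing and ordering are this
example's own choices.
"""
import re
from collections import defaultdict

# Row shapes as they appear in the report tables.
_RUN_ROW = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\.+?) = "(?P<value>[^"]+)" (?P<proc>\S+)$')
_FILE_ROW = re.compile(
    r'^File (?P<op>created|opened for modification) (?P<path>\S+) (?P<proc>\S+)$')

SAMPLE_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\wrffprdd.exe" bbuqdtv.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\jolosttz.exe" wrffprdd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\kvaptl.exe" jolosttz.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\iszllj.exe" pvoihg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\dsmdgwu.exe" iszllj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\ptbtv.exe" dsmdgwu.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\nvodq.exe" mxited.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\ojqyn.exe" nvodq.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\xcdjxd.exe" wnsnj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\ppcntp.exe" xcdjxd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = "C:\\Windows\\system32\\zbrpnxk.exe" mdloxc.exe
File created C:\Windows\SysWOW64\mdloxc.exe rzjet.exe
File opened for modification C:\Windows\SysWOW64\nrrqdxfg.exe rulbbjs.exe
File created C:\Windows\SysWOW64\mnbogjde.exe npxiko.exe
File opened for modification C:\Windows\SysWOW64\hpvtikv.exe bzdwuzh.exe
"""


def _basename(path):
    """Last path component, lower-cased; tolerates the doubled backslashes in Run values."""
    return re.split(r"\\+", path)[-1].lower()


def parse_rows(rows):
    """Return {(parent, child): set of evidence kinds} from report rows."""
    edges = defaultdict(set)
    for row in rows:
        row = row.strip()
        m = _RUN_ROW.match(row)
        if m:
            if re.search(r"\\CurrentVersion\\Run\\", m["key"], re.IGNORECASE):
                edges[(m["proc"].lower(), _basename(m["value"]))].add("run_key")
            continue
        m = _FILE_ROW.match(row)
        if m:
            kind = "file_created" if m["op"] == "created" else "file_modified"
            edges[(m["proc"].lower(), _basename(m["path"]))].add(kind)
    return dict(edges)


def build_chains(edges):
    """Walk from every root (process with no recorded parent) to its leaves.

    Returns chains sorted longest first, then by name. A process graph that is
    only a cycle has no root and yields no chain; the seen-set stops loops.
    """
    children = defaultdict(list)
    has_parent = set()
    for parent, child in edges:
        children[parent].append(child)
        has_parent.add(child)
    roots = sorted(p for p in children if p not in has_parent)
    chains = []

    def walk(node, path, seen):
        nxt = sorted(c for c in children.get(node, []) if c not in seen)
        if not nxt:
            chains.append(path)
            return
        for c in nxt:
            walk(c, path + [c], seen | {c})

    for root in roots:
        walk(root, [root], {root})
    return sorted(chains, key=lambda c: (-len(c), c))


def longest_chain(rows):
    chains = build_chains(parse_rows(rows))
    return chains[0] if chains else []


if __name__ == "__main__":
    for chain in build_chains(parse_rows(SAMPLE_ROWS.splitlines())):
        print(" -> ".join(chain))
```

On the rows above this yields eight chains, the two longest being bbuqdtv.exe -> wrffprdd.exe -> jolosttz.exe -> kvaptl.exe and pvoihg.exe -> iszllj.exe -> dsmdgwu.exe -> ptbtv.exe. Because the report caps each table at 64 rows, a child that appears as a Run-key target without a matching file row (or the reverse) is expected rather than a contradiction; feeding the full tables in would join many of these fragments into longer chains.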
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe | 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\Uninstall.exe | 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe
The four 7-Zip executables are opened for modification rather than created, which is consistent with Sality's known behaviour as a PE file infector (it patches existing executables in addition to dropping new ones) and with the drive enumeration above, through which a file infector locates further volumes to search. Existing binaries on the host, not only the dropped SysWOW64 files, should therefore be treated as suspect during cleanup.
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | each of the following 64 processes: dsmdgwu.exe, llgwq.exe, mltlyalr.exe, wmghg.exe, bpoufvb.exe, gekwh.exe, hpvtikv.exe, kjivsf.exe, ywfyqltm.exe, qpnyrcqk.exe, vvvmt.exe, gcfwsade.exe, vqxqoby.exe, jbibvw.exe, dzqnniy.exe, cytvfdw.exe, wuhmexe.exe, gusobehx.exe, carbel.exe, blceiujb.exe, mxfkimfw.exe, kvaptl.exe, veciwbpi.exe, bkeeew.exe, ppcntp.exe, liabhba.exe, krumti.exe, szmcn.exe, tqgmbqh.exe, twzpbekl.exe, vhnoloj.exe, aptylu.exe, hswrqd.exe, afmnddr.exe, ughutjv.exe, umqbiq.exe, bdoqleuw.exe, oboqajb.exe, swdsewuo.exe, bxhpvbf.exe, ymajq.exe, bbuqdtv.exe, hnadntn.exe, nvodq.exe, rzjet.exe, navqxrw.exe, krrdh.exe, hptmfgvs.exe, golxhbmg.exe, letkxcot.exe, xjbmmwv.exe, vbikrgm.exe, ttejauq.exe, yamcs.exe, unent.exe, bvliby.exe, aergp.exe, fdomh.exe, mxited.exe, lwtou.exe, ajojip.exe, cwbik.exe, nagrtbio.exe, grsvhx.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process
4188 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe
4188 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe
4188 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe
4188 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe
4188 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe
4188 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe
8652 bbuqdtv.exe
8652 bbuqdtv.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeDebugPrivilege 4188 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe
Token: SeDebugPrivilege 4188 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe
Token: SeDebugPrivilege 4188 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe
Token: SeDebugPrivilege 4188 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe
Token: SeDebugPrivilege 4188 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe
Token: SeDebugPrivilege 4188 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe
Token: SeDebugPrivilege 4188 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe
Token: SeDebugPrivilege 4188 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe
Token: SeDebugPrivilege 2876 qgnbrhr.exe
Token: SeDebugPrivilege 4188 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe
Token: SeDebugPrivilege 4188 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe
Token: SeDebugPrivilege 4188 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe
Token: SeDebugPrivilege 4188 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe
Token: SeDebugPrivilege 5096 qjhqrk.exe
Token: SeDebugPrivilege 4656 yqnqjngj.exe
Token: SeDebugPrivilege 1564 rulbbjs.exe
Token: SeDebugPrivilege 3380 nrrqdxfg.exe
Token: SeDebugPrivilege 3700 poope.exe
Token: SeDebugPrivilege 2164 qtqzuc.exe
Token: SeDebugPrivilege 780 stqfxu.exe
Token: SeDebugPrivilege 532 ewkdjw.exe
Token: SeDebugPrivilege 4336 bzdwuzh.exe
Token: SeDebugPrivilege 4400 hpvtikv.exe
Token: SeDebugPrivilege 4800 junzmerz.exe
Token: SeDebugPrivilege 4276 kgtnn.exe
Token: SeDebugPrivilege 4788 yrrhghlu.exe
Token: SeDebugPrivilege 2000 xjehbl.exe
Token: SeDebugPrivilege 4440 tuhadug.exe
Token: SeDebugPrivilege 4688 nbqwqt.exe
Token: SeDebugPrivilege 3048 sktogkx.exe
Token: SeDebugPrivilege 2560 knjug.exe
Token: SeDebugPrivilege 3548 bdoqleuw.exe
Token: SeDebugPrivilege 1960 npxiko.exe
Token: SeDebugPrivilege 3840 mnbogjde.exe
Token: SeDebugPrivilege 4860 fdomh.exe
Token: SeDebugPrivilege 4820 llgwq.exe
Token: SeDebugPrivilege 4344 qvwqmj.exe
Token: SeDebugPrivilege 4432 ojscjjqo.exe
Token: SeDebugPrivilege 4804 gfxbi.exe
Token: SeDebugPrivilege 1764 vqxqoby.exe
Token: SeDebugPrivilege 3616 jbibvw.exe
Token: SeDebugPrivilege 3448 sclsu.exe
Token: SeDebugPrivilege 2212 sncuqb.exe
Token: SeDebugPrivilege 4940 vmouhzh.exe
Token: SeDebugPrivilege 3292 twzpbekl.exe
Token: SeDebugPrivilege 4188 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe
Token: SeDebugPrivilege 4188 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe
Token: SeDebugPrivilege 4188 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe
Token: SeDebugPrivilege 4188 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe
Token: SeDebugPrivilege 4188 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe
Token: SeDebugPrivilege 4188 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe
Token: SeDebugPrivilege 4188 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe
Token: SeDebugPrivilege 4188 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe
Token: SeDebugPrivilege 4188 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe
Token: SeDebugPrivilege 4188 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe
Token: SeDebugPrivilege 4188 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe
Token: SeDebugPrivilege 4420 hukcr.exe
Token: SeDebugPrivilege 5500 nzdgwrrh.exe
Token: SeDebugPrivilege 5548 mxited.exe
Token: SeDebugPrivilege 5588 nvodq.exe
Token: SeDebugPrivilege 5620 ojqyn.exe
Token: SeDebugPrivilege 5660 hswrqd.exe
Token: SeDebugPrivilege 5692 gbawth.exe
Token: SeDebugPrivilege 5724 ttejauq.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 4188 wrote to memory of 2876 4188 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe 85
PID 4188 wrote to memory of 2876 4188 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe 85
PID 4188 wrote to memory of 2876 4188 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe 85
PID 4188 wrote to memory of 764 4188 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe 8
PID 4188 wrote to memory of 772 4188 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe 9
PID 4188 wrote to memory of 332 4188 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe 13
PID 4188 wrote to memory of 2828 4188 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe 50
PID 4188 wrote to memory of 2880 4188 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe 51
PID 4188 wrote to memory of 2032 4188 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe 53
PID 4188 wrote to memory of 3400 4188 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe 56
PID 4188 wrote to memory of 3524 4188 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe 57
PID 4188 wrote to memory of 3712 4188 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe 58
PID 4188 wrote to memory of 3808 4188 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe 59
PID 4188 wrote to memory of 3872 4188 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe 60
PID 2876 wrote to memory of 5096 2876 qgnbrhr.exe 86
PID 2876 wrote to memory of 5096 2876 qgnbrhr.exe 86
PID 2876 wrote to memory of 5096 2876 qgnbrhr.exe 86
PID 4188 wrote to memory of 3960 4188 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe 61
PID 4188 wrote to memory of 4120 4188 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe 62
PID 4188 wrote to memory of 1456 4188 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe 74
PID 4188 wrote to memory of 4628 4188 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe 75
PID 4188 wrote to memory of 3564 4188 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe 82
PID 4188 wrote to memory of 3560 4188 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe 83
PID 4188 wrote to memory of 2876 4188 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe 85
PID 4188 wrote to memory of 2876 4188 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe 85
PID 5096 wrote to memory of 4656 5096 qjhqrk.exe 87
PID 5096 wrote to memory of 4656 5096 qjhqrk.exe 87
PID 5096 wrote to memory of 4656 5096 qjhqrk.exe 87
PID 4656 wrote to memory of 1564 4656 yqnqjngj.exe 88
PID 4656 wrote to memory of 1564 4656 yqnqjngj.exe 88
PID 4656 wrote to memory of 1564 4656 yqnqjngj.exe 88
PID 1564 wrote to memory of 3380 1564 rulbbjs.exe 89
PID 1564 wrote to memory of 3380 1564 rulbbjs.exe 89
PID 1564 wrote to memory of 3380 1564 rulbbjs.exe 89
PID 3380 wrote to memory of 3700 3380 nrrqdxfg.exe 90
PID 3380 wrote to memory of 3700 3380 nrrqdxfg.exe 90
PID 3380 wrote to memory of 3700 3380 nrrqdxfg.exe 90
PID 3700 wrote to memory of 2164 3700 poope.exe 91
PID 3700 wrote to memory of 2164 3700 poope.exe 91
PID 3700 wrote to memory of 2164 3700 poope.exe 91
PID 2164 wrote to memory of 780 2164 qtqzuc.exe 92
PID 2164 wrote to memory of 780 2164 qtqzuc.exe 92
PID 2164 wrote to memory of 780 2164 qtqzuc.exe 92
PID 780 wrote to memory of 532 780 stqfxu.exe 94
PID 780 wrote to memory of 532 780 stqfxu.exe 94
PID 780 wrote to memory of 532 780 stqfxu.exe 94
PID 532 wrote to memory of 4336 532 ewkdjw.exe 96
PID 532 wrote to memory of 4336 532 ewkdjw.exe 96
PID 532 wrote to memory of 4336 532 ewkdjw.exe 96
PID 4336 wrote to memory of 4400 4336 bzdwuzh.exe 97
PID 4336 wrote to memory of 4400 4336 bzdwuzh.exe 97
PID 4336 wrote to memory of 4400 4336 bzdwuzh.exe 97
PID 4400 wrote to memory of 4800 4400 hpvtikv.exe 99
PID 4400 wrote to memory of 4800 4400 hpvtikv.exe 99
PID 4400 wrote to memory of 4800 4400 hpvtikv.exe 99
PID 4800 wrote to memory of 4276 4800 junzmerz.exe 100
PID 4800 wrote to memory of 4276 4800 junzmerz.exe 100
PID 4800 wrote to memory of 4276 4800 junzmerz.exe 100
PID 4276 wrote to memory of 4788 4276 kgtnn.exe 101
PID 4276 wrote to memory of 4788 4276 kgtnn.exe 101
PID 4276 wrote to memory of 4788 4276 kgtnn.exe 101
PID 4788 wrote to memory of 2000 4788 yrrhghlu.exe 102
PID 4788 wrote to memory of 2000 4788 yrrhghlu.exe 102
PID 4788 wrote to memory of 2000 4788 yrrhghlu.exe 102
-
System policy modification 1 TTPs 2 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bbuqdtv.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:764
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:772
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:332
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2828
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2880
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:2032
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3400
-
C:\Users\Admin\AppData\Local\Temp\7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\7544d64ca2ddfbd3650ceb2ea0942c43_JaffaCakes118.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4188 -
C:\Windows\SysWOW64\qgnbrhr.exeC:\Windows\system32\qgnbrhr.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\qjhqrk.exeC:\Windows\system32\qjhqrk.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5096 -
C:\Windows\SysWOW64\yqnqjngj.exeC:\Windows\system32\yqnqjngj.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4656 -
C:\Windows\SysWOW64\rulbbjs.exeC:\Windows\system32\rulbbjs.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Windows\SysWOW64\nrrqdxfg.exeC:\Windows\system32\nrrqdxfg.exe7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3380 -
C:\Windows\SysWOW64\poope.exeC:\Windows\system32\poope.exe8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3700 -
C:\Windows\SysWOW64\qtqzuc.exeC:\Windows\system32\qtqzuc.exe9⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\stqfxu.exeC:\Windows\system32\stqfxu.exe10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:780 -
C:\Windows\SysWOW64\ewkdjw.exeC:\Windows\system32\ewkdjw.exe11⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:532 -
C:\Windows\SysWOW64\bzdwuzh.exeC:\Windows\system32\bzdwuzh.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4336 -
C:\Windows\SysWOW64\hpvtikv.exeC:\Windows\system32\hpvtikv.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4400 -
C:\Windows\SysWOW64\junzmerz.exeC:\Windows\system32\junzmerz.exe14⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4800 -
C:\Windows\SysWOW64\kgtnn.exeC:\Windows\system32\kgtnn.exe15⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4276 -
C:\Windows\SysWOW64\yrrhghlu.exeC:\Windows\system32\yrrhghlu.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4788 -
C:\Windows\SysWOW64\xjehbl.exeC:\Windows\system32\xjehbl.exe17⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2000 -
C:\Windows\SysWOW64\tuhadug.exeC:\Windows\system32\tuhadug.exe18⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4440 -
C:\Windows\SysWOW64\nbqwqt.exeC:\Windows\system32\nbqwqt.exe19⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4688 -
C:\Windows\SysWOW64\sktogkx.exeC:\Windows\system32\sktogkx.exe20⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3048 -
C:\Windows\SysWOW64\knjug.exeC:\Windows\system32\knjug.exe21⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2560 -
C:\Windows\SysWOW64\bdoqleuw.exeC:\Windows\system32\bdoqleuw.exe22⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3548 -
C:\Windows\SysWOW64\npxiko.exeC:\Windows\system32\npxiko.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1960 -
C:\Windows\SysWOW64\mnbogjde.exeC:\Windows\system32\mnbogjde.exe24⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3840 -
C:\Windows\SysWOW64\fdomh.exeC:\Windows\system32\fdomh.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4860 -
C:\Windows\SysWOW64\llgwq.exeC:\Windows\system32\llgwq.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4820 -
C:\Windows\SysWOW64\qvwqmj.exeC:\Windows\system32\qvwqmj.exe27⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4344 -
C:\Windows\SysWOW64\ojscjjqo.exeC:\Windows\system32\ojscjjqo.exe28⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4432 -
C:\Windows\SysWOW64\gfxbi.exeC:\Windows\system32\gfxbi.exe29⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4804 -
C:\Windows\SysWOW64\vqxqoby.exeC:\Windows\system32\vqxqoby.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1764 -
C:\Windows\SysWOW64\jbibvw.exeC:\Windows\system32\jbibvw.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3616 -
C:\Windows\SysWOW64\sclsu.exeC:\Windows\system32\sclsu.exe32⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3448 -
C:\Windows\SysWOW64\sncuqb.exeC:\Windows\system32\sncuqb.exe33⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2212 -
C:\Windows\SysWOW64\vmouhzh.exeC:\Windows\system32\vmouhzh.exe34⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4940 -
C:\Windows\SysWOW64\twzpbekl.exeC:\Windows\system32\twzpbekl.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3292 -
C:\Windows\SysWOW64\hukcr.exeC:\Windows\system32\hukcr.exe36⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4420 -
C:\Windows\SysWOW64\nzdgwrrh.exeC:\Windows\system32\nzdgwrrh.exe37⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5500 -
C:\Windows\SysWOW64\mxited.exeC:\Windows\system32\mxited.exe38⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5548 -
C:\Windows\SysWOW64\nvodq.exeC:\Windows\system32\nvodq.exe39⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5588 -
C:\Windows\SysWOW64\ojqyn.exeC:\Windows\system32\ojqyn.exe40⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5620 -
C:\Windows\SysWOW64\hswrqd.exeC:\Windows\system32\hswrqd.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5660 -
C:\Windows\SysWOW64\gbawth.exeC:\Windows\system32\gbawth.exe42⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:5692 -
C:\Windows\SysWOW64\ttejauq.exeC:\Windows\system32\ttejauq.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5724 -
C:\Windows\SysWOW64\rzjet.exeC:\Windows\system32\rzjet.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5756 -
C:\Windows\SysWOW64\mdloxc.exeC:\Windows\system32\mdloxc.exe45⤵
- Executes dropped EXE
- Adds Run key to start application
PID:5796 -
C:\Windows\SysWOW64\zbrpnxk.exeC:\Windows\system32\zbrpnxk.exe46⤵
- Executes dropped EXE
PID:5828 -
C:\Windows\SysWOW64\carbel.exeC:\Windows\system32\carbel.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5860 -
C:\Windows\SysWOW64\xtimez.exeC:\Windows\system32\xtimez.exe48⤵
- Executes dropped EXE
PID:5896 -
C:\Windows\SysWOW64\opislr.exeC:\Windows\system32\opislr.exe49⤵
- Executes dropped EXE
PID:5928 -
C:\Windows\SysWOW64\exccq.exeC:\Windows\system32\exccq.exe50⤵
- Executes dropped EXE
PID:5964 -
C:\Windows\SysWOW64\swczm.exeC:\Windows\system32\swczm.exe51⤵
- Executes dropped EXE
PID:5996 -
C:\Windows\SysWOW64\ztaaq.exeC:\Windows\system32\ztaaq.exe52⤵
- Executes dropped EXE
- Adds Run key to start application
PID:6036 -
C:\Windows\SysWOW64\nbrkyp.exeC:\Windows\system32\nbrkyp.exe53⤵
- Executes dropped EXE
PID:6076 -
C:\Windows\SysWOW64\dnpwkw.exeC:\Windows\system32\dnpwkw.exe54⤵
- Executes dropped EXE
PID:6124 -
C:\Windows\SysWOW64\wnsnj.exeC:\Windows\system32\wnsnj.exe55⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2104 -
C:\Windows\SysWOW64\xcdjxd.exeC:\Windows\system32\xcdjxd.exe56⤵
- Executes dropped EXE
- Adds Run key to start application
PID:464 -
C:\Windows\SysWOW64\ppcntp.exeC:\Windows\system32\ppcntp.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5264 -
C:\Windows\SysWOW64\kjiomihn.exeC:\Windows\system32\kjiomihn.exe58⤵
- Executes dropped EXE
PID:5184 -
C:\Windows\SysWOW64\aoyvv.exeC:\Windows\system32\aoyvv.exe59⤵
- Executes dropped EXE
PID:3408 -
C:\Windows\SysWOW64\pqfic.exeC:\Windows\system32\pqfic.exe60⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\swfbg.exeC:\Windows\system32\swfbg.exe61⤵
- Executes dropped EXE
PID:5088 -
C:\Windows\SysWOW64\diapcndm.exeC:\Windows\system32\diapcndm.exe62⤵
- Executes dropped EXE
PID:5344 -
C:\Windows\SysWOW64\cjokfqax.exeC:\Windows\system32\cjokfqax.exe63⤵
- Executes dropped EXE
PID:5440 -
C:\Windows\SysWOW64\niqdem.exeC:\Windows\system32\niqdem.exe64⤵
- Executes dropped EXE
PID:3464 -
C:\Windows\SysWOW64\hlymgtp.exeC:\Windows\system32\hlymgtp.exe65⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\qrniqbep.exeC:\Windows\system32\qrniqbep.exe66⤵
- Executes dropped EXE
PID:5540 -
C:\Windows\SysWOW64\ymajq.exeC:\Windows\system32\ymajq.exe67⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:5636 -
C:\Windows\SysWOW64\mbrefv.exeC:\Windows\system32\mbrefv.exe68⤵PID:5720
-
C:\Windows\SysWOW64\fadste.exeC:\Windows\system32\fadste.exe69⤵PID:5868
-
C:\Windows\SysWOW64\fhhvq.exeC:\Windows\system32\fhhvq.exe70⤵PID:6008
-
C:\Windows\SysWOW64\amevxji.exeC:\Windows\system32\amevxji.exe71⤵
- Drops file in System32 directory
PID:6096 -
C:\Windows\SysWOW64\ikmooqw.exeC:\Windows\system32\ikmooqw.exe72⤵PID:916
-
C:\Windows\SysWOW64\ztoyvfn.exeC:\Windows\system32\ztoyvfn.exe73⤵PID:5192
-
C:\Windows\SysWOW64\ivzgg.exeC:\Windows\system32\ivzgg.exe74⤵
- Adds Run key to start application
PID:5456 -
C:\Windows\SysWOW64\qktcc.exeC:\Windows\system32\qktcc.exe75⤵PID:5408
-
C:\Windows\SysWOW64\oxwdyuc.exeC:\Windows\system32\oxwdyuc.exe76⤵PID:5668
-
C:\Windows\SysWOW64\lskwvsz.exeC:\Windows\system32\lskwvsz.exe77⤵PID:6044
-
C:\Windows\SysWOW64\nagrtbio.exeC:\Windows\system32\nagrtbio.exe78⤵
- System Location Discovery: System Language Discovery
PID:5224 -
C:\Windows\SysWOW64\jqyvuyqa.exeC:\Windows\system32\jqyvuyqa.exe79⤵PID:5352
-
C:\Windows\SysWOW64\amoypd.exeC:\Windows\system32\amoypd.exe80⤵PID:5856
-
C:\Windows\SysWOW64\ccpod.exeC:\Windows\system32\ccpod.exe81⤵
- Drops file in System32 directory
PID:5312 -
C:\Windows\SysWOW64\hclhrpbm.exeC:\Windows\system32\hclhrpbm.exe82⤵PID:6004
-
C:\Windows\SysWOW64\taavygy.exeC:\Windows\system32\taavygy.exe83⤵PID:6168
-
C:\Windows\SysWOW64\efswv.exeC:\Windows\system32\efswv.exe84⤵
- Drops file in System32 directory
PID:6204 -
C:\Windows\SysWOW64\rpdsoyr.exeC:\Windows\system32\rpdsoyr.exe85⤵
- Drops file in System32 directory
PID:6236 -
C:\Windows\SysWOW64\kjivsf.exeC:\Windows\system32\kjivsf.exe86⤵
- System Location Discovery: System Language Discovery
PID:6268 -
C:\Windows\SysWOW64\iadqz.exeC:\Windows\system32\iadqz.exe87⤵PID:6316
-
C:\Windows\SysWOW64\nlwvukwi.exeC:\Windows\system32\nlwvukwi.exe88⤵
- Drops file in System32 directory
PID:6356 -
C:\Windows\SysWOW64\zbgasaa.exeC:\Windows\system32\zbgasaa.exe89⤵PID:6388
-
C:\Windows\SysWOW64\otkexc.exeC:\Windows\system32\otkexc.exe90⤵PID:6420
-
C:\Windows\SysWOW64\fsjlogx.exeC:\Windows\system32\fsjlogx.exe91⤵PID:6456
-
C:\Windows\SysWOW64\btcfvzu.exeC:\Windows\system32\btcfvzu.exe92⤵PID:6488
-
C:\Windows\SysWOW64\oboqajb.exeC:\Windows\system32\oboqajb.exe93⤵
- System Location Discovery: System Language Discovery
PID:6520 -
C:\Windows\SysWOW64\aqloqfdc.exeC:\Windows\system32\aqloqfdc.exe94⤵PID:6552
-
C:\Windows\SysWOW64\vdltuq.exeC:\Windows\system32\vdltuq.exe95⤵PID:6584
-
C:\Windows\SysWOW64\jjnjsga.exeC:\Windows\system32\jjnjsga.exe96⤵PID:6616
-
C:\Windows\SysWOW64\sgoqxpq.exeC:\Windows\system32\sgoqxpq.exe97⤵PID:6648
-
C:\Windows\SysWOW64\gnhzmxkz.exeC:\Windows\system32\gnhzmxkz.exe98⤵PID:6680
-
C:\Windows\SysWOW64\dgyaj.exeC:\Windows\system32\dgyaj.exe99⤵
- Drops file in System32 directory
PID:6712 -
C:\Windows\SysWOW64\kdyon.exeC:\Windows\system32\kdyon.exe100⤵PID:6744
-
C:\Windows\SysWOW64\ftdptq.exeC:\Windows\system32\ftdptq.exe101⤵PID:6776
-
C:\Windows\SysWOW64\gempb.exeC:\Windows\system32\gempb.exe102⤵PID:6820
-
C:\Windows\SysWOW64\kunwhl.exeC:\Windows\system32\kunwhl.exe103⤵PID:6860
-
C:\Windows\SysWOW64\xzpacyww.exeC:\Windows\system32\xzpacyww.exe104⤵
- Drops file in System32 directory
PID:6900 -
C:\Windows\SysWOW64\grsvhx.exeC:\Windows\system32\grsvhx.exe105⤵
- System Location Discovery: System Language Discovery
PID:6932 -
C:\Windows\SysWOW64\vhcrx.exeC:\Windows\system32\vhcrx.exe106⤵PID:6964
-
C:\Windows\SysWOW64\wzbdkob.exeC:\Windows\system32\wzbdkob.exe107⤵PID:6996
-
C:\Windows\SysWOW64\nwcjncg.exeC:\Windows\system32\nwcjncg.exe108⤵PID:7028
-
C:\Windows\SysWOW64\yprjb.exeC:\Windows\system32\yprjb.exe109⤵PID:7060
-
C:\Windows\SysWOW64\yamcs.exeC:\Windows\system32\yamcs.exe110⤵
- System Location Discovery: System Language Discovery
PID:7092 -
C:\Windows\SysWOW64\mgfqm.exeC:\Windows\system32\mgfqm.exe111⤵PID:7124
-
C:\Windows\SysWOW64\fznsc.exeC:\Windows\system32\fznsc.exe112⤵PID:7156
-
C:\Windows\SysWOW64\vwsoob.exeC:\Windows\system32\vwsoob.exe113⤵
- Drops file in System32 directory
PID:6200 -
C:\Windows\SysWOW64\nnoim.exeC:\Windows\system32\nnoim.exe114⤵PID:6308
-
C:\Windows\SysWOW64\tnodfezb.exeC:\Windows\system32\tnodfezb.exe115⤵
- Adds Run key to start application
PID:6364 -
C:\Windows\SysWOW64\mmlfipcj.exeC:\Windows\system32\mmlfipcj.exe116⤵PID:6464
-
C:\Windows\SysWOW64\jelwgxk.exeC:\Windows\system32\jelwgxk.exe117⤵PID:3384
-
C:\Windows\SysWOW64\szmcn.exeC:\Windows\system32\szmcn.exe118⤵
- System Location Discovery: System Language Discovery
PID:4324 -
C:\Windows\SysWOW64\imrzzrub.exeC:\Windows\system32\imrzzrub.exe119⤵PID:6500
-
C:\Windows\SysWOW64\uegwmssh.exeC:\Windows\system32\uegwmssh.exe120⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:6580 -
C:\Windows\SysWOW64\nssqbp.exeC:\Windows\system32\nssqbp.exe121⤵
- Adds Run key to start application
PID:6816 -
C:\Windows\SysWOW64\gopno.exeC:\Windows\system32\gopno.exe122⤵
- Drops file in System32 directory
PID:7036