Analysis
max time kernel: 150s
max time network: 118s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
submitted: 11-08-2024 03:26
Static task: static1
Behavioral task: behavioral1
  Sample: 88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: 88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Size: 498KB
MD5: 88d16eafa3d80cbc183085f120475998
SHA1: d9898f4b77ed203106fdb6eaf9b83afec20b6022
SHA256: 1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6
SHA512: b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a
SSDEEP: 12288:yBIImxhfDKSpPZIo1TzQfNO3xK/AZNPL/nDc/Raowh/u3b:ykpLhZIo1YVuxBzjow9ur
Malware Config
Extracted: metasploit
encoder/call4_dword_xor
Signatures
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Suspicious use of SetThreadContext 64 IoCs
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
Suspicious use of SetWindowsHookEx 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2144 wrote to memory of 2136 | 2144 | 88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe | 28
PID 2144 wrote to memory of 2136 | 2144 | 88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe | 28
PID 2144 wrote to memory of 2136 | 2144 | 88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe | 28
PID 2144 wrote to memory of 2136 | 2144 | 88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe | 28
PID 2144 wrote to memory of 2136 | 2144 | 88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe | 28
PID 2144 wrote to memory of 2136 | 2144 | 88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe | 28
PID 2144 wrote to memory of 2136 | 2144 | 88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe | 28
PID 2144 wrote to memory of 2136 | 2144 | 88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe | 28
PID 2144 wrote to memory of 2136 | 2144 | 88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe | 28
PID 2144 wrote to memory of 2136 | 2144 | 88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe | 28
PID 2144 wrote to memory of 2136 | 2144 | 88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe | 28
PID 2136 wrote to memory of 2064 | 2136 | 88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe | 29
PID 2136 wrote to memory of 2064 | 2136 | 88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe | 29
PID 2136 wrote to memory of 2064 | 2136 | 88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe | 29
PID 2136 wrote to memory of 2064 | 2136 | 88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe | 29
PID 2064 wrote to memory of 2868 | 2064 | vqhtbzl.exe | 30
PID 2064 wrote to memory of 2868 | 2064 | vqhtbzl.exe | 30
PID 2064 wrote to memory of 2868 | 2064 | vqhtbzl.exe | 30
PID 2064 wrote to memory of 2868 | 2064 | vqhtbzl.exe | 30
PID 2064 wrote to memory of 2868 | 2064 | vqhtbzl.exe | 30
PID 2064 wrote to memory of 2868 | 2064 | vqhtbzl.exe | 30
PID 2064 wrote to memory of 2868 | 2064 | vqhtbzl.exe | 30
PID 2064 wrote to memory of 2868 | 2064 | vqhtbzl.exe | 30
PID 2064 wrote to memory of 2868 | 2064 | vqhtbzl.exe | 30
PID 2064 wrote to memory of 2868 | 2064 | vqhtbzl.exe | 30
PID 2064 wrote to memory of 2868 | 2064 | vqhtbzl.exe | 30
PID 2868 wrote to memory of 1444 | 2868 | vqhtbzl.exe | 31
PID 2868 wrote to memory of 1444 | 2868 | vqhtbzl.exe | 31
PID 2868 wrote to memory of 1444 | 2868 | vqhtbzl.exe | 31
PID 2868 wrote to memory of 1444 | 2868 | vqhtbzl.exe | 31
PID 1444 wrote to memory of 2656 | 1444 | curysko.exe | 32
PID 1444 wrote to memory of 2656 | 1444 | curysko.exe | 32
PID 1444 wrote to memory of 2656 | 1444 | curysko.exe | 32
PID 1444 wrote to memory of 2656 | 1444 | curysko.exe | 32
PID 1444 wrote to memory of 2656 | 1444 | curysko.exe | 32
PID 1444 wrote to memory of 2656 | 1444 | curysko.exe | 32
PID 1444 wrote to memory of 2656 | 1444 | curysko.exe | 32
PID 1444 wrote to memory of 2656 | 1444 | curysko.exe | 32
PID 1444 wrote to memory of 2656 | 1444 | curysko.exe | 32
PID 1444 wrote to memory of 2656 | 1444 | curysko.exe | 32
PID 1444 wrote to memory of 2656 | 1444 | curysko.exe | 32
PID 2656 wrote to memory of 2720 | 2656 | curysko.exe | 55
PID 2656 wrote to memory of 2720 | 2656 | curysko.exe | 55
PID 2656 wrote to memory of 2720 | 2656 | curysko.exe | 55
PID 2656 wrote to memory of 2720 | 2656 | curysko.exe | 55
PID 2720 wrote to memory of 2596 | 2720 | vbumplp.exe | 34
PID 2720 wrote to memory of 2596 | 2720 | vbumplp.exe | 34
PID 2720 wrote to memory of 2596 | 2720 | vbumplp.exe | 34
PID 2720 wrote to memory of 2596 | 2720 | vbumplp.exe | 34
PID 2720 wrote to memory of 2596 | 2720 | vbumplp.exe | 34
PID 2720 wrote to memory of 2596 | 2720 | vbumplp.exe | 34
PID 2720 wrote to memory of 2596 | 2720 | vbumplp.exe | 34
PID 2720 wrote to memory of 2596 | 2720 | vbumplp.exe | 34
PID 2720 wrote to memory of 2596 | 2720 | vbumplp.exe | 34
PID 2720 wrote to memory of 2596 | 2720 | vbumplp.exe | 34
PID 2720 wrote to memory of 2596 | 2720 | vbumplp.exe | 34
PID 2596 wrote to memory of 2536 | 2596 | vbumplp.exe | 35
PID 2596 wrote to memory of 2536 | 2596 | vbumplp.exe | 35
PID 2596 wrote to memory of 2536 | 2596 | vbumplp.exe | 35
PID 2596 wrote to memory of 2536 | 2596 | vbumplp.exe | 35
PID 2536 wrote to memory of 1056 | 2536 | cjpekaz.exe | 36
PID 2536 wrote to memory of 1056 | 2536 | cjpekaz.exe | 36
PID 2536 wrote to memory of 1056 | 2536 | cjpekaz.exe | 36
PID 2536 wrote to memory of 1056 | 2536 | cjpekaz.exe | 36
Processes
1. C:\Users\Admin\AppData\Local\Temp\88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe  (command line: "C:\Users\Admin\AppData\Local\Temp\88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe")
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2144
2. C:\Users\Admin\AppData\Local\Temp\88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe  (command line: "C:\Users\Admin\AppData\Local\Temp\88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe")
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2136
3. C:\Windows\SysWOW64\vqhtbzl.exe  (command line: C:\Windows\system32\vqhtbzl.exe 488 "C:\Users\Admin\AppData\Local\Temp\88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe")
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2064
4. C:\Windows\SysWOW64\vqhtbzl.exe  (command line: "C:\Windows\SysWOW64\vqhtbzl.exe")
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2868
5. C:\Windows\SysWOW64\curysko.exe  (command line: C:\Windows\system32\curysko.exe 528 "C:\Windows\SysWOW64\vqhtbzl.exe")
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1444
6. C:\Windows\SysWOW64\curysko.exe  (command line: "C:\Windows\SysWOW64\curysko.exe")
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2656
7. C:\Windows\SysWOW64\vbumplp.exe  (command line: C:\Windows\system32\vbumplp.exe 528 "C:\Windows\SysWOW64\curysko.exe")
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2720
8. C:\Windows\SysWOW64\vbumplp.exe  (command line: "C:\Windows\SysWOW64\vbumplp.exe")
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2596
9. C:\Windows\SysWOW64\cjpekaz.exe  (command line: C:\Windows\system32\cjpekaz.exe 540 "C:\Windows\SysWOW64\vbumplp.exe")
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2536
10. C:\Windows\SysWOW64\cjpekaz.exe  (command line: "C:\Windows\SysWOW64\cjpekaz.exe")
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 1056
11. C:\Windows\SysWOW64\mueoxdf.exe  (command line: C:\Windows\system32\mueoxdf.exe 532 "C:\Windows\SysWOW64\cjpekaz.exe")
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 2216
12. C:\Windows\SysWOW64\mueoxdf.exe  (command line: "C:\Windows\SysWOW64\mueoxdf.exe")
- Executes dropped EXE
- Loads dropped DLL
PID: 1784
13. C:\Windows\SysWOW64\umdolkj.exe  (command line: C:\Windows\system32\umdolkj.exe 528 "C:\Windows\SysWOW64\mueoxdf.exe")
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 1716
14. C:\Windows\SysWOW64\umdolkj.exe  (command line: "C:\Windows\SysWOW64\umdolkj.exe")
- Executes dropped EXE
- Loads dropped DLL
PID: 2020
15. C:\Windows\SysWOW64\extzznp.exe  (command line: C:\Windows\system32\extzznp.exe 536 "C:\Windows\SysWOW64\umdolkj.exe")
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 2000
16. C:\Windows\SysWOW64\extzznp.exe  (command line: "C:\Windows\SysWOW64\extzznp.exe")
- Executes dropped EXE
- Loads dropped DLL
PID: 2788
17. C:\Windows\SysWOW64\tipmibs.exe  (command line: C:\Windows\system32\tipmibs.exe 528 "C:\Windows\SysWOW64\extzznp.exe")
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 276
18. C:\Windows\SysWOW64\tipmibs.exe  (command line: "C:\Windows\SysWOW64\tipmibs.exe")
- Executes dropped EXE
- Loads dropped DLL
PID: 1216
19. C:\Windows\SysWOW64\dpujbaz.exe  (command line: C:\Windows\system32\dpujbaz.exe 528 "C:\Windows\SysWOW64\tipmibs.exe")
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 1288
20. C:\Windows\SysWOW64\dpujbaz.exe  (command line: "C:\Windows\SysWOW64\dpujbaz.exe")
- Executes dropped EXE
- Loads dropped DLL
PID: 1468
21. C:\Windows\SysWOW64\qjizmme.exe  (command line: C:\Windows\system32\qjizmme.exe 540 "C:\Windows\SysWOW64\dpujbaz.exe")
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 1672
22. C:\Windows\SysWOW64\qjizmme.exe  (command line: "C:\Windows\SysWOW64\qjizmme.exe")
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 2956
23. C:\Windows\SysWOW64\ykhztth.exe  (command line: C:\Windows\system32\ykhztth.exe 540 "C:\Windows\SysWOW64\qjizmme.exe")
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 2176
24. C:\Windows\SysWOW64\ykhztth.exe  (command line: "C:\Windows\SysWOW64\ykhztth.exe")
- Executes dropped EXE
- Loads dropped DLL
PID: 1592
25. C:\Windows\SysWOW64\nedmchk.exe  (command line: C:\Windows\system32\nedmchk.exe 540 "C:\Windows\SysWOW64\ykhztth.exe")
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 320
26. C:\Windows\SysWOW64\nedmchk.exe  (command line: "C:\Windows\SysWOW64\nedmchk.exe")
- Executes dropped EXE
- Loads dropped DLL
PID: 2108
27. C:\Windows\SysWOW64\axjcotw.exe  (command line: C:\Windows\system32\axjcotw.exe 532 "C:\Windows\SysWOW64\nedmchk.exe")
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 1892
28. C:\Windows\SysWOW64\axjcotw.exe  (command line: "C:\Windows\SysWOW64\axjcotw.exe")
- Executes dropped EXE
- Loads dropped DLL
PID: 2484
29. C:\Windows\SysWOW64\kizmjwc.exe  (command line: C:\Windows\system32\kizmjwc.exe 536 "C:\Windows\SysWOW64\axjcotw.exe")
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 2720
30. C:\Windows\SysWOW64\kizmjwc.exe  (command line: "C:\Windows\SysWOW64\kizmjwc.exe")
- Executes dropped EXE
- Loads dropped DLL
PID: 2900
31. C:\Windows\SysWOW64\wkfcujh.exe  (command line: C:\Windows\system32\wkfcujh.exe 548 "C:\Windows\SysWOW64\kizmjwc.exe")
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 1572
32. C:\Windows\SysWOW64\wkfcujh.exe  (command line: "C:\Windows\SysWOW64\wkfcujh.exe")
- Executes dropped EXE
- Loads dropped DLL
PID: 2460
33. C:\Windows\SysWOW64\kxorafg.exe  (command line: C:\Windows\system32\kxorafg.exe 540 "C:\Windows\SysWOW64\wkfcujh.exe")
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 848
34. C:\Windows\SysWOW64\kxorafg.exe  (command line: "C:\Windows\SysWOW64\kxorafg.exe")
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 1772
35. C:\Windows\SysWOW64\tamcniu.exe  (command line: C:\Windows\system32\tamcniu.exe 536 "C:\Windows\SysWOW64\kxorafg.exe")
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 1964
36. C:\Windows\SysWOW64\tamcniu.exe  (command line: "C:\Windows\SysWOW64\tamcniu.exe")
- Executes dropped EXE
- Loads dropped DLL
PID: 2364
37. C:\Windows\SysWOW64\gcsjzuy.exe  (command line: C:\Windows\system32\gcsjzuy.exe 544 "C:\Windows\SysWOW64\tamcniu.exe")
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 2096
38. C:\Windows\SysWOW64\gcsjzuy.exe  (command line: "C:\Windows\SysWOW64\gcsjzuy.exe")
- Executes dropped EXE
- Loads dropped DLL
PID: 1768
39. C:\Windows\SysWOW64\qbwprtg.exe  (command line: C:\Windows\system32\qbwprtg.exe 532 "C:\Windows\SysWOW64\gcsjzuy.exe")
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 1000
40. C:\Windows\SysWOW64\qbwprtg.exe  (command line: "C:\Windows\SysWOW64\qbwprtg.exe")
- Executes dropped EXE
- Loads dropped DLL
PID: 2388
41. C:\Windows\SysWOW64\gfekvyd.exe  (command line: C:\Windows\system32\gfekvyd.exe 536 "C:\Windows\SysWOW64\qbwprtg.exe")
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 1320
42. C:\Windows\SysWOW64\gfekvyd.exe  (command line: "C:\Windows\SysWOW64\gfekvyd.exe")
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 1040
43. C:\Windows\SysWOW64\qtxzlgq.exe  (command line: C:\Windows\system32\qtxzlgq.exe 540 "C:\Windows\SysWOW64\gfekvyd.exe")
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 2964
44. C:\Windows\SysWOW64\qtxzlgq.exe  (command line: "C:\Windows\SysWOW64\qtxzlgq.exe")
- Executes dropped EXE
PID: 3044
45. C:\Windows\SysWOW64\dsacuon.exe  (command line: C:\Windows\system32\dsacuon.exe 528 "C:\Windows\SysWOW64\qtxzlgq.exe")
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 1688
46. C:\Windows\SysWOW64\dsacuon.exe  (command line: "C:\Windows\SysWOW64\dsacuon.exe")
- Loads dropped DLL
- Drops file in System32 directory
PID: 1440
47. C:\Windows\SysWOW64\qiuecot.exe  (command line: C:\Windows\system32\qiuecot.exe 544 "C:\Windows\SysWOW64\dsacuon.exe")
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 2752
48. C:\Windows\SysWOW64\qiuecot.exe  (command line: "C:\Windows\SysWOW64\qiuecot.exe")
- Executes dropped EXE
- Loads dropped DLL
PID: 2740
49. C:\Windows\SysWOW64\dzphlwy.exe  (command line: C:\Windows\system32\dzphlwy.exe 540 "C:\Windows\SysWOW64\qiuecot.exe")
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 592
50. C:\Windows\SysWOW64\dzphlwy.exe  (command line: "C:\Windows\SysWOW64\dzphlwy.exe")
- Executes dropped EXE
- Loads dropped DLL
PID: 1552
51. C:\Windows\SysWOW64\qxskuew.exe  (command line: C:\Windows\system32\qxskuew.exe 540 "C:\Windows\SysWOW64\dzphlwy.exe")
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 2304
52. C:\Windows\SysWOW64\qxskuew.exe  (command line: "C:\Windows\SysWOW64\qxskuew.exe")
- Executes dropped EXE
- Loads dropped DLL
PID: 2744
53. C:\Windows\SysWOW64\zlthsej.exe  (command line: C:\Windows\system32\zlthsej.exe 532 "C:\Windows\SysWOW64\qxskuew.exe")
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 2488
54. C:\Windows\SysWOW64\zlthsej.exe  (command line: "C:\Windows\SysWOW64\zlthsej.exe")
- Executes dropped EXE
- Loads dropped DLL
PID: 2496
55. C:\Windows\SysWOW64\mcncamp.exe  (command line: C:\Windows\system32\mcncamp.exe 540 "C:\Windows\SysWOW64\zlthsej.exe")
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 2208
56. C:\Windows\SysWOW64\mcncamp.exe  (command line: "C:\Windows\SysWOW64\mcncamp.exe")
- Executes dropped EXE
- Loads dropped DLL
PID: 1744
57. C:\Windows\SysWOW64\zsifjuu.exe  (command line: C:\Windows\system32\zsifjuu.exe 532 "C:\Windows\SysWOW64\mcncamp.exe")
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 1624
58. C:\Windows\SysWOW64\zsifjuu.exe  (command line: "C:\Windows\SysWOW64\zsifjuu.exe")
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 2520
59. C:\Windows\SysWOW64\jdypwxa.exe  (command line: C:\Windows\system32\jdypwxa.exe 540 "C:\Windows\SysWOW64\zsifjuu.exe")
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 1476
60. C:\Windows\SysWOW64\jdypwxa.exe  (command line: "C:\Windows\SysWOW64\jdypwxa.exe")
- Executes dropped EXE
- Loads dropped DLL
PID: 2000
61. C:\Windows\SysWOW64\zhgkacx.exe  (command line: C:\Windows\system32\zhgkacx.exe 540 "C:\Windows\SysWOW64\jdypwxa.exe")
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 2008
62. C:\Windows\SysWOW64\zhgkacx.exe  (command line: "C:\Windows\SysWOW64\zhgkacx.exe")
- Executes dropped EXE
- Loads dropped DLL
PID: 1700
63. C:\Windows\SysWOW64\jsvuvge.exe  (command line: C:\Windows\system32\jsvuvge.exe 532 "C:\Windows\SysWOW64\zhgkacx.exe")
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 788
64. C:\Windows\SysWOW64\jsvuvge.exe  (command line: "C:\Windows\SysWOW64\jsvuvge.exe")
- Executes dropped EXE
PID: 1740
65. C:\Windows\SysWOW64\wiqxeoj.exe  (command line: C:\Windows\system32\wiqxeoj.exe 540 "C:\Windows\SysWOW64\jsvuvge.exe")
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 2796
66. C:\Windows\SysWOW64\wiqxeoj.exe  (command line: "C:\Windows\SysWOW64\wiqxeoj.exe")
- Executes dropped EXE
PID: 1512
67. C:\Windows\SysWOW64\gtnhrrp.exe  (command line: C:\Windows\system32\gtnhrrp.exe 536 "C:\Windows\SysWOW64\wiqxeoj.exe")
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 1724
68. C:\Windows\SysWOW64\gtnhrrp.exe  (command line: "C:\Windows\SysWOW64\gtnhrrp.exe")
- Executes dropped EXE
PID: 2140
69. C:\Windows\SysWOW64\snuxdvc.exe  (command line: C:\Windows\system32\snuxdvc.exe 532 "C:\Windows\SysWOW64\gtnhrrp.exe")
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 2972
70. C:\Windows\SysWOW64\snuxdvc.exe  (command line: "C:\Windows\SysWOW64\snuxdvc.exe")
PID: 2172
71. C:\Windows\SysWOW64\floalez.exe  (command line: C:\Windows\system32\floalez.exe 532 "C:\Windows\SysWOW64\snuxdvc.exe")
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 856
72. C:\Windows\SysWOW64\floalez.exe  (command line: "C:\Windows\SysWOW64\floalez.exe")
PID: 2188
73. C:\Windows\SysWOW64\sygqrhg.exe  (command line: C:\Windows\system32\sygqrhg.exe 540 "C:\Windows\SysWOW64\floalez.exe")
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 2360
74. C:\Windows\SysWOW64\sygqrhg.exe  (command line: "C:\Windows\SysWOW64\sygqrhg.exe")
- System Location Discovery: System Language Discovery
PID: 444
75. C:\Windows\SysWOW64\cnzfphl.exe  (command line: C:\Windows\system32\cnzfphl.exe 536 "C:\Windows\SysWOW64\sygqrhg.exe")
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 2632
76. C:\Windows\SysWOW64\cnzfphl.exe  (command line: "C:\Windows\SysWOW64\cnzfphl.exe")
PID: 3048
77. C:\Windows\SysWOW64\pdbiypr.exe  (command line: C:\Windows\system32\pdbiypr.exe 528 "C:\Windows\SysWOW64\cnzfphl.exe")
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 2200
78. C:\Windows\SysWOW64\pdbiypr.exe  (command line: "C:\Windows\SysWOW64\pdbiypr.exe")
PID: 2248
79. C:\Windows\SysWOW64\cuwkgxw.exe  (command line: C:\Windows\system32\cuwkgxw.exe 540 "C:\Windows\SysWOW64\pdbiypr.exe")
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 824
80. C:\Windows\SysWOW64\cuwkgxw.exe  (command line: "C:\Windows\SysWOW64\cuwkgxw.exe")
PID: 1956
81. C:\Windows\SysWOW64\psrnpxc.exe  (command line: C:\Windows\system32\psrnpxc.exe 536 "C:\Windows\SysWOW64\cuwkgxw.exe")
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 2368
82. C:\Windows\SysWOW64\psrnpxc.exe  (command line: "C:\Windows\SysWOW64\psrnpxc.exe")
PID: 1444
83. C:\Windows\SysWOW64\zvoxcai.exe  (command line: C:\Windows\system32\zvoxcai.exe 528 "C:\Windows\SysWOW64\psrnpxc.exe")
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 1616
84. C:\Windows\SysWOW64\zvoxcai.exe  (command line: "C:\Windows\SysWOW64\zvoxcai.exe")
PID: 316
85. C:\Windows\SysWOW64\dtjaljo.exe  (command line: C:\Windows\system32\dtjaljo.exe 532 "C:\Windows\SysWOW64\zvoxcai.exe")
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 2684
86. C:\Windows\SysWOW64\dtjaljo.exe  (command line: "C:\Windows\SysWOW64\dtjaljo.exe")
PID: 1260
87. C:\Windows\SysWOW64\qnpqevs.exe  (command line: C:\Windows\system32\qnpqevs.exe 536 "C:\Windows\SysWOW64\dtjaljo.exe")
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 3008
88. C:\Windows\SysWOW64\qnpqevs.exe  (command line: "C:\Windows\SysWOW64\qnpqevs.exe")
PID: 1548
89. C:\Windows\SysWOW64\dihfkrr.exe  (command line: C:\Windows\system32\dihfkrr.exe 544 "C:\Windows\SysWOW64\qnpqevs.exe")
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 1408
90. C:\Windows\SysWOW64\dihfkrr.exe  (command line: "C:\Windows\SysWOW64\dihfkrr.exe")
PID: 1688
91. C:\Windows\SysWOW64\nhlduqy.exe  (command line: C:\Windows\system32\nhlduqy.exe 532 "C:\Windows\SysWOW64\dihfkrr.exe")
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 1696
92. C:\Windows\SysWOW64\nhlduqy.exe  (command line: "C:\Windows\SysWOW64\nhlduqy.exe")
PID: 3036
93. C:\Windows\SysWOW64\xkanitf.exe  (command line: C:\Windows\system32\xkanitf.exe 536 "C:\Windows\SysWOW64\nhlduqy.exe")
- System Location Discovery: System Language Discovery
PID: 3044
94. C:\Windows\SysWOW64\xkanitf.exe  (command line: "C:\Windows\SysWOW64\xkanitf.exe")
PID: 484
95. C:\Windows\SysWOW64\kidqybk.exe  (command line: C:\Windows\system32\kidqybk.exe 540 "C:\Windows\SysWOW64\xkanitf.exe")
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 2652
96. C:\Windows\SysWOW64\kidqybk.exe  (command line: "C:\Windows\SysWOW64\kidqybk.exe")
PID: 2840
97. C:\Windows\SysWOW64\ulsaler.exe  (command line: C:\Windows\system32\ulsaler.exe 532 "C:\Windows\SysWOW64\kidqybk.exe")
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 2552
98. C:\Windows\SysWOW64\ulsaler.exe  (command line: "C:\Windows\SysWOW64\ulsaler.exe")
- System Location Discovery: System Language Discovery
PID: 2588
99. C:\Windows\SysWOW64\kxtvpjn.exe  (command line: C:\Windows\system32\kxtvpjn.exe 528 "C:\Windows\SysWOW64\ulsaler.exe")
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 2824
100. C:\Windows\SysWOW64\kxtvpjn.exe  (command line: "C:\Windows\SysWOW64\kxtvpjn.exe")
- Drops file in System32 directory
PID: 2532
101. C:\Windows\SysWOW64\udtlfra.exe  (command line: C:\Windows\system32\udtlfra.exe 536 "C:\Windows\SysWOW64\kxtvpjn.exe")
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 2828
102. C:\Windows\SysWOW64\udtlfra.exe  (command line: "C:\Windows\SysWOW64\udtlfra.exe")
PID: 1752
103. C:\Windows\SysWOW64\hconozg.exe  (command line: C:\Windows\system32\hconozg.exe 528 "C:\Windows\SysWOW64\udtlfra.exe")
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 2192
104. C:\Windows\SysWOW64\hconozg.exe  (command line: "C:\Windows\SysWOW64\hconozg.exe")
PID: 1856
105. C:\Windows\SysWOW64\usrqxze.exe  (command line: C:\Windows\system32\usrqxze.exe 544 "C:\Windows\SysWOW64\hconozg.exe")
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 2168
106. C:\Windows\SysWOW64\usrqxze.exe  (command line: "C:\Windows\SysWOW64\usrqxze.exe")
PID: 1588
107. C:\Windows\SysWOW64\grmtfhj.exe  (command line: C:\Windows\system32\grmtfhj.exe 536 "C:\Windows\SysWOW64\usrqxze.exe")
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 2984
108. C:\Windows\SysWOW64\grmtfhj.exe  (command line: "C:\Windows\SysWOW64\grmtfhj.exe")
PID: 276
109. C:\Windows\SysWOW64\thhvwpp.exe  (command line: C:\Windows\system32\thhvwpp.exe 540 "C:\Windows\SysWOW64\grmtfhj.exe")
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 1692
110. C:\Windows\SysWOW64\thhvwpp.exe  (command line: "C:\Windows\SysWOW64\thhvwpp.exe")
- Drops file in System32 directory
PID: 1120
111. C:\Windows\SysWOW64\dvhtmpc.exe  (command line: C:\Windows\system32\dvhtmpc.exe 540 "C:\Windows\SysWOW64\thhvwpp.exe")
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 2120
112. C:\Windows\SysWOW64\dvhtmpc.exe  (command line: "C:\Windows\SysWOW64\dvhtmpc.exe")
PID: 2276
113. C:\Windows\SysWOW64\qmkwuxz.exe  (command line: C:\Windows\system32\qmkwuxz.exe 536 "C:\Windows\SysWOW64\dvhtmpc.exe")
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 784
114. C:\Windows\SysWOW64\qmkwuxz.exe  (command line: "C:\Windows\SysWOW64\qmkwuxz.exe")
PID: 2896
115. C:\Windows\SysWOW64\alotfwh.exe  (command line: C:\Windows\system32\alotfwh.exe 528 "C:\Windows\SysWOW64\qmkwuxz.exe")
PID: 3044
116. C:\Windows\SysWOW64\alotfwh.exe  (command line: "C:\Windows\SysWOW64\alotfwh.exe")
PID: 2512
117. C:\Windows\SysWOW64\nnujyil.exe  (command line: C:\Windows\system32\nnujyil.exe 536 "C:\Windows\SysWOW64\alotfwh.exe")
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 2360
118. C:\Windows\SysWOW64\nnujyil.exe  (command line: "C:\Windows\SysWOW64\nnujyil.exe")
PID: 2720
119. C:\Windows\SysWOW64\xmggjht.exe  (command line: C:\Windows\system32\xmggjht.exe 528 "C:\Windows\SysWOW64\nnujyil.exe")
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 2516
120. C:\Windows\SysWOW64\xmggjht.exe  (command line: "C:\Windows\SysWOW64\xmggjht.exe")
PID: 2404
121. C:\Windows\SysWOW64\htkdtga.exe  (command line: C:\Windows\system32\htkdtga.exe 528 "C:\Windows\SysWOW64\xmggjht.exe")
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 2708
122. C:\Windows\SysWOW64\htkdtga.exe  (command line: "C:\Windows\SysWOW64\htkdtga.exe")
PID: 2476