b73e84cf69f8edb46fd2c2e525212d8fa394dc44468f22d803a39f0c54ea6eb4

Analysis

max time kernel
149s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/08/2024, 06:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c8595d4ea0b2b0f18d5eaa880ad1171d_JaffaCakes118.exe
Size

375KB
MD5

c8595d4ea0b2b0f18d5eaa880ad1171d
SHA1

e855923cb17b222b8eb7efcd57adbc070369bdeb
SHA256

b73e84cf69f8edb46fd2c2e525212d8fa394dc44468f22d803a39f0c54ea6eb4
SHA512

916e0ea1dcbc856b6e4fd93b7b1b97c9d13713fe13f2e8ee1a6852d97b28bc6e64de7cd70140bd979ecf3ba59b145a65121038ac317c5f3eaab5a3bafb2bfa42
SSDEEP

6144:E93TqouetsvlJ4DGBdJ2YpJ3qOe4yufYspgrGQVUAt5OCHmQRGRCnpGI:EFlu88z4yB//3qO5yx1rGrAt5OCHjgC/

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 50 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{IQ7H566I-S237-466F-OX45-Y71C8YE725M0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe restart"	gyikfghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{IQ7H566I-S237-466F-OX45-Y71C8YE725M0}	gyikfghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{IQ7H566I-S237-466F-OX45-Y71C8YE725M0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe restart"	gyikfghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{IQ7H566I-S237-466F-OX45-Y71C8YE725M0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe restart"	gyikfghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{IQ7H566I-S237-466F-OX45-Y71C8YE725M0}	gyikfghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{IQ7H566I-S237-466F-OX45-Y71C8YE725M0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe restart"	gyikfghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{IQ7H566I-S237-466F-OX45-Y71C8YE725M0}	gyikfghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{IQ7H566I-S237-466F-OX45-Y71C8YE725M0}	gyikfghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{IQ7H566I-S237-466F-OX45-Y71C8YE725M0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe restart"	gyikfghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{IQ7H566I-S237-466F-OX45-Y71C8YE725M0}	gyikfghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{IQ7H566I-S237-466F-OX45-Y71C8YE725M0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe restart"	gyikfghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{IQ7H566I-S237-466F-OX45-Y71C8YE725M0}	gyikfghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{IQ7H566I-S237-466F-OX45-Y71C8YE725M0}	gyikfghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{IQ7H566I-S237-466F-OX45-Y71C8YE725M0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe restart"	gyikfghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{IQ7H566I-S237-466F-OX45-Y71C8YE725M0}	c8595d4ea0b2b0f18d5eaa880ad1171d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{IQ7H566I-S237-466F-OX45-Y71C8YE725M0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe restart"	gyikfghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{IQ7H566I-S237-466F-OX45-Y71C8YE725M0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe restart"	gyikfghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{IQ7H566I-S237-466F-OX45-Y71C8YE725M0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe restart"	gyikfghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{IQ7H566I-S237-466F-OX45-Y71C8YE725M0}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{IQ7H566I-S237-466F-OX45-Y71C8YE725M0}	gyikfghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{IQ7H566I-S237-466F-OX45-Y71C8YE725M0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe restart"	gyikfghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{IQ7H566I-S237-466F-OX45-Y71C8YE725M0}	gyikfghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{IQ7H566I-S237-466F-OX45-Y71C8YE725M0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe restart"	gyikfghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{IQ7H566I-S237-466F-OX45-Y71C8YE725M0}	gyikfghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{IQ7H566I-S237-466F-OX45-Y71C8YE725M0}\StubPath = "C:\\Windows\\InstallDir33\\gyikfghg.exe restart"	c8595d4ea0b2b0f18d5eaa880ad1171d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{IQ7H566I-S237-466F-OX45-Y71C8YE725M0}	gyikfghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{IQ7H566I-S237-466F-OX45-Y71C8YE725M0}\StubPath = "C:\\Windows\\InstallDir33\\gyikfghg.exe restart"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{IQ7H566I-S237-466F-OX45-Y71C8YE725M0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe restart"	gyikfghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{IQ7H566I-S237-466F-OX45-Y71C8YE725M0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe restart"	gyikfghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{IQ7H566I-S237-466F-OX45-Y71C8YE725M0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe restart"	gyikfghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{IQ7H566I-S237-466F-OX45-Y71C8YE725M0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe restart"	gyikfghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{IQ7H566I-S237-466F-OX45-Y71C8YE725M0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe restart"	gyikfghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{IQ7H566I-S237-466F-OX45-Y71C8YE725M0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe restart"	gyikfghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{IQ7H566I-S237-466F-OX45-Y71C8YE725M0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe restart"	gyikfghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{IQ7H566I-S237-466F-OX45-Y71C8YE725M0}	gyikfghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{IQ7H566I-S237-466F-OX45-Y71C8YE725M0}	gyikfghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{IQ7H566I-S237-466F-OX45-Y71C8YE725M0}	gyikfghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{IQ7H566I-S237-466F-OX45-Y71C8YE725M0}	gyikfghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{IQ7H566I-S237-466F-OX45-Y71C8YE725M0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe restart"	gyikfghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{IQ7H566I-S237-466F-OX45-Y71C8YE725M0}	gyikfghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{IQ7H566I-S237-466F-OX45-Y71C8YE725M0}	gyikfghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{IQ7H566I-S237-466F-OX45-Y71C8YE725M0}	gyikfghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{IQ7H566I-S237-466F-OX45-Y71C8YE725M0}	gyikfghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{IQ7H566I-S237-466F-OX45-Y71C8YE725M0}	gyikfghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{IQ7H566I-S237-466F-OX45-Y71C8YE725M0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe restart"	gyikfghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{IQ7H566I-S237-466F-OX45-Y71C8YE725M0}	gyikfghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{IQ7H566I-S237-466F-OX45-Y71C8YE725M0}	gyikfghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{IQ7H566I-S237-466F-OX45-Y71C8YE725M0}	gyikfghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{IQ7H566I-S237-466F-OX45-Y71C8YE725M0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe restart"	gyikfghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{IQ7H566I-S237-466F-OX45-Y71C8YE725M0}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe restart"	gyikfghg.exe

Executes dropped EXE 46 IoCs

pid	Process
4656	gyikfghg.exe
3452	gyikfghg.exe
3644	gyikfghg.exe
2716	gyikfghg.exe
3100	gyikfghg.exe
4588	gyikfghg.exe
2020	gyikfghg.exe
4632	gyikfghg.exe
2996	gyikfghg.exe
1840	gyikfghg.exe
1744	gyikfghg.exe
3956	gyikfghg.exe
4712	gyikfghg.exe
1756	gyikfghg.exe
5032	gyikfghg.exe
4240	gyikfghg.exe
4032	gyikfghg.exe
3248	gyikfghg.exe
4480	gyikfghg.exe
2356	gyikfghg.exe
1444	gyikfghg.exe
5116	gyikfghg.exe
2444	gyikfghg.exe
660	gyikfghg.exe
1312	gyikfghg.exe
3932	gyikfghg.exe
2712	gyikfghg.exe
1600	gyikfghg.exe
5088	gyikfghg.exe
2728	gyikfghg.exe
2716	gyikfghg.exe
3644	gyikfghg.exe
3736	gyikfghg.exe
632	gyikfghg.exe
4608	gyikfghg.exe
1856	gyikfghg.exe
3936	gyikfghg.exe
2044	gyikfghg.exe
1936	gyikfghg.exe
852	gyikfghg.exe
828	gyikfghg.exe
4712	gyikfghg.exe
2448	gyikfghg.exe
3748	gyikfghg.exe
4032	gyikfghg.exe
5088	gyikfghg.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3792-1-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/3792-0-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/3792-3-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/3792-4-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/3792-7-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/3792-6-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/2180-10-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/3792-11-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/3792-12-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/3452-21-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/3452-20-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/3452-22-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/3452-25-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/3452-26-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/2716-39-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/2716-40-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/4588-53-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/4588-54-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/4632-67-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/4632-68-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/1840-81-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/1840-82-0x0000000010000000-0x000000001031C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir33\\gyikfghg.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir33\\gyikfghg.exe"	c8595d4ea0b2b0f18d5eaa880ad1171d_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir33\\gyikfghg.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir33\\gyikfghg.exe"	c8595d4ea0b2b0f18d5eaa880ad1171d_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir33\\gyikfghg.exe"	gyikfghg.exe

Suspicious use of SetThreadContext 24 IoCs

description	pid	Process	procid_target
PID 4536 set thread context of 3792	4536	c8595d4ea0b2b0f18d5eaa880ad1171d_JaffaCakes118.exe	86
PID 4656 set thread context of 3452	4656	gyikfghg.exe	101
PID 3644 set thread context of 2716	3644	gyikfghg.exe	105
PID 3100 set thread context of 4588	3100	gyikfghg.exe	109
PID 2020 set thread context of 4632	2020	gyikfghg.exe	113
PID 2996 set thread context of 1840	2996	gyikfghg.exe	122
PID 1744 set thread context of 3956	1744	gyikfghg.exe	131
PID 4712 set thread context of 1756	4712	gyikfghg.exe	135
PID 5032 set thread context of 4240	5032	gyikfghg.exe	139
PID 4032 set thread context of 3248	4032	gyikfghg.exe	143
PID 4480 set thread context of 2356	4480	gyikfghg.exe	147
PID 1444 set thread context of 5116	1444	gyikfghg.exe	152
PID 2444 set thread context of 660	2444	gyikfghg.exe	156
PID 1312 set thread context of 3932	1312	gyikfghg.exe	160
PID 2712 set thread context of 1600	2712	gyikfghg.exe	164
PID 5088 set thread context of 2728	5088	gyikfghg.exe	168
PID 2716 set thread context of 3644	2716	gyikfghg.exe	172
PID 3736 set thread context of 632	3736	gyikfghg.exe	176
PID 4608 set thread context of 1856	4608	gyikfghg.exe	180
PID 3936 set thread context of 2044	3936	gyikfghg.exe	184
PID 1936 set thread context of 852	1936	gyikfghg.exe	188
PID 828 set thread context of 4712	828	gyikfghg.exe	192
PID 2448 set thread context of 3748	2448	gyikfghg.exe	196
PID 4032 set thread context of 5088	4032	gyikfghg.exe	200

Drops file in Windows directory 25 IoCs

description	ioc	Process
File created	C:\Windows\InstallDir33\gyikfghg.exe	gyikfghg.exe
File created	C:\Windows\InstallDir33\gyikfghg.exe	gyikfghg.exe
File created	C:\Windows\InstallDir33\gyikfghg.exe	gyikfghg.exe
File created	C:\Windows\InstallDir33\gyikfghg.exe	c8595d4ea0b2b0f18d5eaa880ad1171d_JaffaCakes118.exe
File opened for modification	C:\Windows\InstallDir33\gyikfghg.exe	c8595d4ea0b2b0f18d5eaa880ad1171d_JaffaCakes118.exe
File created	C:\Windows\InstallDir33\gyikfghg.exe	gyikfghg.exe
File created	C:\Windows\InstallDir33\gyikfghg.exe	gyikfghg.exe
File created	C:\Windows\InstallDir33\gyikfghg.exe	gyikfghg.exe
File created	C:\Windows\InstallDir33\gyikfghg.exe	gyikfghg.exe
File created	C:\Windows\InstallDir33\gyikfghg.exe	gyikfghg.exe
File created	C:\Windows\InstallDir33\gyikfghg.exe	gyikfghg.exe
File created	C:\Windows\InstallDir33\gyikfghg.exe	gyikfghg.exe
File created	C:\Windows\InstallDir33\gyikfghg.exe	gyikfghg.exe
File created	C:\Windows\InstallDir33\gyikfghg.exe	gyikfghg.exe
File created	C:\Windows\InstallDir33\gyikfghg.exe	gyikfghg.exe
File created	C:\Windows\InstallDir33\gyikfghg.exe	gyikfghg.exe
File created	C:\Windows\InstallDir33\gyikfghg.exe	gyikfghg.exe
File created	C:\Windows\InstallDir33\gyikfghg.exe	gyikfghg.exe
File created	C:\Windows\InstallDir33\gyikfghg.exe	gyikfghg.exe
File created	C:\Windows\InstallDir33\gyikfghg.exe	gyikfghg.exe
File created	C:\Windows\InstallDir33\gyikfghg.exe	gyikfghg.exe
File created	C:\Windows\InstallDir33\gyikfghg.exe	gyikfghg.exe
File created	C:\Windows\InstallDir33\gyikfghg.exe	gyikfghg.exe
File created	C:\Windows\InstallDir33\gyikfghg.exe	gyikfghg.exe
File created	C:\Windows\InstallDir33\gyikfghg.exe	gyikfghg.exe

System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c8595d4ea0b2b0f18d5eaa880ad1171d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c8595d4ea0b2b0f18d5eaa880ad1171d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gyikfghg.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	gyikfghg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	gyikfghg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	c8595d4ea0b2b0f18d5eaa880ad1171d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	c8595d4ea0b2b0f18d5eaa880ad1171d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	gyikfghg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	gyikfghg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	gyikfghg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	gyikfghg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	gyikfghg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	gyikfghg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	gyikfghg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	gyikfghg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	gyikfghg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	gyikfghg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	gyikfghg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	gyikfghg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	gyikfghg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	gyikfghg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	gyikfghg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	gyikfghg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	gyikfghg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	c8595d4ea0b2b0f18d5eaa880ad1171d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	gyikfghg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	gyikfghg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	gyikfghg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	gyikfghg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	gyikfghg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	gyikfghg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	gyikfghg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	gyikfghg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	gyikfghg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	gyikfghg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	gyikfghg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	gyikfghg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	gyikfghg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	c8595d4ea0b2b0f18d5eaa880ad1171d_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	gyikfghg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	gyikfghg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	gyikfghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	c8595d4ea0b2b0f18d5eaa880ad1171d_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	gyikfghg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	gyikfghg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	gyikfghg.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4536	c8595d4ea0b2b0f18d5eaa880ad1171d_JaffaCakes118.exe
4536	c8595d4ea0b2b0f18d5eaa880ad1171d_JaffaCakes118.exe
4656	gyikfghg.exe
4656	gyikfghg.exe
3644	gyikfghg.exe
3644	gyikfghg.exe
3100	gyikfghg.exe
3100	gyikfghg.exe
2020	gyikfghg.exe
2020	gyikfghg.exe
2996	gyikfghg.exe
2996	gyikfghg.exe
1744	gyikfghg.exe
1744	gyikfghg.exe
4712	gyikfghg.exe
4712	gyikfghg.exe
5032	gyikfghg.exe
5032	gyikfghg.exe
4032	gyikfghg.exe
4032	gyikfghg.exe
4480	gyikfghg.exe
4480	gyikfghg.exe
1444	gyikfghg.exe
1444	gyikfghg.exe
2444	gyikfghg.exe
2444	gyikfghg.exe
1312	gyikfghg.exe
1312	gyikfghg.exe
2712	gyikfghg.exe
2712	gyikfghg.exe
5088	gyikfghg.exe
5088	gyikfghg.exe
2716	gyikfghg.exe
2716	gyikfghg.exe
3736	gyikfghg.exe
3736	gyikfghg.exe
4608	gyikfghg.exe
4608	gyikfghg.exe
3936	gyikfghg.exe
3936	gyikfghg.exe
1936	gyikfghg.exe
1936	gyikfghg.exe
828	gyikfghg.exe
828	gyikfghg.exe
2448	gyikfghg.exe
2448	gyikfghg.exe
4032	gyikfghg.exe
4032	gyikfghg.exe

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
3792	c8595d4ea0b2b0f18d5eaa880ad1171d_JaffaCakes118.exe
3452	gyikfghg.exe
2716	gyikfghg.exe
4588	gyikfghg.exe
4632	gyikfghg.exe
1840	gyikfghg.exe
3956	gyikfghg.exe
1756	gyikfghg.exe
4240	gyikfghg.exe
3248	gyikfghg.exe
2356	gyikfghg.exe
5116	gyikfghg.exe
660	gyikfghg.exe
3932	gyikfghg.exe
1600	gyikfghg.exe
2728	gyikfghg.exe
3644	gyikfghg.exe
632	gyikfghg.exe
1856	gyikfghg.exe
2044	gyikfghg.exe
852	gyikfghg.exe
4712	gyikfghg.exe
3748	gyikfghg.exe
5088	gyikfghg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4536 wrote to memory of 3600	4536	c8595d4ea0b2b0f18d5eaa880ad1171d_JaffaCakes118.exe	84
PID 4536 wrote to memory of 3600	4536	c8595d4ea0b2b0f18d5eaa880ad1171d_JaffaCakes118.exe	84
PID 4536 wrote to memory of 3600	4536	c8595d4ea0b2b0f18d5eaa880ad1171d_JaffaCakes118.exe	84
PID 4536 wrote to memory of 3600	4536	c8595d4ea0b2b0f18d5eaa880ad1171d_JaffaCakes118.exe	84
PID 4536 wrote to memory of 3600	4536	c8595d4ea0b2b0f18d5eaa880ad1171d_JaffaCakes118.exe	84
PID 4536 wrote to memory of 3600	4536	c8595d4ea0b2b0f18d5eaa880ad1171d_JaffaCakes118.exe	84
PID 4536 wrote to memory of 4152	4536	c8595d4ea0b2b0f18d5eaa880ad1171d_JaffaCakes118.exe	85
PID 4536 wrote to memory of 4152	4536	c8595d4ea0b2b0f18d5eaa880ad1171d_JaffaCakes118.exe	85
PID 4536 wrote to memory of 4152	4536	c8595d4ea0b2b0f18d5eaa880ad1171d_JaffaCakes118.exe	85
PID 4536 wrote to memory of 4152	4536	c8595d4ea0b2b0f18d5eaa880ad1171d_JaffaCakes118.exe	85
PID 4536 wrote to memory of 4152	4536	c8595d4ea0b2b0f18d5eaa880ad1171d_JaffaCakes118.exe	85
PID 4536 wrote to memory of 4152	4536	c8595d4ea0b2b0f18d5eaa880ad1171d_JaffaCakes118.exe	85
PID 4536 wrote to memory of 3792	4536	c8595d4ea0b2b0f18d5eaa880ad1171d_JaffaCakes118.exe	86
PID 4536 wrote to memory of 3792	4536	c8595d4ea0b2b0f18d5eaa880ad1171d_JaffaCakes118.exe	86
PID 4536 wrote to memory of 3792	4536	c8595d4ea0b2b0f18d5eaa880ad1171d_JaffaCakes118.exe	86
PID 4536 wrote to memory of 3792	4536	c8595d4ea0b2b0f18d5eaa880ad1171d_JaffaCakes118.exe	86
PID 4536 wrote to memory of 3792	4536	c8595d4ea0b2b0f18d5eaa880ad1171d_JaffaCakes118.exe	86
PID 4536 wrote to memory of 3792	4536	c8595d4ea0b2b0f18d5eaa880ad1171d_JaffaCakes118.exe	86
PID 4536 wrote to memory of 3792	4536	c8595d4ea0b2b0f18d5eaa880ad1171d_JaffaCakes118.exe	86
PID 4536 wrote to memory of 3792	4536	c8595d4ea0b2b0f18d5eaa880ad1171d_JaffaCakes118.exe	86
PID 3792 wrote to memory of 2180	3792	c8595d4ea0b2b0f18d5eaa880ad1171d_JaffaCakes118.exe	88
PID 3792 wrote to memory of 2180	3792	c8595d4ea0b2b0f18d5eaa880ad1171d_JaffaCakes118.exe	88
PID 3792 wrote to memory of 2180	3792	c8595d4ea0b2b0f18d5eaa880ad1171d_JaffaCakes118.exe	88
PID 3792 wrote to memory of 2180	3792	c8595d4ea0b2b0f18d5eaa880ad1171d_JaffaCakes118.exe	88
PID 2180 wrote to memory of 4656	2180	svchost.exe	98
PID 2180 wrote to memory of 4656	2180	svchost.exe	98
PID 2180 wrote to memory of 4656	2180	svchost.exe	98
PID 4656 wrote to memory of 1532	4656	gyikfghg.exe	99
PID 4656 wrote to memory of 1532	4656	gyikfghg.exe	99
PID 4656 wrote to memory of 1532	4656	gyikfghg.exe	99
PID 4656 wrote to memory of 1532	4656	gyikfghg.exe	99
PID 4656 wrote to memory of 1532	4656	gyikfghg.exe	99
PID 4656 wrote to memory of 1532	4656	gyikfghg.exe	99
PID 4656 wrote to memory of 4276	4656	gyikfghg.exe	100
PID 4656 wrote to memory of 4276	4656	gyikfghg.exe	100
PID 4656 wrote to memory of 4276	4656	gyikfghg.exe	100
PID 4656 wrote to memory of 4276	4656	gyikfghg.exe	100
PID 4656 wrote to memory of 4276	4656	gyikfghg.exe	100
PID 4656 wrote to memory of 4276	4656	gyikfghg.exe	100
PID 4656 wrote to memory of 3452	4656	gyikfghg.exe	101
PID 4656 wrote to memory of 3452	4656	gyikfghg.exe	101
PID 4656 wrote to memory of 3452	4656	gyikfghg.exe	101
PID 4656 wrote to memory of 3452	4656	gyikfghg.exe	101
PID 4656 wrote to memory of 3452	4656	gyikfghg.exe	101
PID 4656 wrote to memory of 3452	4656	gyikfghg.exe	101
PID 4656 wrote to memory of 3452	4656	gyikfghg.exe	101
PID 4656 wrote to memory of 3452	4656	gyikfghg.exe	101
PID 2180 wrote to memory of 3644	2180	svchost.exe	102
PID 2180 wrote to memory of 3644	2180	svchost.exe	102
PID 2180 wrote to memory of 3644	2180	svchost.exe	102
PID 3644 wrote to memory of 4196	3644	gyikfghg.exe	103
PID 3644 wrote to memory of 4196	3644	gyikfghg.exe	103
PID 3644 wrote to memory of 4196	3644	gyikfghg.exe	103
PID 3644 wrote to memory of 4196	3644	gyikfghg.exe	103
PID 3644 wrote to memory of 4196	3644	gyikfghg.exe	103
PID 3644 wrote to memory of 4196	3644	gyikfghg.exe	103
PID 3644 wrote to memory of 3048	3644	gyikfghg.exe	104
PID 3644 wrote to memory of 3048	3644	gyikfghg.exe	104
PID 3644 wrote to memory of 3048	3644	gyikfghg.exe	104
PID 3644 wrote to memory of 3048	3644	gyikfghg.exe	104
PID 3644 wrote to memory of 3048	3644	gyikfghg.exe	104
PID 3644 wrote to memory of 3048	3644	gyikfghg.exe	104
PID 3644 wrote to memory of 2716	3644	gyikfghg.exe	105
PID 3644 wrote to memory of 2716	3644	gyikfghg.exe	105

C:\Users\Admin\AppData\Local\Temp\c8595d4ea0b2b0f18d5eaa880ad1171d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c8595d4ea0b2b0f18d5eaa880ad1171d_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  PID:3600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  PID:4152
- C:\Users\Admin\AppData\Local\Temp\c8595d4ea0b2b0f18d5eaa880ad1171d_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\c8595d4ea0b2b0f18d5eaa880ad1171d_JaffaCakes118.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Checks SCSI registry key(s)
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3792
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\Windows\InstallDir33\gyikfghg.exe
      "C:\Windows\InstallDir33\gyikfghg.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4656
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:1532
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4276
    - - C:\Windows\InstallDir33\gyikfghg.exe
        
        C:\Windows\InstallDir33\gyikfghg.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:3452
  - - C:\Windows\InstallDir33\gyikfghg.exe
      "C:\Windows\InstallDir33\gyikfghg.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3644
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4196
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3048
    - - C:\Windows\InstallDir33\gyikfghg.exe
        
        C:\Windows\InstallDir33\gyikfghg.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:2716
  - - C:\Windows\InstallDir33\gyikfghg.exe
      "C:\Windows\InstallDir33\gyikfghg.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3100
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:5008
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3532
    - - C:\Windows\InstallDir33\gyikfghg.exe
        
        C:\Windows\InstallDir33\gyikfghg.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:4588
  - - C:\Windows\InstallDir33\gyikfghg.exe
      "C:\Windows\InstallDir33\gyikfghg.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2020
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4652
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:380
    - - C:\Windows\InstallDir33\gyikfghg.exe
        
        C:\Windows\InstallDir33\gyikfghg.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:4632
  - - C:\Windows\InstallDir33\gyikfghg.exe
      "C:\Windows\InstallDir33\gyikfghg.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2996
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4548
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:2344
    - - C:\Windows\InstallDir33\gyikfghg.exe
        
        C:\Windows\InstallDir33\gyikfghg.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:1840
  - - C:\Windows\InstallDir33\gyikfghg.exe
      "C:\Windows\InstallDir33\gyikfghg.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1744
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3900
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:2272
    - - C:\Windows\InstallDir33\gyikfghg.exe
        
        C:\Windows\InstallDir33\gyikfghg.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:3956
  - - C:\Windows\InstallDir33\gyikfghg.exe
      "C:\Windows\InstallDir33\gyikfghg.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4712
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:1836
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:2300
    - - C:\Windows\InstallDir33\gyikfghg.exe
        
        C:\Windows\InstallDir33\gyikfghg.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:1756
  - - C:\Windows\InstallDir33\gyikfghg.exe
      "C:\Windows\InstallDir33\gyikfghg.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:5032
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4852
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4080
    - - C:\Windows\InstallDir33\gyikfghg.exe
        
        C:\Windows\InstallDir33\gyikfghg.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:4240
  - - C:\Windows\InstallDir33\gyikfghg.exe
      "C:\Windows\InstallDir33\gyikfghg.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4032
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4704
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3404
    - - C:\Windows\InstallDir33\gyikfghg.exe
        
        C:\Windows\InstallDir33\gyikfghg.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:3248
  - - C:\Windows\InstallDir33\gyikfghg.exe
      "C:\Windows\InstallDir33\gyikfghg.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4480
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4996
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:348
    - - C:\Windows\InstallDir33\gyikfghg.exe
        
        C:\Windows\InstallDir33\gyikfghg.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:2356
  - - C:\Windows\InstallDir33\gyikfghg.exe
      "C:\Windows\InstallDir33\gyikfghg.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1444
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4528
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:2304
    - - C:\Windows\InstallDir33\gyikfghg.exe
        
        C:\Windows\InstallDir33\gyikfghg.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:5116
  - - C:\Windows\InstallDir33\gyikfghg.exe
      "C:\Windows\InstallDir33\gyikfghg.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2444
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4540
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:1548
    - - C:\Windows\InstallDir33\gyikfghg.exe
        
        C:\Windows\InstallDir33\gyikfghg.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:660
  - - C:\Windows\InstallDir33\gyikfghg.exe
      "C:\Windows\InstallDir33\gyikfghg.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1312
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:2840
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:5072
    - - C:\Windows\InstallDir33\gyikfghg.exe
        
        C:\Windows\InstallDir33\gyikfghg.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:3932
  - - C:\Windows\InstallDir33\gyikfghg.exe
      "C:\Windows\InstallDir33\gyikfghg.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2712
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4544
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4040
    - - C:\Windows\InstallDir33\gyikfghg.exe
        
        C:\Windows\InstallDir33\gyikfghg.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:1600
  - - C:\Windows\InstallDir33\gyikfghg.exe
      "C:\Windows\InstallDir33\gyikfghg.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:5088
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4320
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:904
    - - C:\Windows\InstallDir33\gyikfghg.exe
        
        C:\Windows\InstallDir33\gyikfghg.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:2728
  - - C:\Windows\InstallDir33\gyikfghg.exe
      "C:\Windows\InstallDir33\gyikfghg.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2716
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3248
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3720
    - - C:\Windows\InstallDir33\gyikfghg.exe
        
        C:\Windows\InstallDir33\gyikfghg.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:3644
  - - C:\Windows\InstallDir33\gyikfghg.exe
      "C:\Windows\InstallDir33\gyikfghg.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3736
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4400
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:228
    - - C:\Windows\InstallDir33\gyikfghg.exe
        
        C:\Windows\InstallDir33\gyikfghg.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:632
  - - C:\Windows\InstallDir33\gyikfghg.exe
      "C:\Windows\InstallDir33\gyikfghg.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4608
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4672
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4392
    - - C:\Windows\InstallDir33\gyikfghg.exe
        
        C:\Windows\InstallDir33\gyikfghg.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:1856
  - - C:\Windows\InstallDir33\gyikfghg.exe
      "C:\Windows\InstallDir33\gyikfghg.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3936
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:1772
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3084
    - - C:\Windows\InstallDir33\gyikfghg.exe
        
        C:\Windows\InstallDir33\gyikfghg.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:2044
  - - C:\Windows\InstallDir33\gyikfghg.exe
      "C:\Windows\InstallDir33\gyikfghg.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1936
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:2652
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:2848
    - - C:\Windows\InstallDir33\gyikfghg.exe
        
        C:\Windows\InstallDir33\gyikfghg.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:852
  - - C:\Windows\InstallDir33\gyikfghg.exe
      "C:\Windows\InstallDir33\gyikfghg.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:828
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:660
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3240
    - - C:\Windows\InstallDir33\gyikfghg.exe
        
        C:\Windows\InstallDir33\gyikfghg.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:4712
  - - C:\Windows\InstallDir33\gyikfghg.exe
      "C:\Windows\InstallDir33\gyikfghg.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2448
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:5112
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:1512
    - - C:\Windows\InstallDir33\gyikfghg.exe
        
        C:\Windows\InstallDir33\gyikfghg.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:3748
  - - C:\Windows\InstallDir33\gyikfghg.exe
      "C:\Windows\InstallDir33\gyikfghg.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4032
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4656
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3792
    - - C:\Windows\InstallDir33\gyikfghg.exe
        
        C:\Windows\InstallDir33\gyikfghg.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\InstallDir33\gyikfghg.exe

Filesize
375KB

MD5
c8595d4ea0b2b0f18d5eaa880ad1171d

SHA1
e855923cb17b222b8eb7efcd57adbc070369bdeb

SHA256
b73e84cf69f8edb46fd2c2e525212d8fa394dc44468f22d803a39f0c54ea6eb4

SHA512
916e0ea1dcbc856b6e4fd93b7b1b97c9d13713fe13f2e8ee1a6852d97b28bc6e64de7cd70140bd979ecf3ba59b145a65121038ac317c5f3eaab5a3bafb2bfa42

Download Submit
memory/1840-82-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/1840-81-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2020-64-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2180-10-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2716-40-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2716-39-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2996-78-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3100-50-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3452-22-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/3452-26-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/3452-20-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/3452-21-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/3452-25-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/3644-36-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3792-11-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/3792-7-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/3792-12-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/3792-0-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/3792-6-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/3792-3-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/3792-4-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/3792-1-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/4536-5-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4588-54-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/4588-53-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/4632-67-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/4632-68-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/4656-23-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download