27c94a4becbd6f0f35af5a8aa12475cd0827c09307cd3aa9cfcfb04103aef209

Analysis

max time kernel
125s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d56a0c5c4f40f1d08cb920f4d255beea_JaffaCakes118.exe
Size

136KB
MD5

d56a0c5c4f40f1d08cb920f4d255beea
SHA1

bfc7d99c3d49c32b975ee209dce4050cfa0d0255
SHA256

27c94a4becbd6f0f35af5a8aa12475cd0827c09307cd3aa9cfcfb04103aef209
SHA512

61ca24d422a984558eae37f24ab20a835ed2f7677bddbdd9d1aaeb335d34c6dded7b4f24dd263722aa3ea7548bbf558e727c90c1758784132d5e87e7268d7e05
SSDEEP

1536:gR6XqqElo6jEzoa8AmwmQM3IyvbnWkakKm9mbvGOOO0u4rY9bbTNo+g7jp/367oo:NQra8ADkWZnOORAmHC+wp/3vACiHBs4

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 64 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\ngasgib\StubPath = "C:\\Windows\\system32\\ngasgib.exe"	rtdtvbna.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\smsft	dnkap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\ngasgib	rtdtvbna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\nmdnxgnc\StubPath = "C:\\Windows\\system32\\nmdnxgnc.exe"	pfin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\yamtlm\StubPath = "C:\\Windows\\system32\\yamtlm.exe"	yvlxt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\pvimbe\StubPath = "C:\\Windows\\system32\\pvimbe.exe"	ycrwk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\mjvn	nfxhuhn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\vuif	jqmnuxeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\qktktdid\StubPath = "C:\\Windows\\system32\\qktktdid.exe"	vqjshsju.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\xajpmld\StubPath = "C:\\Windows\\system32\\xajpmld.exe"	asppmlxa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\odyjbw\StubPath = "C:\\Windows\\system32\\odyjbw.exe"	rtjoht.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\ukthb	yycko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\yamtlm	yvlxt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\ukthb\StubPath = "C:\\Windows\\system32\\ukthb.exe"	yycko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\agdmsuee	meynu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\fdvlvsax\StubPath = "C:\\Windows\\system32\\fdvlvsax.exe"	nlbpyjsg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\xehv\StubPath = "C:\\Windows\\system32\\xehv.exe"	pqcawc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\ugvbuwv\StubPath = "C:\\Windows\\system32\\ugvbuwv.exe"	oojbimo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\etotgh	kcaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\douwyj\StubPath = "C:\\Windows\\system32\\douwyj.exe"	dmfked.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\vuif\StubPath = "C:\\Windows\\system32\\vuif.exe"	jqmnuxeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\lgomd\StubPath = "C:\\Windows\\system32\\lgomd.exe"	tlxvmdsl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\ajrg\StubPath = "C:\\Windows\\system32\\ajrg.exe"	lichll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\pjxut	olrdbfh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\douwyj	dmfked.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\gbeg\StubPath = "C:\\Windows\\system32\\gbeg.exe"	faflnwh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\ruod\StubPath = "C:\\Windows\\system32\\ruod.exe"	gnoxu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\ynyxfv\StubPath = "C:\\Windows\\system32\\ynyxfv.exe"	guwi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\lgomd	tlxvmdsl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\rhsborpv	kscv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\lrrxmfwm\StubPath = "C:\\Windows\\system32\\lrrxmfwm.exe"	ymonit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\arkn\StubPath = "C:\\Windows\\system32\\arkn.exe"	uynefmmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\yuhuuy\StubPath = "C:\\Windows\\system32\\yuhuuy.exe"	mroun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\agdmsuee\StubPath = "C:\\Windows\\system32\\agdmsuee.exe"	meynu.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\pvimbe	ycrwk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\xajpmld	asppmlxa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\rhsborpv\StubPath = "C:\\Windows\\system32\\rhsborpv.exe"	kscv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\smsft\StubPath = "C:\\Windows\\system32\\smsft.exe"	dnkap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\nmdnxgnc	pfin.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\pqlahcb	ridx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\etotgh\StubPath = "C:\\Windows\\system32\\etotgh.exe"	kcaf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\odyjbw	rtjoht.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\vstd	d56a0c5c4f40f1d08cb920f4d255beea_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\xehv	pqcawc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\gsocail	pwncl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\cten\StubPath = "C:\\Windows\\system32\\cten.exe"	yvigha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\gsocail\StubPath = "C:\\Windows\\system32\\gsocail.exe"	pwncl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\ugvbuwv	oojbimo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\cten	yvigha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\gwmi\StubPath = "C:\\Windows\\system32\\gwmi.exe"	xluote.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\yuhuuy	mroun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\luhlieiq\StubPath = "C:\\Windows\\system32\\luhlieiq.exe"	ckmlpny.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\gbeg	faflnwh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\pjxut\StubPath = "C:\\Windows\\system32\\pjxut.exe"	olrdbfh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\xfssc	kcasuwis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\pqlahcb\StubPath = "C:\\Windows\\system32\\pqlahcb.exe"	ridx.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\luhlieiq	ckmlpny.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\mjvn\StubPath = "C:\\Windows\\system32\\mjvn.exe"	nfxhuhn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\fdvlvsax	nlbpyjsg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\vstd\StubPath = "C:\\Windows\\system32\\vstd.exe"	d56a0c5c4f40f1d08cb920f4d255beea_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\qktktdid	vqjshsju.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\arkn	uynefmmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\gwmi	xluote.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\lrrxmfwm	ymonit.exe

Drops file in Drivers directory 34 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\services	gnoxu.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	guwi.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	ymonit.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	xluote.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	pfin.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	tlxvmdsl.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	lichll.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	yvigha.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	jqmnuxeh.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	ckmlpny.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	olrdbfh.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	dmfked.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	yvlxt.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	asppmlxa.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	pqcawc.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	faflnwh.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	nlbpyjsg.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	kscv.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	kcasuwis.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	meynu.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	d56a0c5c4f40f1d08cb920f4d255beea_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	dnkap.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	rtjoht.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	uynefmmk.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	ridx.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	ycrwk.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	pwncl.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	oojbimo.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	rtdtvbna.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	kcaf.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	yycko.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	vqjshsju.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	mroun.exe
File opened for modification	C:\Windows\system32\drivers\etc\services	nfxhuhn.exe

Checks computer location settings 2 TTPs 34 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	oojbimo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	ymonit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	dnkap.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	xluote.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	jqmnuxeh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	nlbpyjsg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	pqcawc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	yvigha.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	uynefmmk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	olrdbfh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	nfxhuhn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	asppmlxa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	kscv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	kcasuwis.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	kcaf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	ckmlpny.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	rtjoht.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	pfin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	mroun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	ycrwk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	meynu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	d56a0c5c4f40f1d08cb920f4d255beea_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	tlxvmdsl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	pwncl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	faflnwh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	gnoxu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	vqjshsju.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	guwi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	yvlxt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	lichll.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	rtdtvbna.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	ridx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	dmfked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	yycko.exe

Executes dropped EXE 34 IoCs

pid	Process
4232	vqjshsju.exe
4388	asppmlxa.exe
2520	pqcawc.exe
2900	tlxvmdsl.exe
1652	pwncl.exe
2668	lichll.exe
3280	faflnwh.exe
3360	kscv.exe
3068	oojbimo.exe
5028	yvigha.exe
3860	kcasuwis.exe
3832	gnoxu.exe
2016	rtdtvbna.exe
2932	guwi.exe
4344	ymonit.exe
3440	uynefmmk.exe
2724	ridx.exe
4264	dnkap.exe
4740	kcaf.exe
2884	rtjoht.exe
1608	xluote.exe
4984	pfin.exe
5028	olrdbfh.exe
1504	mroun.exe
4656	dmfked.exe
1140	yvlxt.exe
4164	yycko.exe
4580	ycrwk.exe
1652	meynu.exe
2612	nfxhuhn.exe
3404	jqmnuxeh.exe
1304	nlbpyjsg.exe
640	ckmlpny.exe
3196	icxlcyh.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\jqmnuxeh.exe	nfxhuhn.exe
File created	C:\Windows\SysWOW64\ridx.exe	uynefmmk.exe
File created	C:\Windows\SysWOW64\xluote.exe	rtjoht.exe
File created	C:\Windows\SysWOW64\olrdbfh.exe	pfin.exe
File created	C:\Windows\SysWOW64\meynu.exe	ycrwk.exe
File created	C:\Windows\SysWOW64\kscv.exe	faflnwh.exe
File opened for modification	C:\Windows\SysWOW64\rtjoht.exe	kcaf.exe
File created	C:\Windows\SysWOW64\dmfked.exe	mroun.exe
File opened for modification	C:\Windows\SysWOW64\nfxhuhn.exe	meynu.exe
File created	C:\Windows\SysWOW64\gbeg.exe	faflnwh.exe
File opened for modification	C:\Windows\SysWOW64\gnoxu.exe	kcasuwis.exe
File created	C:\Windows\SysWOW64\arkn.exe	uynefmmk.exe
File created	C:\Windows\SysWOW64\rtjoht.exe	kcaf.exe
File created	C:\Windows\SysWOW64\jqmnuxeh.exe	nfxhuhn.exe
File created	C:\Windows\SysWOW64\nlbpyjsg.exe	jqmnuxeh.exe
File created	C:\Windows\SysWOW64\icxlcyh.exe	ckmlpny.exe
File created	C:\Windows\SysWOW64\vqjshsju.exe	d56a0c5c4f40f1d08cb920f4d255beea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\kscv.exe	faflnwh.exe
File created	C:\Windows\SysWOW64\cten.exe	yvigha.exe
File created	C:\Windows\SysWOW64\xfssc.exe	kcasuwis.exe
File opened for modification	C:\Windows\SysWOW64\ckmlpny.exe	nlbpyjsg.exe
File created	C:\Windows\SysWOW64\vstd.exe	d56a0c5c4f40f1d08cb920f4d255beea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\asppmlxa.exe	vqjshsju.exe
File created	C:\Windows\SysWOW64\xehv.exe	pqcawc.exe
File created	C:\Windows\SysWOW64\odyjbw.exe	rtjoht.exe
File opened for modification	C:\Windows\SysWOW64\yycko.exe	yvlxt.exe
File created	C:\Windows\SysWOW64\fdvlvsax.exe	nlbpyjsg.exe
File created	C:\Windows\SysWOW64\lichll.exe	pwncl.exe
File created	C:\Windows\SysWOW64\yvigha.exe	oojbimo.exe
File opened for modification	C:\Windows\SysWOW64\xluote.exe	rtjoht.exe
File created	C:\Windows\SysWOW64\yycko.exe	yvlxt.exe
File created	C:\Windows\SysWOW64\vuif.exe	jqmnuxeh.exe
File opened for modification	C:\Windows\SysWOW64\tlxvmdsl.exe	pqcawc.exe
File created	C:\Windows\SysWOW64\gnoxu.exe	kcasuwis.exe
File created	C:\Windows\SysWOW64\uynefmmk.exe	ymonit.exe
File created	C:\Windows\SysWOW64\ukthb.exe	yycko.exe
File opened for modification	C:\Windows\SysWOW64\yvigha.exe	oojbimo.exe
File created	C:\Windows\SysWOW64\kcaf.exe	dnkap.exe
File created	C:\Windows\SysWOW64\mjvn.exe	nfxhuhn.exe
File opened for modification	C:\Windows\SysWOW64\ridx.exe	uynefmmk.exe
File opened for modification	C:\Windows\SysWOW64\vqjshsju.exe	d56a0c5c4f40f1d08cb920f4d255beea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\pwncl.exe	tlxvmdsl.exe
File opened for modification	C:\Windows\SysWOW64\mroun.exe	olrdbfh.exe
File opened for modification	C:\Windows\SysWOW64\ycrwk.exe	yycko.exe
File opened for modification	C:\Windows\SysWOW64\nlbpyjsg.exe	jqmnuxeh.exe
File created	C:\Windows\SysWOW64\guwi.exe	rtdtvbna.exe
File created	C:\Windows\SysWOW64\lgomd.exe	tlxvmdsl.exe
File created	C:\Windows\SysWOW64\nmdnxgnc.exe	pfin.exe
File opened for modification	C:\Windows\SysWOW64\yvlxt.exe	dmfked.exe
File opened for modification	C:\Windows\SysWOW64\lichll.exe	pwncl.exe
File opened for modification	C:\Windows\SysWOW64\kcasuwis.exe	yvigha.exe
File created	C:\Windows\SysWOW64\rtdtvbna.exe	gnoxu.exe
File opened for modification	C:\Windows\SysWOW64\rtdtvbna.exe	gnoxu.exe
File created	C:\Windows\SysWOW64\asppmlxa.exe	vqjshsju.exe
File created	C:\Windows\SysWOW64\ajrg.exe	lichll.exe
File opened for modification	C:\Windows\SysWOW64\ymonit.exe	guwi.exe
File opened for modification	C:\Windows\SysWOW64\uynefmmk.exe	ymonit.exe
File created	C:\Windows\SysWOW64\oojbimo.exe	kscv.exe
File created	C:\Windows\SysWOW64\ruod.exe	gnoxu.exe
File created	C:\Windows\SysWOW64\ynyxfv.exe	guwi.exe
File created	C:\Windows\SysWOW64\smsft.exe	dnkap.exe
File created	C:\Windows\SysWOW64\gwmi.exe	xluote.exe
File opened for modification	C:\Windows\SysWOW64\guwi.exe	rtdtvbna.exe
File created	C:\Windows\SysWOW64\yvlxt.exe	dmfked.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 35 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oojbimo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dnkap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yycko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nlbpyjsg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ckmlpny.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lichll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	faflnwh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvigha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	guwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvlxt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asppmlxa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kcasuwis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mroun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rtdtvbna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ridx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rtjoht.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pfin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dmfked.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tlxvmdsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pwncl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uynefmmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	olrdbfh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icxlcyh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d56a0c5c4f40f1d08cb920f4d255beea_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pqcawc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kcaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xluote.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	meynu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ymonit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ycrwk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nfxhuhn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jqmnuxeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vqjshsju.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kscv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gnoxu.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	4656	d56a0c5c4f40f1d08cb920f4d255beea_JaffaCakes118.exe
Token: SeSystemtimePrivilege	4656	d56a0c5c4f40f1d08cb920f4d255beea_JaffaCakes118.exe
Token: SeSystemtimePrivilege	4656	d56a0c5c4f40f1d08cb920f4d255beea_JaffaCakes118.exe
Token: SeSystemtimePrivilege	4656	d56a0c5c4f40f1d08cb920f4d255beea_JaffaCakes118.exe
Token: SeSystemtimePrivilege	4232	vqjshsju.exe
Token: SeSystemtimePrivilege	4232	vqjshsju.exe
Token: SeSystemtimePrivilege	4232	vqjshsju.exe
Token: SeSystemtimePrivilege	4232	vqjshsju.exe
Token: SeSystemtimePrivilege	4388	asppmlxa.exe
Token: SeSystemtimePrivilege	4388	asppmlxa.exe
Token: SeSystemtimePrivilege	4388	asppmlxa.exe
Token: SeSystemtimePrivilege	4388	asppmlxa.exe
Token: SeSystemtimePrivilege	2520	pqcawc.exe
Token: SeSystemtimePrivilege	2520	pqcawc.exe
Token: SeSystemtimePrivilege	2520	pqcawc.exe
Token: SeSystemtimePrivilege	2520	pqcawc.exe
Token: SeSystemtimePrivilege	2900	tlxvmdsl.exe
Token: SeSystemtimePrivilege	2900	tlxvmdsl.exe
Token: SeSystemtimePrivilege	2900	tlxvmdsl.exe
Token: SeSystemtimePrivilege	2900	tlxvmdsl.exe
Token: SeSystemtimePrivilege	1652	pwncl.exe
Token: SeSystemtimePrivilege	1652	pwncl.exe
Token: SeSystemtimePrivilege	1652	pwncl.exe
Token: SeSystemtimePrivilege	1652	pwncl.exe
Token: SeSystemtimePrivilege	2668	lichll.exe
Token: SeSystemtimePrivilege	2668	lichll.exe
Token: SeSystemtimePrivilege	2668	lichll.exe
Token: SeSystemtimePrivilege	2668	lichll.exe
Token: SeSystemtimePrivilege	3280	faflnwh.exe
Token: SeSystemtimePrivilege	3280	faflnwh.exe
Token: SeSystemtimePrivilege	3280	faflnwh.exe
Token: SeSystemtimePrivilege	3280	faflnwh.exe
Token: SeSystemtimePrivilege	3360	kscv.exe
Token: SeSystemtimePrivilege	3360	kscv.exe
Token: SeSystemtimePrivilege	3360	kscv.exe
Token: SeSystemtimePrivilege	3360	kscv.exe
Token: SeSystemtimePrivilege	3068	oojbimo.exe
Token: SeSystemtimePrivilege	3068	oojbimo.exe
Token: SeSystemtimePrivilege	3068	oojbimo.exe
Token: SeSystemtimePrivilege	3068	oojbimo.exe
Token: SeSystemtimePrivilege	5028	yvigha.exe
Token: SeSystemtimePrivilege	5028	yvigha.exe
Token: SeSystemtimePrivilege	5028	yvigha.exe
Token: SeSystemtimePrivilege	5028	yvigha.exe
Token: SeSystemtimePrivilege	3860	kcasuwis.exe
Token: SeSystemtimePrivilege	3860	kcasuwis.exe
Token: SeSystemtimePrivilege	3860	kcasuwis.exe
Token: SeSystemtimePrivilege	3860	kcasuwis.exe
Token: SeSystemtimePrivilege	3832	gnoxu.exe
Token: SeSystemtimePrivilege	3832	gnoxu.exe
Token: SeSystemtimePrivilege	3832	gnoxu.exe
Token: SeSystemtimePrivilege	3832	gnoxu.exe
Token: SeSystemtimePrivilege	2016	rtdtvbna.exe
Token: SeSystemtimePrivilege	2016	rtdtvbna.exe
Token: SeSystemtimePrivilege	2016	rtdtvbna.exe
Token: SeSystemtimePrivilege	2016	rtdtvbna.exe
Token: SeSystemtimePrivilege	2932	guwi.exe
Token: SeSystemtimePrivilege	2932	guwi.exe
Token: SeSystemtimePrivilege	2932	guwi.exe
Token: SeSystemtimePrivilege	2932	guwi.exe
Token: SeSystemtimePrivilege	4344	ymonit.exe
Token: SeSystemtimePrivilege	4344	ymonit.exe
Token: SeSystemtimePrivilege	4344	ymonit.exe
Token: SeSystemtimePrivilege	4344	ymonit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4656 wrote to memory of 4232	4656	d56a0c5c4f40f1d08cb920f4d255beea_JaffaCakes118.exe	92
PID 4656 wrote to memory of 4232	4656	d56a0c5c4f40f1d08cb920f4d255beea_JaffaCakes118.exe	92
PID 4656 wrote to memory of 4232	4656	d56a0c5c4f40f1d08cb920f4d255beea_JaffaCakes118.exe	92
PID 4232 wrote to memory of 4388	4232	vqjshsju.exe	94
PID 4232 wrote to memory of 4388	4232	vqjshsju.exe	94
PID 4232 wrote to memory of 4388	4232	vqjshsju.exe	94
PID 4388 wrote to memory of 2520	4388	asppmlxa.exe	95
PID 4388 wrote to memory of 2520	4388	asppmlxa.exe	95
PID 4388 wrote to memory of 2520	4388	asppmlxa.exe	95
PID 2520 wrote to memory of 2900	2520	pqcawc.exe	97
PID 2520 wrote to memory of 2900	2520	pqcawc.exe	97
PID 2520 wrote to memory of 2900	2520	pqcawc.exe	97
PID 2900 wrote to memory of 1652	2900	tlxvmdsl.exe	127
PID 2900 wrote to memory of 1652	2900	tlxvmdsl.exe	127
PID 2900 wrote to memory of 1652	2900	tlxvmdsl.exe	127
PID 1652 wrote to memory of 2668	1652	pwncl.exe	99
PID 1652 wrote to memory of 2668	1652	pwncl.exe	99
PID 1652 wrote to memory of 2668	1652	pwncl.exe	99
PID 2668 wrote to memory of 3280	2668	lichll.exe	100
PID 2668 wrote to memory of 3280	2668	lichll.exe	100
PID 2668 wrote to memory of 3280	2668	lichll.exe	100
PID 3280 wrote to memory of 3360	3280	faflnwh.exe	102
PID 3280 wrote to memory of 3360	3280	faflnwh.exe	102
PID 3280 wrote to memory of 3360	3280	faflnwh.exe	102
PID 3360 wrote to memory of 3068	3360	kscv.exe	103
PID 3360 wrote to memory of 3068	3360	kscv.exe	103
PID 3360 wrote to memory of 3068	3360	kscv.exe	103
PID 3068 wrote to memory of 5028	3068	oojbimo.exe	119
PID 3068 wrote to memory of 5028	3068	oojbimo.exe	119
PID 3068 wrote to memory of 5028	3068	oojbimo.exe	119
PID 5028 wrote to memory of 3860	5028	yvigha.exe	105
PID 5028 wrote to memory of 3860	5028	yvigha.exe	105
PID 5028 wrote to memory of 3860	5028	yvigha.exe	105
PID 3860 wrote to memory of 3832	3860	kcasuwis.exe	106
PID 3860 wrote to memory of 3832	3860	kcasuwis.exe	106
PID 3860 wrote to memory of 3832	3860	kcasuwis.exe	106
PID 3832 wrote to memory of 2016	3832	gnoxu.exe	107
PID 3832 wrote to memory of 2016	3832	gnoxu.exe	107
PID 3832 wrote to memory of 2016	3832	gnoxu.exe	107
PID 2016 wrote to memory of 2932	2016	rtdtvbna.exe	108
PID 2016 wrote to memory of 2932	2016	rtdtvbna.exe	108
PID 2016 wrote to memory of 2932	2016	rtdtvbna.exe	108
PID 2932 wrote to memory of 4344	2932	guwi.exe	109
PID 2932 wrote to memory of 4344	2932	guwi.exe	109
PID 2932 wrote to memory of 4344	2932	guwi.exe	109
PID 4344 wrote to memory of 3440	4344	ymonit.exe	110
PID 4344 wrote to memory of 3440	4344	ymonit.exe	110
PID 4344 wrote to memory of 3440	4344	ymonit.exe	110
PID 3440 wrote to memory of 2724	3440	uynefmmk.exe	111
PID 3440 wrote to memory of 2724	3440	uynefmmk.exe	111
PID 3440 wrote to memory of 2724	3440	uynefmmk.exe	111
PID 2724 wrote to memory of 4264	2724	ridx.exe	112
PID 2724 wrote to memory of 4264	2724	ridx.exe	112
PID 2724 wrote to memory of 4264	2724	ridx.exe	112
PID 4264 wrote to memory of 4740	4264	dnkap.exe	113
PID 4264 wrote to memory of 4740	4264	dnkap.exe	113
PID 4264 wrote to memory of 4740	4264	dnkap.exe	113
PID 4740 wrote to memory of 2884	4740	kcaf.exe	114
PID 4740 wrote to memory of 2884	4740	kcaf.exe	114
PID 4740 wrote to memory of 2884	4740	kcaf.exe	114
PID 2884 wrote to memory of 1608	2884	rtjoht.exe	117
PID 2884 wrote to memory of 1608	2884	rtjoht.exe	117
PID 2884 wrote to memory of 1608	2884	rtjoht.exe	117
PID 1608 wrote to memory of 4984	1608	xluote.exe	118

C:\Users\Admin\AppData\Local\Temp\d56a0c5c4f40f1d08cb920f4d255beea_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d56a0c5c4f40f1d08cb920f4d255beea_JaffaCakes118.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Windows\SysWOW64\vqjshsju.exe
  "C:\Windows\system32\vqjshsju.exe" 7
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Drops file in Drivers directory
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4232
- - C:\Windows\SysWOW64\asppmlxa.exe
    "C:\Windows\system32\asppmlxa.exe" 7
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Drops file in Drivers directory
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4388
  - - C:\Windows\SysWOW64\pqcawc.exe
      "C:\Windows\system32\pqcawc.exe" 7
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Drops file in Drivers directory
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2520
    - - C:\Windows\SysWOW64\tlxvmdsl.exe
        
        "C:\Windows\system32\tlxvmdsl.exe" 7
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2900
      - C:\Windows\SysWOW64\pwncl.exe
        
        "C:\Windows\system32\pwncl.exe" 7
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\SysWOW64\lichll.exe
        
        "C:\Windows\system32\lichll.exe" 7
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\SysWOW64\faflnwh.exe
        
        "C:\Windows\system32\faflnwh.exe" 7
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3280
        
        C:\Windows\SysWOW64\kscv.exe
        
        "C:\Windows\system32\kscv.exe" 7
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3360
        
        C:\Windows\SysWOW64\oojbimo.exe
        
        "C:\Windows\system32\oojbimo.exe" 7
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\SysWOW64\yvigha.exe
        
        "C:\Windows\system32\yvigha.exe" 7
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\SysWOW64\kcasuwis.exe
        
        "C:\Windows\system32\kcasuwis.exe" 7
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3860
        
        C:\Windows\SysWOW64\gnoxu.exe
        
        "C:\Windows\system32\gnoxu.exe" 7
        13⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3832
        
        C:\Windows\SysWOW64\rtdtvbna.exe
        
        "C:\Windows\system32\rtdtvbna.exe" 7
        14⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\guwi.exe
        
        "C:\Windows\system32\guwi.exe" 7
        15⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\ymonit.exe
        
        "C:\Windows\system32\ymonit.exe" 7
        16⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Windows\SysWOW64\uynefmmk.exe
        
        "C:\Windows\system32\uynefmmk.exe" 7
        17⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3440
        
        C:\Windows\SysWOW64\ridx.exe
        
        "C:\Windows\system32\ridx.exe" 7
        18⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\SysWOW64\dnkap.exe
        
        "C:\Windows\system32\dnkap.exe" 7
        19⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4264
        
        C:\Windows\SysWOW64\kcaf.exe
        
        "C:\Windows\system32\kcaf.exe" 7
        20⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\SysWOW64\rtjoht.exe
        
        "C:\Windows\system32\rtjoht.exe" 7
        21⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\xluote.exe
        
        "C:\Windows\system32\xluote.exe" 7
        22⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\SysWOW64\pfin.exe
        
        "C:\Windows\system32\pfin.exe" 7
        23⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4984
        
        C:\Windows\SysWOW64\olrdbfh.exe
        
        "C:\Windows\system32\olrdbfh.exe" 7
        24⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5028
        
        C:\Windows\SysWOW64\mroun.exe
        
        "C:\Windows\system32\mroun.exe" 7
        25⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1504
        
        C:\Windows\SysWOW64\dmfked.exe
        
        "C:\Windows\system32\dmfked.exe" 7
        26⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4656
        
        C:\Windows\SysWOW64\yvlxt.exe
        
        "C:\Windows\system32\yvlxt.exe" 7
        27⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1140
        
        C:\Windows\SysWOW64\yycko.exe
        
        "C:\Windows\system32\yycko.exe" 7
        28⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4164
        
        C:\Windows\SysWOW64\ycrwk.exe
        
        "C:\Windows\system32\ycrwk.exe" 7
        29⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4580
        
        C:\Windows\SysWOW64\meynu.exe
        
        "C:\Windows\system32\meynu.exe" 7
        30⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Windows\SysWOW64\nfxhuhn.exe
        
        "C:\Windows\system32\nfxhuhn.exe" 7
        31⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2612
        
        C:\Windows\SysWOW64\jqmnuxeh.exe
        
        "C:\Windows\system32\jqmnuxeh.exe" 7
        32⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3404
        
        C:\Windows\SysWOW64\nlbpyjsg.exe
        
        "C:\Windows\system32\nlbpyjsg.exe" 7
        33⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1304
        
        C:\Windows\SysWOW64\ckmlpny.exe
        
        "C:\Windows\system32\ckmlpny.exe" 7
        34⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:640
        
        C:\Windows\SysWOW64\icxlcyh.exe
        
        "C:\Windows\system32\icxlcyh.exe" 7
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4344,i,11391966286255097843,10588851088187498028,262144 --variations-seed-version --mojo-platform-channel-handle=4112 /prefetch:8
1⤵
PID:1148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\vqjshsju.exe

Filesize
136KB

MD5
d56a0c5c4f40f1d08cb920f4d255beea

SHA1
bfc7d99c3d49c32b975ee209dce4050cfa0d0255

SHA256
27c94a4becbd6f0f35af5a8aa12475cd0827c09307cd3aa9cfcfb04103aef209

SHA512
61ca24d422a984558eae37f24ab20a835ed2f7677bddbdd9d1aaeb335d34c6dded7b4f24dd263722aa3ea7548bbf558e727c90c1758784132d5e87e7268d7e05

Download Submit
C:\Windows\system32\drivers\etc\services

Filesize
17KB

MD5
258a17ba44674799317a5918a92859fa

SHA1
e8ce488145017017ab2cfc47e1a12721e802b4c3

SHA256
c1723f7f29b224c42f26452c3efa8f80f6ee8500ee78513e0c0732ba55399f7d

SHA512
5bbee0dfee4d26f2690dc475a4135cdd6d59d0b666044c4673285a9d699af1ecf8505ce77a067c998d2c40025df67899ef649b55e77d660eb875c413b8ff8fa4

Download Submit
memory/640-369-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1140-306-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1304-360-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1504-288-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1608-261-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1652-333-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1652-70-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2016-165-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2520-45-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2612-342-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2668-82-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2724-214-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2884-250-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2900-58-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2932-178-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3068-117-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3196-370-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3280-94-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3360-106-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3404-351-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3440-202-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3832-154-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3860-141-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4164-315-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4232-22-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4264-225-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4344-189-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4388-34-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4580-324-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4656-297-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4656-10-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4740-238-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4984-270-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5028-279-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5028-130-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads