49ed4585a1eeecf36fa7f8bbf29f5061499c87b6fb4d81f7274ee101f9c96759

Analysis

max time kernel
143s
max time network
128s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15/09/2024, 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e16e69b4f83ffd653cd7a61bf91e06b6_JaffaCakes118.exe
Size

112KB
MD5

e16e69b4f83ffd653cd7a61bf91e06b6
SHA1

5cdb8c240b4f5e8b9a8c12fcb61e949b6f221d70
SHA256

49ed4585a1eeecf36fa7f8bbf29f5061499c87b6fb4d81f7274ee101f9c96759
SHA512

730944b3f3c5555e15cd0123f72140099028d87b255e4d03efdc6b7291dcc2ef8c1e93a12a12899cc54d5110596f2939b85da15f1ef7850fcdabd45a021c9e1d
SSDEEP

3072:kSCKd4da3sopm0V0p5Uq8esbyaJUuJDUa/dDcUh:kSX2osd/2byaJRn/WUh

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 59 IoCs

pid	Process
2616	ygflyyze.exe
2664	ygflyyze.exe
2652	tqhyhhtq.exe
2800	tqhyhhtq.exe
2636	kehwmwch.exe
2544	kehwmwch.exe
2176	hugwnvpo.exe
2884	hugwnvpo.exe
2392	cawriseo.exe
2856	cawriseo.exe
2872	yboeldqp.exe
3024	yboeldqp.exe
1156	qiobqszh.exe
1772	qiobqszh.exe
2188	njyhmdlq.exe
1080	njyhmdlq.exe
1384	pqmrbvum.exe
1752	pqmrbvum.exe
608	pinkdhed.exe
1344	pinkdhed.exe
1132	ypornbtq.exe
2608	ypornbtq.exe
1620	vevroigx.exe
1588	vevroigx.exe
2300	sfoekmsg.exe
876	sfoekmsg.exe
1564	vmuhadtc.exe
2216	vmuhadtc.exe
1648	wlixyigx.exe
2808	wlixyigx.exe
2780	cmqsonml.exe
2640	cmqsonml.exe
2648	ehtcjote.exe
2548	ehtcjote.exe
2536	grlsbkbc.exe
2600	grlsbkbc.exe
924	labnshhq.exe
2556	labnshhq.exe
1296	frhcpmul.exe
2840	frhcpmul.exe
2912	fgeihuxz.exe
540	fgeihuxz.exe
520	ezfsbphq.exe
3016	ezfsbphq.exe
2960	gytiytvl.exe
2324	gytiytvl.exe
2004	mvqymmcx.exe
2292	mvqymmcx.exe
2132	gchspkjw.exe
1712	gchspkjw.exe
840	fuqljftf.exe
1008	fuqljftf.exe
608	funvjais.exe
892	funvjais.exe
1040	mypaaltq.exe
2100	mypaaltq.exe
2252	mqytuyvz.exe
1620	mqytuyvz.exe
1636	jrigqjhi.exe

Loads dropped DLL 64 IoCs

pid	Process
2992	e16e69b4f83ffd653cd7a61bf91e06b6_JaffaCakes118.exe
2992	e16e69b4f83ffd653cd7a61bf91e06b6_JaffaCakes118.exe
2616	ygflyyze.exe
2664	ygflyyze.exe
2664	ygflyyze.exe
2652	tqhyhhtq.exe
2800	tqhyhhtq.exe
2800	tqhyhhtq.exe
2636	kehwmwch.exe
2544	kehwmwch.exe
2544	kehwmwch.exe
2176	hugwnvpo.exe
2884	hugwnvpo.exe
2884	hugwnvpo.exe
2856	cawriseo.exe
2856	cawriseo.exe
3024	yboeldqp.exe
3024	yboeldqp.exe
1772	qiobqszh.exe
1772	qiobqszh.exe
1080	njyhmdlq.exe
1080	njyhmdlq.exe
1752	pqmrbvum.exe
1752	pqmrbvum.exe
1344	pinkdhed.exe
1344	pinkdhed.exe
2608	ypornbtq.exe
2608	ypornbtq.exe
1588	vevroigx.exe
1588	vevroigx.exe
876	sfoekmsg.exe
876	sfoekmsg.exe
2216	vmuhadtc.exe
2216	vmuhadtc.exe
2808	wlixyigx.exe
2808	wlixyigx.exe
2640	cmqsonml.exe
2640	cmqsonml.exe
2548	ehtcjote.exe
2548	ehtcjote.exe
2600	grlsbkbc.exe
2600	grlsbkbc.exe
2556	labnshhq.exe
2556	labnshhq.exe
2840	frhcpmul.exe
2840	frhcpmul.exe
540	fgeihuxz.exe
540	fgeihuxz.exe
3016	ezfsbphq.exe
3016	ezfsbphq.exe
2324	gytiytvl.exe
2324	gytiytvl.exe
2292	mvqymmcx.exe
2292	mvqymmcx.exe
1712	gchspkjw.exe
1712	gchspkjw.exe
1008	fuqljftf.exe
1008	fuqljftf.exe
892	funvjais.exe
892	funvjais.exe
2100	mypaaltq.exe
2100	mypaaltq.exe
1620	mqytuyvz.exe
1620	mqytuyvz.exe

Drops file in System32 directory 60 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\cawriseo.exe	hugwnvpo.exe
File opened for modification	C:\Windows\SysWOW64\frhcpmul.exe	labnshhq.exe
File opened for modification	C:\Windows\SysWOW64\ehtcjote.exe	cmqsonml.exe
File created	C:\Windows\SysWOW64\grlsbkbc.exe	ehtcjote.exe
File created	C:\Windows\SysWOW64\labnshhq.exe	grlsbkbc.exe
File opened for modification	C:\Windows\SysWOW64\labnshhq.exe	grlsbkbc.exe
File opened for modification	C:\Windows\SysWOW64\ezfsbphq.exe	fgeihuxz.exe
File opened for modification	C:\Windows\SysWOW64\gchspkjw.exe	mvqymmcx.exe
File opened for modification	C:\Windows\SysWOW64\hugwnvpo.exe	kehwmwch.exe
File created	C:\Windows\SysWOW64\ezfsbphq.exe	fgeihuxz.exe
File created	C:\Windows\SysWOW64\gchspkjw.exe	mvqymmcx.exe
File opened for modification	C:\Windows\SysWOW64\tqhyhhtq.exe	ygflyyze.exe
File created	C:\Windows\SysWOW64\qiobqszh.exe	yboeldqp.exe
File created	C:\Windows\SysWOW64\vevroigx.exe	ypornbtq.exe
File created	C:\Windows\SysWOW64\ehtcjote.exe	cmqsonml.exe
File opened for modification	C:\Windows\SysWOW64\gytiytvl.exe	ezfsbphq.exe
File created	C:\Windows\SysWOW64\jrigqjhi.exe	mqytuyvz.exe
File opened for modification	C:\Windows\SysWOW64\njyhmdlq.exe	qiobqszh.exe
File created	C:\Windows\SysWOW64\pqmrbvum.exe	njyhmdlq.exe
File created	C:\Windows\SysWOW64\pinkdhed.exe	pqmrbvum.exe
File opened for modification	C:\Windows\SysWOW64\ypornbtq.exe	pinkdhed.exe
File opened for modification	C:\Windows\SysWOW64\fuqljftf.exe	gchspkjw.exe
File opened for modification	C:\Windows\SysWOW64\mypaaltq.exe	funvjais.exe
File opened for modification	C:\Windows\SysWOW64\mqytuyvz.exe	mypaaltq.exe
File created	C:\Windows\SysWOW64\cmqsonml.exe	wlixyigx.exe
File created	C:\Windows\SysWOW64\frhcpmul.exe	labnshhq.exe
File created	C:\Windows\SysWOW64\gytiytvl.exe	ezfsbphq.exe
File created	C:\Windows\SysWOW64\ygflyyze.exe	e16e69b4f83ffd653cd7a61bf91e06b6_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\kehwmwch.exe	tqhyhhtq.exe
File opened for modification	C:\Windows\SysWOW64\qiobqszh.exe	yboeldqp.exe
File opened for modification	C:\Windows\SysWOW64\grlsbkbc.exe	ehtcjote.exe
File created	C:\Windows\SysWOW64\mypaaltq.exe	funvjais.exe
File opened for modification	C:\Windows\SysWOW64\yboeldqp.exe	cawriseo.exe
File opened for modification	C:\Windows\SysWOW64\wlixyigx.exe	vmuhadtc.exe
File opened for modification	C:\Windows\SysWOW64\fgeihuxz.exe	frhcpmul.exe
File created	C:\Windows\SysWOW64\fuqljftf.exe	gchspkjw.exe
File opened for modification	C:\Windows\SysWOW64\jrigqjhi.exe	mqytuyvz.exe
File created	C:\Windows\SysWOW64\tqhyhhtq.exe	ygflyyze.exe
File opened for modification	C:\Windows\SysWOW64\pinkdhed.exe	pqmrbvum.exe
File created	C:\Windows\SysWOW64\vmuhadtc.exe	sfoekmsg.exe
File opened for modification	C:\Windows\SysWOW64\funvjais.exe	fuqljftf.exe
File opened for modification	C:\Windows\SysWOW64\vmuhadtc.exe	sfoekmsg.exe
File created	C:\Windows\SysWOW64\mvqymmcx.exe	gytiytvl.exe
File created	C:\Windows\SysWOW64\yboeldqp.exe	cawriseo.exe
File opened for modification	C:\Windows\SysWOW64\mvqymmcx.exe	gytiytvl.exe
File created	C:\Windows\SysWOW64\funvjais.exe	fuqljftf.exe
File opened for modification	C:\Windows\SysWOW64\ygflyyze.exe	e16e69b4f83ffd653cd7a61bf91e06b6_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\cawriseo.exe	hugwnvpo.exe
File created	C:\Windows\SysWOW64\ypornbtq.exe	pinkdhed.exe
File created	C:\Windows\SysWOW64\fgeihuxz.exe	frhcpmul.exe
File opened for modification	C:\Windows\SysWOW64\kehwmwch.exe	tqhyhhtq.exe
File opened for modification	C:\Windows\SysWOW64\pqmrbvum.exe	njyhmdlq.exe
File opened for modification	C:\Windows\SysWOW64\vevroigx.exe	ypornbtq.exe
File created	C:\Windows\SysWOW64\wlixyigx.exe	vmuhadtc.exe
File created	C:\Windows\SysWOW64\mqytuyvz.exe	mypaaltq.exe
File created	C:\Windows\SysWOW64\njyhmdlq.exe	qiobqszh.exe
File created	C:\Windows\SysWOW64\hugwnvpo.exe	kehwmwch.exe
File created	C:\Windows\SysWOW64\sfoekmsg.exe	vevroigx.exe
File opened for modification	C:\Windows\SysWOW64\sfoekmsg.exe	vevroigx.exe
File opened for modification	C:\Windows\SysWOW64\cmqsonml.exe	wlixyigx.exe

Suspicious use of SetThreadContext 30 IoCs

description	pid	Process	procid_target
PID 1988 set thread context of 2992	1988	e16e69b4f83ffd653cd7a61bf91e06b6_JaffaCakes118.exe	30
PID 2616 set thread context of 2664	2616	ygflyyze.exe	32
PID 2652 set thread context of 2800	2652	tqhyhhtq.exe	34
PID 2636 set thread context of 2544	2636	kehwmwch.exe	36
PID 2176 set thread context of 2884	2176	hugwnvpo.exe	38
PID 2392 set thread context of 2856	2392	cawriseo.exe	40
PID 2872 set thread context of 3024	2872	yboeldqp.exe	42
PID 1156 set thread context of 1772	1156	qiobqszh.exe	44
PID 2188 set thread context of 1080	2188	njyhmdlq.exe	46
PID 1384 set thread context of 1752	1384	pqmrbvum.exe	48
PID 608 set thread context of 1344	608	pinkdhed.exe	50
PID 1132 set thread context of 2608	1132	ypornbtq.exe	52
PID 1620 set thread context of 1588	1620	vevroigx.exe	54
PID 2300 set thread context of 876	2300	sfoekmsg.exe	56
PID 1564 set thread context of 2216	1564	vmuhadtc.exe	58
PID 1648 set thread context of 2808	1648	wlixyigx.exe	60
PID 2780 set thread context of 2640	2780	cmqsonml.exe	62
PID 2648 set thread context of 2548	2648	ehtcjote.exe	64
PID 2536 set thread context of 2600	2536	grlsbkbc.exe	66
PID 924 set thread context of 2556	924	labnshhq.exe	68
PID 1296 set thread context of 2840	1296	frhcpmul.exe	70
PID 2912 set thread context of 540	2912	fgeihuxz.exe	72
PID 520 set thread context of 3016	520	ezfsbphq.exe	74
PID 2960 set thread context of 2324	2960	gytiytvl.exe	76
PID 2004 set thread context of 2292	2004	mvqymmcx.exe	78
PID 2132 set thread context of 1712	2132	gchspkjw.exe	80
PID 840 set thread context of 1008	840	fuqljftf.exe	82
PID 608 set thread context of 892	608	funvjais.exe	84
PID 1040 set thread context of 2100	1040	mypaaltq.exe	86
PID 2252 set thread context of 1620	2252	mqytuyvz.exe	88

System Location Discovery: System Language Discovery 1 TTPs 60 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ygflyyze.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fgeihuxz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e16e69b4f83ffd653cd7a61bf91e06b6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	frhcpmul.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ygflyyze.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ypornbtq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gytiytvl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ezfsbphq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sfoekmsg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wlixyigx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmqsonml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grlsbkbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	labnshhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pinkdhed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmuhadtc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	labnshhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tqhyhhtq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cawriseo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ehtcjote.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fuqljftf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fuqljftf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mqytuyvz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mqytuyvz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kehwmwch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kehwmwch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cawriseo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	njyhmdlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	funvjais.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yboeldqp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	frhcpmul.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mvqymmcx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mvqymmcx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	njyhmdlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ehtcjote.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grlsbkbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gchspkjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qiobqszh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vevroigx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vevroigx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wlixyigx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ezfsbphq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gchspkjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e16e69b4f83ffd653cd7a61bf91e06b6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tqhyhhtq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hugwnvpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pqmrbvum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmuhadtc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	funvjais.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mypaaltq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yboeldqp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pqmrbvum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sfoekmsg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmqsonml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fgeihuxz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hugwnvpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mypaaltq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qiobqszh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pinkdhed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ypornbtq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gytiytvl.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
1988	e16e69b4f83ffd653cd7a61bf91e06b6_JaffaCakes118.exe
2616	ygflyyze.exe
2652	tqhyhhtq.exe
2636	kehwmwch.exe
2176	hugwnvpo.exe
2392	cawriseo.exe
2872	yboeldqp.exe
1156	qiobqszh.exe
2188	njyhmdlq.exe
1384	pqmrbvum.exe
608	pinkdhed.exe
1132	ypornbtq.exe
1620	vevroigx.exe
2300	sfoekmsg.exe
1564	vmuhadtc.exe
1648	wlixyigx.exe
2780	cmqsonml.exe
2648	ehtcjote.exe
2536	grlsbkbc.exe
924	labnshhq.exe
1296	frhcpmul.exe
2912	fgeihuxz.exe
520	ezfsbphq.exe
2960	gytiytvl.exe
2004	mvqymmcx.exe
2132	gchspkjw.exe
840	fuqljftf.exe
608	funvjais.exe
1040	mypaaltq.exe
2252	mqytuyvz.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 2992	1988	e16e69b4f83ffd653cd7a61bf91e06b6_JaffaCakes118.exe	30
PID 1988 wrote to memory of 2992	1988	e16e69b4f83ffd653cd7a61bf91e06b6_JaffaCakes118.exe	30
PID 1988 wrote to memory of 2992	1988	e16e69b4f83ffd653cd7a61bf91e06b6_JaffaCakes118.exe	30
PID 1988 wrote to memory of 2992	1988	e16e69b4f83ffd653cd7a61bf91e06b6_JaffaCakes118.exe	30
PID 1988 wrote to memory of 2992	1988	e16e69b4f83ffd653cd7a61bf91e06b6_JaffaCakes118.exe	30
PID 1988 wrote to memory of 2992	1988	e16e69b4f83ffd653cd7a61bf91e06b6_JaffaCakes118.exe	30
PID 2992 wrote to memory of 2616	2992	e16e69b4f83ffd653cd7a61bf91e06b6_JaffaCakes118.exe	31
PID 2992 wrote to memory of 2616	2992	e16e69b4f83ffd653cd7a61bf91e06b6_JaffaCakes118.exe	31
PID 2992 wrote to memory of 2616	2992	e16e69b4f83ffd653cd7a61bf91e06b6_JaffaCakes118.exe	31
PID 2992 wrote to memory of 2616	2992	e16e69b4f83ffd653cd7a61bf91e06b6_JaffaCakes118.exe	31
PID 2616 wrote to memory of 2664	2616	ygflyyze.exe	32
PID 2616 wrote to memory of 2664	2616	ygflyyze.exe	32
PID 2616 wrote to memory of 2664	2616	ygflyyze.exe	32
PID 2616 wrote to memory of 2664	2616	ygflyyze.exe	32
PID 2616 wrote to memory of 2664	2616	ygflyyze.exe	32
PID 2616 wrote to memory of 2664	2616	ygflyyze.exe	32
PID 2664 wrote to memory of 2652	2664	ygflyyze.exe	33
PID 2664 wrote to memory of 2652	2664	ygflyyze.exe	33
PID 2664 wrote to memory of 2652	2664	ygflyyze.exe	33
PID 2664 wrote to memory of 2652	2664	ygflyyze.exe	33
PID 2652 wrote to memory of 2800	2652	tqhyhhtq.exe	34
PID 2652 wrote to memory of 2800	2652	tqhyhhtq.exe	34
PID 2652 wrote to memory of 2800	2652	tqhyhhtq.exe	34
PID 2652 wrote to memory of 2800	2652	tqhyhhtq.exe	34
PID 2652 wrote to memory of 2800	2652	tqhyhhtq.exe	34
PID 2652 wrote to memory of 2800	2652	tqhyhhtq.exe	34
PID 2800 wrote to memory of 2636	2800	tqhyhhtq.exe	35
PID 2800 wrote to memory of 2636	2800	tqhyhhtq.exe	35
PID 2800 wrote to memory of 2636	2800	tqhyhhtq.exe	35
PID 2800 wrote to memory of 2636	2800	tqhyhhtq.exe	35
PID 2636 wrote to memory of 2544	2636	kehwmwch.exe	36
PID 2636 wrote to memory of 2544	2636	kehwmwch.exe	36
PID 2636 wrote to memory of 2544	2636	kehwmwch.exe	36
PID 2636 wrote to memory of 2544	2636	kehwmwch.exe	36
PID 2636 wrote to memory of 2544	2636	kehwmwch.exe	36
PID 2636 wrote to memory of 2544	2636	kehwmwch.exe	36
PID 2544 wrote to memory of 2176	2544	kehwmwch.exe	37
PID 2544 wrote to memory of 2176	2544	kehwmwch.exe	37
PID 2544 wrote to memory of 2176	2544	kehwmwch.exe	37
PID 2544 wrote to memory of 2176	2544	kehwmwch.exe	37
PID 2176 wrote to memory of 2884	2176	hugwnvpo.exe	38
PID 2176 wrote to memory of 2884	2176	hugwnvpo.exe	38
PID 2176 wrote to memory of 2884	2176	hugwnvpo.exe	38
PID 2176 wrote to memory of 2884	2176	hugwnvpo.exe	38
PID 2176 wrote to memory of 2884	2176	hugwnvpo.exe	38
PID 2176 wrote to memory of 2884	2176	hugwnvpo.exe	38
PID 2884 wrote to memory of 2392	2884	hugwnvpo.exe	39
PID 2884 wrote to memory of 2392	2884	hugwnvpo.exe	39
PID 2884 wrote to memory of 2392	2884	hugwnvpo.exe	39
PID 2884 wrote to memory of 2392	2884	hugwnvpo.exe	39
PID 2392 wrote to memory of 2856	2392	cawriseo.exe	40
PID 2392 wrote to memory of 2856	2392	cawriseo.exe	40
PID 2392 wrote to memory of 2856	2392	cawriseo.exe	40
PID 2392 wrote to memory of 2856	2392	cawriseo.exe	40
PID 2392 wrote to memory of 2856	2392	cawriseo.exe	40
PID 2392 wrote to memory of 2856	2392	cawriseo.exe	40
PID 2856 wrote to memory of 2872	2856	cawriseo.exe	41
PID 2856 wrote to memory of 2872	2856	cawriseo.exe	41
PID 2856 wrote to memory of 2872	2856	cawriseo.exe	41
PID 2856 wrote to memory of 2872	2856	cawriseo.exe	41
PID 2872 wrote to memory of 3024	2872	yboeldqp.exe	42
PID 2872 wrote to memory of 3024	2872	yboeldqp.exe	42
PID 2872 wrote to memory of 3024	2872	yboeldqp.exe	42
PID 2872 wrote to memory of 3024	2872	yboeldqp.exe	42

C:\Users\Admin\AppData\Local\Temp\e16e69b4f83ffd653cd7a61bf91e06b6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e16e69b4f83ffd653cd7a61bf91e06b6_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Users\Admin\AppData\Local\Temp\e16e69b4f83ffd653cd7a61bf91e06b6_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e16e69b4f83ffd653cd7a61bf91e06b6_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\SysWOW64\ygflyyze.exe
    C:\Windows\system32\ygflyyze.exe 476 "C:\Users\Admin\AppData\Local\Temp\e16e69b4f83ffd653cd7a61bf91e06b6_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\SysWOW64\ygflyyze.exe
      476 C:\Users\Admin\AppData\Local\Temp\e16e69b4f83ffd653cd7a61bf91e06b6_JaffaCakes118.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2664
    - - C:\Windows\SysWOW64\tqhyhhtq.exe
        
        C:\Windows\system32\tqhyhhtq.exe 432 "C:\Windows\SysWOW64\ygflyyze.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2652
      - C:\Windows\SysWOW64\tqhyhhtq.exe
        
        432 C:\Windows\SysWOW64\ygflyyze.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\kehwmwch.exe
        
        C:\Windows\system32\kehwmwch.exe 432 "C:\Windows\SysWOW64\tqhyhhtq.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\kehwmwch.exe
        
        432 C:\Windows\SysWOW64\tqhyhhtq.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\SysWOW64\hugwnvpo.exe
        
        C:\Windows\system32\hugwnvpo.exe 436 "C:\Windows\SysWOW64\kehwmwch.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\SysWOW64\hugwnvpo.exe
        
        436 C:\Windows\SysWOW64\kehwmwch.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\cawriseo.exe
        
        C:\Windows\system32\cawriseo.exe 456 "C:\Windows\SysWOW64\hugwnvpo.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\cawriseo.exe
        
        456 C:\Windows\SysWOW64\hugwnvpo.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\SysWOW64\yboeldqp.exe
        
        C:\Windows\system32\yboeldqp.exe 464 "C:\Windows\SysWOW64\cawriseo.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\yboeldqp.exe
        
        464 C:\Windows\SysWOW64\cawriseo.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\SysWOW64\qiobqszh.exe
        
        C:\Windows\system32\qiobqszh.exe 432 "C:\Windows\SysWOW64\yboeldqp.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1156
        
        C:\Windows\SysWOW64\qiobqszh.exe
        
        432 C:\Windows\SysWOW64\yboeldqp.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1772
        
        C:\Windows\SysWOW64\njyhmdlq.exe
        
        C:\Windows\system32\njyhmdlq.exe 432 "C:\Windows\SysWOW64\qiobqszh.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2188
        
        C:\Windows\SysWOW64\njyhmdlq.exe
        
        432 C:\Windows\SysWOW64\qiobqszh.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1080
        
        C:\Windows\SysWOW64\pqmrbvum.exe
        
        C:\Windows\system32\pqmrbvum.exe 436 "C:\Windows\SysWOW64\njyhmdlq.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1384
        
        C:\Windows\SysWOW64\pqmrbvum.exe
        
        436 C:\Windows\SysWOW64\njyhmdlq.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Windows\SysWOW64\pinkdhed.exe
        
        C:\Windows\system32\pinkdhed.exe 512 "C:\Windows\SysWOW64\pqmrbvum.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:608
        
        C:\Windows\SysWOW64\pinkdhed.exe
        
        512 C:\Windows\SysWOW64\pqmrbvum.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1344
        
        C:\Windows\SysWOW64\ypornbtq.exe
        
        C:\Windows\system32\ypornbtq.exe 460 "C:\Windows\SysWOW64\pinkdhed.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1132
        
        C:\Windows\SysWOW64\ypornbtq.exe
        
        460 C:\Windows\SysWOW64\pinkdhed.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2608
        
        C:\Windows\SysWOW64\vevroigx.exe
        
        C:\Windows\system32\vevroigx.exe 440 "C:\Windows\SysWOW64\ypornbtq.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1620
        
        C:\Windows\SysWOW64\vevroigx.exe
        
        440 C:\Windows\SysWOW64\ypornbtq.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1588
        
        C:\Windows\SysWOW64\sfoekmsg.exe
        
        C:\Windows\system32\sfoekmsg.exe 488 "C:\Windows\SysWOW64\vevroigx.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2300
        
        C:\Windows\SysWOW64\sfoekmsg.exe
        
        488 C:\Windows\SysWOW64\vevroigx.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:876
        
        C:\Windows\SysWOW64\vmuhadtc.exe
        
        C:\Windows\system32\vmuhadtc.exe 448 "C:\Windows\SysWOW64\sfoekmsg.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1564
        
        C:\Windows\SysWOW64\vmuhadtc.exe
        
        448 C:\Windows\SysWOW64\sfoekmsg.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2216
        
        C:\Windows\SysWOW64\wlixyigx.exe
        
        C:\Windows\system32\wlixyigx.exe 436 "C:\Windows\SysWOW64\vmuhadtc.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1648
        
        C:\Windows\SysWOW64\wlixyigx.exe
        
        436 C:\Windows\SysWOW64\vmuhadtc.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Windows\SysWOW64\cmqsonml.exe
        
        C:\Windows\system32\cmqsonml.exe 444 "C:\Windows\SysWOW64\wlixyigx.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2780
        
        C:\Windows\SysWOW64\cmqsonml.exe
        
        444 C:\Windows\SysWOW64\wlixyigx.exe
        34⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        C:\Windows\SysWOW64\ehtcjote.exe
        
        C:\Windows\system32\ehtcjote.exe 432 "C:\Windows\SysWOW64\cmqsonml.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2648
        
        C:\Windows\SysWOW64\ehtcjote.exe
        
        432 C:\Windows\SysWOW64\cmqsonml.exe
        36⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2548
        
        C:\Windows\SysWOW64\grlsbkbc.exe
        
        C:\Windows\system32\grlsbkbc.exe 452 "C:\Windows\SysWOW64\ehtcjote.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2536
        
        C:\Windows\SysWOW64\grlsbkbc.exe
        
        452 C:\Windows\SysWOW64\ehtcjote.exe
        38⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2600
        
        C:\Windows\SysWOW64\labnshhq.exe
        
        C:\Windows\system32\labnshhq.exe 440 "C:\Windows\SysWOW64\grlsbkbc.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:924
        
        C:\Windows\SysWOW64\labnshhq.exe
        
        440 C:\Windows\SysWOW64\grlsbkbc.exe
        40⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2556
        
        C:\Windows\SysWOW64\frhcpmul.exe
        
        C:\Windows\system32\frhcpmul.exe 444 "C:\Windows\SysWOW64\labnshhq.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1296
        
        C:\Windows\SysWOW64\frhcpmul.exe
        
        444 C:\Windows\SysWOW64\labnshhq.exe
        42⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Windows\SysWOW64\fgeihuxz.exe
        
        C:\Windows\system32\fgeihuxz.exe 384 "C:\Windows\SysWOW64\frhcpmul.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2912
        
        C:\Windows\SysWOW64\fgeihuxz.exe
        
        384 C:\Windows\SysWOW64\frhcpmul.exe
        44⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:540
        
        C:\Windows\SysWOW64\ezfsbphq.exe
        
        C:\Windows\system32\ezfsbphq.exe 444 "C:\Windows\SysWOW64\fgeihuxz.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:520
        
        C:\Windows\SysWOW64\ezfsbphq.exe
        
        444 C:\Windows\SysWOW64\fgeihuxz.exe
        46⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3016
        
        C:\Windows\SysWOW64\gytiytvl.exe
        
        C:\Windows\system32\gytiytvl.exe 452 "C:\Windows\SysWOW64\ezfsbphq.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2960
        
        C:\Windows\SysWOW64\gytiytvl.exe
        
        452 C:\Windows\SysWOW64\ezfsbphq.exe
        48⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2324
        
        C:\Windows\SysWOW64\mvqymmcx.exe
        
        C:\Windows\system32\mvqymmcx.exe 448 "C:\Windows\SysWOW64\gytiytvl.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2004
        
        C:\Windows\SysWOW64\mvqymmcx.exe
        
        448 C:\Windows\SysWOW64\gytiytvl.exe
        50⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Windows\SysWOW64\gchspkjw.exe
        
        C:\Windows\system32\gchspkjw.exe 484 "C:\Windows\SysWOW64\mvqymmcx.exe"
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2132
        
        C:\Windows\SysWOW64\gchspkjw.exe
        
        484 C:\Windows\SysWOW64\mvqymmcx.exe
        52⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1712
        
        C:\Windows\SysWOW64\fuqljftf.exe
        
        C:\Windows\system32\fuqljftf.exe 444 "C:\Windows\SysWOW64\gchspkjw.exe"
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:840
        
        C:\Windows\SysWOW64\fuqljftf.exe
        
        444 C:\Windows\SysWOW64\gchspkjw.exe
        54⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1008
        
        C:\Windows\SysWOW64\funvjais.exe
        
        C:\Windows\system32\funvjais.exe 432 "C:\Windows\SysWOW64\fuqljftf.exe"
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:608
        
        C:\Windows\SysWOW64\funvjais.exe
        
        432 C:\Windows\SysWOW64\fuqljftf.exe
        56⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:892
        
        C:\Windows\SysWOW64\mypaaltq.exe
        
        C:\Windows\system32\mypaaltq.exe 448 "C:\Windows\SysWOW64\funvjais.exe"
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1040
        
        C:\Windows\SysWOW64\mypaaltq.exe
        
        448 C:\Windows\SysWOW64\funvjais.exe
        58⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Windows\SysWOW64\mqytuyvz.exe
        
        C:\Windows\system32\mqytuyvz.exe 460 "C:\Windows\SysWOW64\mypaaltq.exe"
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2252
        
        C:\Windows\SysWOW64\mqytuyvz.exe
        
        460 C:\Windows\SysWOW64\mypaaltq.exe
        60⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Windows\SysWOW64\jrigqjhi.exe
        
        C:\Windows\system32\jrigqjhi.exe 456 "C:\Windows\SysWOW64\mqytuyvz.exe"
        61⤵
        Executes dropped EXE
        
        PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\ygflyyze.exe

Filesize
112KB

MD5
e16e69b4f83ffd653cd7a61bf91e06b6

SHA1
5cdb8c240b4f5e8b9a8c12fcb61e949b6f221d70

SHA256
49ed4585a1eeecf36fa7f8bbf29f5061499c87b6fb4d81f7274ee101f9c96759

SHA512
730944b3f3c5555e15cd0123f72140099028d87b255e4d03efdc6b7291dcc2ef8c1e93a12a12899cc54d5110596f2939b85da15f1ef7850fcdabd45a021c9e1d

Download Submit
memory/1156-135-0x0000000010000000-0x0000000010025000-memory.dmp

Filesize
148KB

Download
memory/1384-169-0x0000000010000000-0x0000000010025000-memory.dmp

Filesize
148KB

Download
memory/1988-5-0x0000000010000000-0x0000000010025000-memory.dmp

Filesize
148KB

Download
memory/2176-84-0x0000000010000000-0x0000000010025000-memory.dmp

Filesize
148KB

Download
memory/2188-152-0x0000000010000000-0x0000000010025000-memory.dmp

Filesize
148KB

Download
memory/2392-101-0x0000000010000000-0x0000000010025000-memory.dmp

Filesize
148KB

Download
memory/2616-27-0x0000000010000000-0x0000000010025000-memory.dmp

Filesize
148KB

Download
memory/2636-66-0x0000000010000000-0x0000000010025000-memory.dmp

Filesize
148KB

Download
memory/2652-48-0x0000000010000000-0x0000000010025000-memory.dmp

Filesize
148KB

Download
memory/2664-30-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2664-40-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2872-118-0x0000000010000000-0x0000000010025000-memory.dmp

Filesize
148KB

Download
memory/2992-0-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2992-19-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2992-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2992-4-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2992-8-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2992-7-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download