Analysis

max time kernel: 88s
max time network: 17s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 26-09-2024 05:08
Static task: static1

Behavioral task: behavioral1
  Sample: f7a1a4ec8ee1f0504378264b77c200cf_JaffaCakes118.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: f7a1a4ec8ee1f0504378264b77c200cf_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General

Target: f7a1a4ec8ee1f0504378264b77c200cf_JaffaCakes118.exe
Size: 792KB
MD5: f7a1a4ec8ee1f0504378264b77c200cf
SHA1: afafcaff5c683e70324298d6fe75fdbaba506296
SHA256: 6d1d41b1f4df5c76e9f8a82469471cc9eb623c08fda2be0554c3e20ccd775af1
SHA512: d6d1c8d8775d8d6c52548f8765200320d79ffe01948ec5629c961b227bd8024ff7dfeb9c0610797cbebed845eab3cbfe5096bbaf6e43e6719192c07e6aceb174
SSDEEP: 12288:27lo5CZDPH2fpcx/c6V2NNHbScrXOL+ikJvRg597+QKUvrISSLqD3/HsN:e/DPHFx/cmqY7kJ59aIDq7
Malware Config

Extracted: metasploit (encoder/call4_dword_xor)
Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Checks BIOS information in registry (2 TTPs, 64 IoCs)
BIOS information is often read in order to detect sandboxing environments.

Executes dropped EXE (64 IoCs)

Loads dropped DLL (64 IoCs)

Drops file in System32 directory (64 IoCs)

System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

Modifies registry class (64 IoCs)

NTFS ADS (64 IoCs)
description                    ioc                            Process
File opened for modification   C:\ProgramData\TEMP:3DAA471A   uochdde.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   wjdzsgg.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   fxmnzff.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   rylyuwm.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   ilvmppa.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   dziwzae.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   reglsij.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   ixdqqnx.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   chgvbja.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   mgmhjix.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   dsairfl.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   mdeyrzq.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   xwleeuv.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   fbgqftv.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   lxsklob.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   yxjrleh.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   hfunhrb.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   ekczynk.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   ilzieuh.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   curnvrq.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   hapujnk.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   rtuaood.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   otqbggn.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   rcoobmi.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   pgypbpx.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   chnozzb.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   xlpeqmn.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   xayujjm.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   bacudhm.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   zeedwmg.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   ozrhbdq.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   ihjgsyr.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   zeochgd.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   vrqlvxc.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   kqhqxou.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   gunpkvw.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   yydetby.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   hsrumpa.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   qnpehun.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   ivxxvas.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   gbnvkzz.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   dcpyzpm.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   cjnxhvg.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   inwqdom.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   dwpseaj.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   zaikemn.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   rlbojqr.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   gsjbqdz.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   cltqaju.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   iqvjheh.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   zcvovra.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   gdhrahd.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   sojxeig.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   wadbrzf.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   bkyjhte.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   xrlzmfw.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   jznholv.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   axivlwd.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   cwwljsr.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   ikzrtxw.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   xxmvyny.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   gfvcwry.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   xsquvvh.exe
File opened for modification   C:\ProgramData\TEMP:3DAA471A   japuwae.exe
-
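Every row in the table above is a write to the same named stream, 3DAA471A, attached to the directory C:\ProgramData\TEMP rather than to a file: the stream is reachable with the file:stream syntax but does not show up in a normal directory listing, which is why the report flags it as an NTFS ADS indicator. The parser below is an added example written for this page, not code from the report or the sandbox; it splits Win32 paths into file, stream and stream type without mistaking the drive-letter colon for a stream separator, then tallies which processes touched a named stream. The event lines are constructed in the layout of the table above; the two ordinary-file rows are hypothetical and only there for contrast.

```python
import re
from collections import Counter

# Constructed sample events in the layout of the report's IoC table
# (the ADS rows are the report's own indicator; the last two rows are
# hypothetical writes to a default stream, added for contrast).
SAMPLE_EVENTS = [
    "File opened for modification C:\\ProgramData\\TEMP:3DAA471A uochdde.exe",
    "File opened for modification C:\\ProgramData\\TEMP:3DAA471A wjdzsgg.exe",
    "File opened for modification C:\\ProgramData\\TEMP:3DAA471A uochdde.exe",
    "File opened for modification C:\\Windows\\SysWOW64\\gfpzbci.exe example.exe",
    "File opened for modification C:\\Users\\Admin\\notes.txt::$DATA example.exe",
]

EVENT_RE = re.compile(r"^File opened for modification (?P<path>\S+) (?P<proc>\S+)$")
DRIVE_RE = re.compile(r"^[A-Za-z]:$")


def split_ads(path: str):
    """Split a Win32 path into (file_path, stream_name, stream_type).

    NTFS stream syntax is file:stream:$TYPE. Only the final path component
    can carry a stream, so the colon in a drive letter (C:) is never treated
    as a separator. A missing type defaults to $DATA, as NTFS does.
    """
    head, sep, tail = path.rpartition("\\")
    if not sep and DRIVE_RE.match(tail):
        return path, "", "$DATA"          # bare drive spec, e.g. "C:"
    parts = tail.split(":")
    if len(parts) == 1:
        return path, "", "$DATA"          # plain file: unnamed $DATA stream
    name, stream = parts[0], parts[1]
    stype = parts[2] if len(parts) > 2 and parts[2] else "$DATA"
    return head + sep + name, stream, stype


def ads_writers(events):
    """Map 'file:stream:$TYPE' -> Counter(process) for writes to *named* streams.

    Writes to the unnamed $DATA stream are ordinary file writes and are skipped.
    """
    writers = {}
    for line in events:
        m = EVENT_RE.match(line)
        if not m:
            continue
        file_path, stream, stype = split_ads(m["path"])
        if stream == "" and stype == "$DATA":
            continue
        key = f"{file_path}:{stream}:{stype}"
        writers.setdefault(key, Counter())[m["proc"]] += 1
    return writers


if __name__ == "__main__":
    for stream_path, procs in ads_writers(SAMPLE_EVENTS).items():
        print(stream_path, dict(procs))
```

On a live host the same split applies to the `Stream` field of Sysmon event ID 15 or to the output of `Get-Item -Path C:\ProgramData\TEMP -Stream *`; the directory itself will look empty while the 3DAA471A stream holds data.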
Suspicious use of AdjustPrivilegeToken 64 IoCs
description                         pid   Process
Token: 33                           2876  f7a1a4ec8ee1f0504378264b77c200cf_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege   2876  f7a1a4ec8ee1f0504378264b77c200cf_JaffaCakes118.exe
Token: 33                           2900  gfpzbci.exe
Token: SeIncBasePriorityPrivilege   2900  gfpzbci.exe
Token: 33                           1452  dziwzae.exe
Token: SeIncBasePriorityPrivilege   1452  dziwzae.exe
Token: 33                           1396  urthgsu.exe
Token: SeIncBasePriorityPrivilege   1396  urthgsu.exe
Token: 33                           2972  hapujnk.exe
Token: SeIncBasePriorityPrivilege   2972  hapujnk.exe
Token: 33                           2016  tnhcres.exe
Token: SeIncBasePriorityPrivilege   2016  tnhcres.exe
Token: 33                           2124  xayujjm.exe
Token: SeIncBasePriorityPrivilege   2124  xayujjm.exe
Token: 33                           900   hoaxlqx.exe
Token: SeIncBasePriorityPrivilege   900   hoaxlqx.exe
Token: 33                           1952  mtuxymu.exe
Token: SeIncBasePriorityPrivilege   1952  mtuxymu.exe
Token: 33                           2388  ailhfrf.exe
Token: SeIncBasePriorityPrivilege   2388  ailhfrf.exe
Token: 33                           2648  sqkfyua.exe
Token: SeIncBasePriorityPrivilege   2648  sqkfyua.exe
Token: 33                           2956  jxjvdij.exe
Token: SeIncBasePriorityPrivilege   2956  jxjvdij.exe
Token: 33                           2772  rtuaood.exe
Token: SeIncBasePriorityPrivilege   2772  rtuaood.exe
Token: 33                           1684  ldoimir.exe
Token: SeIncBasePriorityPrivilege   1684  ldoimir.exe
Token: 33                           1372  vrqlvxc.exe
Token: SeIncBasePriorityPrivilege   1372  vrqlvxc.exe
Token: 33                           1344  pmdtvqk.exe
Token: SeIncBasePriorityPrivilege   1344  pmdtvqk.exe
Token: 33                           2364  rdranhh.exe
Token: SeIncBasePriorityPrivilege   2364  rdranhh.exe
Token: 33                           584   otqbggn.exe
Token: SeIncBasePriorityPrivilege   584   otqbggn.exe
Token: 33                           1836  vbnluqg.exe
Token: SeIncBasePriorityPrivilege   1836  vbnluqg.exe
Token: 33                           2088  zveyfjw.exe
Token: SeIncBasePriorityPrivilege   2088  zveyfjw.exe
Token: 33                           2348  rbdokxn.exe
Token: SeIncBasePriorityPrivilege   2348  rbdokxn.exe
Token: 33                           2920  qfplgow.exe
Token: SeIncBasePriorityPrivilege   2920  qfplgow.exe
Token: 33                           1276  yrpeppj.exe
Token: SeIncBasePriorityPrivilege   1276  yrpeppj.exe
Token: 33                           1620  rpormza.exe
Token: SeIncBasePriorityPrivilege   1620  rpormza.exe
Token: 33                           2192  rlbojqr.exe
Token: SeIncBasePriorityPrivilege   2192  rlbojqr.exe
Token: 33                           1744  wyuwcaw.exe
Token: SeIncBasePriorityPrivilege   1744  wyuwcaw.exe
Token: 33                           2716  gunpkvw.exe
Token: SeIncBasePriorityPrivilege   2716  gunpkvw.exe
Token: 33                           1800  nbihekg.exe
Token: SeIncBasePriorityPrivilege   1800  nbihekg.exe
Token: 33                           2476  yxjrleh.exe
Token: SeIncBasePriorityPrivilege   2476  yxjrleh.exe
Token: 33                           2692  iizchiv.exe
Token: SeIncBasePriorityPrivilege   2692  iizchiv.exe
Token: 33                           2256  hejpqty.exe
Token: SeIncBasePriorityPrivilege   2256  hejpqty.exe
Token: 33                           680   ucerzbd.exe
Token: SeIncBasePriorityPrivilege   680   ucerzbd.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description                        pid   Process                                               procid_target
PID 2876 wrote to memory of 2900   2876  f7a1a4ec8ee1f0504378264b77c200cf_JaffaCakes118.exe   30
PID 2876 wrote to memory of 2900   2876  f7a1a4ec8ee1f0504378264b77c200cf_JaffaCakes118.exe   30
PID 2876 wrote to memory of 2900   2876  f7a1a4ec8ee1f0504378264b77c200cf_JaffaCakes118.exe   30
PID 2876 wrote to memory of 2900   2876  f7a1a4ec8ee1f0504378264b77c200cf_JaffaCakes118.exe   30
PID 2900 wrote to memory of 1452   2900  gfpzbci.exe                                           31
PID 2900 wrote to memory of 1452   2900  gfpzbci.exe                                           31
PID 2900 wrote to memory of 1452   2900  gfpzbci.exe                                           31
PID 2900 wrote to memory of 1452   2900  gfpzbci.exe                                           31
PID 1452 wrote to memory of 1396   1452  dziwzae.exe                                           32
PID 1452 wrote to memory of 1396   1452  dziwzae.exe                                           32
PID 1452 wrote to memory of 1396   1452  dziwzae.exe                                           32
PID 1452 wrote to memory of 1396   1452  dziwzae.exe                                           32
PID 1396 wrote to memory of 2972   1396  urthgsu.exe                                           33
PID 1396 wrote to memory of 2972   1396  urthgsu.exe                                           33
PID 1396 wrote to memory of 2972   1396  urthgsu.exe                                           33
PID 1396 wrote to memory of 2972   1396  urthgsu.exe                                           33
PID 2972 wrote to memory of 2016   2972  hapujnk.exe                                           34
PID 2972 wrote to memory of 2016   2972  hapujnk.exe                                           34
PID 2972 wrote to memory of 2016   2972  hapujnk.exe                                           34
PID 2972 wrote to memory of 2016   2972  hapujnk.exe                                           34
PID 2016 wrote to memory of 2124   2016  tnhcres.exe                                           35
PID 2016 wrote to memory of 2124   2016  tnhcres.exe                                           35
PID 2016 wrote to memory of 2124   2016  tnhcres.exe                                           35
PID 2016 wrote to memory of 2124   2016  tnhcres.exe                                           35
PID 2124 wrote to memory of 900    2124  xayujjm.exe                                           36
PID 2124 wrote to memory of 900    2124  xayujjm.exe                                           36
PID 2124 wrote to memory of 900    2124  xayujjm.exe                                           36
PID 2124 wrote to memory of 900    2124  xayujjm.exe                                           36
PID 900 wrote to memory of 1952    900   hoaxlqx.exe                                           37
PID 900 wrote to memory of 1952    900   hoaxlqx.exe                                           37
PID 900 wrote to memory of 1952    900   hoaxlqx.exe                                           37
PID 900 wrote to memory of 1952    900   hoaxlqx.exe                                           37
PID 1952 wrote to memory of 2388   1952  mtuxymu.exe                                           38
PID 1952 wrote to memory of 2388   1952  mtuxymu.exe                                           38
PID 1952 wrote to memory of 2388   1952  mtuxymu.exe                                           38
PID 1952 wrote to memory of 2388   1952  mtuxymu.exe                                           38
PID 2388 wrote to memory of 2648   2388  ailhfrf.exe                                           39
PID 2388 wrote to memory of 2648   2388  ailhfrf.exe                                           39
PID 2388 wrote to memory of 2648   2388  ailhfrf.exe                                           39
PID 2388 wrote to memory of 2648   2388  ailhfrf.exe                                           39
PID 2648 wrote to memory of 2956   2648  sqkfyua.exe                                           40
PID 2648 wrote to memory of 2956   2648  sqkfyua.exe                                           40
PID 2648 wrote to memory of 2956   2648  sqkfyua.exe                                           40
PID 2648 wrote to memory of 2956   2648  sqkfyua.exe                                           40
PID 2956 wrote to memory of 2772   2956  jxjvdij.exe                                           41
PID 2956 wrote to memory of 2772   2956  jxjvdij.exe                                           41
PID 2956 wrote to memory of 2772   2956  jxjvdij.exe                                           41
PID 2956 wrote to memory of 2772   2956  jxjvdij.exe                                           41
PID 2772 wrote to memory of 1684   2772  rtuaood.exe                                           42
PID 2772 wrote to memory of 1684   2772  rtuaood.exe                                           42
PID 2772 wrote to memory of 1684   2772  rtuaood.exe                                           42
PID 2772 wrote to memory of 1684   2772  rtuaood.exe                                           42
PID 1684 wrote to memory of 1372   1684  ldoimir.exe                                           43
PID 1684 wrote to memory of 1372   1684  ldoimir.exe                                           43
PID 1684 wrote to memory of 1372   1684  ldoimir.exe                                           43
PID 1684 wrote to memory of 1372   1684  ldoimir.exe                                           43
PID 1372 wrote to memory of 1344   1372  vrqlvxc.exe                                           44
PID 1372 wrote to memory of 1344   1372  vrqlvxc.exe                                           44
PID 1372 wrote to memory of 1344   1372  vrqlvxc.exe                                           44
PID 1372 wrote to memory of 1344   1372  vrqlvxc.exe                                           44
PID 1344 wrote to memory of 2364   1344  pmdtvqk.exe                                           45
PID 1344 wrote to memory of 2364   1344  pmdtvqk.exe                                           45
PID 1344 wrote to memory of 2364   1344  pmdtvqk.exe                                           45
PID 1344 wrote to memory of 2364   1344  pmdtvqk.exe                                           45
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\f7a1a4ec8ee1f0504378264b77c200cf_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\f7a1a4ec8ee1f0504378264b77c200cf_JaffaCakes118.exe"
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2876 -
Level 2: C:\Windows\SysWOW64\gfpzbci.exe
Command line: C:\Windows\system32\gfpzbci.exe 716 "C:\Users\Admin\AppData\Local\Temp\f7a1a4ec8ee1f0504378264b77c200cf_JaffaCakes118.exe"
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2900 -
Level 3: C:\Windows\SysWOW64\dziwzae.exe
Command line: C:\Windows\system32\dziwzae.exe 632 "C:\Windows\SysWOW64\gfpzbci.exe"
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1452 -
Level 4: C:\Windows\SysWOW64\urthgsu.exe
Command line: C:\Windows\system32\urthgsu.exe 640 "C:\Windows\SysWOW64\dziwzae.exe"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1396 -
Level 5: C:\Windows\SysWOW64\hapujnk.exe
Command line: C:\Windows\system32\hapujnk.exe 636 "C:\Windows\SysWOW64\urthgsu.exe"
- Executes dropped EXE
- Loads dropped DLL
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2972 -
Level 6: C:\Windows\SysWOW64\tnhcres.exe
Command line: C:\Windows\system32\tnhcres.exe 648 "C:\Windows\SysWOW64\hapujnk.exe"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016 -
Level 7: C:\Windows\SysWOW64\xayujjm.exe
Command line: C:\Windows\system32\xayujjm.exe 644 "C:\Windows\SysWOW64\tnhcres.exe"
- Executes dropped EXE
- Loads dropped DLL
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2124 -
Level 8: C:\Windows\SysWOW64\hoaxlqx.exe
Command line: C:\Windows\system32\hoaxlqx.exe 656 "C:\Windows\SysWOW64\xayujjm.exe"
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:900 -
Level 9: C:\Windows\SysWOW64\mtuxymu.exe
Command line: C:\Windows\system32\mtuxymu.exe 652 "C:\Windows\SysWOW64\hoaxlqx.exe"
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1952 -
Level 10: C:\Windows\SysWOW64\ailhfrf.exe
Command line: C:\Windows\system32\ailhfrf.exe 708 "C:\Windows\SysWOW64\mtuxymu.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2388 -
Level 11: C:\Windows\SysWOW64\sqkfyua.exe
Command line: C:\Windows\system32\sqkfyua.exe 660 "C:\Windows\SysWOW64\ailhfrf.exe"
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2648 -
Level 12: C:\Windows\SysWOW64\jxjvdij.exe
Command line: C:\Windows\system32\jxjvdij.exe 692 "C:\Windows\SysWOW64\sqkfyua.exe"
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2956 -
Level 13: C:\Windows\SysWOW64\rtuaood.exe
Command line: C:\Windows\system32\rtuaood.exe 664 "C:\Windows\SysWOW64\jxjvdij.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2772 -
Level 14: C:\Windows\SysWOW64\ldoimir.exe
Command line: C:\Windows\system32\ldoimir.exe 700 "C:\Windows\SysWOW64\rtuaood.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684 -
Level 15: C:\Windows\SysWOW64\vrqlvxc.exe
Command line: C:\Windows\system32\vrqlvxc.exe 668 "C:\Windows\SysWOW64\ldoimir.exe"
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1372 -
Level 16: C:\Windows\SysWOW64\pmdtvqk.exe
Command line: C:\Windows\system32\pmdtvqk.exe 712 "C:\Windows\SysWOW64\vrqlvxc.exe"
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1344 -
Level 17: C:\Windows\SysWOW64\rdranhh.exe
Command line: C:\Windows\system32\rdranhh.exe 672 "C:\Windows\SysWOW64\pmdtvqk.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2364 -
Level 18: C:\Windows\SysWOW64\otqbggn.exe
Command line: C:\Windows\system32\otqbggn.exe 744 "C:\Windows\SysWOW64\rdranhh.exe"
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
PID:584 -
Level 19: C:\Windows\SysWOW64\vbnluqg.exe
Command line: C:\Windows\system32\vbnluqg.exe 676 "C:\Windows\SysWOW64\otqbggn.exe"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1836 -
Level 20: C:\Windows\SysWOW64\zveyfjw.exe
Command line: C:\Windows\system32\zveyfjw.exe 720 "C:\Windows\SysWOW64\vbnluqg.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2088 -
Level 21: C:\Windows\SysWOW64\rbdokxn.exe
Command line: C:\Windows\system32\rbdokxn.exe 680 "C:\Windows\SysWOW64\zveyfjw.exe"
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2348 -
Level 22: C:\Windows\SysWOW64\qfplgow.exe
Command line: C:\Windows\system32\qfplgow.exe 728 "C:\Windows\SysWOW64\rbdokxn.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2920 -
Level 23: C:\Windows\SysWOW64\yrpeppj.exe
Command line: C:\Windows\system32\yrpeppj.exe 688 "C:\Windows\SysWOW64\qfplgow.exe"
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1276 -
Level 24: C:\Windows\SysWOW64\rpormza.exe
Command line: C:\Windows\system32\rpormza.exe 576 "C:\Windows\SysWOW64\yrpeppj.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1620 -
Level 25: C:\Windows\SysWOW64\rlbojqr.exe
Command line: C:\Windows\system32\rlbojqr.exe 736 "C:\Windows\SysWOW64\rpormza.exe"
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
PID:2192 -
Level 26: C:\Windows\SysWOW64\wyuwcaw.exe
Command line: C:\Windows\system32\wyuwcaw.exe 760 "C:\Windows\SysWOW64\rlbojqr.exe"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1744 -
Level 27: C:\Windows\SysWOW64\gunpkvw.exe
Command line: C:\Windows\system32\gunpkvw.exe 784 "C:\Windows\SysWOW64\wyuwcaw.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
PID:2716 -
Level 28: C:\Windows\SysWOW64\nbihekg.exe
Command line: C:\Windows\system32\nbihekg.exe 820 "C:\Windows\SysWOW64\gunpkvw.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1800 -
Level 29: C:\Windows\SysWOW64\yxjrleh.exe
Command line: C:\Windows\system32\yxjrleh.exe 788 "C:\Windows\SysWOW64\nbihekg.exe"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
PID:2476 -
Level 30: C:\Windows\SysWOW64\iizchiv.exe
Command line: C:\Windows\system32\iizchiv.exe 764 "C:\Windows\SysWOW64\yxjrleh.exe"
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2692 -
Level 31: C:\Windows\SysWOW64\hejpqty.exe
Command line: C:\Windows\system32\hejpqty.exe 800 "C:\Windows\SysWOW64\iizchiv.exe"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2256 -
Level 32: C:\Windows\SysWOW64\ucerzbd.exe
Command line: C:\Windows\system32\ucerzbd.exe 768 "C:\Windows\SysWOW64\hejpqty.exe"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:680 -
Level 33: C:\Windows\SysWOW64\eftcuek.exe
Command line: C:\Windows\system32\eftcuek.exe 836 "C:\Windows\SysWOW64\ucerzbd.exe"
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2428 -
Level 34: C:\Windows\SysWOW64\paumbyk.exe
Command line: C:\Windows\system32\paumbyk.exe 772 "C:\Windows\SysWOW64\eftcuek.exe"
- Checks BIOS information in registry
- Executes dropped EXE
PID:2552 -
Level 35: C:\Windows\SysWOW64\bymzkcf.exe
Command line: C:\Windows\system32\bymzkcf.exe 848 "C:\Windows\SysWOW64\paumbyk.exe"
- Executes dropped EXE
- Drops file in System32 directory
PID:1616 -
Level 36: C:\Windows\SysWOW64\lyqxcbn.exe
Command line: C:\Windows\system32\lyqxcbn.exe 852 "C:\Windows\SysWOW64\bymzkcf.exe"
- Executes dropped EXE
- Drops file in System32 directory
PID:1808 -
Level 37: C:\Windows\SysWOW64\ytiuiem.exe
Command line: C:\Windows\system32\ytiuiem.exe 844 "C:\Windows\SysWOW64\lyqxcbn.exe"
- Checks BIOS information in registry
- Executes dropped EXE
PID:1752 -
Level 38: C:\Windows\SysWOW64\ivxxvas.exe
Command line: C:\Windows\system32\ivxxvas.exe 776 "C:\Windows\SysWOW64\ytiuiem.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:1932 -
Level 39: C:\Windows\SysWOW64\sujcgya.exe
Command line: C:\Windows\system32\sujcgya.exe 832 "C:\Windows\SysWOW64\ivxxvas.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1796 -
Level 40: C:\Windows\SysWOW64\zcxuawj.exe
Command line: C:\Windows\system32\zcxuawj.exe 840 "C:\Windows\SysWOW64\sujcgya.exe"
- Executes dropped EXE
PID:920 -
Level 41: C:\Windows\SysWOW64\waeutvo.exe
Command line: C:\Windows\system32\waeutvo.exe 864 "C:\Windows\SysWOW64\zcxuawj.exe"
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1540 -
Level 42: C:\Windows\SysWOW64\jyyxjdu.exe
Command line: C:\Windows\system32\jyyxjdu.exe 748 "C:\Windows\SysWOW64\waeutvo.exe"
- Executes dropped EXE
- Modifies registry class
PID:1784 -
Level 43: C:\Windows\SysWOW64\wptaslz.exe
Command line: C:\Windows\system32\wptaslz.exe 884 "C:\Windows\SysWOW64\jyyxjdu.exe"
- Checks BIOS information in registry
- Executes dropped EXE
- Modifies registry class
PID:1968 -
Level 44: C:\Windows\SysWOW64\dwpseaj.exe
Command line: C:\Windows\system32\dwpseaj.exe 792 "C:\Windows\SysWOW64\wptaslz.exe"
- Executes dropped EXE
- NTFS ADS
PID:2672 -
Level 45: C:\Windows\SysWOW64\leksyqk.exe
Command line: C:\Windows\system32\leksyqk.exe 796 "C:\Windows\SysWOW64\dwpseaj.exe"
- Executes dropped EXE
- Modifies registry class
PID:1428 -
Level 46: C:\Windows\SysWOW64\smxklfu.exe
Command line: C:\Windows\system32\smxklfu.exe 704 "C:\Windows\SysWOW64\leksyqk.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1936 -
Level 47: C:\Windows\SysWOW64\denqxvw.exe
Command line: C:\Windows\system32\denqxvw.exe 804 "C:\Windows\SysWOW64\smxklfu.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2676 -
Level 48: C:\Windows\SysWOW64\kljiktf.exe
Command line: C:\Windows\system32\kljiktf.exe 812 "C:\Windows\SysWOW64\denqxvw.exe"
- Checks BIOS information in registry
- Executes dropped EXE
PID:2852 -
Level 49: C:\Windows\SysWOW64\mkpxhyt.exe
Command line: C:\Windows\system32\mkpxhyt.exe 600 "C:\Windows\SysWOW64\kljiktf.exe"
- Checks BIOS information in registry
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2332 -
Level 50: C:\Windows\SysWOW64\zbraqyy.exe
Command line: C:\Windows\system32\zbraqyy.exe 724 "C:\Windows\SysWOW64\mkpxhyt.exe"
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1996 -
Level 51: C:\Windows\SysWOW64\hfunhrb.exe
Command line: C:\Windows\system32\hfunhrb.exe 860 "C:\Windows\SysWOW64\zbraqyy.exe"
- Checks BIOS information in registry
- Executes dropped EXE
- NTFS ADS
PID:1136 -
Level 52: C:\Windows\SysWOW64\reglsij.exe
Command line: C:\Windows\system32\reglsij.exe 828 "C:\Windows\SysWOW64\hfunhrb.exe"
- Executes dropped EXE
- Drops file in System32 directory
- NTFS ADS
PID:2164 -
Level 53: C:\Windows\SysWOW64\tzinnip.exe
Command line: C:\Windows\system32\tzinnip.exe 808 "C:\Windows\SysWOW64\reglsij.exe"
- Checks BIOS information in registry
- Executes dropped EXE
PID:1600 -
Level 54: C:\Windows\SysWOW64\ssjypdz.exe
Command line: C:\Windows\system32\ssjypdz.exe 756 "C:\Windows\SysWOW64\tzinnip.exe"
- Executes dropped EXE
- Drops file in System32 directory
PID:1260 -
Level 55: C:\Windows\SysWOW64\ptcllgl.exe
Command line: C:\Windows\system32\ptcllgl.exe 880 "C:\Windows\SysWOW64\ssjypdz.exe"
- Executes dropped EXE
- Drops file in System32 directory
PID:2096 -
Level 56: C:\Windows\SysWOW64\pirqcwo.exe
Command line: C:\Windows\system32\pirqcwo.exe 896 "C:\Windows\SysWOW64\ptcllgl.exe"
- Checks BIOS information in registry
- Executes dropped EXE
- Modifies registry class
PID:2636 -
Level 57: C:\Windows\SysWOW64\rsrousw.exe
Command line: C:\Windows\system32\rsrousw.exe 872 "C:\Windows\SysWOW64\pirqcwo.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2696 -
Level 58: C:\Windows\SysWOW64\zaegoig.exe
Command line: C:\Windows\system32\zaegoig.exe 816 "C:\Windows\SysWOW64\rsrousw.exe"
- Executes dropped EXE
PID:2700 -
Level 59: C:\Windows\SysWOW64\jzqdzgn.exe
Command line: C:\Windows\system32\jzqdzgn.exe 780 "C:\Windows\SysWOW64\zaegoig.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1236 -
Level 60: C:\Windows\SysWOW64\gaaqdkz.exe
Command line: C:\Windows\system32\gaaqdkz.exe 824 "C:\Windows\SysWOW64\jzqdzgn.exe"
- Executes dropped EXE
- Drops file in System32 directory
PID:2820 -
Level 61: C:\Windows\SysWOW64\qvbbkea.exe
Command line: C:\Windows\system32\qvbbkea.exe 904 "C:\Windows\SysWOW64\gaaqdkz.exe"
- Executes dropped EXE
- Drops file in System32 directory
PID:2288 -
Level 62: C:\Windows\SysWOW64\qrnghdq.exe
Command line: C:\Windows\system32\qrnghdq.exe 908 "C:\Windows\SysWOW64\qvbbkea.exe"
- Executes dropped EXE
PID:932 -
Level 63: C:\Windows\SysWOW64\xsmgwkm.exe
Command line: C:\Windows\system32\xsmgwkm.exe 740 "C:\Windows\SysWOW64\qrnghdq.exe"
- Executes dropped EXE
PID:892 -
Level 64: C:\Windows\SysWOW64\rcoobmi.exe
Command line: C:\Windows\system32\rcoobmi.exe 752 "C:\Windows\SysWOW64\xsmgwkm.exe"
- Executes dropped EXE
- NTFS ADS
PID:2248 -
Level 65: C:\Windows\SysWOW64\mprrwmp.exe
Command line: C:\Windows\system32\mprrwmp.exe 924 "C:\Windows\SysWOW64\rcoobmi.exe"
- Executes dropped EXE
- Drops file in System32 directory
PID:1020 -
Level 66: C:\Windows\SysWOW64\jnqrplu.exe
Command line: C:\Windows\system32\jnqrplu.exe 972 "C:\Windows\SysWOW64\mprrwmp.exe"
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3000 -
Level 67: C:\Windows\SysWOW64\lxpgihc.exe
Command line: C:\Windows\system32\lxpgihc.exe 856 "C:\Windows\SysWOW64\jnqrplu.exe"
- Checks BIOS information in registry
- System Location Discovery: System Language Discovery
PID:1488 -
Level 68: C:\Windows\SysWOW64\tbruzan.exe
Command line: C:\Windows\system32\tbruzan.exe 912 "C:\Windows\SysWOW64\lxpgihc.exe"
- Checks BIOS information in registry
PID:1868 -
Level 69: C:\Windows\SysWOW64\fvguerb.exe
Command line: C:\Windows\system32\fvguerb.exe 984 "C:\Windows\SysWOW64\tbruzan.exe"
- Modifies registry class
PID:2544 -
Level 70: C:\Windows\SysWOW64\bacudhm.exe
Command line: C:\Windows\system32\bacudhm.exe 956 "C:\Windows\SysWOW64\fvguerb.exe"
- Checks BIOS information in registry
- NTFS ADS
PID:2396 -
Level 71: C:\Windows\SysWOW64\gfvcwry.exe
Command line: C:\Windows\system32\gfvcwry.exe 876 "C:\Windows\SysWOW64\bacudhm.exe"
- Checks BIOS information in registry
- Modifies registry class
- NTFS ADS
PID:2912 -
Level 72: C:\Windows\SysWOW64\lrpkqsd.exe
Command line: C:\Windows\system32\lrpkqsd.exe 996 "C:\Windows\SysWOW64\gfvcwry.exe"
PID:868
-
Level 73: C:\Windows\SysWOW64\qpmrdtc.exe
Command line: C:\Windows\system32\qpmrdtc.exe 932 "C:\Windows\SysWOW64\lrpkqsd.exe"
- Checks BIOS information in registry
PID:1532 -
Level 74: C:\Windows\SysWOW64\nqefzxo.exe
Command line: C:\Windows\system32\nqefzxo.exe 988 "C:\Windows\SysWOW64\qpmrdtc.exe"
PID:2244
-
Level 75: C:\Windows\SysWOW64\sdxmsgb.exe
Command line: C:\Windows\system32\sdxmsgb.exe 940 "C:\Windows\SysWOW64\nqefzxo.exe"
- Modifies registry class
PID:1652 -
Level 76: C:\Windows\SysWOW64\urapnhh.exe
Command line: C:\Windows\system32\urapnhh.exe 976 "C:\Windows\SysWOW64\sdxmsgb.exe"
- Checks BIOS information in registry
- Drops file in System32 directory
PID:2704 -
Level 77: C:\Windows\SysWOW64\zaikemn.exe
Command line: C:\Windows\system32\zaikemn.exe 868 "C:\Windows\SysWOW64\urapnhh.exe"
- Checks BIOS information in registry
- NTFS ADS
PID:1248 -
Level 78: C:\Windows\SysWOW64\jznholv.exe
Command line: C:\Windows\system32\jznholv.exe 952 "C:\Windows\SysWOW64\zaikemn.exe"
- NTFS ADS
PID:2308 -
Level 79: C:\Windows\SysWOW64\otdhnvf.exe
Command line: C:\Windows\system32\otdhnvf.exe 968 "C:\Windows\SysWOW64\jznholv.exe"
- Checks BIOS information in registry
PID:948 -
Level 80: C:\Windows\SysWOW64\tgwpgfs.exe
Command line: C:\Windows\system32\tgwpgfs.exe 936 "C:\Windows\SysWOW64\otdhnvf.exe"
- Drops file in System32 directory
PID:1964 -
Level 81: C:\Windows\SysWOW64\akycpqv.exe
Command line: C:\Windows\system32\akycpqv.exe 888 "C:\Windows\SysWOW64\tgwpgfs.exe"
- Checks BIOS information in registry
PID:2792 -
Level 82: C:\Windows\SysWOW64\cxbflrb.exe
Command line: C:\Windows\system32\cxbflrb.exe 1036 "C:\Windows\SysWOW64\akycpqv.exe"
PID:568
-
Level 83: C:\Windows\SysWOW64\cjnxhvg.exe
Command line: C:\Windows\system32\cjnxhvg.exe 892 "C:\Windows\SysWOW64\cxbflrb.exe"
- Checks BIOS information in registry
- NTFS ADS
PID:1748 -
Level 84: C:\Windows\SysWOW64\xkpffwt.exe
Command line: C:\Windows\system32\xkpffwt.exe 1032 "C:\Windows\SysWOW64\cjnxhvg.exe"
- Drops file in System32 directory
PID:1036 -
Level 85: C:\Windows\SysWOW64\wdqxzjd.exe
Command line: C:\Windows\system32\wdqxzjd.exe 944 "C:\Windows\SysWOW64\xkpffwt.exe"
- Drops file in System32 directory
PID:1956 -
Level 86: C:\Windows\SysWOW64\yvpnrfl.exe
Command line: C:\Windows\system32\yvpnrfl.exe 1056 "C:\Windows\SysWOW64\wdqxzjd.exe"
PID:428
-
Level 87: C:\Windows\SysWOW64\vkonsmy.exe
Command line: C:\Windows\system32\vkonsmy.exe 980 "C:\Windows\SysWOW64\yvpnrfl.exe"
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2812 -
Level 88: C:\Windows\SysWOW64\axivlwd.exe
Command line: C:\Windows\system32\axivlwd.exe 928 "C:\Windows\SysWOW64\vkonsmy.exe"
- Drops file in System32 directory
- NTFS ADS
PID:916 -
Level 89: C:\Windows\SysWOW64\cwwljsr.exe
Command line: C:\Windows\system32\cwwljsr.exe 1008 "C:\Windows\SysWOW64\axivlwd.exe"
- Checks BIOS information in registry
- NTFS ADS
PID:2156 -
Level 90: C:\Windows\SysWOW64\cltqaju.exe
Command line: C:\Windows\system32\cltqaju.exe 1028 "C:\Windows\SysWOW64\cwwljsr.exe"
- NTFS ADS
PID:3060 -
Level 91: C:\Windows\SysWOW64\zeedwmg.exe
Command line: C:\Windows\system32\zeedwmg.exe 920 "C:\Windows\SysWOW64\cltqaju.exe"
- NTFS ADS
PID:1732 -
Level 92: C:\Windows\SysWOW64\erxlpws.exe
Command line: C:\Windows\system32\erxlpws.exe 900 "C:\Windows\SysWOW64\zeedwmg.exe"
- Checks BIOS information in registry
- Modifies registry class
PID:2296 -
Level 93: C:\Windows\SysWOW64\gbnvkzz.exe
Command line: C:\Windows\system32\gbnvkzz.exe 1012 "C:\Windows\SysWOW64\erxlpws.exe"
- Drops file in System32 directory
- NTFS ADS
PID:2500 -
Level 94: C:\Windows\SysWOW64\qmctppb.exe
Command line: C:\Windows\system32\qmctppb.exe 1068 "C:\Windows\SysWOW64\gbnvkzz.exe"
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2804 -
Level 95: C:\Windows\SysWOW64\atoqaoi.exe
Command line: C:\Windows\system32\atoqaoi.exe 964 "C:\Windows\SysWOW64\qmctppb.exe"
PID:2892
-
Level 96: C:\Windows\SysWOW64\iacqudk.exe
Command line: C:\Windows\system32\iacqudk.exe 992 "C:\Windows\SysWOW64\atoqaoi.exe"
- Drops file in System32 directory
PID:1284 -
Level 97: C:\Windows\SysWOW64\mrgdqrv.exe
Command line: C:\Windows\system32\mrgdqrv.exe 1040 "C:\Windows\SysWOW64\iacqudk.exe"
- Drops file in System32 directory
PID:1828 -
Level 98: C:\Windows\SysWOW64\mjhwkef.exe
Command line: C:\Windows\system32\mjhwkef.exe 732 "C:\Windows\SysWOW64\mrgdqrv.exe"
- Modifies registry class
PID:2560 -
Level 99: C:\Windows\SysWOW64\wfigryo.exe
Command line: C:\Windows\system32\wfigryo.exe 1020 "C:\Windows\SysWOW64\mjhwkef.exe"
- Checks BIOS information in registry
- Modifies registry class
PID:2740 -
Level 100: C:\Windows\SysWOW64\rdyjuwv.exe
Command line: C:\Windows\system32\rdyjuwv.exe 1072 "C:\Windows\SysWOW64\wfigryo.exe"
PID:2948
-
Level 101: C:\Windows\SysWOW64\scnysbi.exe
Command line: C:\Windows\system32\scnysbi.exe 1016 "C:\Windows\SysWOW64\rdyjuwv.exe"
- Drops file in System32 directory
PID:3056 -
Level 102: C:\Windows\SysWOW64\xpyylcn.exe
Command line: C:\Windows\system32\xpyylcn.exe 1080 "C:\Windows\SysWOW64\scnysbi.exe"
PID:2664
-
Level 103: C:\Windows\SysWOW64\ikzrtxw.exe
Command line: C:\Windows\system32\ikzrtxw.exe 1060 "C:\Windows\SysWOW64\xpyylcn.exe"
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:964 -
Level 104: C:\Windows\SysWOW64\npszmha.exe
Command line: C:\Windows\system32\npszmha.exe 1064 "C:\Windows\SysWOW64\ikzrtxw.exe"
- Checks BIOS information in registry
PID:1464 -
Level 105: C:\Windows\SysWOW64\rcmhfqf.exe
Command line: C:\Windows\system32\rcmhfqf.exe 1004 "C:\Windows\SysWOW64\npszmha.exe"
PID:3008
-
Level 106: C:\Windows\SysWOW64\uppjaru.exe
Command line: C:\Windows\system32\uppjaru.exe 960 "C:\Windows\SysWOW64\rcmhfqf.exe"
- Modifies registry class
PID:1384 -
Level 107: C:\Windows\SysWOW64\ewthlhb.exe
Command line: C:\Windows\system32\ewthlhb.exe 1048 "C:\Windows\SysWOW64\uppjaru.exe"
PID:2416
-
Level 108: C:\Windows\SysWOW64\gdhrahd.exe
Command line: C:\Windows\system32\gdhrahd.exe 1108 "C:\Windows\SysWOW64\ewthlhb.exe"
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:1756 -
Level 109: C:\Windows\SysWOW64\iqkuvaj.exe
Command line: C:\Windows\system32\iqkuvaj.exe 1092 "C:\Windows\SysWOW64\gdhrahd.exe"
PID:1536
-
Level 110: C:\Windows\SysWOW64\uochdde.exe
Command line: C:\Windows\system32\uochdde.exe 1052 "C:\Windows\SysWOW64\iqkuvaj.exe"
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:2720 -
Level 111: C:\Windows\SysWOW64\fkdrtxf.exe
Command line: C:\Windows\system32\fkdrtxf.exe 1100 "C:\Windows\SysWOW64\uochdde.exe"
- Modifies registry class
PID:996 -
Level 112: C:\Windows\SysWOW64\pfecbso.exe
Command line: C:\Windows\system32\pfecbso.exe 948 "C:\Windows\SysWOW64\fkdrtxf.exe"
PID:1216
-
Level 113: C:\Windows\SysWOW64\obqhyjw.exe
Command line: C:\Windows\system32\obqhyjw.exe 1076 "C:\Windows\SysWOW64\pfecbso.exe"
- Checks BIOS information in registry
PID:2784 -
Level 114: C:\Windows\SysWOW64\wjdzsgg.exe
Command line: C:\Windows\system32\wjdzsgg.exe 1156 "C:\Windows\SysWOW64\obqhyjw.exe"
- NTFS ADS
PID:1832 -
Level 115: C:\Windows\SysWOW64\ekczynk.exe
Command line: C:\Windows\system32\ekczynk.exe 1116 "C:\Windows\SysWOW64\wjdzsgg.exe"
- Drops file in System32 directory
- NTFS ADS
PID:2964 -
Level 116: C:\Windows\SysWOW64\qerzmmy.exe
Command line: C:\Windows\system32\qerzmmy.exe 1176 "C:\Windows\SysWOW64\ekczynk.exe"
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2380 -
Level 117: C:\Windows\SysWOW64\sojxeig.exe
Command line: C:\Windows\system32\sojxeig.exe 1112 "C:\Windows\SysWOW64\qerzmmy.exe"
- Checks BIOS information in registry
- Modifies registry class
- NTFS ADS
PID:1988 -
Level 118: C:\Windows\SysWOW64\kgualbw.exe
Command line: C:\Windows\system32\kgualbw.exe 1184 "C:\Windows\SysWOW64\sojxeig.exe"
PID:1924
-
Level 119: C:\Windows\SysWOW64\xtdprfv.exe
Command line: C:\Windows\system32\xtdprfv.exe 1000 "C:\Windows\SysWOW64\kgualbw.exe"
PID:1656
-
Level 120: C:\Windows\SysWOW64\wppvowl.exe
Command line: C:\Windows\system32\wppvowl.exe 1096 "C:\Windows\SysWOW64\xtdprfv.exe"
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1012 -
Level 121: C:\Windows\SysWOW64\dxlniln.exe
Command line: C:\Windows\system32\dxlniln.exe 1132 "C:\Windows\SysWOW64\wppvowl.exe"
- Checks BIOS information in registry
PID:2468 -
Level 122: C:\Windows\SysWOW64\jgtirqt.exe
Command line: C:\Windows\system32\jgtirqt.exe 1124 "C:\Windows\SysWOW64\dxlniln.exe"
- Checks BIOS information in registry
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2680
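The WriteProcessMemory table and the process tree above describe one strictly linear chain: every stage is a fresh 7-letter executable in C:\Windows\SysWOW64 that writes to the memory of exactly one child, and every child's command line carries a number plus the quoted path of the stage that launched it (the number increments like an inherited handle value, which is an assumption; the check below only uses the quoted path). The script below is an added example written for this page, not the sandbox's own code: it collapses the repeated memory-write rows into unique parent/child edges, walks them to confirm the chain is linear, and cross-checks each tree entry's argument against the previous stage's image. The sample rows are a constructed subset of the report's own tables in the layout shown above.

```python
import re
from collections import defaultdict

# Constructed subset of the report's WriteProcessMemory rows (each CreateProcess
# shows up as four identical writes, as in the report).
WPM_ROWS = (
    ["PID 2876 wrote to memory of 2900 2876 f7a1a4ec8ee1f0504378264b77c200cf_JaffaCakes118.exe 30"] * 4
    + ["PID 2900 wrote to memory of 1452 2900 gfpzbci.exe 31"] * 4
    + ["PID 1452 wrote to memory of 1396 1452 dziwzae.exe 32"] * 4
)

# Constructed subset of the process tree as (pid, image path, command line).
TREE = [
    (2876, r"C:\Users\Admin\AppData\Local\Temp\f7a1a4ec8ee1f0504378264b77c200cf_JaffaCakes118.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\f7a1a4ec8ee1f0504378264b77c200cf_JaffaCakes118.exe"'),
    (2900, r"C:\Windows\SysWOW64\gfpzbci.exe",
     r'C:\Windows\system32\gfpzbci.exe 716 "C:\Users\Admin\AppData\Local\Temp\f7a1a4ec8ee1f0504378264b77c200cf_JaffaCakes118.exe"'),
    (1452, r"C:\Windows\SysWOW64\dziwzae.exe",
     r'C:\Windows\system32\dziwzae.exe 632 "C:\Windows\SysWOW64\gfpzbci.exe"'),
    (1396, r"C:\Windows\SysWOW64\urthgsu.exe",
     r'C:\Windows\system32\urthgsu.exe 640 "C:\Windows\SysWOW64\dziwzae.exe"'),
]

# "PID <p> wrote to memory of <c> <p> <image> <target>"; \1 pins the repeated parent pid.
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$")
# "<image> <number> "<parent path>"" as seen in every dropped stage's command line.
CMD_RE = re.compile(r'^(?P<image>\S+) (?P<handle>\d+) "(?P<parent>[^"]+)"$')
RANDOM_NAME = re.compile(r"^[a-z]{7}\.exe$", re.IGNORECASE)
SYSWOW64 = "c:\\windows\\syswow64\\"


def wpm_edges(rows):
    """Collapse repeated rows into {(parent_pid, child_pid): parent_image}."""
    edges = {}
    for row in rows:
        m = WPM_RE.match(row)
        if m:
            ppid, cpid, image, _target = m.groups()
            edges[(int(ppid), int(cpid))] = image
    return edges


def linear_chain(edges, root):
    """Follow parent->child edges from root and return the pid sequence.

    Raises ValueError if any stage spawned more than one child or the graph
    loops, i.e. if the tree is not the single chain this report shows.
    """
    children = defaultdict(list)
    for parent, child in edges:
        children[parent].append(child)
    chain, cur = [root], root
    while children.get(cur):
        if len(children[cur]) != 1:
            raise ValueError(f"pid {cur} has {len(children[cur])} children")
        cur = children[cur][0]
        if cur in chain:
            raise ValueError(f"cycle at pid {cur}")
        chain.append(cur)
    return chain


def lineage_findings(tree):
    """Return (pid, finding) pairs for entries whose argv names the previous
    stage's image, and for machine-looking 7-letter names under SysWOW64."""
    findings = []
    for i, (pid, image, cmdline) in enumerate(tree):
        m = CMD_RE.match(cmdline)
        if not m:
            continue                      # the original sample takes no arguments
        if i > 0 and m["parent"].lower() == tree[i - 1][1].lower():
            findings.append((pid, "argv names previous stage"))
        exe = image.rsplit("\\", 1)[-1]
        if RANDOM_NAME.match(exe) and image.lower().startswith(SYSWOW64):
            findings.append((pid, "7-letter name in SysWOW64"))
    return findings


if __name__ == "__main__":
    edges = wpm_edges(WPM_ROWS)
    print("chain:", linear_chain(edges, 2876))
    for pid, what in lineage_findings(TREE):
        print(pid, what)
```

The same two regexes work against Sysmon event ID 10 (target/source process) and event ID 1 (CommandLine, ParentImage) exports, where a long run of one-child-per-stage launches whose command lines quote the parent image is the pattern to alert on; the 7-letter-name test is a weak signal on its own and is only useful combined with the lineage check.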