Analysis

max time kernel: 150s
max time network: 102s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-09-2024 05:08

Static task: static1
Behavioral task behavioral1: Sample f7a1a4ec8ee1f0504378264b77c200cf_JaffaCakes118.exe, Resource win7-20240903-en
Behavioral task behavioral2: Sample f7a1a4ec8ee1f0504378264b77c200cf_JaffaCakes118.exe, Resource win10v2004-20240802-en
General

Target: f7a1a4ec8ee1f0504378264b77c200cf_JaffaCakes118.exe
Size: 792KB
MD5: f7a1a4ec8ee1f0504378264b77c200cf
SHA1: afafcaff5c683e70324298d6fe75fdbaba506296
SHA256: 6d1d41b1f4df5c76e9f8a82469471cc9eb623c08fda2be0554c3e20ccd775af1
SHA512: d6d1c8d8775d8d6c52548f8765200320d79ffe01948ec5629c961b227bd8024ff7dfeb9c0610797cbebed845eab3cbfe5096bbaf6e43e6719192c07e6aceb174
SSDEEP: 12288:27lo5CZDPH2fpcx/c6V2NNHbScrXOL+ikJvRg597+QKUvrISSLqD3/HsN:e/DPHFx/cmqY7kJ59aIDq7
Malware Config

Extracted: metasploit, encoder/call4_dword_xor
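What the "encoder/call4_dword_xor" line in the extracted config refers to, as an added example (this is not code from the report, from Triage or from Metasploit): it re-implements the dword-XOR scheme of Metasploit's x86/call4_dword_xor encoder and a small extractor that finds the decoder stub in a blob, pulls out the 4-byte key and recovers the encoded payload, which is the kind of check a config extractor runs to produce the line above. The STUB_BODY/STUB_TAIL bytes are my recollection of the decoder loop and the "xor ecx, ecx; sub ecx, -N" count prefix is an assumption: the real encoder chooses count-setting bytes that avoid bad characters, so the extractor falls back to decoding to the end of the buffer when that prefix is absent. SAMPLE_PAYLOAD is a constructed placeholder, not shellcode.

```python
"""dword-XOR encode/decode and stub-based extraction for the
x86/call4_dword_xor scheme.  Added example; stub bytes are my recollection
of the encoder's decoder loop, the count prefix is an assumption."""
import re
import struct

# Decoder loop as I recall it (stub bytes overlap on purpose):
#   e8 ff ff ff ff   call $+4            ; lands on the last 0xff byte
#   ff c0            inc eax             ; harmless, overlaps the call operand
#   5e               pop esi             ; esi = return address (the 0xc0 byte)
#   81 76 0e KEY     xor [esi+0x0e], KEY ; first encoded dword sits at esi+0x0e
#   83 ee fc         sub esi, -4         ; esi += 4
#   e2 f4            loop                ; back to the xor, ecx times
STUB_BODY = bytes.fromhex("e8ffffffff" "c0" "5e" "81760e")
STUB_TAIL = bytes.fromhex("83eefc" "e2f4")
# Assumed count prefix: xor ecx, ecx ; sub ecx, -N  (N = dword count, N <= 128)
COUNT_PREFIX = bytes.fromhex("31c9")


def xor_dwords(buf: bytes, key: int) -> bytes:
    """XOR every little-endian dword of buf with key (the operation is its own inverse)."""
    if len(buf) % 4:
        raise ValueError("buffer must be a multiple of 4 bytes")
    return b"".join(struct.pack("<I", dw ^ key) for (dw,) in struct.iter_unpack("<I", buf))


def encode(payload: bytes, key: int) -> bytes:
    """Build count prefix + decoder stub + key + XOR-encoded, NOP-padded payload."""
    padded = payload + b"\x90" * (-len(payload) % 4)      # pad to a dword boundary
    n = len(padded) // 4
    if not 1 <= n <= 128:
        raise ValueError("this example's count prefix only covers 1..128 dwords")
    count = COUNT_PREFIX + bytes([0x83, 0xE9, (-n) & 0xFF])  # sub ecx, -n  -> ecx = n
    return count + STUB_BODY + struct.pack("<I", key) + STUB_TAIL + xor_dwords(padded, key)


STUB_RE = re.compile(re.escape(STUB_BODY) + rb"(?P<key>.{4})" + re.escape(STUB_TAIL), re.DOTALL)


def extract(blob: bytes) -> list:
    """Find every decoder stub in blob and decode the dwords that follow it.

    Each hit is a dict with the offset of the call instruction, the key, the
    dword count and the decoded bytes.  Without a recognisable 'sub ecx, -N'
    right before the call the count is unknown, so everything up to the end
    of blob is decoded instead."""
    hits = []
    for m in STUB_RE.finditer(blob):
        key = struct.unpack("<I", m["key"])[0]
        pre = blob[max(0, m.start() - 3):m.start()]
        if len(pre) == 3 and pre[:2] == b"\x83\xe9":
            n = -struct.unpack("<b", pre[2:3])[0]           # imm8 is -N, sign-extended
        else:
            n = (len(blob) - m.end()) // 4                   # count unknown: decode to the end
        body = blob[m.end():m.end() + 4 * n]
        if n > 0 and len(body) == 4 * n:
            hits.append({"offset": m.start(), "key": key, "dwords": n,
                         "decoded": xor_dwords(body, key)})
    return hits


# Constructed stand-in for a payload; deliberately not shellcode.
SAMPLE_PAYLOAD = b"int3 placeholder, not shellcode"

if __name__ == "__main__":
    blob = b"\x00" * 16 + encode(SAMPLE_PAYLOAD, 0x41424344)
    for hit in extract(blob):
        print(f"stub at +{hit['offset']}: key=0x{hit['key']:08x} "
              f"dwords={hit['dwords']} -> {hit['decoded']!r}")
```

Because the key is stored in clear inside the stub and the XOR is applied per dword with no chaining, recognising the ten stub bytes is enough to recover the payload; that is also why this encoder is trivially fingerprinted by sandboxes and why its presence says "msfvenom-built" rather than anything about the final payload.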
Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Checks BIOS information in registry (2 TTPs, 64 IoCs)
BIOS information is often read in order to detect sandboxing environments.

description: Key value queried (all 64 entries)
ioc \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate, queried by 32 processes:
dzzoezq.exe, rkgnebh.exe, vkoesqy.exe, vlclzza.exe, frrzegc.exe, acahohp.exe, japqaqq.exe, dihfqcs.exe, zdffxee.exe, mrduxom.exe, ntrugjh.exe, jezxqle.exe, zwxijeb.exe, gpwdwyh.exe, laypaas.exe, vlvprmd.exe, cfonvia.exe, ubwwvza.exe, ynglkqs.exe, ahcoctx.exe, rlpcikl.exe, hfqipvb.exe, hyzloam.exe, upcebro.exe, ydbmmxw.exe, bradxmd.exe, zmmpltm.exe, kwlesfp.exe, morkgtc.exe, jvynhbo.exe, ollapce.exe, mwgrhva.exe
ioc \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion, queried by 32 processes:
cwapgrc.exe, awtglok.exe, amrgyaw.exe, lkkqill.exe, yvrgqtz.exe, udugjob.exe, gzrbcmu.exe, cwkonyf.exe, cvxehwp.exe, ntcffdu.exe, vxmkowx.exe, sagshkr.exe, tsxroid.exe, iwqimig.exe, wysjics.exe, hhnxfvf.exe, xxitobk.exe, zizacka.exe, uggekwf.exe, mwgrhva.exe, rxyubyd.exe, owxwirt.exe, qpxuwxi.exe, ieknpmh.exe, bwbfbda.exe, lufwcwg.exe, dzzoezq.exe, cwgtsiy.exe, oabyzad.exe, lqtgdvz.exe, jvynhbo.exe, rjaemfd.exe
Executes dropped EXE (64 IoCs)

pid Process:
3968 gykhptx.exe, 2776 jezxqle.exe, 4684 tmfzurj.exe, 1392 tepxadq.exe, 3324 bmldgbx.exe, 756 tilnckc.exe, 1372 ozfqrzl.exe, 3992 lladpts.exe,
3696 gzrbcmu.exe, 4788 qyvzulc.exe, 1956 qnteltf.exe, 4264 inwckzr.exe, 968 qzgclfh.exe, 5108 acumnpz.exe, 1464 naxpwxx.exe, 3004 syuxjye.exe,
3816 ywrnxrd.exe, 3276 vuynqyi.exe, 228 iveqtxi.exe, 452 sguagbo.exe, 4544 ftlqmev.exe, 2956 qlbvzvp.exe, 760 vxudswc.exe, 4780 nmuoggh.exe,
2316 lufwcwg.exe, 704 nmwmuso.exe, 4396 qtkwjsp.exe, 2456 yljoqyt.exe, 4012 dgdrbvt.exe, 312 fbguwva.exe, 3832 ihmflnj.exe, 960 sdnptik.exe,
3568 yphsdek.exe, 4856 gqgsklo.exe, 2016 iaxichw.exe, 2132 lgetszx.exe, 4496 sloyjka.exe, 4904 aajtnuf.exe, 1480 xxitobk.exe, 1244 dzzoezq.exe,
1664 nroljps.exe, 1732 tplbxqr.exe, 1248 vkoesqy.exe, 3124 dzcrvbd.exe, 1696 fyoogad.exe, 116 khwjwxj.exe, 4908 aitzxgh.exe, 1104 nzouggm.exe,
956 vanuvvi.exe, 1116 chiuhks.exe, 3564 nzysmau.exe, 3328 sxvizbt.exe, 4316 pvciaig.exe, 628 sftyteo.exe, 856 uliiiwp.exe, 4228 iyryoso.exe,
3452 sqhdtqq.exe, 3912 cptbdpx.exe, 676 nlulljy.exe, 3880 xgneaez.exe, 1428 lqtgdvz.exe, 2836 xszwpid.exe, 3972 hrltzhl.exe, 1076 vbrwcgl.exe
Drops file in System32 directory (64 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\gvoavjp.exe | wwcddkh.exe
File created | C:\Windows\SysWOW64\qzkaukd.exe | gdrimpu.exe
File opened for modification | C:\Windows\SysWOW64\ahcoctx.exe | vukywpy.exe
File created | C:\Windows\SysWOW64\himgspn.exe | wnlwkve.exe
File created | C:\Windows\SysWOW64\xgneaez.exe | nlulljy.exe
File created | C:\Windows\SysWOW64\hjshoik.exe | worwhoc.exe
File opened for modification | C:\Windows\SysWOW64\dilnlez.exe | pyfcifh.exe
File opened for modification | C:\Windows\SysWOW64\plvfita.exe | fpuutzz.exe
File opened for modification | C:\Windows\SysWOW64\prlmzdk.exe | ewkusij.exe
File created | C:\Windows\SysWOW64\gpwdwyh.exe | ypxdhjd.exe
File opened for modification | C:\Windows\SysWOW64\xsutkgm.exe | jqoihpm.exe
File opened for modification | C:\Windows\SysWOW64\gnaoafh.exe | vshwsly.exe
File created | C:\Windows\SysWOW64\nlulljy.exe | cptbdpx.exe
File opened for modification | C:\Windows\SysWOW64\pdxvscj.exe | fpwkdhi.exe
File opened for modification | C:\Windows\SysWOW64\jjfrhgv.exe | zkbuoho.exe
File created | C:\Windows\SysWOW64\dweinbq.exe | shzylpn.exe
File opened for modification | C:\Windows\SysWOW64\xgbhfcp.exe | nhpkvdh.exe
File opened for modification | C:\Windows\SysWOW64\qnskejc.exe | grrsppb.exe
File opened for modification | C:\Windows\SysWOW64\pnyhmqs.exe | hjocdfp.exe
File created | C:\Windows\SysWOW64\sawwvyx.exe | ltbwbjn.exe
File created | C:\Windows\SysWOW64\znbwlzh.exe | svcwfld.exe
File created | C:\Windows\SysWOW64\zmrtfyy.exe | prqixex.exe
File opened for modification | C:\Windows\SysWOW64\drbpyhc.exe | tsxroid.exe
File created | C:\Windows\SysWOW64\ywrnxrd.exe | syuxjye.exe
File opened for modification | C:\Windows\SysWOW64\vanuvvi.exe | nzouggm.exe
File opened for modification | C:\Windows\SysWOW64\cigcids.exe | sjcexek.exe
File opened for modification | C:\Windows\SysWOW64\ssgpkhy.exe | haqjxrf.exe
File created | C:\Windows\SysWOW64\sagshkr.exe | ibtvwlj.exe
File created | C:\Windows\SysWOW64\szcvjlh.exe | hhnxfvf.exe
File opened for modification | C:\Windows\SysWOW64\rrbxfvc.exe | eaguwux.exe
File opened for modification | C:\Windows\SysWOW64\szcvjlh.exe | hhnxfvf.exe
File opened for modification | C:\Windows\SysWOW64\ewkusij.exe | rjaemfd.exe
File opened for modification | C:\Windows\SysWOW64\acumnpz.exe | qzgclfh.exe
File created | C:\Windows\SysWOW64\yljoqyt.exe | qtkwjsp.exe
File opened for modification | C:\Windows\SysWOW64\ojgeevb.exe | eccgtwu.exe
File created | C:\Windows\SysWOW64\frrzegc.exe | sawwvyx.exe
File created | C:\Windows\SysWOW64\jkdysmu.exe | yvrgqtz.exe
File opened for modification | C:\Windows\SysWOW64\gcndsmh.exe | whmllry.exe
File opened for modification | C:\Windows\SysWOW64\vqwicre.exe | oiaqitd.exe
File created | C:\Windows\SysWOW64\kjefggx.exe | acahohp.exe
File opened for modification | C:\Windows\SysWOW64\cqatruv.exe | rvzbkau.exe
File opened for modification | C:\Windows\SysWOW64\refziko.exe | himgspn.exe
File created | C:\Windows\SysWOW64\ovsewde.exe | eoohlex.exe
File created | C:\Windows\SysWOW64\xnljlno.exe | kefgioo.exe
File opened for modification | C:\Windows\SysWOW64\varuasb.exe | leqksya.exe
File opened for modification | C:\Windows\SysWOW64\fsmaivx.exe | sxvkdrq.exe
File opened for modification | C:\Windows\SysWOW64\sdzldjt.exe | fqhvynu.exe
File created | C:\Windows\SysWOW64\hbyclwc.exe | zxnxclz.exe
File opened for modification | C:\Windows\SysWOW64\ozmhdyh.exe | becrxuj.exe
File opened for modification | C:\Windows\SysWOW64\sjcexek.exe | iobuikj.exe
File created | C:\Windows\SysWOW64\gcndsmh.exe | whmllry.exe
File opened for modification | C:\Windows\SysWOW64\bwbfbda.exe | zwxijeb.exe
File opened for modification | C:\Windows\SysWOW64\sarhufx.exe | iankkop.exe
File opened for modification | C:\Windows\SysWOW64\zmrtfyy.exe | prqixex.exe
File opened for modification | C:\Windows\SysWOW64\hcohbgd.exe | xgvwmlu.exe
File created | C:\Windows\SysWOW64\indidpo.exe | bitvmed.exe
File created | C:\Windows\SysWOW64\qzkipoc.exe | ivivgdz.exe
File created | C:\Windows\SysWOW64\vxudswc.exe | qlbvzvp.exe
File opened for modification | C:\Windows\SysWOW64\hnvdrbm.exe | xsutkgm.exe
File created | C:\Windows\SysWOW64\hfjqhri.exe | xgxkpsa.exe
File opened for modification | C:\Windows\SysWOW64\hkrwyxn.exe | wpqmrcn.exe
File created | C:\Windows\SysWOW64\uiskudb.exe | jbonceb.exe
File created | C:\Windows\SysWOW64\uliiiwp.exe | sftyteo.exe
File opened for modification | C:\Windows\SysWOW64\keakjnb.exe | zizacka.exe
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description: Key opened (all 64 entries)
ioc \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, opened by 64 processes:
wfrtkwg.exe, jhgfadl.exe, vinzmgo.exe, ahcoctx.exe, pyfcifh.exe, xgxkpsa.exe, oxifdtb.exe, tpftyqg.exe, uttklwr.exe, tdinhos.exe, phtlmiv.exe, qwatqrc.exe, pdxvscj.exe, vvecmnh.exe, nrfauwr.exe, esiizbd.exe, wbvdqyu.exe, dihfqcs.exe, vxmkowx.exe, ylerpcf.exe, jbflgzu.exe, ntcffdu.exe, gpwdwyh.exe, naxpwxx.exe, exlyysu.exe, kcfhnlc.exe, kwxshlz.exe, jezxqle.exe, bsuzkon.exe, laypaas.exe, teklnjh.exe, nbqspaw.exe, vanuvvi.exe, bcwsqri.exe, keakjnb.exe, ovsewde.exe, ondnzbj.exe, crzjdet.exe, jgllhnq.exe, memhyqi.exe, byjdzix.exe, hnuqkxq.exe, tcotctg.exe, rnkmbch.exe, gahaaxb.exe, gnaoafh.exe, qyvzulc.exe, iyryoso.exe, cigcids.exe, kdgryzl.exe, hfqipvb.exe, iaxichw.exe, znbwlzh.exe, vktxivn.exe, sxvizbt.exe, elmczpc.exe, flpakln.exe, xomtcnw.exe, wjdjifn.exe, tftfifi.exe, jxwzgnu.exe, kgotvxc.exe, elydgkh.exe, jqoihpm.exe
Modifies registry class (64 IoCs)

All 64 entries are "Set value (str)" under \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B6B4EC4B-1154-B58E-1154-B58E1154B58E}.
value name = data | Process
nIzFZPGtyhad = "O|\x7fAkm]OIHUtptEN" | pofkqpy.exe
hhfoIxTe = "b|jj@f}efEuCh_xBN" | bzugykc.exe
hwhvrkc = "wRgvUCeB~DGsiYg^RAEPNTNHr{m" | japqaqq.exe
vySOgzgj = "govLHTq{fRDAVD\x7f" | gscdojo.exe
hwhvrkc = "gRwvUCeAnDWsiYg^RAEPNTNHr{m" | csvytat.exe
hwhvrkc = "URwvUCeB\\DWsiYg^RAEPNTNHr{m" | wqwtsve.exe
vySOgzgj = "govyHLq{fRbbksS" | hvkbcuv.exe
hwhvrkc = "|RwvUCeCuDWsiYg^RAEPNTNHr{m" | lpbssfs.exe
hwhvrkc = "rRgvUCeA{DGsiYg^RAEPNTNHr{m" | ragaknq.exe
QKeMwmSnisjAb = "\x7f\\PjxwnDM~b\\eVwQvtRB|" | egjlbyl.exe
hwhvrkc = "XRWvUCe@QDwsiYg^RAEPNTNHr{m" | lrxpexq.exe
PGOffmLkjj = "CQ\x7fx~JnlJNtSEG_AM]GrSdi" | oalmcpn.exe
hhfoIxTe = "b|jj@f}efEuCh_xBN" | chiuhks.exe
nIzFZPGtyhad = "O|\x7fAkm]OIHUtptEN" | cqatruv.exe
vySOgzgj = "govPXPq{fQdh[Cb" | uylanza.exe
vySOgzgj = "govjhHq{fQKbj{Q" | vkoesqy.exe
hwhvrkc = "DRgvUCeBMDGsiYg^RAEPNTNHr{m" | uiskudb.exe
vwkbmv = "[CoT`p]kfTHtaDhvVO}Fj`" | jhgfadl.exe
nIzFZPGtyhad = "O|\x7fAkm]OIHUtptEN" | tewoelm.exe
nIzFZPGtyhad = "O|\x7fAkm]OIHUtptEN" | ozmhdyh.exe
vwkbmv = "[CoT`p]kfTHtaDhvVO}Fjb" | cptbdpx.exe
PGOffmLkjj = "CQ\x7fx~JnlJNtSEG_AM]GrSdi" | bznapil.exe
nIzFZPGtyhad = "O|\x7fAkm]OIHUtptEN" | xeadhse.exe
hwhvrkc = "`RwvUCeAiDWsiYg^RAEPNTNHr{m" | kajqgpd.exe
vySOgzgj = "govHXTq{fPXHOlj" | tfwrzhv.exe
hwhvrkc = "`RWvUCe@iDwsiYg^RAEPNTNHr{m" | vjovbks.exe
kbzn = "|pims{raNfKIiL\\rkrfh[cHyAc]" | wjsvond.exe
PGOffmLkjj = "CQ\x7fx~JnlJNtSEG_AM]GrSdi" | kevntun.exe
vySOgzgj = "govDxTq{fRmPAR[" | jbjuqnh.exe
nIzFZPGtyhad = "O|\x7fAkm]OIHUtptEN" | ljqiccf.exe
hhfoIxTe = "b|jj@f}efEuCh_xBN" | tymmoqz.exe
PGOffmLkjj = "CQ\x7fx~JnlJNtSEG_AM]GrSdi" | xgxkpsa.exe
nIzFZPGtyhad = "O|\x7fAkm]OIHUtptEN" | fbxrwrc.exe
hwhvrkc = "RRgvUCe@[DGsiYg^RAEPNTNHr{m" | dbmaans.exe
hwhvrkc = "PRgvUCe@YDGsiYg^RAEPNTNHr{m" | vxmkowx.exe
hwhvrkc = "cRgvUCeBjDGsiYg^RAEPNTNHr{m" | mqzaegr.exe
vySOgzgj = "govixHq{fPM[zk{" | dzcrvbd.exe
hwhvrkc = "iRwvUCeA`DWsiYg^RAEPNTNHr{m" | evzjxcq.exe
hwhvrkc = "NRwvUCeBGDWsiYg^RAEPNTNHr{m" | uqwvjpg.exe
QKeMwmSnisjAb = "\x7f\\PjxwnDM~b\\eVwQvtRB|" | hjshoik.exe
kbzn = "|pims{raNfKIiL\\rkrfh[cHyAc]" | ojlirkt.exe
PGOffmLkjj = "CQ\x7fx~JnlJNtSEG_AM]GrSdi" | bcwsqri.exe
hwhvrkc = "dRwvUCe@mDWsiYg^RAEPNTNHr{m" | aajtnuf.exe
nIzFZPGtyhad = "O|\x7fAkm]OIHUtptEN" | kefgioo.exe
vySOgzgj = "govGXLq{fSTXMIV" | vbrwcgl.exe
hwhvrkc = "DRWvUCe@MDwsiYg^RAEPNTNHr{m" | iurpvrq.exe
vySOgzgj = "gov\x7fHHq{fS\\_jir" | iyryoso.exe
hhfoIxTe = "b|jj@f}efEuCh_xBN" | zjkdtmf.exe
QKeMwmSnisjAb = "\x7f\\PjxwnDM~b\\eVwQvtRB|" | lefzten.exe
nIzFZPGtyhad = "O|\x7fAkm]OIHUtptEN" | uhxorzm.exe
hwhvrkc = "VRwvUCe@_DWsiYg^RAEPNTNHr{m" | iveqtxi.exe
nIzFZPGtyhad = "O|\x7fAkm]OIHUtptEN" | gjddrvj.exe
hwhvrkc = "FRgvUCeAODGsiYg^RAEPNTNHr{m" | hfqipvb.exe
hhfoIxTe = "b|jj@f}efEuCh_xBN" | lvccsbw.exe
kbzn = "|pims{raNfKIiL\\rkrfh[cHyAc]" | qpxuwxi.exe
hwhvrkc = "fRgvUCeAoDGsiYg^RAEPNTNHr{m" | ksbbfnf.exe
PGOffmLkjj = "CQ\x7fx~JnlJNtSEG_AM]GrSdi" | lpbssfs.exe
vySOgzgj = "gov{h\\q{fS]RiOq" | mwgrhva.exe
kbzn = "|pims{raNfKIiL\\rkrfh[cHyAc]" | cvwpmpq.exe
PGOffmLkjj = "CQ\x7fx~JnlJNtSEG_AM]GrSdi" | vktxivn.exe
vwkbmv = "[CoT`p]kfTHtaDhvVO}Fjb" | qzkaukd.exe
vySOgzgj = "govjxDq{fRobGay" | bafggkt.exe
hwhvrkc = "uRgvUCeC|DGsiYg^RAEPNTNHr{m" | ahtsqhc.exe
vySOgzgj = "govex@q{fRp`_Yb" | wbtaceo.exe
NTFS ADS (64 IoCs)

description: File opened for modification (all 64 entries)
ioc C:\ProgramData\TEMP:3DAA471A, opened by 64 processes:
mubmwox.exe, yphsdek.exe, nzouggm.exe, rndfazj.exe, ynglkqs.exe, ajgdgky.exe, kbraxpk.exe, cvwpmpq.exe, lufwcwg.exe, wqdmawf.exe, vnksjbi.exe, sloofoh.exe, fwhtwcf.exe, gnaoafh.exe, oxifdtb.exe, bhupgdb.exe, exlyysu.exe, htyuqad.exe, lyypydi.exe, aazvuuy.exe, cjvdhct.exe, dwairzb.exe, byjndmq.exe, rrbcfje.exe, dqlkddb.exe, dcgertj.exe, xgvwmlu.exe, hfjqhri.exe, xnljlno.exe, mzwaiam.exe, cxeattq.exe, vfafzmg.exe, zizacka.exe, fsiaexe.exe, oehceoz.exe, xgxkpsa.exe, glmqeaz.exe, eoohlex.exe, eeokihp.exe, bitvmed.exe, ynlewhm.exe, yzyeoxp.exe, qzkipoc.exe, fcjuvlp.exe, xjeprvq.exe, kefgioo.exe, qzkaukd.exe, wemrctl.exe, yzhlyiq.exe, sagshkr.exe, ojlirkt.exe, jbflgzu.exe, jdzxrmr.exe, cwkonyf.exe, csvytat.exe, gfsnvim.exe, indidpo.exe, tftfifi.exe, itjoagm.exe, mwgrhva.exe, wnfaumr.exe, xaenfut.exe, zjkdtmf.exe, nqzgbwq.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f7a1a4ec8ee1f0504378264b77c200cf_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f7a1a4ec8ee1f0504378264b77c200cf_JaffaCakes118.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3944 -
C:\Windows\SysWOW64\gykhptx.exeC:\Windows\system32\gykhptx.exe 1296 "C:\Users\Admin\AppData\Local\Temp\f7a1a4ec8ee1f0504378264b77c200cf_JaffaCakes118.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3968 -
C:\Windows\SysWOW64\jezxqle.exeC:\Windows\system32\jezxqle.exe 1376 "C:\Windows\SysWOW64\gykhptx.exe"3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\tmfzurj.exeC:\Windows\system32\tmfzurj.exe 1284 "C:\Windows\SysWOW64\jezxqle.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4684 -
C:\Windows\SysWOW64\tepxadq.exeC:\Windows\system32\tepxadq.exe 1428 "C:\Windows\SysWOW64\tmfzurj.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1392 -
C:\Windows\SysWOW64\bmldgbx.exeC:\Windows\system32\bmldgbx.exe 1288 "C:\Windows\SysWOW64\tepxadq.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3324 -
C:\Windows\SysWOW64\tilnckc.exeC:\Windows\system32\tilnckc.exe 1316 "C:\Windows\SysWOW64\bmldgbx.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:756 -
C:\Windows\SysWOW64\ozfqrzl.exeC:\Windows\system32\ozfqrzl.exe 1324 "C:\Windows\SysWOW64\tilnckc.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1372 -
C:\Windows\SysWOW64\lladpts.exeC:\Windows\system32\lladpts.exe 1444 "C:\Windows\SysWOW64\ozfqrzl.exe"9⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3992 -
C:\Windows\SysWOW64\gzrbcmu.exeC:\Windows\system32\gzrbcmu.exe 1440 "C:\Windows\SysWOW64\lladpts.exe"10⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3696 -
C:\Windows\SysWOW64\qyvzulc.exeC:\Windows\system32\qyvzulc.exe 1304 "C:\Windows\SysWOW64\gzrbcmu.exe"11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4788 -
C:\Windows\SysWOW64\qnteltf.exeC:\Windows\system32\qnteltf.exe 1464 "C:\Windows\SysWOW64\qyvzulc.exe"12⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\inwckzr.exeC:\Windows\system32\inwckzr.exe 1456 "C:\Windows\SysWOW64\qnteltf.exe"13⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4264 -
C:\Windows\SysWOW64\qzgclfh.exeC:\Windows\system32\qzgclfh.exe 1292 "C:\Windows\SysWOW64\inwckzr.exe"14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:968 -
C:\Windows\SysWOW64\acumnpz.exeC:\Windows\system32\acumnpz.exe 1280 "C:\Windows\SysWOW64\qzgclfh.exe"15⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5108 -
C:\Windows\SysWOW64\naxpwxx.exeC:\Windows\system32\naxpwxx.exe 1380 "C:\Windows\SysWOW64\acumnpz.exe"16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1464 -
C:\Windows\SysWOW64\syuxjye.exeC:\Windows\system32\syuxjye.exe 1300 "C:\Windows\SysWOW64\naxpwxx.exe"17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\ywrnxrd.exeC:\Windows\system32\ywrnxrd.exe 1452 "C:\Windows\SysWOW64\syuxjye.exe"18⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3816 -
C:\Windows\SysWOW64\vuynqyi.exeC:\Windows\system32\vuynqyi.exe 1308 "C:\Windows\SysWOW64\ywrnxrd.exe"19⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3276 -
C:\Windows\SysWOW64\iveqtxi.exeC:\Windows\system32\iveqtxi.exe 1484 "C:\Windows\SysWOW64\vuynqyi.exe"20⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:228 -
C:\Windows\SysWOW64\sguagbo.exeC:\Windows\system32\sguagbo.exe 1332 "C:\Windows\SysWOW64\iveqtxi.exe"21⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:452 -
C:\Windows\SysWOW64\ftlqmev.exeC:\Windows\system32\ftlqmev.exe 1356 "C:\Windows\SysWOW64\sguagbo.exe"22⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4544 -
C:\Windows\SysWOW64\qlbvzvp.exeC:\Windows\system32\qlbvzvp.exe 1348 "C:\Windows\SysWOW64\ftlqmev.exe"23⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2956 -
C:\Windows\SysWOW64\vxudswc.exeC:\Windows\system32\vxudswc.exe 1500 "C:\Windows\SysWOW64\qlbvzvp.exe"24⤵
- Executes dropped EXE
PID:760 -
C:\Windows\SysWOW64\ftnoard.exeC:\Windows\system32\ftnoard.exe 1496 "C:\Windows\SysWOW64\vxudswc.exe"25⤵
- Suspicious use of AdjustPrivilegeToken
PID:3376 -
C:\Windows\SysWOW64\nmuoggh.exeC:\Windows\system32\nmuoggh.exe 1360 "C:\Windows\SysWOW64\ftnoard.exe"26⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4780 -
C:\Windows\SysWOW64\lufwcwg.exeC:\Windows\system32\lufwcwg.exe 1352 "C:\Windows\SysWOW64\nmuoggh.exe"27⤵
- Checks BIOS information in registry
- Executes dropped EXE
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
PID:2316 -
C:\Windows\SysWOW64\nmwmuso.exeC:\Windows\system32\nmwmuso.exe 1516 "C:\Windows\SysWOW64\lufwcwg.exe"28⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:704 -
C:\Windows\SysWOW64\qtkwjsp.exeC:\Windows\system32\qtkwjsp.exe 1312 "C:\Windows\SysWOW64\nmwmuso.exe"29⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4396 -
C:\Windows\SysWOW64\yljoqyt.exeC:\Windows\system32\yljoqyt.exe 1372 "C:\Windows\SysWOW64\qtkwjsp.exe"30⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2456 -
C:\Windows\SysWOW64\dgdrbvt.exeC:\Windows\system32\dgdrbvt.exe 1532 "C:\Windows\SysWOW64\yljoqyt.exe"31⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4012 -
C:\Windows\SysWOW64\fbguwva.exeC:\Windows\system32\fbguwva.exe 1344 "C:\Windows\SysWOW64\dgdrbvt.exe"32⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:312 -
C:\Windows\SysWOW64\ihmflnj.exeC:\Windows\system32\ihmflnj.exe 1528 "C:\Windows\SysWOW64\fbguwva.exe"33⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3832 -
C:\Windows\SysWOW64\sdnptik.exeC:\Windows\system32\sdnptik.exe 1540 "C:\Windows\SysWOW64\ihmflnj.exe"34⤵
- Executes dropped EXE
PID:960 -
C:\Windows\SysWOW64\yphsdek.exeC:\Windows\system32\yphsdek.exe 1340 "C:\Windows\SysWOW64\sdnptik.exe"35⤵
- Executes dropped EXE
- NTFS ADS
PID:3568 -
C:\Windows\SysWOW64\gqgsklo.exeC:\Windows\system32\gqgsklo.exe 1328 "C:\Windows\SysWOW64\yphsdek.exe"36⤵
- Executes dropped EXE
PID:4856 -
C:\Windows\SysWOW64\iaxichw.exeC:\Windows\system32\iaxichw.exe 1392 "C:\Windows\SysWOW64\gqgsklo.exe"37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2016 -
C:\Windows\SysWOW64\lgetszx.exeC:\Windows\system32\lgetszx.exe 1336 "C:\Windows\SysWOW64\iaxichw.exe"38⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\sloyjka.exeC:\Windows\system32\sloyjka.exe 1400 "C:\Windows\SysWOW64\lgetszx.exe"39⤵
- Executes dropped EXE
PID:4496 -
C:\Windows\SysWOW64\aajtnuf.exeC:\Windows\system32\aajtnuf.exe 1408 "C:\Windows\SysWOW64\sloyjka.exe"40⤵
- Executes dropped EXE
- Modifies registry class
PID:4904 -
C:\Windows\SysWOW64\xxitobk.exeC:\Windows\system32\xxitobk.exe 1564 "C:\Windows\SysWOW64\aajtnuf.exe"41⤵
- Checks BIOS information in registry
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\dzzoezq.exeC:\Windows\system32\dzzoezq.exe 1412 "C:\Windows\SysWOW64\xxitobk.exe"42⤵
- Checks BIOS information in registry
- Executes dropped EXE
PID:1244 -
C:\Windows\SysWOW64\nroljps.exeC:\Windows\system32\nroljps.exe 1580 "C:\Windows\SysWOW64\dzzoezq.exe"43⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\tplbxqr.exeC:\Windows\system32\tplbxqr.exe 1388 "C:\Windows\SysWOW64\nroljps.exe"44⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\vkoesqy.exeC:\Windows\system32\vkoesqy.exe 1588 "C:\Windows\SysWOW64\tplbxqr.exe"45⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Modifies registry class
PID:1248 -
C:\Windows\SysWOW64\dzcrvbd.exeC:\Windows\system32\dzcrvbd.exe 1420 "C:\Windows\SysWOW64\vkoesqy.exe"46⤵
- Executes dropped EXE
- Modifies registry class
PID:3124 -
C:\Windows\SysWOW64\fyoogad.exeC:\Windows\system32\fyoogad.exe 1584 "C:\Windows\SysWOW64\dzcrvbd.exe"47⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\khwjwxj.exeC:\Windows\system32\khwjwxj.exe 1424 "C:\Windows\SysWOW64\fyoogad.exe"48⤵
- Executes dropped EXE
PID:116 -
C:\Windows\SysWOW64\aitzxgh.exeC:\Windows\system32\aitzxgh.exe 1320 "C:\Windows\SysWOW64\khwjwxj.exe"49⤵
- Executes dropped EXE
PID:4908 -
C:\Windows\SysWOW64\nzouggm.exeC:\Windows\system32\nzouggm.exe 1436 "C:\Windows\SysWOW64\aitzxgh.exe"50⤵
- Executes dropped EXE
- Drops file in System32 directory
- NTFS ADS
PID:1104 -
C:\Windows\SysWOW64\vanuvvi.exeC:\Windows\system32\vanuvvi.exe 1460 "C:\Windows\SysWOW64\nzouggm.exe"51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:956 -
C:\Windows\SysWOW64\chiuhks.exeC:\Windows\system32\chiuhks.exe 1404 "C:\Windows\SysWOW64\vanuvvi.exe"52⤵
- Executes dropped EXE
- Modifies registry class
PID:1116 -
C:\Windows\SysWOW64\nzysmau.exeC:\Windows\system32\nzysmau.exe 1612 "C:\Windows\SysWOW64\chiuhks.exe"53⤵
- Executes dropped EXE
PID:3564 -
C:\Windows\SysWOW64\sxvizbt.exeC:\Windows\system32\sxvizbt.exe 1620 "C:\Windows\SysWOW64\nzysmau.exe"54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3328 -
C:\Windows\SysWOW64\pvciaig.exeC:\Windows\system32\pvciaig.exe 1616 "C:\Windows\SysWOW64\sxvizbt.exe"55⤵
- Executes dropped EXE
PID:4316 -
C:\Windows\SysWOW64\sftyteo.exeC:\Windows\system32\sftyteo.exe 1636 "C:\Windows\SysWOW64\pvciaig.exe"56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:628 -
C:\Windows\SysWOW64\uliiiwp.exeC:\Windows\system32\uliiiwp.exe 1448 "C:\Windows\SysWOW64\sftyteo.exe"57⤵
- Executes dropped EXE
PID:856 -
C:\Windows\SysWOW64\iyryoso.exeC:\Windows\system32\iyryoso.exe 1468 "C:\Windows\SysWOW64\uliiiwp.exe"58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4228 -
C:\Windows\SysWOW64\sqhdtqq.exeC:\Windows\system32\sqhdtqq.exe 1268 "C:\Windows\SysWOW64\iyryoso.exe"59⤵
- Executes dropped EXE
PID:3452 -
C:\Windows\SysWOW64\cptbdpx.exeC:\Windows\system32\cptbdpx.exe 1384 "C:\Windows\SysWOW64\sqhdtqq.exe"60⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3912 -
C:\Windows\SysWOW64\nlulljy.exeC:\Windows\system32\nlulljy.exe 1368 "C:\Windows\SysWOW64\cptbdpx.exe"61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:676 -
C:\Windows\SysWOW64\xgneaez.exeC:\Windows\system32\xgneaez.exe 1416 "C:\Windows\SysWOW64\nlulljy.exe"62⤵
- Executes dropped EXE
PID:3880 -
C:\Windows\SysWOW64\lqtgdvz.exeC:\Windows\system32\lqtgdvz.exe 1492 "C:\Windows\SysWOW64\xgneaez.exe"63⤵
- Checks BIOS information in registry
- Executes dropped EXE
PID:1428 -
C:\Windows\SysWOW64\xszwpid.exeC:\Windows\system32\xszwpid.exe 1508 "C:\Windows\SysWOW64\lqtgdvz.exe"64⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\hrltzhl.exeC:\Windows\system32\hrltzhl.exe 1668 "C:\Windows\SysWOW64\xszwpid.exe"65⤵
- Executes dropped EXE
PID:3972 -
C:\Windows\SysWOW64\vbrwcgl.exeC:\Windows\system32\vbrwcgl.exe 1512 "C:\Windows\SysWOW64\hrltzhl.exe"66⤵
- Executes dropped EXE
- Modifies registry class
PID:1076 -
C:\Windows\SysWOW64\iobuikj.exeC:\Windows\system32\iobuikj.exe 1664 "C:\Windows\SysWOW64\vbrwcgl.exe"67⤵
- Drops file in System32 directory
PID:3536 -
C:\Windows\SysWOW64\sjcexek.exeC:\Windows\system32\sjcexek.exe 1480 "C:\Windows\SysWOW64\iobuikj.exe"68⤵
- Drops file in System32 directory
PID:1408 -
C:\Windows\SysWOW64\cigcids.exeC:\Windows\system32\cigcids.exe 1396 "C:\Windows\SysWOW64\sjcexek.exe"69⤵
- System Location Discovery: System Language Discovery
PID:1596 -
C:\Windows\SysWOW64\qvxrozq.exeC:\Windows\system32\qvxrozq.exe 1536 "C:\Windows\SysWOW64\cigcids.exe"70⤵PID:3812
-
C:\Windows\SysWOW64\accpyyy.exeC:\Windows\system32\accpyyy.exe 1488 "C:\Windows\SysWOW64\qvxrozq.exe"71⤵PID:1652
-
C:\Windows\SysWOW64\kbouqxf.exeC:\Windows\system32\kbouqxf.exe 1472 "C:\Windows\SysWOW64\accpyyy.exe"72⤵PID:692
-
C:\Windows\SysWOW64\vudsvnz.exeC:\Windows\system32\vudsvnz.exe 1692 "C:\Windows\SysWOW64\kbouqxf.exe"73⤵PID:2544
-
C:\Windows\SysWOW64\fpwkdhi.exeC:\Windows\system32\fpwkdhi.exe 1700 "C:\Windows\SysWOW64\vudsvnz.exe"74⤵
- Drops file in System32 directory
PID:3336 -
C:\Windows\SysWOW64\pdxvscj.exeC:\Windows\system32\pdxvscj.exe 1432 "C:\Windows\SysWOW64\fpwkdhi.exe"75⤵
- System Location Discovery: System Language Discovery
PID:3952 -
C:\Windows\SysWOW64\ayynawk.exeC:\Windows\system32\ayynawk.exe 1708 "C:\Windows\SysWOW64\pdxvscj.exe"76⤵PID:4368
-
C:\Windows\SysWOW64\hdisrpm.exeC:\Windows\system32\hdisrpm.exe 1476 "C:\Windows\SysWOW64\ayynawk.exe"77⤵PID:4836
-
C:\Windows\SysWOW64\syblzkv.exeC:\Windows\system32\syblzkv.exe 1764 "C:\Windows\SysWOW64\hdisrpm.exe"78⤵PID:4460
-
C:\Windows\SysWOW64\cucvhew.exeC:\Windows\system32\cucvhew.exe 1576 "C:\Windows\SysWOW64\syblzkv.exe"79⤵PID:1572
-
C:\Windows\SysWOW64\phtlmiv.exeC:\Windows\system32\phtlmiv.exe 1560 "C:\Windows\SysWOW64\cucvhew.exe"80⤵
- System Location Discovery: System Language Discovery
PID:4124 -
C:\Windows\SysWOW64\cfonvia.exeC:\Windows\system32\cfonvia.exe 1504 "C:\Windows\SysWOW64\phtlmiv.exe"81⤵
- Checks BIOS information in registry
PID:1780 -
C:\Windows\SysWOW64\qpuyyis.exeC:\Windows\system32\qpuyyis.exe 1524 "C:\Windows\SysWOW64\cfonvia.exe"82⤵PID:3428
-
C:\Windows\SysWOW64\xwiqsxc.exeC:\Windows\system32\xwiqsxc.exe 1728 "C:\Windows\SysWOW64\qpuyyis.exe"83⤵PID:5084
-
C:\Windows\SysWOW64\kgotvxc.exeC:\Windows\system32\kgotvxc.exe 1592 "C:\Windows\SysWOW64\xwiqsxc.exe"84⤵
- System Location Discovery: System Language Discovery
PID:2292 -
C:\Windows\SysWOW64\vfaygwj.exeC:\Windows\system32\vfaygwj.exe 1552 "C:\Windows\SysWOW64\kgotvxc.exe"85⤵PID:800
-
C:\Windows\SysWOW64\xxqwsmd.exeC:\Windows\system32\xxqwsmd.exe 1600 "C:\Windows\SysWOW64\vfaygwj.exe"86⤵PID:3508
-
C:\Windows\SysWOW64\itjoagm.exeC:\Windows\system32\itjoagm.exe 1596 "C:\Windows\SysWOW64\xxqwsmd.exe"87⤵
- NTFS ADS
PID:1880 -
C:\Windows\SysWOW64\ssvmkfu.exeC:\Windows\system32\ssvmkfu.exe 1752 "C:\Windows\SysWOW64\itjoagm.exe"88⤵PID:2568
-
C:\Windows\SysWOW64\crzjdet.exeC:\Windows\system32\crzjdet.exe 1220 "C:\Windows\SysWOW64\ssvmkfu.exe"89⤵
- System Location Discovery: System Language Discovery
PID:5104 -
C:\Windows\SysWOW64\mmaukyc.exeC:\Windows\system32\mmaukyc.exe 1548 "C:\Windows\SysWOW64\crzjdet.exe"90⤵PID:5052
-
C:\Windows\SysWOW64\awgenyu.exeC:\Windows\system32\awgenyu.exe 1772 "C:\Windows\SysWOW64\mmaukyc.exe"91⤵PID:3352
-
C:\Windows\SysWOW64\haqjxrf.exeC:\Windows\system32\haqjxrf.exe 1632 "C:\Windows\SysWOW64\awgenyu.exe"92⤵
- Drops file in System32 directory
PID:2164 -
C:\Windows\SysWOW64\ssgpkhy.exeC:\Windows\system32\ssgpkhy.exe 1572 "C:\Windows\SysWOW64\haqjxrf.exe"93⤵PID:4272
-
C:\Windows\SysWOW64\fmmfvll.exeC:\Windows\system32\fmmfvll.exe 1640 "C:\Windows\SysWOW64\ssgpkhy.exe"94⤵PID:2428
-
C:\Windows\SysWOW64\mqwkffo.exeC:\Windows\system32\mqwkffo.exe 1604 "C:\Windows\SysWOW64\fmmfvll.exe"95⤵PID:3836
-
C:\Windows\SysWOW64\xjeprvq.exeC:\Windows\system32\xjeprvq.exe 1556 "C:\Windows\SysWOW64\mqwkffo.exe"96⤵
- NTFS ADS
PID:2020 -
C:\Windows\SysWOW64\ibtvwlj.exeC:\Windows\system32\ibtvwlj.exe 1624 "C:\Windows\SysWOW64\xjeprvq.exe"97⤵
- Drops file in System32 directory
PID:1420 -
C:\Windows\SysWOW64\sagshkr.exeC:\Windows\system32\sagshkr.exe 1660 "C:\Windows\SysWOW64\ibtvwlj.exe"98⤵
- Checks BIOS information in registry
- NTFS ADS
PID:3348 -
C:\Windows\SysWOW64\csvytat.exeC:\Windows\system32\csvytat.exe 1652 "C:\Windows\SysWOW64\sagshkr.exe"99⤵
- Modifies registry class
- NTFS ADS
PID:3916 -
C:\Windows\SysWOW64\kajqgpd.exeC:\Windows\system32\kajqgpd.exe 1812 "C:\Windows\SysWOW64\csvytat.exe"100⤵
- Modifies registry class
PID:4564 -
C:\Windows\SysWOW64\xjpsjpu.exeC:\Windows\system32\xjpsjpu.exe 1656 "C:\Windows\SysWOW64\kajqgpd.exe"101⤵PID:3416
-
C:\Windows\SysWOW64\hibytnc.exeC:\Windows\system32\hibytnc.exe 1644 "C:\Windows\SysWOW64\xjpsjpu.exe"102⤵PID:4568
-
C:\Windows\SysWOW64\sarvgee.exeC:\Windows\system32\sarvgee.exe 1684 "C:\Windows\SysWOW64\hibytnc.exe"103⤵PID:4804
-
C:\Windows\SysWOW64\cwkonyf.exeC:\Windows\system32\cwkonyf.exe 1824 "C:\Windows\SysWOW64\sarvgee.exe"104⤵
- Checks BIOS information in registry
- NTFS ADS
PID:3100 -
C:\Windows\SysWOW64\kefgioo.exeC:\Windows\system32\kefgioo.exe 1676 "C:\Windows\SysWOW64\cwkonyf.exe"105⤵
- Drops file in System32 directory
- Modifies registry class
- NTFS ADS
PID:4020 -
C:\Windows\SysWOW64\xnljlno.exeC:\Windows\system32\xnljlno.exe 1688 "C:\Windows\SysWOW64\kefgioo.exe"106⤵
- NTFS ADS
PID:4276 -
C:\Windows\SysWOW64\evzjxcq.exeC:\Windows\system32\evzjxcq.exe 1836 "C:\Windows\SysWOW64\xnljlno.exe"107⤵
- Modifies registry class
PID:4244 -
C:\Windows\SysWOW64\pnogkbs.exeC:\Windows\system32\pnogkbs.exe 1696 "C:\Windows\SysWOW64\evzjxcq.exe"108⤵PID:3532
-
C:\Windows\SysWOW64\aipzrvs.exeC:\Windows\system32\aipzrvs.exe 1680 "C:\Windows\SysWOW64\pnogkbs.exe"109⤵PID:4660
-
C:\Windows\SysWOW64\nvhoxrz.exeC:\Windows\system32\nvhoxrz.exe 1712 "C:\Windows\SysWOW64\aipzrvs.exe"110⤵PID:4772
-
C:\Windows\SysWOW64\udugjob.exeC:\Windows\system32\udugjob.exe 1704 "C:\Windows\SysWOW64\nvhoxrz.exe"111⤵
- Checks BIOS information in registry
PID:2172 -
C:\Windows\SysWOW64\fvkmwed.exeC:\Windows\system32\fvkmwed.exe 1720 "C:\Windows\SysWOW64\udugjob.exe"112⤵PID:5044
-
C:\Windows\SysWOW64\prleezd.exeC:\Windows\system32\prleezd.exe 1864 "C:\Windows\SysWOW64\fvkmwed.exe"113⤵PID:2256
-
C:\Windows\SysWOW64\zmmpltm.exeC:\Windows\system32\zmmpltm.exe 1568 "C:\Windows\SysWOW64\prleezd.exe"114⤵
- Checks BIOS information in registry
PID:4600 -
C:\Windows\SysWOW64\hjocdfp.exeC:\Windows\system32\hjocdfp.exe 1724 "C:\Windows\SysWOW64\zmmpltm.exe"115⤵
- Drops file in System32 directory
PID:2052 -
C:\Windows\SysWOW64\pnyhmqs.exeC:\Windows\system32\pnyhmqs.exe 1736 "C:\Windows\SysWOW64\hjocdfp.exe"116⤵PID:3172
-
C:\Windows\SysWOW64\zizacka.exeC:\Windows\system32\zizacka.exe 1544 "C:\Windows\SysWOW64\pnyhmqs.exe"117⤵
- Checks BIOS information in registry
- Drops file in System32 directory
- NTFS ADS
PID:3852 -
C:\Windows\SysWOW64\keakjnb.exeC:\Windows\system32\keakjnb.exe 1716 "C:\Windows\SysWOW64\zizacka.exe"118⤵
- System Location Discovery: System Language Discovery
PID:1268 -
C:\Windows\SysWOW64\uasurhc.exeC:\Windows\system32\uasurhc.exe 1744 "C:\Windows\SysWOW64\keakjnb.exe"119⤵PID:4744
-
C:\Windows\SysWOW64\fsiaexe.exeC:\Windows\system32\fsiaexe.exe 1756 "C:\Windows\SysWOW64\uasurhc.exe"120⤵
- NTFS ADS
PID:1760 -
C:\Windows\SysWOW64\pruxowl.exeC:\Windows\system32\pruxowl.exe 1608 "C:\Windows\SysWOW64\fsiaexe.exe"121⤵PID:4664
-
C:\Windows\SysWOW64\zjkdtmf.exeC:\Windows\system32\zjkdtmf.exe 1760 "C:\Windows\SysWOW64\pruxowl.exe"122⤵
- Modifies registry class
- NTFS ADS
PID:4888