Analysis
max time kernel: 149s
max time network: 145s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 05/10/2024, 05:20
Static task: static1
Behavioral task: behavioral1
Sample: 1651bcc888424d427c01013e8e798903_JaffaCakes118.dll
Resource: win7-20240903-en

General
Target: 1651bcc888424d427c01013e8e798903_JaffaCakes118.dll
Size: 178KB
MD5: 1651bcc888424d427c01013e8e798903
SHA1: 9c41ee9dcfc7aef934bda221c5713598a8353107
SHA256: c13d67f1836cacca25cf768824de9f481d6cc3e862bcae2bb0e086189cecd03d
SHA512: 89e3953e7de2f82182ce485d6840693591235bf9a4d58f558d0fee992d74c9ffe8dbf4154f80ad85a19702181475eb478c90f3eb29c345070ebacead6bb9e997
SSDEEP: 3072:x4yriLc3IcqB0NljYUvfT/SmNp94Z7yifCKXZ5q1n3hApWQrIcH2zAn:1uLRcZBPvukp4lCKXZ5q1Rqr
Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Users\\Admin\\AppData\\Local\\vttrectj\\ealerfda.exe"
Process: svchost.exe

UAC bypass
description: Set value (int)
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Process: svchost.exe
Drops startup file 2 IoCs
description: File opened for modification
ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ealerfda.exe
Process: svchost.exe

description: File created
ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ealerfda.exe
Process: svchost.exe
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Adds Run key to start application 2 TTPs 1 IoCs
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\EalErfda = "C:\\Users\\Admin\\AppData\\Local\\vttrectj\\ealerfda.exe"
Process: svchost.exe
Suspicious use of SetThreadContext 48 IoCs
yara rule upx matched in behavioral1 memory dumps
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies Internet Explorer settings: registry keys under \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer created and set by IEXPLORE.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process
2072 IEXPLORE.EXE
2072 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 12 IoCs
pid Process
2072 IEXPLORE.EXE
2072 IEXPLORE.EXE
2680 IEXPLORE.EXE
2680 IEXPLORE.EXE
2680 IEXPLORE.EXE
2680 IEXPLORE.EXE
2072 IEXPLORE.EXE
2072 IEXPLORE.EXE
2928 IEXPLORE.EXE
2928 IEXPLORE.EXE
2928 IEXPLORE.EXE
2928 IEXPLORE.EXE
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
Each entry gives the process-tree depth, the image path, the PID, the command line as recorded, and the signatures triggered by that process.

Depth 1: C:\Windows\system32\regsvr32.exe (PID 2012)
Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1651bcc888424d427c01013e8e798903_JaffaCakes118.dll
- Suspicious use of WriteProcessMemory

Depth 2: C:\Windows\SysWOW64\regsvr32.exe (PID 1756)
Command line: /s C:\Users\Admin\AppData\Local\Temp\1651bcc888424d427c01013e8e798903_JaffaCakes118.dll
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

Depth 3: C:\Users\Admin\AppData\Local\Temp\p7q0EPZi (PID 2108)
Command line: "p7q0EPZi"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Depth 4: C:\Users\Admin\AppData\Local\Temp\p7q0EPZi (PID 1544)
Command line: C:\Users\Admin\AppData\Local\Temp\p7q0EPZi
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 5: C:\Windows\SysWOW64\svchost.exe (PID 2640)
Command line: C:\Windows\system32\svchost.exe
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken

Depth 5: C:\Windows\SysWOW64\svchost.exe (PID 2660)
Command line: C:\Windows\system32\svchost.exe
- Modifies WinLogon for persistence
- UAC bypass
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

Depth 5: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 1920)
Command line: "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Depth 6: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 1872)
Command line: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 7: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 624)
Command line: "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Depth 8: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 2020)
Command line: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 9: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 1796)
Command line: "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Depth 10: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 2916)
Command line: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken

Depth 11: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 1980)
Command line: "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Depth 12: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 408)
Command line: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken

Depth 13: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 964)
Command line: "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Depth 14: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 1320)
Command line: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken

Depth 15: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 864)
Command line: "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Depth 16: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 2116)
Command line: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken

Depth 17: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 1424)
Command line: "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Depth 18: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 1292)
Command line: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken

Depth 19: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 236)
Command line: "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Depth 20: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 1360)
Command line: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken

Depth 21: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 896)
Command line: "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Depth 22: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 2208)
Command line: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken

Depth 23: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 2488)
Command line: "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Depth 24: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 2336)
Command line: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken

Depth 25: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 2176)
Command line: "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Depth 26: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 2708)
Command line: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken

Depth 27: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 2812)
Command line: "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext

Depth 28: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 2828)
Command line: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken

Depth 29: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 1740)
Command line: "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Depth 30: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 2008)
Command line: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken

Depth 31: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 680)
Command line: "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext

Depth 32: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 2524)
Command line: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken

Depth 33: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 1704)
Command line: "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Depth 34: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 2988)
Command line: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken

Depth 35: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 2876)
Command line: "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Depth 36: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 2868)
Command line: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken

Depth 37: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 1980)
Command line: "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Depth 38: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 1624)
Command line: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken

Depth 39: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 1804)
Command line: "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Depth 40: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 1296)
Command line: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken

Depth 41: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 904)
Command line: "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext

Depth 42: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 2852)
Command line: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken

Depth 43: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 1552)
Command line: "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Depth 44: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 836)
Command line: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken

Depth 45: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 2288)
Command line: "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Depth 46: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 1448)
Command line: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken

Depth 47: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 2972)
Command line: "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Depth 48: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 1680)
Command line: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken

Depth 49: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 2992)
Command line: "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Depth 50: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 1504)
Command line: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken

Depth 51: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 2980)
Command line: "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext

Depth 52: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 2632)
Command line: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken

Depth 53: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 2924)
Command line: "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Depth 54: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 292)
Command line: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken

Depth 55: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 2416)
Command line: "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext

Depth 56: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 2824)
Command line: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken

Depth 57: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 3012)
Command line: "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext

Depth 58: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 2612)
Command line: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken

Depth 59: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 2592)
Command line: "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Depth 60: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 1920)
Command line: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken

Depth 61: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 1568)
Command line: "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Depth 62: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 1508)
Command line: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken

Depth 63: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 2568)
Command line: "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext

Depth 64: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 3020)
Command line: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

Depth 65: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 1796)
Command line: "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Depth 66: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 2908)
Command line: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
- Executes dropped EXE

Depth 67: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 2152)
Command line: "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Depth 68: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 2476)
Command line: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
- System Location Discovery: System Language Discovery

Depth 69: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 1664)
Command line: "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Depth 70: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 2480)
Command line: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

Depth 71: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 2388)
Command line: "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
- Suspicious use of SetThreadContext

Depth 72: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 1120)
Command line: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
- System Location Discovery: System Language Discovery

Depth 73: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 1736)
Command line: "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Depth 74: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 960)
Command line: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

Depth 75: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 1712)
Command line: "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Depth 76: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 2168)
Command line: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
- System Location Discovery: System Language Discovery

Depth 77: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 880)
Command line: "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Depth 78: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 1672)
Command line: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

Depth 79: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 888)
Command line: "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Depth 80: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 1880)
Command line: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

Depth 81: C:\Windows\SysWOW64\svchost.exe (PID 2512)
Command line: C:\Windows\system32\svchost.exe

Depth 81: C:\Program Files (x86)\Internet Explorer\iexplore.exe (PID 3036)
Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"

Depth 82: C:\Program Files\Internet Explorer\IEXPLORE.EXE (PID 2072)
Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx

Depth 83: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2680)
Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2072 CREDAT:275457 /prefetch:2
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx

Depth 83: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2928)
Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2072 CREDAT:275472 /prefetch:2
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx

Depth 81: C:\Windows\SysWOW64\svchost.exe (PID 2384)
Command line: C:\Windows\system32\svchost.exe

Depth 81: C:\Program Files (x86)\Internet Explorer\iexplore.exe (PID 2276)
Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
- System Location Discovery: System Language Discovery

Depth 82: C:\Program Files\Internet Explorer\IEXPLORE.EXE (PID 1432)
Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"

Depth 81: C:\Users\Admin\AppData\Local\Temp\jjwjnxqeieywgpvv.exe (PID 2176)
Command line: "C:\Users\Admin\AppData\Local\Temp\jjwjnxqeieywgpvv.exe" elevate
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Depth 82: C:\Users\Admin\AppData\Local\Temp\jjwjnxqeieywgpvv.exe (PID 2472)
Command line: C:\Users\Admin\AppData\Local\Temp\jjwjnxqeieywgpvv.exe

Depth 83: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 1904)
Command line: "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Depth 84: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 2024)
Command line: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

Depth 85: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 112)
Command line: "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Depth 86: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 2536)
Command line: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

Depth 87: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 2028)
Command line: "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Depth 88: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 2216)
Command line: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

Depth 89: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 2148)
Command line: "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
- Suspicious use of SetThreadContext

Depth 90: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 2900)
Command line: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
- System Location Discovery: System Language Discovery

Depth 91: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 2352)
Command line: "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
- Suspicious use of SetThreadContext

Depth 92: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 1180)
Command line: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
- System Location Discovery: System Language Discovery

Depth 93: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 2904)
Command line: "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
- Suspicious use of SetThreadContext

Depth 94: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 448)
Command line: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

Depth 95: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 1512)
Command line: "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
- Suspicious use of SetThreadContext

Depth 96: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 2504)
Command line: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe

Depth 97: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 1584)
Command line: "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
- Suspicious use of SetThreadContext

Depth 98: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 2496)
Command line: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
- System Location Discovery: System Language Discovery

Depth 99: C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe (PID 2140)
Command line: "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
Network
MITRE ATT&CK Enterprise v15
-
Persistence
- Boot or Logon Autostart Execution (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
-
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
-
Defense Evasion
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
- Impair Defenses (1)
- Disable or Modify Tools (1)
- Modify Registry (4)
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 352bf97ab05953ab16502f111a374ef1
SHA1: 3142221b2eedece1bdcb65dad23a410aeeb5df5e
SHA256: 7fd2d35e763abb8663fba0bc6f4a13f33e9af635a5dfd4e469e08ac534be4f3c
SHA512: d083e61b05f4c8e42eeeaa8ef082cc52b2a80b3ea77d4605e81573fd044b5ff3ca0a78d72448071b28647470394042ff193de01ec97d6a5e1ccacbeb4506d03e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: af8fe744f63c896be8adf9e218ef587f
SHA1: 8586a37098200a76daedf229b531e41b0bee8fef
SHA256: a8e42295d0269715097f8aa6f481cb30e3c8aad0e87a9dad9027e8763596c405
SHA512: b0ea32d030c9510bb7e3db10c10d5602a6d801adca67bc04ac19261b56df9c726d3648d3420224203432328cfcbef9f00068582eec7de6d9b622baf80f19d226
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: a0490f1478a5bff28a6e55ae312f3fa1
SHA1: 5d5a56828cfcb3cf52f8540420bce4282d71184c
SHA256: 434fef6ff97d5fdae762c62918aeaf2b8bb2991818d5c97a6eb702519fcca91d
SHA512: 52906e2e21d963fab28f8a2ceb0c216174f6e8d84ddb8ca246ec413e8555f27020efd0984a52091a1c02d6be95c910347b5480e1f5cc6f376fbfb90d711f5bd7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 05cab1289e0c82c2677586a6d2addd34
SHA1: 6438c420a3535b0f044d4f73113fbe62b5bb3eb2
SHA256: 2933e3788ca0ffbb4dc12753728299ca9ce4f1f5fd9cf37491c1f5c37e29156f
SHA512: 6477e3018a7a669078ac30a112224ccd796e04bcf16d5f9ac55f482e15aa9dc74c1d1efb33fec8df182d2b2efa26ba86b00baad62bb8ca0099cfeccb5f53482b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: bc8bfa975330ac9c678fd85e65744725
SHA1: 1fa27e522b02a20839fd38bb812438b7f06fa711
SHA256: c2408e939dd11a3b641e40d6fc7fee4ee145cc74de1ae32691d6cef5e5fd739c
SHA512: 50cee180e19d93b9fd15d453775336d0028818596ce82523abb738ede8e1cf62c2b36bdfe2dd1593018734ebec42b4a605462a921d9f519d185a5d421e4db08f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: b4986135a20f378142ee0f2f23dbd12a
SHA1: c505f8bacc83d7655d9a560c78b61df9114dad3e
SHA256: b9f6236838b5f4f09acf080ae0b7fd369093394f701e02697128565cb04c659b
SHA512: a468ffa1a0a545e8471a3dfd6718865f657d086a702e9de5774b2c505afb7c74bb837dfd5242c0c948c42d171c844cf04c2ed769e569ca55971c01c0b13b4daf
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 86d3e53e8ccf4b1ea0d1a38e64d98ed6
SHA1: 8c228881194e0603647c2cc4466ff6f167a15100
SHA256: 44ab65146531ab74fdfd086658f5e68fed0b6ed7313e075f859c57d19e4bba87
SHA512: 2c21e95798d8cfb94b1c6e5fb7492ca9ec8107f45dd00c49594ac6635b59975a731e88ba3eadc4a89fb689e250d1c2bdbbce38a5311b709bcf3f38c410c5fc17
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: e5ef84b1484de5c8617eee4a88fed568
SHA1: 7f34570820bc5a26e3c8edbec858e836715375b5
SHA256: 34825829383d667414a0684d23531bab2500b0e9a1603d93baa2eb32509a8856
SHA512: bd958c7812d51f28e57557024ea2c3ca91fe6e8b1bed2fcf74ce445ee1c735f550ad723d770905c9604cb843854833bbae7be322a023fce91975595dce37ec3e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 47904ae1d1d8d5db898b22b815a57f32
SHA1: 2e90ef7fb6b025d2f4394e5838ed86d2b11f358f
SHA256: 85541d32a54a611e80e7d8f0bfa46397ef5ae01fab7ecea1db5e954c2c681069
SHA512: a09230e15847de68d8a9b571add1553059bfd5a9785388ec4b0564fcb24224687784b5c0df16f6128a9054422d8db0b8357f2f847af920bad22441e9b8bc9866
-
Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize: 181KB
MD5: 4ea6026cf93ec6338144661bf1202cd1
SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize: 169KB
MD5: 8d7fffdc5fa650429e06d7d7f9b9e639
SHA1: f072366e3522f1ae05704410af710f95daab57a9
SHA256: 6f64930ab0dae493aa7adce4f1b8687b99d3b4a57b52f760acd1de61ce12a8e3
SHA512: 91c4a6760117be43ecf73e035e1a07009af82a81aafe8f78f86938c341018b49e8f20a7ec71a27882ca31719d42ca764702e0be13a378d53fbc2f4bb910da8cf