Analysis

max time kernel: 71s
max time network: 125s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
submitted: 26-11-2024 14:22

Static task: static1
Behavioral task: behavioral1
  Sample: a26906c09acbcd300aa4a7f237249282_JaffaCakes118.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: a26906c09acbcd300aa4a7f237249282_JaffaCakes118.exe
  Resource: win10v2004-20241007-en

The signature section below is the behavioral1 (Windows 7 x64) run; every YARA match in it is tagged behavioral1.

General

Target: a26906c09acbcd300aa4a7f237249282_JaffaCakes118.exe
Size: 74KB
MD5: a26906c09acbcd300aa4a7f237249282
SHA1: 294868f580a8cf338ca7fcd2a713b8b6b84434d1
SHA256: 20165d77c3851851b5df4fa23850bf02ebf990fbb80d387d0007b4ba52ac64a3
SHA512: 034a75a85e31cc8532823ecdb22f076af386fcda6f750c15e44d13d811d4646bf5b6fd28764e04bb8e1c36c4ec27b1a6fd2b7b3d256a1d36cef3cd108e56daea
SSDEEP: 1536:IVd5aji/ori2ozCLWpvQxJtdXVIvyU7aSYCQXD:IVd5ajJrolpIxJt3IvX2aiD
Malware Config
Signatures
Detected Xorist Ransomware (1 IoC)
resource | yara_rule
behavioral1/memory/2776-204-0x0000000000400000-0x0000000000414000-memory.dmp | family_xorist
The match is on a memory dump of pid 2776 (Pizdec.exe) at image base 0x400000, i.e. on the unpacked code rather than on the file; the same region also mat​ches the upx rule below.
Xorist Ransomware
Xorist is a ransomware family produced by a point-and-click builder and in circulation since around 2010. Variants encrypt files with a hard-coded XOR or TEA key, append a builder-chosen extension (the one registered in this run is .EnCiPhErEd11143, see the Classes keys at the end of this report) and drop a ransom note into every directory they traverse. The note name recorded throughout this report, ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt, is the Windows-1251 (Cyrillic) filename КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt ("HOW TO DECRYPT FILES.txt") rendered through the sandbox's en-US cp1252 code page, so the IoC as written is exactly what an English-locale host will show on disk.
Xorist family
Renames multiple (2170) files with added filename extension
Mass renaming with one appended extension is consistent with ransomware encrypting files across the whole system; the count is high even on a bare VM because the walk covers WinSxS, the GAC and driver stores (see the directory tables below).
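Two checks a responder can run against file telemetry for this behaviour, as an added example that is not part of the sandbox report or of the sample: the first recovers the real ransom-note filename from the mojibake form the report shows (Windows-1251 bytes displayed through cp1252); the second is the "many files renamed with the same appended extension" logic behind the signature above, run over constructed rename events that reuse this report's pid 2776 / Pizdec.exe and the .EnCiPhErEd11143 extension from the Classes keys below. The file paths, timestamps, the explorer.exe contrast events and the threshold and window values are assumptions.

```python
"""Added example: decode the mojibake ransom-note name and detect an
extension-append rename burst. Events are constructed; see lead-in."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Iterable, Optional

MOJIBAKE_NOTE = "ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt"   # note name exactly as the report shows it
XORIST_EXT = ".EnCiPhErEd11143"                # extension registered under HKLM\SOFTWARE\Classes in this run


def decode_note_name(name: str, shown_as: str = "cp1252", actual: str = "cp1251") -> str:
    """Undo a code-page mix-up: the en-US sandbox displayed Windows-1251 (Cyrillic)
    filename bytes as cp1252 text. Re-encoding as cp1252 gives the raw bytes back;
    decoding them as cp1251 yields the name the author actually wrote."""
    return name.encode(shown_as).decode(actual)


def appended_extension(old: str, new: str) -> Optional[str]:
    """Return the suffix a rename appended (old + suffix == new, suffix starts with '.'),
    or None when the rename changed the name in any other way (e.g. a.tmp -> a.pdf)."""
    if new.startswith(old) and new[len(old):].startswith("."):
        return new[len(old):]
    return None


def rename_bursts(events: Iterable[tuple], threshold: int = 20,
                  window: timedelta = timedelta(seconds=60)) -> list:
    """events: (timestamp, pid, process, old_path, new_path) as a file-rename log would give.
    Flag every (pid, process, suffix) that appended the same suffix to at least `threshold`
    files inside some `window`; report the peak count seen in one window."""
    times = defaultdict(list)
    for ts, pid, proc, old, new in events:
        suffix = appended_extension(old, new)
        if suffix:
            times[(pid, proc, suffix)].append(ts)
    hits = []
    for (pid, proc, suffix), ts_list in times.items():
        ts_list.sort()
        peak, lo = 0, 0
        for hi, t in enumerate(ts_list):          # two-pointer sliding window
            while t - ts_list[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            hits.append({"pid": pid, "process": proc, "extension": suffix, "peak": peak})
    return hits


def sample_events() -> list:
    """Constructed telemetry (assumption, not from the report): 25 renames by pid 2776
    Pizdec.exe half a second apart, plus two benign explorer.exe renames for contrast."""
    t0 = datetime(2024, 11, 26, 14, 23, 0)
    evts = [(t0 + timedelta(milliseconds=500 * i), 2776, "Pizdec.exe",
             rf"C:\Users\Admin\Documents\report{i}.docx",
             rf"C:\Users\Admin\Documents\report{i}.docx{XORIST_EXT}")
            for i in range(25)]
    evts.append((t0 + timedelta(seconds=3), 1480, "explorer.exe",
                 r"C:\Users\Admin\Desktop\notes.txt", r"C:\Users\Admin\Desktop\notes.txt.bak"))
    evts.append((t0 + timedelta(seconds=4), 1480, "explorer.exe",
                 r"C:\Users\Admin\Downloads\a.tmp", r"C:\Users\Admin\Downloads\a.pdf"))
    return evts


if __name__ == "__main__":
    print(decode_note_name(MOJIBAKE_NOTE))       # КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt
    for hit in rename_bursts(sample_events()):
        print(hit)
```

The burst rule keys on (pid, process, suffix) rather than on extension alone so that a single explorer.exe `.bak` rename never accumulates against the ransomware's count; on real telemetry tune `threshold` and `window` to the host's normal churn, and remember that a PID can be reused within the window (this report shows exactly that for StupitHack.exe).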
Drops file in Drivers directory (8 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\drivers\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\SysWOW64\drivers\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\SysWOW64\drivers\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\SysWOW64\drivers\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File opened for modification | C:\Windows\SysWOW64\drivers\gmreadme.txt | Pizdec.exe
File created | C:\Windows\SysWOW64\drivers\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\SysWOW64\drivers\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\SysWOW64\drivers\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
Deletes itself (1 IoC)
pid | Process
2864 | cmd.exe
The deletion is attributed to cmd.exe (pid 2864): the sample removes its own on-disk image through a spawned command shell rather than from its own process, the usual way around the lock Windows holds on a running executable.
Drops startup file (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
Executes dropped EXE (64 IoCs)
Process | pids
Pizdec.exe | 2776
StupitHack.exe (63 instances) | 2104 2408 2480 1256 748 2552 2932 1704 2100 1988 2784 1484 2956 1700 2104 2424 2352 2608 2304 2400 2536 2264 2584 716 520 944 2416 980 2628 1540 1492 1860 1348 296 1736 2036 1596 1684 1288 1796 680 2292 2904 1996 1984 2688 2500 2884 2680 1964 2356 2960 2080 2380 1316 1772 2624 1632 2600 1704 2912 108 1996
Several PIDs recur (2104, 1704, 1996): the StupitHack.exe instances are short-lived and Windows reuses their PIDs, so a PID alone does not identify one instance in this run.
Loads dropped DLL (64 IoCs)
Process | pids
a26906c09acbcd300aa4a7f237249282_JaffaCakes118.exe | 2888 2888 2888 (three dropped-DLL loads by the original sample)
StupitHack.exe | 2104 2408 2480 1256 748 2552 2932 1704 2100 1988 2784 1484 2956 1700 2104 2424 2352 2608 2304 2400 2536 2264 2584 716 520 944 2416 980 2628 1540 1492 1860 1348 296 1736 2036 1596 1684 1288 1796 680 2292 2904 1996 1984 2688 2500 2884 2680 1964 2356 2960 2080 2380 1316 1772 2624 1632 2600 1704 2912
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and form data. No IoC rows were recorded for this signature in this run, so it rests on the TTP match alone.
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MD79PFRQ4de5n55.exe" | Pizdec.exe
The value lands under Wow6432Node because Pizdec.exe runs as a 32-bit process writing HKLM\SOFTWARE on a 64-bit host, so the registry redirector maps it into the 32-bit view; a hunt for this autostart has to query both views (or open the 32-bit view explicitly). The target is an executable in the user's local Temp directory, a location no legitimate autostart points to.
Indicator Removal: File Deletion (1 TTP)
MITRE ATT&CK T1070.004. Adversaries may delete files left behind by their intrusion activity; in this run that is the self-deletion through cmd.exe recorded above.
Drops file in System32 directory (64 IoCs)
StupitHack.exe repeatedly creates and rewrites its own copy at C:\Windows\SysWOW64\StupitHack.exe (a 32-bit process, so a write aimed at System32 is redirected to SysWOW64); rows attributed to "Process not Found" come from instances that had already exited when the sandbox resolved the PID. The Pizdec.exe rows are the ransom note being dropped and PowerShell help files being rewritten in place.
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\StupitHack.exe | StupitHack.exe
File opened for modification | C:\Windows\SysWOW64\StupitHack.exe | StupitHack.exe
File created | C:\Windows\SysWOW64\de-DE\Licenses\eval\EnterpriseN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\SysWOW64\StupitHack.exe | StupitHack.exe
File opened for modification | C:\Windows\SysWOW64\StupitHack.exe | StupitHack.exe
File opened for modification | C:\Windows\SysWOW64\StupitHack.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\StupitHack.exe | StupitHack.exe
File opened for modification | C:\Windows\SysWOW64\StupitHack.exe | StupitHack.exe
File created | C:\Windows\System32\DriverStore\FileRepository\ph3xibc9.inf_amd64_neutral_ff3a566e4b6ba035\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\System32\DriverStore\FileRepository\prnbr006.inf_amd64_neutral_f156853def526447\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File opened for modification | C:\Windows\SysWOW64\StupitHack.exe | StupitHack.exe
File opened for modification | C:\Windows\SysWOW64\StupitHack.exe | StupitHack.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_History.help.txt | Pizdec.exe
File opened for modification | C:\Windows\SysWOW64\StupitHack.exe | StupitHack.exe
File created | C:\Windows\SysWOW64\StupitHack.exe | StupitHack.exe
File created | C:\Windows\SysWOW64\StupitHack.exe | Process not Found
File created | C:\Windows\SysWOW64\StupitHack.exe | StupitHack.exe
File created | C:\Windows\SysWOW64\StupitHack.exe | StupitHack.exe
File created | C:\Windows\SysWOW64\InstallShield\setupdir\0c0c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_script_blocks.help.txt | Pizdec.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\fr-FR\about_BITS_Cmdlets.help.txt | Pizdec.exe
File created | C:\Windows\SysWOW64\StupitHack.exe | StupitHack.exe
File created | C:\Windows\SysWOW64\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File opened for modification | C:\Windows\SysWOW64\StupitHack.exe | StupitHack.exe
File created | C:\Windows\SysWOW64\StupitHack.exe | Process not Found
File created | C:\Windows\SysWOW64\StupitHack.exe | StupitHack.exe
File opened for modification | C:\Windows\SysWOW64\StupitHack.exe | StupitHack.exe
File created | C:\Windows\SysWOW64\StupitHack.exe | StupitHack.exe
File opened for modification | C:\Windows\SysWOW64\StupitHack.exe | StupitHack.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_remote_troubleshooting.help.txt | Pizdec.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Automatic_Variables.help.txt | Pizdec.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Core_Commands.help.txt | Pizdec.exe
File created | C:\Windows\SysWOW64\StupitHack.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\StupitHack.exe | StupitHack.exe
File created | C:\Windows\SysWOW64\StupitHack.exe | StupitHack.exe
File created | C:\Windows\SysWOW64\StupitHack.exe | StupitHack.exe
File created | C:\Windows\SysWOW64\de-DE\Licenses\eval\ProfessionalE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-shmig-DL\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\System32\DriverStore\FileRepository\prnca00f.inf_amd64_neutral_777b6911d18869b7\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\System32\DriverStore\FileRepository\prnlx009.inf_amd64_neutral_d4b76afd08f308fb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_PSSnapins.help.txt | Pizdec.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Ref.help.txt | Pizdec.exe
File created | C:\Windows\SysWOW64\StupitHack.exe | StupitHack.exe
File opened for modification | C:\Windows\SysWOW64\StupitHack.exe | StupitHack.exe
File opened for modification | C:\Windows\SysWOW64\StupitHack.exe | StupitHack.exe
File created | C:\Windows\SysWOW64\lt-LT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-Sxs\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Session_Configurations.help.txt | Pizdec.exe
File created | C:\Windows\SysWOW64\StupitHack.exe | StupitHack.exe
File created | C:\Windows\System32\DriverStore\FileRepository\hpoa1so.inf_amd64_neutral_4f1a3f1015001339\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_remote_output.help.txt | Pizdec.exe
File created | C:\Windows\SysWOW64\StupitHack.exe | Process not Found
File created | C:\Windows\SysWOW64\StupitHack.exe | StupitHack.exe
File created | C:\Windows\SysWOW64\en-US\Licenses\_Default\HomePremiumN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Continue.help.txt | Pizdec.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_WS-Management_Cmdlets.help.txt | Pizdec.exe
File created | C:\Windows\SysWOW64\StupitHack.exe | StupitHack.exe
File created | C:\Windows\System32\DriverStore\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\SysWOW64\StupitHack.exe | StupitHack.exe
File created | C:\Windows\SysWOW64\StupitHack.exe | StupitHack.exe
File created | C:\Windows\SysWOW64\StupitHack.exe | StupitHack.exe
File opened for modification | C:\Windows\SysWOW64\StupitHack.exe | StupitHack.exe
File created | C:\Windows\SysWOW64\it-IT\Licenses\eval\UltimateE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\SysWOW64\migwiz\dlmanifests\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
YARA rule match: upx (3 IoCs)
resource | yara_rule
behavioral1/files/0x000d000000012263-3.dat | upx
behavioral1/memory/2776-15-0x0000000000400000-0x0000000000414000-memory.dmp | upx
behavioral1/memory/2776-204-0x0000000000400000-0x0000000000414000-memory.dmp | upx
The dropped file 0x000d000000012263-3.dat and both memory dumps of pid 2776 are UPX-packed. For static work, unpack the file first (upx -d) or start from the memory dump, which is where family_xorist matched; the packed file itself only matches upx.
Drops file in Program Files directory (64 IoCs)
"File created" rows are the ransom note being dropped into each directory walked; "File opened for modification" rows are victim files (images, documents, media, even a certificate) being rewritten in place.
description | ioc | Process
File created | C:\Program Files\VideoLAN\VLC\plugins\audio_filter\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_right_mouseout.png | Pizdec.exe
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178460.JPG | Pizdec.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02214_.GIF | Pizdec.exe
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-last-quarter_partly-cloudy.png | Pizdec.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT | Pizdec.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01237_.GIF | Pizdec.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Oasis\HEADER.GIF | Pizdec.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File opened for modification | C:\Program Files\7-Zip\Lang\hr.txt | Pizdec.exe
File created | C:\Program Files\Microsoft Games\Multiplayer\Checkers\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.es\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\PREVIEW.GIF | Pizdec.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\HEADER.GIF | Pizdec.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Passport_PAL.wmv | Pizdec.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21335_.GIF | Pizdec.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR37F.GIF | Pizdec.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierDownArrow.jpg | Pizdec.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Program Files (x86)\Windows Sidebar\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File opened for modification | C:\Program Files\7-Zip\Lang\an.txt | Pizdec.exe
File opened for modification | C:\Program Files\CompleteRepair.odt | Pizdec.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\THMBNAIL.PNG | Pizdec.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\icon.png | Pizdec.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\6.png | Pizdec.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00130_.GIF | Pizdec.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF | Pizdec.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_Premium.gif | Pizdec.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\TAB_ON.GIF | Pizdec.exe
File created | C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0315580.JPG | Pizdec.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01304G.GIF | Pizdec.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115839.GIF | Pizdec.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\timer_over.png | Pizdec.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14882_.GIF | Pizdec.exe
File created | C:\Program Files (x86)\Windows Mail\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Program Files\Windows Mail\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382926.JPG | Pizdec.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SpringGreen\TAB_OFF.GIF | Pizdec.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_rest.png | Pizdec.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\settings.html | Pizdec.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Stars.jpg | Pizdec.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\PREVIEW.GIF | Pizdec.exe
File created | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Program Files (x86)\Windows Sidebar\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\rings-desk.png | Pizdec.exe
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386120.JPG | Pizdec.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutofSyncIconImages.jpg | Pizdec.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\button.gif | Pizdec.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_s.png | Pizdec.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\delete_over.png | Pizdec.exe
File created | C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02055_.GIF | Pizdec.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Servers\Management.cer | Pizdec.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Stationery\1033\TECHTOOL.HTM | Pizdec.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\16-on-black.gif | Pizdec.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309598.JPG | Pizdec.exe
Drops file in Windows directory (64 IoCs)
The walk reaches the WinSxS component store, both GAC roots and the native-image caches, which is where most of the 2170 renames come from on an otherwise empty VM.
description | ioc | Process
File created | C:\Windows\winsxs\amd64_microsoft-windows-l..epremiume.resources_31bf3856ad364e35_6.1.7600.16385_es-es_aa872ff79993c5bd\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Globalization\v4.0_4.0.0.0__b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-cryptui-dll.resources_31bf3856ad364e35_6.1.7601.17514_es-es_61539089b51fc4e0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-s..ordinator.resources_31bf3856ad364e35_6.1.7601.17514_it-it_c8a2cc139113dac5\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-s..vault-cpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_f4cd822e26c1b353\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\assembly\GAC_MSIL\TaskScheduler.Resources\6.1.0.0_es_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c02a16e1ae17ab94\about_remote.help.txt | Pizdec.exe
File created | C:\Windows\inf\ESENT\0410\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation\SQL\ja\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-i..tional-codepage-870_31bf3856ad364e35_6.1.7600.16385_none_2adf2efab4e0d9c8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\assembly\GAC_MSIL\System.Windows.Presentation.resources\3.5.0.0_it_b77a5c561934e089\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\diagnostics\system\DeviceCenter\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\winsxs\amd64_adp94xx.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_7d1934d0258df2c9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\assembly\GAC_MSIL\Microsoft.Jscript.resources\8.0.0.0_fr_b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml.XPath.XDocument\v4.0_4.0.0.0__b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-e..gadgetxml.resources_31bf3856ad364e35_6.1.7600.16385_es-es_901b335e29d329ab\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_5c4791cafd126e03\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-i..l-keyboard-00000843_31bf3856ad364e35_6.1.7600.16385_none_441dca567d53951f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-l..omebasicn.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_1a7b58bf239bbd92\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-processmodel.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a119d2e3a5767adf\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\Microsoft.NET\Framework\v3.5\1036\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-a..iles-help.resources_31bf3856ad364e35_6.1.7600.16385_es-es_ebd6917fd6440ec3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-extrac32.resources_31bf3856ad364e35_6.1.7600.16385_es-es_67144e9e0af59827\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-enhancedvideorenderer_31bf3856ad364e35_6.1.7601.17514_none_edc8831ae3260955\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-openfiles.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d513f7ac93221150\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\assembly\GAC_MSIL\SrpUxSnapIn.resources\6.1.0.0_ja_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Pres#\fee2bbfe0b8f5988a3ab7a9db85c7a30\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-help-license.resources_31bf3856ad364e35_6.1.7600.16385_es-es_afb241b6af4af442\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-iscsi-adm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a98b594839a4e5db\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\winsxs\amd64_image.inf_31bf3856ad364e35_6.1.7600.16385_none_c079423a110e8ff9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..oundthemes-heritage_31bf3856ad364e35_6.1.7600.16385_none_5872c0830d0c4747\Windows Ding.wav | Pizdec.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-o..disc-style-huecycle_31bf3856ad364e35_6.1.7600.16385_none_810df6f57d9f2a73\NavigationRight_SelectionSubpicture.png | Pizdec.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-d..asks-sync.resources_31bf3856ad364e35_6.1.7600.16385_it-it_d4b0107c52e0a2c9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-e..atibility.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e1de9eeb9e402a99\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Serv30e99c02#\aa093ade93079bf7ac8b4446ebd6d935\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-t..framework-migration_31bf3856ad364e35_6.1.7600.16385_none_4ce62d7fd1cb54eb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-ocsetup.resources_31bf3856ad364e35_6.1.7600.16385_de-de_59042a1524a4660c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-sort.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_e4219686d4202553\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-p..ystem-web.resources_31bf3856ad364e35_6.1.7600.16385_de-de_63baff6af370f039\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-magnify.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_80523aa3c39a0c55\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-p..-localspl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_1a8ba067c513126e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-ime-korean-hwresource_31bf3856ad364e35_6.1.7600.16385_none_ac4a6957c5dbd4bb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-n..line-tool.resources_31bf3856ad364e35_6.1.7600.16385_it-it_a3a873c4a692126e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\assembly\GAC_MSIL\System.Configuration.Install.resources\2.0.0.0_it_b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Workflow.Activities\v4.0_4.0.0.0__31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-cdosys.resources_31bf3856ad364e35_6.1.7601.17514_hu-hu_a8642385afe86a68\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-i..gbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8f4e41fd5a0fa4e1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-n..35wpfcomp.resources_31bf3856ad364e35_6.1.7600.16385_de-de_1c792e5cadcd4c36\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-o..disc-style-babygirl_31bf3856ad364e35_6.1.7600.16385_none_b2bd01695c9021fd\content-background.png | Pizdec.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8bc7919d3f36cee7\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-s..es-common.resources_31bf3856ad364e35_6.1.7600.16385_en-us_341e0271bf05fe78\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\winsxs\amd64_devicepairingproxy.resources_31bf3856ad364e35_6.1.7600.16385_it-it_6976fa64f9742bce\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-atbroker.resources_31bf3856ad364e35_6.1.7600.16385_it-it_4fd8c47c12328205\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-sidebar-adm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_a611a6570549db88\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_fr_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-a..vesqmmanifestplugin_31bf3856ad364e35_6.1.7601.17514_none_756ad8eef4d0f1d0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-autoplay.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_95114bf53924b486\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-l..epremiumn.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_6128609abd76ab18\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-us-component_31bf3856ad364e35_6.1.7601.17514_none_b52573ad8e4c2d89\US-wp6.jpg | Pizdec.exe
File created | C:\Windows\assembly\GAC_MSIL\policy.3.5.System.Data.SqlServerCe.Entity\3.5.0.0__89845dcd8080cc91\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-a..ionrecord.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_1193b4bfce8dcbdf\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-hlink.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7e00139a18587871\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-n..qossnapin.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5d5df012d8c7a97f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\winsxs\amd64_adp94xx.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7d4dd7ec25670124\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
MITRE ATT&CK T1614.001. Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | StupitHack.exe (48 rows)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found (16 rows)
All 64 rows record the same key. The opens come from the dropped StupitHack.exe component, not from Pizdec.exe (the Xorist payload); the "Process not Found" rows belong to instances that had exited before the sandbox resolved their PID.
Modifies registry class 10 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd11143 Pizdec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GCUJCNQFTQMECRU\ = "CRYPTED!" Pizdec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GCUJCNQFTQMECRU\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MD79PFRQ4de5n55.exe,0" Pizdec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GCUJCNQFTQMECRU\shell\open Pizdec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GCUJCNQFTQMECRU\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MD79PFRQ4de5n55.exe" Pizdec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd11143\ = "GCUJCNQFTQMECRU" Pizdec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GCUJCNQFTQMECRU Pizdec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GCUJCNQFTQMECRU\DefaultIcon Pizdec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GCUJCNQFTQMECRU\shell\open\command Pizdec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GCUJCNQFTQMECRU\shell Pizdec.exe
Taken together these rows register a file type for the extension .EnCiPhErEd11143: the extension key's default value names the ProgID GCUJCNQFTQMECRU (friendly name "CRYPTED!"), and that ProgID's DefaultIcon and shell\open\command both point at C:\Users\Admin\AppData\Local\Temp\MD79PFRQ4de5n55.exe. Opening any file with that extension therefore launches the dropped executable. Note that the handler is a second dropped file, not Pizdec.exe itself, and MD79PFRQ4de5n55.exe does not appear in the process list below.
-
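The rows above are the textbook shape of a file-association hijack: an extension key whose default value names a ProgID, and a ProgID whose shell\open\command lives in a user-writable directory. The following Python is an added example, not part of the sandbox report and not code from the sample, that parses rows in that rendering and reports every such chain. The one-row-per-line format, the SET_VALUE_RE pattern and the list of user-writable path markers are assumptions made for this example; the sample rows are the ten entries of the table above, embedded as constructed input.

```python
import re
from typing import Dict, List

# Constructed sample input: the ten "Modifies registry class" rows from the
# report above, one per line, as the sandbox renders them. The line format is
# an assumption modelled on those rows, not the sandbox's export format.
SAMPLE_ROWS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd11143 Pizdec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GCUJCNQFTQMECRU\ = "CRYPTED!" Pizdec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GCUJCNQFTQMECRU\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MD79PFRQ4de5n55.exe,0" Pizdec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GCUJCNQFTQMECRU\shell\open Pizdec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GCUJCNQFTQMECRU\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MD79PFRQ4de5n55.exe" Pizdec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd11143\ = "GCUJCNQFTQMECRU" Pizdec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GCUJCNQFTQMECRU Pizdec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GCUJCNQFTQMECRU\DefaultIcon Pizdec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GCUJCNQFTQMECRU\shell\open\command Pizdec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GCUJCNQFTQMECRU\shell Pizdec.exe
"""

# A raw string cannot end in a backslash, so the trailing one is appended.
CLASSES_ROOT = r"\REGISTRY\MACHINE\SOFTWARE\Classes" + "\\"

# 'Set value (str) <key>\ = "<data>" <process>'. The trailing backslash on
# <key> is how the sandbox denotes the key's (Default) value.
SET_VALUE_RE = re.compile(r'^Set value \(str\) (\\REGISTRY\\\S+?)\\ = "(.*)" (\S+)$')

# Directories an unprivileged user can write to (assumed list for this
# example). A file-type handler living here was not installed by a package.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def parse_default_values(rows: str) -> Dict[str, tuple]:
    """Map each Classes subkey (relative to the Classes root) to (default data, process)."""
    defaults: Dict[str, tuple] = {}
    for line in rows.strip().splitlines():
        m = SET_VALUE_RE.match(line.strip())
        if not m:
            continue  # "Key created" rows carry no data
        key, data, process = m.groups()
        if not key.startswith(CLASSES_ROOT):
            continue
        # The report escapes backslashes inside quoted data ("C:\\Users\\...").
        defaults[key[len(CLASSES_ROOT):]] = (data.replace("\\\\", "\\"), process)
    return defaults


def find_association_hijacks(rows: str) -> List[dict]:
    """Return every extension -> ProgID -> shell\\open\\command chain whose
    handler executable sits in a user-writable directory."""
    defaults = parse_default_values(rows)
    findings = []
    for subkey, (progid, process) in defaults.items():
        if not subkey.startswith("."):
            continue  # only extension keys name a ProgID in their default value
        command_key = progid + r"\shell\open\command"
        if command_key not in defaults:
            continue
        command, _ = defaults[command_key]
        if any(marker in command.lower() for marker in USER_WRITABLE_MARKERS):
            findings.append({
                "extension": subkey,
                "progid": progid,
                "command": command,
                "process": process,
            })
    return findings


if __name__ == "__main__":
    for f in find_association_hijacks(SAMPLE_ROWS):
        print(f"{f['extension']} -> {f['progid']} -> {f['command']} (set by {f['process']})")
```

Run against the ten rows it reports one chain, .EnCiPhErEd11143 -> GCUJCNQFTQMECRU -> the Temp-resident executable, set by Pizdec.exe. The same logic applies to a live host if the rows are replaced by a walk of HKLM\SOFTWARE\Classes and HKCU\SOFTWARE\Classes; the per-user hive is the one a non-elevated sample would use.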
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
Each source/target pair appears four times in the original table; the rows are collapsed here to one per pair.
PID 2888 wrote to memory of 2776 2888 a26906c09acbcd300aa4a7f237249282_JaffaCakes118.exe 30
PID 2888 wrote to memory of 2104 2888 a26906c09acbcd300aa4a7f237249282_JaffaCakes118.exe 47
PID 2888 wrote to memory of 2864 2888 a26906c09acbcd300aa4a7f237249282_JaffaCakes118.exe 32
PID 2104 wrote to memory of 2408 2104 StupitHack.exe 34
PID 2408 wrote to memory of 2480 2408 StupitHack.exe 35
PID 2480 wrote to memory of 1256 2480 StupitHack.exe 36
PID 1256 wrote to memory of 748 1256 StupitHack.exe 37
PID 748 wrote to memory of 2552 748 StupitHack.exe 38
PID 2552 wrote to memory of 2932 2552 StupitHack.exe 39
PID 2932 wrote to memory of 1704 2932 StupitHack.exe 92
PID 1704 wrote to memory of 2100 1704 StupitHack.exe 41
PID 2100 wrote to memory of 1988 2100 StupitHack.exe 42
PID 1988 wrote to memory of 2784 1988 StupitHack.exe 96
PID 2784 wrote to memory of 1484 2784 StupitHack.exe 44
PID 1484 wrote to memory of 2956 1484 StupitHack.exe 45
PID 2956 wrote to memory of 1700 2956 StupitHack.exe 46
From 2104 downward every row is a StupitHack.exe instance writing into the StupitHack.exe instance it has just spawned, one hop per process. The table is capped at 64 rows, so it ends at the depth-15 child (PID 1700) while the process list below continues to depth 122. Target PID 2864 (procid_target 32) has no entry in that list.
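The chain in the table above is easy to read by eye at 16 pairs but not at the hundreds a real incident produces. The following Python is an added example (not part of the report, not code from the sample) that collapses the repeated writes per spawn into one event, rebuilds the parent-child chain and raises a finding when one image re-spawns itself past a chosen depth. The one-row-per-line format, the ROW_RE pattern and the five-hop threshold are assumptions for this example; the sample rows are taken from the table above, with the duplicate writes kept only for the first pair to show the de-duplication.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample input: rows from the "Suspicious use of WriteProcessMemory"
# table above, as the sandbox renders them. The first pair keeps its four
# duplicate rows; the remaining pairs are listed once each to keep this short.
SAMPLE_ROWS = """
PID 2888 wrote to memory of 2776 2888 a26906c09acbcd300aa4a7f237249282_JaffaCakes118.exe 30
PID 2888 wrote to memory of 2776 2888 a26906c09acbcd300aa4a7f237249282_JaffaCakes118.exe 30
PID 2888 wrote to memory of 2776 2888 a26906c09acbcd300aa4a7f237249282_JaffaCakes118.exe 30
PID 2888 wrote to memory of 2776 2888 a26906c09acbcd300aa4a7f237249282_JaffaCakes118.exe 30
PID 2888 wrote to memory of 2104 2888 a26906c09acbcd300aa4a7f237249282_JaffaCakes118.exe 47
PID 2888 wrote to memory of 2864 2888 a26906c09acbcd300aa4a7f237249282_JaffaCakes118.exe 32
PID 2104 wrote to memory of 2408 2104 StupitHack.exe 34
PID 2408 wrote to memory of 2480 2408 StupitHack.exe 35
PID 2480 wrote to memory of 1256 2480 StupitHack.exe 36
PID 1256 wrote to memory of 748 1256 StupitHack.exe 37
PID 748 wrote to memory of 2552 748 StupitHack.exe 38
PID 2552 wrote to memory of 2932 2552 StupitHack.exe 39
PID 2932 wrote to memory of 1704 2932 StupitHack.exe 92
PID 1704 wrote to memory of 2100 1704 StupitHack.exe 41
PID 2100 wrote to memory of 1988 2100 StupitHack.exe 42
PID 1988 wrote to memory of 2784 1988 StupitHack.exe 96
PID 2784 wrote to memory of 1484 2784 StupitHack.exe 44
PID 1484 wrote to memory of 2956 1484 StupitHack.exe 45
PID 2956 wrote to memory of 1700 2956 StupitHack.exe 46
"""

# "PID <src> wrote to memory of <dst> <src> <src image> <target procid>";
# the backreference insists the source PID is repeated, as in the table.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$")

Event = Tuple[int, int, str, int]  # (source pid, target pid, source image, target procid)


def parse_events(rows: str) -> List[Event]:
    """Parse rows and collapse the repeated writes for one spawn into one event."""
    seen: Set[Event] = set()
    events: List[Event] = []
    for line in rows.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src, dst, image, target = m.groups()
        ev = (int(src), int(dst), image, int(target))
        if ev not in seen:
            seen.add(ev)
            events.append(ev)
    return events


def longest_self_spawn_chain(events: List[Event]) -> Tuple[str, List[int]]:
    """Return (image, pid chain) for the longest parent->child chain in which
    every parent runs the same image. A child that never appears as a writer
    has no image in these rows and is accepted as the chain's last hop."""
    children: Dict[int, List[int]] = defaultdict(list)
    image_of: Dict[int, str] = {}
    for src, dst, image, _ in events:
        children[src].append(dst)
        image_of[src] = image

    def extend(pid: int, image: str, visited: Set[int]) -> List[int]:
        # `visited` guards against cycles: the sandbox reuses PIDs within a
        # run (see the process list), so a PID alone is not an instance.
        best = [pid]
        for child in children.get(pid, []):
            if child in visited:
                continue
            child_image = image_of.get(child)
            if child_image is None:
                cand = [pid, child]  # leaf whose image these rows do not show
            elif child_image == image:
                cand = [pid] + extend(child, image, visited | {child})
            else:
                continue  # different image: the self-spawn chain ends here
            if len(cand) > len(best):
                best = cand
        return best

    # Chains start at writers whose own parent does not run the same image.
    parent_of = {dst: src for src, dst, _, _ in events}
    best_image, best_chain = "", []
    for pid, image in image_of.items():
        parent = parent_of.get(pid)
        if parent is not None and image_of.get(parent) == image:
            continue
        chain = extend(pid, image, {pid})
        if len(chain) > len(best_chain):
            best_image, best_chain = image, chain
    return best_image, best_chain


def flag_runaway_chain(events: List[Event], max_depth: int = 5) -> Optional[str]:
    """Return a finding when one image re-spawns itself `max_depth` hops or
    more (the default is a threshold chosen for this example)."""
    image, chain = longest_self_spawn_chain(events)
    depth = len(chain) - 1  # number of spawn hops
    if depth < max_depth:
        return None
    return f"{image} re-spawned itself {depth} times: " + " -> ".join(map(str, chain))


if __name__ == "__main__":
    print(flag_runaway_chain(parse_events(SAMPLE_ROWS)))
```

On the sample rows the 19 lines become 16 events, the longest same-image chain is StupitHack.exe from PID 2104 through 2956 to the leaf 1700 (13 hops), and the finding fires. A legitimate installer or updater rarely spawns its own image more than two or three levels deep, which is what makes chain depth a usable signal independent of the file name.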
Processes
-
Each row gives the depth in the tree, the PID and the signatures raised by that process. Depth 1 is the submitted sample, the two depth-2 rows are its direct children, and every row from depth 3 onward is a child of the row before it.
1 PID 2888 C:\Users\Admin\AppData\Local\Temp\a26906c09acbcd300aa4a7f237249282_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\a26906c09acbcd300aa4a7f237249282_JaffaCakes118.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
2 PID 2776 C:\Users\Admin\AppData\Local\Temp\Pizdec.exe "C:\Users\Admin\AppData\Local\Temp\Pizdec.exe"
- Drops file in Drivers directory
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
2 PID 2104 C:\Users\Admin\AppData\Local\Temp\StupitHack.exe "C:\Users\Admin\AppData\Local\Temp\StupitHack.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
From depth 3 to depth 122 every process is C:\Windows\SysWOW64\StupitHack.exe started with the command line "C:\Windows\system32\StupitHack.exe": the 32-bit process asks for system32 and WOW64 file-system redirection hands it the SysWOW64 copy on this x64 image. PIDs are reused within the run (2104 at depths 2 and 16, 1704 at 9 and 61, 2784 at 12, 65 and 113, 2888 at 1, 69 and 95), so a PID identifies a process only together with its depth.
3 PID 2408: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
4 PID 2480: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
5 PID 1256: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
6 PID 748: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
7 PID 2552: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
8 PID 2932: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
9 PID 1704: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
10 PID 2100: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
11 PID 1988: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
12 PID 2784: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
13 PID 1484: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
14 PID 2956: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
15 PID 1700: Executes dropped EXE; Loads dropped DLL
16 PID 2104: Executes dropped EXE; Loads dropped DLL
17 PID 2424: Executes dropped EXE; Loads dropped DLL
18 PID 2352: Executes dropped EXE; Loads dropped DLL
19 PID 2608: Executes dropped EXE; Loads dropped DLL
20 PID 2304: Executes dropped EXE; Loads dropped DLL
21 PID 2400: Executes dropped EXE; Loads dropped DLL
22 PID 2536: Executes dropped EXE; Loads dropped DLL
23 PID 2264: Executes dropped EXE; Loads dropped DLL
24 PID 2584: Executes dropped EXE; Loads dropped DLL
25 PID 716: Executes dropped EXE; Loads dropped DLL
26 PID 520: Executes dropped EXE; Loads dropped DLL
27 PID 944: Executes dropped EXE; Loads dropped DLL
28 PID 2416: Executes dropped EXE; Loads dropped DLL
29 PID 980: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
30 PID 2628: Executes dropped EXE; Loads dropped DLL
31 PID 1540: Executes dropped EXE; Loads dropped DLL
32 PID 1492: Executes dropped EXE; Loads dropped DLL
33 PID 1860: Executes dropped EXE; Loads dropped DLL
34 PID 1348: Executes dropped EXE; Loads dropped DLL
35 PID 296: Executes dropped EXE; Loads dropped DLL
36 PID 1736: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
37 PID 2036: Executes dropped EXE; Loads dropped DLL
38 PID 1596: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
39 PID 1684: Executes dropped EXE; Loads dropped DLL
40 PID 1288: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
41 PID 1796: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
42 PID 680: Executes dropped EXE; Loads dropped DLL
43 PID 2292: Executes dropped EXE; Loads dropped DLL
44 PID 2904: Executes dropped EXE; Loads dropped DLL
45 PID 1996: Executes dropped EXE; Loads dropped DLL
46 PID 1984: Executes dropped EXE; Loads dropped DLL
47 PID 2688: Executes dropped EXE; Loads dropped DLL
48 PID 2500: Executes dropped EXE; Loads dropped DLL
49 PID 2884: Executes dropped EXE; Loads dropped DLL
50 PID 2680: Executes dropped EXE; Loads dropped DLL
51 PID 1964: Executes dropped EXE; Loads dropped DLL
52 PID 2356: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
53 PID 2960: Executes dropped EXE; Loads dropped DLL
54 PID 2080: Executes dropped EXE; Loads dropped DLL
55 PID 2380: Executes dropped EXE; Loads dropped DLL
56 PID 1316: Executes dropped EXE; Loads dropped DLL
57 PID 1772: Executes dropped EXE; Loads dropped DLL
58 PID 2624: Executes dropped EXE; Loads dropped DLL
59 PID 1632: Executes dropped EXE; Loads dropped DLL
60 PID 2600: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
61 PID 1704: Executes dropped EXE; Loads dropped DLL
62 PID 2912: Executes dropped EXE; Loads dropped DLL
63 PID 108: Executes dropped EXE
64 PID 1996: Executes dropped EXE
65 PID 2784: no signatures
66 PID 1984: no signatures
67 PID 2656: no signatures
68 PID 2500: no signatures
69 PID 2888: no signatures
70 PID 2716: no signatures
71 PID 2840: no signatures
72 PID 2732: no signatures
73 PID 2644: no signatures
74 PID 2352: no signatures
75 PID 2232: no signatures
76 PID 1304: no signatures
77 PID 2528: no signatures
78 PID 3056: no signatures
79 PID 3068: no signatures
80 PID 788: no signatures
81 PID 620: no signatures
82 PID 1872: no signatures
83 PID 2616: no signatures
84 PID 3016: no signatures
85 PID 940: no signatures
86 PID 2436: no signatures
87 PID 2136: no signatures
88 PID 1936: no signatures
89 PID 2140: no signatures
90 PID 2984: no signatures
91 PID 2944: no signatures
92 PID 2832: no signatures
93 PID 1984: no signatures
94 PID 1240: no signatures
95 PID 2888: Drops file in System32 directory
96 PID 1056: no signatures
97 PID 2732: no signatures
98 PID 2132: System Location Discovery: System Language Discovery
99 PID 2296: no signatures
100 PID 2356: no signatures
101 PID 3056: no signatures
102 PID 1944: no signatures
103 PID 2496: no signatures
104 PID 1740: no signatures
105 PID 956: no signatures
106 PID 1288: no signatures
107 PID 2388: no signatures
108 PID 1724: Drops file in System32 directory
109 PID 2992: no signatures
110 PID 1044: no signatures
111 PID 884: no signatures
112 PID 1656: no signatures
113 PID 2784: no signatures
114 PID 2696: no signatures
115 PID 2868: no signatures
116 PID 2004: no signatures
117 PID 1952: no signatures
118 PID 1856: no signatures
119 PID 2196: no signatures
120 PID 2188: no signatures
121 PID 2424: no signatures
122 PID 2320: no signatures