Analysis
max time kernel: 150s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-11-2024 14:22
Static task: static1
Behavioral task: behavioral1
  Sample: a26906c09acbcd300aa4a7f237249282_JaffaCakes118.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: a26906c09acbcd300aa4a7f237249282_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: a26906c09acbcd300aa4a7f237249282_JaffaCakes118.exe
Size: 74KB
MD5: a26906c09acbcd300aa4a7f237249282
SHA1: 294868f580a8cf338ca7fcd2a713b8b6b84434d1
SHA256: 20165d77c3851851b5df4fa23850bf02ebf990fbb80d387d0007b4ba52ac64a3
SHA512: 034a75a85e31cc8532823ecdb22f076af386fcda6f750c15e44d13d811d4646bf5b6fd28764e04bb8e1c36c4ec27b1a6fd2b7b3d256a1d36cef3cd108e56daea
SSDEEP: 1536:IVd5aji/ori2ozCLWpvQxJtdXVIvyU7aSYCQXD:IVd5ajJrolpIxJt3IvX2aiD
Malware Config
Signatures
Detected Xorist Ransomware (1 IoC)
resource | yara_rule
behavioral2/memory/4160-367-0x0000000000400000-0x0000000000414000-memory.dmp | family_xorist
Xorist Ransomware
Xorist is a ransomware first seen in 2020.
Xorist family
Renames multiple (2190) files with added filename extension
This suggests ransomware activity: encrypting all the files on the system.
Drops file in Drivers directory (9 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\drivers\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\SysWOW64\drivers\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\SysWOW64\drivers\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\SysWOW64\drivers\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File opened for modification | C:\Windows\SysWOW64\drivers\gmreadme.txt | Pizdec.exe
File created | C:\Windows\SysWOW64\drivers\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\SysWOW64\drivers\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\SysWOW64\drivers\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
File created | C:\Windows\SysWOW64\drivers\uk-UA\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | a26906c09acbcd300aa4a7f237249282_JaffaCakes118.exe
Drops startup file (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt | Pizdec.exe
Executes dropped EXE (64 IoCs)
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MD79PFRQ4de5n55.exe" | Pizdec.exe
Indicator Removal: File Deletion (1 TTP)
Adversaries may delete files left behind by the actions of their intrusion activity.
Drops file in System32 directory (64 IoCs)
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pcfhhknppceehkpc.bmp" | Pizdec.exe
yara_rule upx (3 IoCs)
resource | yara_rule
behavioral2/files/0x0007000000023c72-4.dat | upx
behavioral2/memory/4160-12-0x0000000000400000-0x0000000000414000-memory.dmp | upx
behavioral2/memory/4160-367-0x0000000000400000-0x0000000000414000-memory.dmp | upx
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (64 IoCs)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 10 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GCUJCNQFTQMECRU\DefaultIcon Pizdec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GCUJCNQFTQMECRU\shell\open Pizdec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GCUJCNQFTQMECRU\ = "CRYPTED!" Pizdec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GCUJCNQFTQMECRU\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MD79PFRQ4de5n55.exe,0" Pizdec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GCUJCNQFTQMECRU\shell\open\command Pizdec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GCUJCNQFTQMECRU\shell Pizdec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GCUJCNQFTQMECRU\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MD79PFRQ4de5n55.exe" Pizdec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd11143 Pizdec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd11143\ = "GCUJCNQFTQMECRU" Pizdec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GCUJCNQFTQMECRU Pizdec.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a26906c09acbcd300aa4a7f237249282_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a26906c09acbcd300aa4a7f237249282_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Users\Admin\AppData\Local\Temp\Pizdec.exe"C:\Users\Admin\AppData\Local\Temp\Pizdec.exe"2⤵
- Drops file in Drivers directory
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:4160 -
C:\Users\Admin\AppData\Local\Temp\StupitHack.exe"C:\Users\Admin\AppData\Local\Temp\StupitHack.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5024 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1328 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4076 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5104 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3624 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:740 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1280 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3428 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4500 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:968 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"21⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"22⤵
- Executes dropped EXE
PID:4412 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"23⤵
- Executes dropped EXE
PID:4948 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"24⤵
- Executes dropped EXE
PID:4308 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"25⤵
- Executes dropped EXE
PID:3536 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"26⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4584 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"28⤵
- Executes dropped EXE
PID:4444 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"29⤵
- Executes dropped EXE
PID:4240 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"30⤵
- Executes dropped EXE
PID:392 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"31⤵
- Executes dropped EXE
PID:3508 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"32⤵
- Executes dropped EXE
PID:376 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"33⤵
- Executes dropped EXE
PID:428 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"34⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"35⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"36⤵
- Executes dropped EXE
PID:3772 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"37⤵
- Executes dropped EXE
PID:3548 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"38⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"39⤵
- Executes dropped EXE
PID:4552 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"40⤵
- Executes dropped EXE
PID:3160 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"41⤵
- Executes dropped EXE
PID:428 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"42⤵
- Executes dropped EXE
PID:396 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"43⤵
- Executes dropped EXE
PID:816 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"44⤵
- Executes dropped EXE
PID:4416 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"45⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1560 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"47⤵
- Executes dropped EXE
PID:468 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"48⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"49⤵
- Executes dropped EXE
PID:436 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"50⤵
- Executes dropped EXE
PID:1116 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"51⤵
- Executes dropped EXE
PID:4636 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"52⤵
- Executes dropped EXE
PID:944 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"53⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"54⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"55⤵
- Executes dropped EXE
PID:4388 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"56⤵
- Executes dropped EXE
PID:4300 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"57⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"58⤵
- Executes dropped EXE
PID:4720 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"59⤵
- Executes dropped EXE
PID:3164 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"60⤵
- Executes dropped EXE
PID:1328 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"61⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"62⤵
- Executes dropped EXE
PID:4412 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4532 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"64⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"65⤵
PID:4612 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"66⤵
PID:3108 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"67⤵
PID:4308 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"68⤵
PID:2640 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"69⤵
PID:712 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"70⤵
PID:3192 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"71⤵
PID:2800 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"72⤵
PID:2304 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"73⤵
PID:232 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"74⤵
PID:1036 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"75⤵
PID:4532 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"76⤵
PID:3860 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"77⤵
PID:4908 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"78⤵
PID:740 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"79⤵
PID:4504 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"80⤵
PID:1392 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"81⤵
PID:4612 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"82⤵
PID:1112 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"83⤵
PID:4548 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"84⤵
PID:1932 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"85⤵
PID:744 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"86⤵
PID:2864 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"87⤵
PID:2428 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"88⤵
PID:4488 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"89⤵
PID:228 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"90⤵
PID:4572 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"91⤵
PID:2636 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"92⤵
PID:1168 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"93⤵
PID:4500 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"94⤵
PID:4644 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"95⤵
PID:4564 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"96⤵
PID:4556 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"97⤵
PID:4712 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"98⤵
PID:4296 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"99⤵
PID:1972 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"100⤵
PID:4788 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"101⤵
- Drops file in System32 directory
PID:908 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"102⤵
PID:2824 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"103⤵
PID:4676 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"104⤵
PID:680 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"105⤵
PID:3696 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"106⤵
PID:724 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"107⤵
PID:1984 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"108⤵
PID:1004 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"109⤵
PID:1272 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"110⤵
PID:4432 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"111⤵
PID:5092 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"112⤵
PID:1604 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"113⤵
PID:3680 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"114⤵
PID:1844 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"115⤵
PID:1192 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"116⤵
PID:3200 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"117⤵
PID:4004 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"118⤵
PID:3064 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"119⤵
PID:1892 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"120⤵
PID:4056 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"121⤵
PID:3280 -
C:\Windows\SysWOW64\StupitHack.exe"C:\Windows\system32\StupitHack.exe"122⤵
PID:3236 -