Analysis
max time kernel
150s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags
arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted
28-11-2024 22:48
Static task
static1
Behavioral task
behavioral1
Sample
add093e384ff21c31aa42dc77c5a111f_JaffaCakes118.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
add093e384ff21c31aa42dc77c5a111f_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
Target
add093e384ff21c31aa42dc77c5a111f_JaffaCakes118.exe
Size
318KB
MD5
add093e384ff21c31aa42dc77c5a111f
SHA1
b864ab4b45979b819f1fce56849fd1f57a4fefd1
SHA256
c0017f1a8a644d373a55a351baffaeddca0718deb627e7d0157bfc9a78bbe694
SHA512
1e9b67124794ce1a522c9a4a36e9d83718f17e6cc3875f1bdaf726a66da1b79f37a5c89c6e9f996d1ddeaa14b8b9d84055b1cffca589a810a3ddadc2e79c2d85
SSDEEP
6144:kfiSMzzsnQ3WL24QFzF77OjcJEVSj090xrG8i6obiV:kfrMzzsnGWyEcCK1rG8Hog
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
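The encoder tag above identifies the payload as msfvenom output wrapped in Metasploit's x86/call4_dword_xor decoder stub: a `call $+4` trick loads the stub's own address into ESI, then a short loop XORs the body dword by dword with a 4-byte key that is stored in the stub itself. The encoder exists to avoid bad characters, not to hide anything from an analyst who holds the bytes. The Python below is an added example, not part of this report or of Metasploit: it locates the stub's fixed tail, pulls the key and decodes the body that follows. The stub layout is my reading of the encoder source and should be checked against the framework version that produced a given sample; the ECX set-up that precedes the tail varies with bad-char constraints, which is why the search anchors on the xor/sub/loop bytes only. Nothing here states what this sample's payload decodes to.

```python
"""Strip the x86/call4_dword_xor decoder stub from an msfvenom-style blob and recover the body (added example)."""
import re
import struct

# Tail of the decoder stub as I read Metasploit's x86/call4_dword_xor encoder (assumption; verify against
# your framework version). The ECX set-up before it varies, so the search anchors on these fixed bytes:
#   81 76 0e KK KK KK KK   xor dword [esi+0x0e], KEY
#   83 ee fc               sub esi, -4
#   e2 f4                  loop (back to the xor)
STUB_TAIL_RE = re.compile(rb"\x81\x76\x0e(.{4})\x83\xee\xfc\xe2\xf4", re.DOTALL)


def xor_dwords(data: bytes, key: int) -> bytes:
    """XOR data with a 32-bit key applied per little-endian dword (byte-wise form of the stub's loop)."""
    kb = struct.pack("<I", key)
    return bytes(b ^ kb[i % 4] for i, b in enumerate(data))


def build_stub(key: int, body_len: int) -> bytes:
    """Assemble the assumed 23-byte stub for a body of body_len bytes (used here to construct a test blob)."""
    count = (body_len + 3) // 4
    if not 1 <= count <= 0xFF:
        raise ValueError("mov cl, imm8 form covers at most 255 dwords")
    return (
        b"\x31\xc9" + b"\xb1" + bytes([count])     # xor ecx, ecx ; mov cl, count
        + b"\xe8\xff\xff\xff\xff"                    # call $+4: target is the call's own last 0xff byte
        + b"\xc0"                                    # ...so 'ff c0' executes as inc eax
        + b"\x5e"                                    # pop esi -> address of the byte after the call
        + b"\x81\x76\x0e" + struct.pack("<I", key)   # xor dword [esi+0x0e], key (esi+0x0e = first body byte)
        + b"\x83\xee\xfc"                            # sub esi, -4
        + b"\xe2\xf4"                                # loop
    )


def decode_call4_dword_xor(blob: bytes):
    """Return (key, decoded_body) if the stub tail is present, else None.
    Everything after the stub is decoded; the loop count in the stub bounds what really runs,
    so trailing padding after the real body may decode to junk."""
    m = STUB_TAIL_RE.search(blob)
    if m is None:
        return None
    (key,) = struct.unpack("<I", m.group(1))
    return key, xor_dwords(blob[m.end():], key)


if __name__ == "__main__":
    # Constructed round trip: encode a placeholder body, prepend the stub, decode it again.
    body = b"constructed-shellcode-body!!"
    blob = build_stub(0xDEADBEEF, len(body)) + xor_dwords(body, 0xDEADBEEF)
    key, decoded = decode_call4_dword_xor(blob)
    print(hex(key), decoded)
```

Run against a real blob, feed `decoded` to a disassembler or to a second pass of this function if the payload was encoded more than once (msfvenom's `-i` option chains iterations).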
Signatures
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Metasploit family
Executes dropped EXE (64 IoCs)
pid process
2724 oilcg.exe; 2824 oilcg.exe; 2756 knhum.exe; 2864 knhum.exe
2672 yaqjs.exe; 2308 yaqjs.exe; 1672 feaxb.exe; 2416 feaxb.exe
2464 nmwpw.exe; 2692 nmwpw.exe; 1632 xlaug.exe; 3028 xlaug.exe
2188 hsmsy.exe; 2204 hsmsy.exe; 1756 rrqpj.exe; 564 rrqpj.exe
2360 ycpug.exe; 2564 ycpug.exe; 624 lbsxp.exe; 2316 lbsxp.exe
860 vawuz.exe; 1428 vawuz.exe; 1768 innkf.exe; 1760 innkf.exe
2744 tmspx.exe; 2724 tmspx.exe; 2624 frjkl.exe; 2960 frjkl.exe
2908 seaar.exe; 2096 seaar.exe; 2672 cpqke.exe; 2092 cpqke.exe
1920 msfus.exe; 1716 msfus.exe; 3004 zfpkf.exe; 1980 zfpkf.exe
1916 mdsno.exe; 3044 mdsno.exe; 1548 wrske.exe; 2208 wrske.exe
2356 jinnn.exe; 2512 jinnn.exe; 2392 wvfds.exe; 1784 wvfds.exe
1748 fjxsr.exe; 1504 fjxsr.exe; 1484 pijxb.exe; 1764 pijxb.exe
1988 dvbnh.exe; 464 dvbnh.exe; 2444 qtwqp.exe; 2504 qtwqp.exe
2828 asani.exe; 2688 asani.exe; 2844 kvpyv.exe; 2832 kvpyv.exe
2764 tgnii.exe; 2816 tgnii.exe; 2612 gwhlr.exe; 2672 gwhlr.exe
1032 tvcnz.exe; 1840 tvcnz.exe; 2464 vxsqv.exe; 2580 vxsqv.exe
Loads dropped DLL (64 IoCs; identical rows collapsed, repeat count in parentheses)
pid process
1908 add093e384ff21c31aa42dc77c5a111f_JaffaCakes118.exe (x2)
2724 oilcg.exe (x1); 2824 oilcg.exe (x2)
2756 knhum.exe (x1); 2864 knhum.exe (x2)
2672 yaqjs.exe (x1); 2308 yaqjs.exe (x2)
1672 feaxb.exe (x1); 2416 feaxb.exe (x2)
2692 nmwpw.exe (x2); 3028 xlaug.exe (x2); 2204 hsmsy.exe (x2); 564 rrqpj.exe (x2)
2564 ycpug.exe (x2); 2316 lbsxp.exe (x2); 1428 vawuz.exe (x2); 1760 innkf.exe (x2)
2724 tmspx.exe (x2); 2960 frjkl.exe (x2); 2096 seaar.exe (x2); 2092 cpqke.exe (x2)
1716 msfus.exe (x2); 1980 zfpkf.exe (x2); 3044 mdsno.exe (x2); 2208 wrske.exe (x2)
2512 jinnn.exe (x2); 1784 wvfds.exe (x2); 1504 fjxsr.exe (x2); 1764 pijxb.exe (x2)
464 dvbnh.exe (x2); 2504 qtwqp.exe (x2); 2688 asani.exe (x2); 2832 kvpyv.exe (x2)
2816 tgnii.exe (x2)
Drops file in System32 directory (64 IoCs)
description  ioc  process
File created  C:\Windows\SysWOW64\nemsb.exe  dqmvl.exe
File created  C:\Windows\SysWOW64\sncvy.exe  fwhsq.exe
File created  C:\Windows\SysWOW64\dzlcv.exe  rjqzm.exe
File opened for modification  C:\Windows\SysWOW64\sulso.exe  Process not Found
File opened for modification  C:\Windows\SysWOW64\udruh.exe  kacju.exe
File created  C:\Windows\SysWOW64\akxru.exe  nxobo.exe
File created  C:\Windows\SysWOW64\xxtrb.exe  njstd.exe
File opened for modification  C:\Windows\SysWOW64\ejybe.exe  Process not Found
File opened for modification  C:\Windows\SysWOW64\lfzvj.exe  Process not Found
File opened for modification  C:\Windows\SysWOW64\ssciu.exe  Process not Found
File opened for modification  C:\Windows\SysWOW64\mohkl.exe  aubcz.exe
File opened for modification  C:\Windows\SysWOW64\rlawb.exe  Process not Found
File created  C:\Windows\SysWOW64\zjxsh.exe  mtuxy.exe
File created  C:\Windows\SysWOW64\oxevj.exe  yseif.exe
File created  C:\Windows\SysWOW64\udruh.exe  kacju.exe
File created  C:\Windows\SysWOW64\gnniu.exe  wznkw.exe
File opened for modification  C:\Windows\SysWOW64\cfezt.exe  psujn.exe
File opened for modification  C:\Windows\SysWOW64\olpmd.exe  bvujv.exe
File created  C:\Windows\SysWOW64\frjkl.exe  tmspx.exe
File opened for modification  C:\Windows\SysWOW64\qtblf.exe  ervdt.exe
File created  C:\Windows\SysWOW64\tykbs.exe  gahzk.exe
File opened for modification  C:\Windows\SysWOW64\qcnut.exe  dmlrk.exe
File created  C:\Windows\SysWOW64\ecuzk.exe  Process not Found
File opened for modification  C:\Windows\SysWOW64\xejgq.exe  Process not Found
File created  C:\Windows\SysWOW64\uelih.exe  Process not Found
File opened for modification  C:\Windows\SysWOW64\flipz.exe  snfmq.exe
File opened for modification  C:\Windows\SysWOW64\innuw.exe  votso.exe
File created  C:\Windows\SysWOW64\rkcco.exe  etzaf.exe
File created  C:\Windows\SysWOW64\ctbwa.exe  pdgur.exe
File created  C:\Windows\SysWOW64\uegwt.exe  Process not Found
File created  C:\Windows\SysWOW64\hymee.exe  Process not Found
File created  C:\Windows\SysWOW64\bmter.exe  ovqbj.exe
File created  C:\Windows\SysWOW64\wupjp.exe  Process not Found
File opened for modification  C:\Windows\SysWOW64\ceawf.exe  sfwyv.exe
File created  C:\Windows\SysWOW64\wggsu.exe  nsgdw.exe
File created  C:\Windows\SysWOW64\bjhlu.exe  rysbh.exe
File created  C:\Windows\SysWOW64\dvfun.exe  tkqjs.exe
File opened for modification  C:\Windows\SysWOW64\jyyxj.exe  xwshq.exe
File opened for modification  C:\Windows\SysWOW64\jyxmg.exe  wiujx.exe
File opened for modification  C:\Windows\SysWOW64\uelih.exe  Process not Found
File created  C:\Windows\SysWOW64\eurhl.exe  rhzkf.exe
File opened for modification  C:\Windows\SysWOW64\aeqbw.exe  krqgs.exe
File opened for modification  C:\Windows\SysWOW64\ebzpd.exe  rcwnv.exe
File created  C:\Windows\SysWOW64\hgytz.exe  vesdo.exe
File created  C:\Windows\SysWOW64\nwyzj.exe  dtjpv.exe
File opened for modification  C:\Windows\SysWOW64\nftcz.exe  Process not Found
File created  C:\Windows\SysWOW64\aubcz.exe  nwyzj.exe
File created  C:\Windows\SysWOW64\dgcqi.exe  yphna.exe
File created  C:\Windows\SysWOW64\msfus.exe  cpqke.exe
File created  C:\Windows\SysWOW64\uikqm.exe  ioeba.exe
File opened for modification  C:\Windows\SysWOW64\htfik.exe  vrzby.exe
File created  C:\Windows\SysWOW64\jombc.exe  tjegy.exe
File opened for modification  C:\Windows\SysWOW64\cqobu.exe  qzlzl.exe
File created  C:\Windows\SysWOW64\uevzf.exe  hjdja.exe
File created  C:\Windows\SysWOW64\ryflv.exe  Process not Found
File created  C:\Windows\SysWOW64\lywif.exe  yhugx.exe
File opened for modification  C:\Windows\SysWOW64\fdnie.exe  sntfv.exe
File created  C:\Windows\SysWOW64\lpdvl.exe  yqibd.exe
File opened for modification  C:\Windows\SysWOW64\zgzpa.exe  Process not Found
File opened for modification  C:\Windows\SysWOW64\wwkea.exe  Process not Found
File opened for modification  C:\Windows\SysWOW64\iroot.exe  Process not Found
File created  C:\Windows\SysWOW64\yaqjs.exe  knhum.exe
File opened for modification  C:\Windows\SysWOW64\wvfds.exe  jinnn.exe
File opened for modification  C:\Windows\SysWOW64\kpprx.exe  ajpth.exe
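Every dropped file in this table is a five-lowercase-letter name under C:\Windows\SysWOW64, and the dropping process has the same shape, so the table is really a generation graph of a self-copying chain (the process tree further down shows the same names). The command lines there launch C:\Windows\system32\<name>.exe while the image path is C:\Windows\SysWOW64\<name>.exe, which is consistent with WOW64 file-system redirection of a 32-bit process (the resource tags include arch:x86). The Python below is an added example, not part of this report: it parses a constructed subset of the rows above exactly as they are flattened on the page, links each dropper to what it dropped, walks a generation chain, and applies the naming shape to a directory listing as a hunt. The five-letter regex is a triage heuristic, not a verdict; legitimate system binaries with five-letter names exist (xcopy.exe, write.exe), so the allowlist is an assumption to be replaced with a known-good inventory or an Authenticode check.

```python
"""Triage this report's 'Drops file in System32 directory' table (added example, constructed subset)."""
import re
from collections import defaultdict

# Ten rows copied verbatim from the table above (constructed subset, not all 64 rows).
DROP_TABLE_SAMPLE = (
    "File created C:\\Windows\\SysWOW64\\nemsb.exe dqmvl.exe "
    "File opened for modification C:\\Windows\\SysWOW64\\sulso.exe Process not Found "
    "File opened for modification C:\\Windows\\SysWOW64\\udruh.exe kacju.exe "
    "File created C:\\Windows\\SysWOW64\\udruh.exe kacju.exe "
    "File created C:\\Windows\\SysWOW64\\frjkl.exe tmspx.exe "
    "File created C:\\Windows\\SysWOW64\\aubcz.exe nwyzj.exe "
    "File opened for modification C:\\Windows\\SysWOW64\\mohkl.exe aubcz.exe "
    "File created C:\\Windows\\SysWOW64\\msfus.exe cpqke.exe "
    "File created C:\\Windows\\SysWOW64\\yaqjs.exe knhum.exe "
    "File opened for modification C:\\Windows\\SysWOW64\\wvfds.exe jinnn.exe"
)

ROW_RE = re.compile(
    r"File (created|opened for modification) (C:\\Windows\\SysWOW64\\\S+) (Process not Found|\S+)"
)
# Naming shape used by every dropped file in this report. Assumption: this is the dropper's generator.
# It is a triage hint only; legitimate five-letter system binaries exist, hence the allowlist below.
GEN_NAME_RE = re.compile(r"[a-z]{5}\.exe")
KNOWN_GOOD = {"xcopy.exe", "write.exe", "where.exe"}  # constructed; replace with a golden-image inventory


def parse_rows(text):
    """Return (action, path, process) per row of the flattened table."""
    return [(m.group(1), m.group(2), m.group(3)) for m in ROW_RE.finditer(text)]


def basename(path):
    return path.rsplit("\\", 1)[-1]


def generation_edges(text):
    """Build dropper image -> {dropped basenames} for rows where both names have the generator's shape.
    Both 'created' and 'opened for modification' count as a link (in the report jinnn.exe -> wvfds.exe
    appears as a modification only). Rows attributed to 'Process not Found' cannot be linked; count them."""
    edges, unattributed = defaultdict(set), 0
    for _action, path, proc in parse_rows(text):
        name = basename(path)
        if proc == "Process not Found":
            unattributed += 1
        elif GEN_NAME_RE.fullmatch(name) and GEN_NAME_RE.fullmatch(proc):
            edges[proc].add(name)
    return dict(edges), unattributed


def chain_from(edges, start, limit=64):
    """Walk dropper -> dropped links to recover a generation chain, e.g. nwyzj.exe -> aubcz.exe -> mohkl.exe."""
    chain, cur = [start], start
    while cur in edges and len(chain) < limit:
        cur = sorted(edges[cur])[0]  # deterministic pick; one child per dropper is the expected shape
        if cur in chain:
            break
        chain.append(cur)
    return chain


def hunt_listing(names):
    """Apply the naming shape to a directory listing (e.g. of C:\\Windows\\SysWOW64), minus the allowlist."""
    return sorted(n for n in names if GEN_NAME_RE.fullmatch(n) and n not in KNOWN_GOOD)


if __name__ == "__main__":
    edges, skipped = generation_edges(DROP_TABLE_SAMPLE)
    print(f"{len(edges)} droppers linked, {skipped} rows unattributed")
    print(" -> ".join(chain_from(edges, "nwyzj.exe")))
    print(hunt_listing(["kernel32.dll", "oilcg.exe", "xcopy.exe", "WerFault.exe", "knhum.exe", "calc.exe"]))
```

On a live host, feed `hunt_listing` the names from the SysWOW64 directory and treat every hit as a candidate to hash and signature-check, not as a confirmed drop.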
Suspicious use of SetThreadContext (64 IoCs)
pid  process  target pid  procid_target
376  add093e384ff21c31aa42dc77c5a111f_JaffaCakes118.exe  1908  30
2724  oilcg.exe  2824  32
2756  knhum.exe  2864  34
2672  yaqjs.exe  2308  36
1672  feaxb.exe  2416  38
2464  nmwpw.exe  2692  40
1632  xlaug.exe  3028  42
2188  hsmsy.exe  2204  44
1756  rrqpj.exe  564  46
2360  ycpug.exe  2564  48
624  lbsxp.exe  2316  50
860  vawuz.exe  1428  52
1768  innkf.exe  1760  54
2744  tmspx.exe  2724  56
2624  frjkl.exe  2960  58
2908  seaar.exe  2096  60
2672  cpqke.exe  2092  62
1920  msfus.exe  1716  64
3004  zfpkf.exe  1980  66
1916  mdsno.exe  3044  68
1548  wrske.exe  2208  70
2356  jinnn.exe  2512  72
2392  wvfds.exe  1784  74
1748  fjxsr.exe  1504  76
1484  pijxb.exe  1764  78
1988  dvbnh.exe  464  80
2444  qtwqp.exe  2504  82
2828  asani.exe  2688  84
2844  kvpyv.exe  2832  86
2764  tgnii.exe  2816  88
2612  gwhlr.exe  2672  90
1032  tvcnz.exe  1840  92
2464  vxsqv.exe  2580  94
3036  ikjna.exe  2516  96
1016  vjeqj.exe  2492  98
840  flttw.exe  2404  100
1552  pwrdr.exe  980  102
2100  cjabx.exe  2348  104
1484  mlqdk.exe  1996  106
1708  znwtw.exe  2952  108
876  manic.exe  3020  110
2632  zctyv.exe  2644  112
2796  jfjji.exe  2384  114
3016  vdllr.exe  1044  116
2536  gdqjb.exe  2224  118
2468  sfwyv.exe  1616  120
2992  ceawf.exe  2892  122
348  siirj.exe  544  124
756  cwjgz.exe  1600  126
2392  pndji.exe  1212  128
1440  cpkyt.exe  1740  130
2012  mowwm.exe  1596  132
2452  cawri.exe  2740  134
2804  oucgb.exe  1312  136
2732  yfrro.exe  2684  138
2076  lsjhu.exe  2872  140
2548  vcyrh.exe  1228  142
2072  ittuy.exe  1944  144
2460  vjwwh.exe  1032  146
472  fulhu.exe  2456  148
2528  ptpee.exe  2396  150
2152  zenpz.exe  1660  152
1476  muiri.exe  1788  154
2936  zlcur.exe  992  156
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
ioc: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Processes (36 attributed entries, in the order reported; fnrrs.exe appears twice):
mdxqj.exe, qtblf.exe, malrd.exe, snfmq.exe, gbmwp.exe, qwlpt.exe, abrhq.exe, jlqxk.exe, yaeug.exe, fnrrs.exe, ovqbj.exe, yaqjs.exe,
pjekm.exe, upxuo.exe, fnrrs.exe, fcvke.exe, zgwmp.exe, akobr.exe, vrzby.exe, unpck.exe, xhaoh.exe, qzlzl.exe, ugque.exe, aczka.exe,
vnlqi.exe, uevzf.exe, innkf.exe, timxi.exe, gubax.exe, fmjko.exe, gnyxh.exe, qhojc.exe, pbotj.exe, zqpiz.exe, snhqu.exe, klejp.exe
The remaining 28 entries are recorded as "Process not Found" (the sandbox could not attribute the key access to a process).
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Token: SeDebugPrivilege, enabled by each of the following processes (pid process):
376 add093e384ff21c31aa42dc77c5a111f_JaffaCakes118.exe; 2724 oilcg.exe; 2756 knhum.exe; 2672 yaqjs.exe
1672 feaxb.exe; 2464 nmwpw.exe; 1632 xlaug.exe; 2188 hsmsy.exe
1756 rrqpj.exe; 2360 ycpug.exe; 624 lbsxp.exe; 860 vawuz.exe
1768 innkf.exe; 2744 tmspx.exe; 2624 frjkl.exe; 2908 seaar.exe
2672 cpqke.exe; 1920 msfus.exe; 3004 zfpkf.exe; 1916 mdsno.exe
1548 wrske.exe; 2356 jinnn.exe; 2392 wvfds.exe; 1748 fjxsr.exe
1484 pijxb.exe; 1988 dvbnh.exe; 2444 qtwqp.exe; 2828 asani.exe
2844 kvpyv.exe; 2764 tgnii.exe; 2612 gwhlr.exe; 1032 tvcnz.exe
2464 vxsqv.exe; 3036 ikjna.exe; 1016 vjeqj.exe; 840 flttw.exe
1552 pwrdr.exe; 2100 cjabx.exe; 1484 mlqdk.exe; 1708 znwtw.exe
876 manic.exe; 2632 zctyv.exe; 2796 jfjji.exe; 3016 vdllr.exe
2536 gdqjb.exe; 2468 sfwyv.exe; 2992 ceawf.exe; 348 siirj.exe
756 cwjgz.exe; 2392 pndji.exe; 1440 cpkyt.exe; 2012 mowwm.exe
2452 cawri.exe; 2804 oucgb.exe; 2732 yfrro.exe; 2076 lsjhu.exe
2548 vcyrh.exe; 2072 ittuy.exe; 2460 vjwwh.exe; 472 fulhu.exe
2528 ptpee.exe; 2152 zenpz.exe; 1476 muiri.exe; 2936 zlcur.exe
Suspicious use of SetWindowsHookEx (64 IoCs)
pid process (the same 64 processes that appear in the SetThreadContext and AdjustPrivilegeToken tables):
376 add093e384ff21c31aa42dc77c5a111f_JaffaCakes118.exe; 2724 oilcg.exe; 2756 knhum.exe; 2672 yaqjs.exe
1672 feaxb.exe; 2464 nmwpw.exe; 1632 xlaug.exe; 2188 hsmsy.exe
1756 rrqpj.exe; 2360 ycpug.exe; 624 lbsxp.exe; 860 vawuz.exe
1768 innkf.exe; 2744 tmspx.exe; 2624 frjkl.exe; 2908 seaar.exe
2672 cpqke.exe; 1920 msfus.exe; 3004 zfpkf.exe; 1916 mdsno.exe
1548 wrske.exe; 2356 jinnn.exe; 2392 wvfds.exe; 1748 fjxsr.exe
1484 pijxb.exe; 1988 dvbnh.exe; 2444 qtwqp.exe; 2828 asani.exe
2844 kvpyv.exe; 2764 tgnii.exe; 2612 gwhlr.exe; 1032 tvcnz.exe
2464 vxsqv.exe; 3036 ikjna.exe; 1016 vjeqj.exe; 840 flttw.exe
1552 pwrdr.exe; 2100 cjabx.exe; 1484 mlqdk.exe; 1708 znwtw.exe
876 manic.exe; 2632 zctyv.exe; 2796 jfjji.exe; 3016 vdllr.exe
2536 gdqjb.exe; 2468 sfwyv.exe; 2992 ceawf.exe; 348 siirj.exe
756 cwjgz.exe; 2392 pndji.exe; 1440 cpkyt.exe; 2012 mowwm.exe
2452 cawri.exe; 2804 oucgb.exe; 2732 yfrro.exe; 2076 lsjhu.exe
2548 vcyrh.exe; 2072 ittuy.exe; 2460 vjwwh.exe; 472 fulhu.exe
2528 ptpee.exe; 2152 zenpz.exe; 1476 muiri.exe; 2936 zlcur.exe
Suspicious use of WriteProcessMemory (64 IoCs; identical rows collapsed, repeat count in the last column; the sandbox lists at most 64 entries, so the final row is cut short)
pid  process  target pid  procid_target  count
376  add093e384ff21c31aa42dc77c5a111f_JaffaCakes118.exe  1908  30  6
1908  add093e384ff21c31aa42dc77c5a111f_JaffaCakes118.exe  2724  31  4
2724  oilcg.exe  2824  32  6
2824  oilcg.exe  2756  33  4
2756  knhum.exe  2864  34  6
2864  knhum.exe  2672  35  4
2672  yaqjs.exe  2308  36  6
2308  yaqjs.exe  1672  37  4
1672  feaxb.exe  2416  38  6
2416  feaxb.exe  2464  39  4
2464  nmwpw.exe  2692  40  6
2692  nmwpw.exe  1632  41  4
1632  xlaug.exe  3028  42  4
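Read together, the SetThreadContext and WriteProcessMemory tables show one pattern repeated per stage: a process starts a second instance of its own image, writes into it six times and sets its thread context, and that second instance then writes four times into the next five-letter executable it launches. Writing into, and redirecting execution of, a fresh copy of itself is the classic process-hollowing / self-injection shape; the report does not show the CreateProcess flags, so whether the clone was created suspended is an inference. The Python below is an added example, not part of this report: it parses the flattened rows exactly as they appear on the page (a constructed subset covering the first stages), correlates the two tables into injection pairs, and recovers the stage order by following the write edges. One caveat the full table makes necessary: PIDs are recycled during this 150 s run (2672 appears as yaqjs.exe, cpqke.exe and gwhlr.exe; 2724 as oilcg.exe and tmspx.exe), so a correlation over the whole run has to key on (pid, image) in event order rather than on pid alone; the subset used here has no reuse.

```python
"""Correlate this report's SetThreadContext and WriteProcessMemory tables into injection pairs (added example)."""
import re
from collections import Counter

SAMPLE = "add093e384ff21c31aa42dc77c5a111f_JaffaCakes118.exe"

# Row shape in the flattened tables: PID <actor> <verb> <target> <actor again> <actor image> <procid_target>
SET_CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+) (\d+) (\S+) (\d+)")
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")

# Constructed subset: the first four rows of the SetThreadContext table, verbatim.
SET_CTX_SAMPLE = (
    f"PID 376 set thread context of 1908 376 {SAMPLE} 30 "
    "PID 2724 set thread context of 2824 2724 oilcg.exe 32 "
    "PID 2756 set thread context of 2864 2756 knhum.exe 34 "
    "PID 2672 set thread context of 2308 2672 yaqjs.exe 36"
)

# Constructed subset of the WriteProcessMemory table for the same stages, compressed to
# (writer, target, writer image, procid_target, repeats); the repeat counts are the report's.
_WPM_ROWS = [
    (376, 1908, SAMPLE, 30, 6), (1908, 2724, SAMPLE, 31, 4),
    (2724, 2824, "oilcg.exe", 32, 6), (2824, 2756, "oilcg.exe", 33, 4),
    (2756, 2864, "knhum.exe", 34, 6), (2864, 2672, "knhum.exe", 35, 4),
    (2672, 2308, "yaqjs.exe", 36, 6), (2308, 1672, "yaqjs.exe", 37, 4),
]
WPM_SAMPLE = " ".join(
    f"PID {w} wrote to memory of {t} {w} {img} {pt}"
    for w, t, img, pt, n in _WPM_ROWS for _ in range(n)
)


def parse_events(text, pattern):
    """Return (actor_pid, target_pid, actor_image) per row; the repeated pid and procid_target are dropped."""
    return [(int(m.group(1)), int(m.group(2)), m.group(4)) for m in pattern.finditer(text)]


def actor_images(*event_lists):
    """Map pid -> image from every row in which that pid is the actor (first sighting wins).
    Caveat: PIDs are recycled over a long run, so on the full table key on (pid, image) in event order."""
    images = {}
    for events in event_lists:
        for pid, _, image in events:
            images.setdefault(pid, image)
    return images


def find_hollowing(set_ctx_text, wpm_text):
    """Pair each SetThreadContext row with the memory writes into the same target.
    self_clone is True when the target later acts under the injector's own image name."""
    ctx = parse_events(set_ctx_text, SET_CTX_RE)
    wpm = parse_events(wpm_text, WPM_RE)
    writes = Counter((a, t) for a, t, _ in wpm)
    images = actor_images(ctx, wpm)
    hits = []
    for injector, target, image in ctx:
        n = writes.get((injector, target), 0)
        if n == 0:
            continue  # a thread-context change without a write is a different pattern
        hits.append({"injector": injector, "target": target, "image": image,
                     "writes": n, "self_clone": images.get(target) == image})
    return hits


def stage_chain(wpm_text, root_pid):
    """Follow 'wrote to memory of' edges from the root pid to recover the stage order."""
    successor = {}
    for actor, target, _ in parse_events(wpm_text, WPM_RE):
        successor.setdefault(actor, target)
    chain, pid = [root_pid], root_pid
    while pid in successor and successor[pid] not in chain:
        pid = successor[pid]
        chain.append(pid)
    return chain


if __name__ == "__main__":
    for hit in find_hollowing(SET_CTX_SAMPLE, WPM_SAMPLE):
        print(hit)
    print(" -> ".join(map(str, stage_chain(WPM_SAMPLE, 376))))
```

The same two regexes run unchanged over the complete tables above; only `actor_images` needs the (pid, image) keying described in the lead-in once the recycled PIDs come into play.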
Processes
Each entry is the child of the entry above it; the number in parentheses is the nesting depth shown by the sandbox.

(1) C:\Users\Admin\AppData\Local\Temp\add093e384ff21c31aa42dc77c5a111f_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\add093e384ff21c31aa42dc77c5a111f_JaffaCakes118.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 376

(2) C:\Users\Admin\AppData\Local\Temp\add093e384ff21c31aa42dc77c5a111f_JaffaCakes118.exe
    command line: C:\Users\Admin\AppData\Local\Temp\add093e384ff21c31aa42dc77c5a111f_JaffaCakes118.exe
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 1908

(3) C:\Windows\SysWOW64\oilcg.exe
    command line: C:\Windows\system32\oilcg.exe 484 "C:\Users\Admin\AppData\Local\Temp\add093e384ff21c31aa42dc77c5a111f_JaffaCakes118.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2724

(4) C:\Windows\SysWOW64\oilcg.exe
    command line: C:\Windows\SysWOW64\oilcg.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 2824

(5) C:\Windows\SysWOW64\knhum.exe
    command line: C:\Windows\system32\knhum.exe 460 "C:\Windows\SysWOW64\oilcg.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2756

(6) C:\Windows\SysWOW64\knhum.exe
    command line: C:\Windows\SysWOW64\knhum.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 2864

(7) C:\Windows\SysWOW64\yaqjs.exe
    command line: C:\Windows\system32\yaqjs.exe 516 "C:\Windows\SysWOW64\knhum.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2672

(8) C:\Windows\SysWOW64\yaqjs.exe
    command line: C:\Windows\SysWOW64\yaqjs.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2308

(9) C:\Windows\SysWOW64\feaxb.exe
    command line: C:\Windows\system32\feaxb.exe 524 "C:\Windows\SysWOW64\yaqjs.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 1672

(10) C:\Windows\SysWOW64\feaxb.exe
    command line: C:\Windows\SysWOW64\feaxb.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 2416

(11) C:\Windows\SysWOW64\nmwpw.exe
    command line: C:\Windows\system32\nmwpw.exe 468 "C:\Windows\SysWOW64\feaxb.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2464

(12) C:\Windows\SysWOW64\nmwpw.exe
    command line: C:\Windows\SysWOW64\nmwpw.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 2692

(13) C:\Windows\SysWOW64\xlaug.exe
    command line: C:\Windows\system32\xlaug.exe 516 "C:\Windows\SysWOW64\nmwpw.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 1632

(14) C:\Windows\SysWOW64\xlaug.exe
    command line: C:\Windows\SysWOW64\xlaug.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 3028

(15) C:\Windows\SysWOW64\hsmsy.exe
    command line: C:\Windows\system32\hsmsy.exe 520 "C:\Windows\SysWOW64\xlaug.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 2188

(16) C:\Windows\SysWOW64\hsmsy.exe
    command line: C:\Windows\SysWOW64\hsmsy.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 2204

(17) C:\Windows\SysWOW64\rrqpj.exe
    command line: C:\Windows\system32\rrqpj.exe 528 "C:\Windows\SysWOW64\hsmsy.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of Adjust PrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 1756

(18) C:\Windows\SysWOW64\rrqpj.exe
    command line: C:\Windows\SysWOW64\rrqpj.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 564

(19) C:\Windows\SysWOW64\ycpug.exe
    command line: C:\Windows\system32\ycpug.exe 516 "C:\Windows\SysWOW64\rrqpj.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 2360

(20) C:\Windows\SysWOW64\ycpug.exe
    command line: C:\Windows\SysWOW64\ycpug.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 2564

(21) C:\Windows\SysWOW64\lbsxp.exe
    command line: C:\Windows\system32\lbsxp.exe 528 "C:\Windows\SysWOW64\ycpug.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 624

(22) C:\Windows\SysWOW64\lbsxp.exe
    command line: C:\Windows\SysWOW64\lbsxp.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 2316

(23) C:\Windows\SysWOW64\vawuz.exe
    command line: C:\Windows\system32\vawuz.exe 516 "C:\Windows\SysWOW64\lbsxp.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 860

(24) C:\Windows\SysWOW64\vawuz.exe
    command line: C:\Windows\SysWOW64\vawuz.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 1428

(25) C:\Windows\SysWOW64\innkf.exe
    command line: C:\Windows\system32\innkf.exe 516 "C:\Windows\SysWOW64\vawuz.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 1768

(26) C:\Windows\SysWOW64\innkf.exe
    command line: C:\Windows\SysWOW64\innkf.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID: 1760

(27) C:\Windows\SysWOW64\tmspx.exe
    command line: C:\Windows\system32\tmspx.exe 520 "C:\Windows\SysWOW64\innkf.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 2744

(28) C:\Windows\SysWOW64\tmspx.exe
    command line: C:\Windows\SysWOW64\tmspx.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    PID: 2724

(29) C:\Windows\SysWOW64\frjkl.exe
    command line: C:\Windows\system32\frjkl.exe 520 "C:\Windows\SysWOW64\tmspx.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 2624

(30) C:\Windows\SysWOW64\frjkl.exe
    command line: C:\Windows\SysWOW64\frjkl.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 2960

(31) C:\Windows\SysWOW64\seaar.exe
    command line: C:\Windows\system32\seaar.exe 520 "C:\Windows\SysWOW64\frjkl.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 2908

(32) C:\Windows\SysWOW64\seaar.exe
    command line: C:\Windows\SysWOW64\seaar.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 2096

(33) C:\Windows\SysWOW64\cpqke.exe
    command line: C:\Windows\system32\cpqke.exe 516 "C:\Windows\SysWOW64\seaar.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 2672

(34) C:\Windows\SysWOW64\cpqke.exe
    command line: C:\Windows\SysWOW64\cpqke.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    PID: 2092

(35) C:\Windows\SysWOW64\msfus.exe
    command line: C:\Windows\system32\msfus.exe 520 "C:\Windows\SysWOW64\cpqke.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 1920

(36) C:\Windows\SysWOW64\msfus.exe
    command line: C:\Windows\SysWOW64\msfus.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 1716

(37) C:\Windows\SysWOW64\zfpkf.exe
    command line: C:\Windows\system32\zfpkf.exe 520 "C:\Windows\SysWOW64\msfus.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 3004

(38) C:\Windows\SysWOW64\zfpkf.exe
    command line: C:\Windows\SysWOW64\zfpkf.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 1980

(39) C:\Windows\SysWOW64\mdsno.exe
    command line: C:\Windows\system32\mdsno.exe 532 "C:\Windows\SysWOW64\zfpkf.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 1916

(40) C:\Windows\SysWOW64\mdsno.exe
    command line: C:\Windows\SysWOW64\mdsno.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 3044

(41) C:\Windows\SysWOW64\wrske.exe
    command line: C:\Windows\system32\wrske.exe 520 "C:\Windows\SysWOW64\mdsno.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 1548

(42) C:\Windows\SysWOW64\wrske.exe
    command line: C:\Windows\SysWOW64\wrske.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 2208

(43) C:\Windows\SysWOW64\jinnn.exe
    command line: C:\Windows\system32\jinnn.exe 520 "C:\Windows\SysWOW64\wrske.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 2356

(44) C:\Windows\SysWOW64\jinnn.exe
    command line: C:\Windows\SysWOW64\jinnn.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    PID: 2512

(45) C:\Windows\SysWOW64\wvfds.exe
    command line: C:\Windows\system32\wvfds.exe 520 "C:\Windows\SysWOW64\jinnn.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 2392

(46) C:\Windows\SysWOW64\wvfds.exe
    command line: C:\Windows\SysWOW64\wvfds.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 1784

(47) C:\Windows\SysWOW64\fjxsr.exe
    command line: C:\Windows\system32\fjxsr.exe 516 "C:\Windows\SysWOW64\wvfds.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 1748

(48) C:\Windows\SysWOW64\fjxsr.exe
    command line: C:\Windows\SysWOW64\fjxsr.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 1504

(49) C:\Windows\SysWOW64\pijxb.exe
    command line: C:\Windows\system32\pijxb.exe 520 "C:\Windows\SysWOW64\fjxsr.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 1484

(50) C:\Windows\SysWOW64\pijxb.exe
    command line: C:\Windows\SysWOW64\pijxb.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 1764

(51) C:\Windows\SysWOW64\dvbnh.exe
    command line: C:\Windows\system32\dvbnh.exe 520 "C:\Windows\SysWOW64\pijxb.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1988 -
C:\Windows\SysWOW64\dvbnh.exeC:\Windows\SysWOW64\dvbnh.exe52⤵
- Executes dropped EXE
- Loads dropped DLL
PID:464 -
C:\Windows\SysWOW64\qtwqp.exeC:\Windows\system32\qtwqp.exe 520 "C:\Windows\SysWOW64\dvbnh.exe"53⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2444 -
C:\Windows\SysWOW64\qtwqp.exeC:\Windows\SysWOW64\qtwqp.exe54⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2504 -
C:\Windows\SysWOW64\asani.exeC:\Windows\system32\asani.exe 524 "C:\Windows\SysWOW64\qtwqp.exe"55⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2828 -
C:\Windows\SysWOW64\asani.exeC:\Windows\SysWOW64\asani.exe56⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2688 -
C:\Windows\SysWOW64\kvpyv.exeC:\Windows\system32\kvpyv.exe 520 "C:\Windows\SysWOW64\asani.exe"57⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2844 -
C:\Windows\SysWOW64\kvpyv.exeC:\Windows\SysWOW64\kvpyv.exe58⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2832 -
C:\Windows\SysWOW64\tgnii.exeC:\Windows\system32\tgnii.exe 516 "C:\Windows\SysWOW64\kvpyv.exe"59⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2764 -
C:\Windows\SysWOW64\tgnii.exeC:\Windows\SysWOW64\tgnii.exe60⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2816 -
C:\Windows\SysWOW64\gwhlr.exeC:\Windows\system32\gwhlr.exe 520 "C:\Windows\SysWOW64\tgnii.exe"61⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2612 -
C:\Windows\SysWOW64\gwhlr.exeC:\Windows\SysWOW64\gwhlr.exe62⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\tvcnz.exeC:\Windows\system32\tvcnz.exe 516 "C:\Windows\SysWOW64\gwhlr.exe"63⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1032 -
C:\Windows\SysWOW64\tvcnz.exeC:\Windows\SysWOW64\tvcnz.exe64⤵
- Executes dropped EXE
PID:1840 -
C:\Windows\SysWOW64\vxsqv.exeC:\Windows\system32\vxsqv.exe 520 "C:\Windows\SysWOW64\tvcnz.exe"65⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2464 -
C:\Windows\SysWOW64\vxsqv.exeC:\Windows\SysWOW64\vxsqv.exe66⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\ikjna.exeC:\Windows\system32\ikjna.exe 520 "C:\Windows\SysWOW64\vxsqv.exe"67⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3036 -
C:\Windows\SysWOW64\ikjna.exeC:\Windows\SysWOW64\ikjna.exe68⤵PID:2516
-
C:\Windows\SysWOW64\vjeqj.exeC:\Windows\system32\vjeqj.exe 520 "C:\Windows\SysWOW64\ikjna.exe"69⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1016 -
C:\Windows\SysWOW64\vjeqj.exeC:\Windows\SysWOW64\vjeqj.exe70⤵PID:2492
-
C:\Windows\SysWOW64\flttw.exeC:\Windows\system32\flttw.exe 520 "C:\Windows\SysWOW64\vjeqj.exe"71⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:840 -
C:\Windows\SysWOW64\flttw.exeC:\Windows\SysWOW64\flttw.exe72⤵PID:2404
-
C:\Windows\SysWOW64\pwrdr.exeC:\Windows\system32\pwrdr.exe 520 "C:\Windows\SysWOW64\flttw.exe"73⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1552 -
C:\Windows\SysWOW64\pwrdr.exeC:\Windows\SysWOW64\pwrdr.exe74⤵PID:980
-
C:\Windows\SysWOW64\cjabx.exeC:\Windows\system32\cjabx.exe 520 "C:\Windows\SysWOW64\pwrdr.exe"75⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2100 -
C:\Windows\SysWOW64\cjabx.exeC:\Windows\SysWOW64\cjabx.exe76⤵PID:2348
-
C:\Windows\SysWOW64\mlqdk.exeC:\Windows\system32\mlqdk.exe 516 "C:\Windows\SysWOW64\cjabx.exe"77⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1484 -
C:\Windows\SysWOW64\mlqdk.exeC:\Windows\SysWOW64\mlqdk.exe78⤵PID:1996
-
C:\Windows\SysWOW64\znwtw.exeC:\Windows\system32\znwtw.exe 520 "C:\Windows\SysWOW64\mlqdk.exe"79⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1708 -
C:\Windows\SysWOW64\znwtw.exeC:\Windows\SysWOW64\znwtw.exe80⤵PID:2952
-
C:\Windows\SysWOW64\manic.exeC:\Windows\system32\manic.exe 520 "C:\Windows\SysWOW64\znwtw.exe"81⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:876 -
C:\Windows\SysWOW64\manic.exeC:\Windows\SysWOW64\manic.exe82⤵PID:3020
-
C:\Windows\SysWOW64\zctyv.exeC:\Windows\system32\zctyv.exe 520 "C:\Windows\SysWOW64\manic.exe"83⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2632 -
C:\Windows\SysWOW64\zctyv.exeC:\Windows\SysWOW64\zctyv.exe84⤵PID:2644
-
C:\Windows\SysWOW64\jfjji.exeC:\Windows\system32\jfjji.exe 520 "C:\Windows\SysWOW64\zctyv.exe"85⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2796 -
C:\Windows\SysWOW64\jfjji.exeC:\Windows\SysWOW64\jfjji.exe86⤵PID:2384
-
C:\Windows\SysWOW64\vdllr.exeC:\Windows\system32\vdllr.exe 516 "C:\Windows\SysWOW64\jfjji.exe"87⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3016 -
C:\Windows\SysWOW64\vdllr.exeC:\Windows\SysWOW64\vdllr.exe88⤵PID:1044
-
C:\Windows\SysWOW64\gdqjb.exeC:\Windows\system32\gdqjb.exe 516 "C:\Windows\SysWOW64\vdllr.exe"89⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2536 -
C:\Windows\SysWOW64\gdqjb.exeC:\Windows\SysWOW64\gdqjb.exe90⤵PID:2224
-
C:\Windows\SysWOW64\sfwyv.exeC:\Windows\system32\sfwyv.exe 520 "C:\Windows\SysWOW64\gdqjb.exe"91⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2468 -
C:\Windows\SysWOW64\sfwyv.exeC:\Windows\SysWOW64\sfwyv.exe92⤵
- Drops file in System32 directory
PID:1616 -
C:\Windows\SysWOW64\ceawf.exeC:\Windows\system32\ceawf.exe 520 "C:\Windows\SysWOW64\sfwyv.exe"93⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2992 -
C:\Windows\SysWOW64\ceawf.exeC:\Windows\SysWOW64\ceawf.exe94⤵PID:2892
-
C:\Windows\SysWOW64\siirj.exeC:\Windows\system32\siirj.exe 532 "C:\Windows\SysWOW64\ceawf.exe"95⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:348 -
C:\Windows\SysWOW64\siirj.exeC:\Windows\SysWOW64\siirj.exe96⤵PID:544
-
C:\Windows\SysWOW64\cwjgz.exeC:\Windows\system32\cwjgz.exe 520 "C:\Windows\SysWOW64\siirj.exe"97⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:756 -
C:\Windows\SysWOW64\cwjgz.exeC:\Windows\SysWOW64\cwjgz.exe98⤵PID:1600
-
C:\Windows\SysWOW64\pndji.exeC:\Windows\system32\pndji.exe 520 "C:\Windows\SysWOW64\cwjgz.exe"99⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2392 -
C:\Windows\SysWOW64\pndji.exeC:\Windows\SysWOW64\pndji.exe100⤵PID:1212
-
C:\Windows\SysWOW64\cpkyt.exeC:\Windows\system32\cpkyt.exe 516 "C:\Windows\SysWOW64\pndji.exe"101⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1440 -
C:\Windows\SysWOW64\cpkyt.exeC:\Windows\SysWOW64\cpkyt.exe102⤵PID:1740
-
C:\Windows\SysWOW64\mowwm.exeC:\Windows\system32\mowwm.exe 536 "C:\Windows\SysWOW64\cpkyt.exe"103⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2012 -
C:\Windows\SysWOW64\mowwm.exeC:\Windows\SysWOW64\mowwm.exe104⤵PID:1596
-
C:\Windows\SysWOW64\cawri.exeC:\Windows\system32\cawri.exe 520 "C:\Windows\SysWOW64\mowwm.exe"105⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2452 -
C:\Windows\SysWOW64\cawri.exeC:\Windows\SysWOW64\cawri.exe106⤵PID:2740
-
C:\Windows\SysWOW64\oucgb.exeC:\Windows\system32\oucgb.exe 520 "C:\Windows\SysWOW64\cawri.exe"107⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2804 -
C:\Windows\SysWOW64\oucgb.exeC:\Windows\SysWOW64\oucgb.exe108⤵PID:1312
-
C:\Windows\SysWOW64\yfrro.exeC:\Windows\system32\yfrro.exe 536 "C:\Windows\SysWOW64\oucgb.exe"109⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2732 -
C:\Windows\SysWOW64\yfrro.exeC:\Windows\SysWOW64\yfrro.exe110⤵PID:2684
-
C:\Windows\SysWOW64\lsjhu.exeC:\Windows\system32\lsjhu.exe 516 "C:\Windows\SysWOW64\yfrro.exe"111⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2076 -
C:\Windows\SysWOW64\lsjhu.exeC:\Windows\SysWOW64\lsjhu.exe112⤵PID:2872
-
C:\Windows\SysWOW64\vcyrh.exeC:\Windows\system32\vcyrh.exe 520 "C:\Windows\SysWOW64\lsjhu.exe"113⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2548 -
C:\Windows\SysWOW64\vcyrh.exeC:\Windows\SysWOW64\vcyrh.exe114⤵PID:1228
-
C:\Windows\SysWOW64\ittuy.exeC:\Windows\system32\ittuy.exe 516 "C:\Windows\SysWOW64\vcyrh.exe"115⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2072 -
C:\Windows\SysWOW64\ittuy.exeC:\Windows\SysWOW64\ittuy.exe116⤵PID:1944
-
C:\Windows\SysWOW64\vjwwh.exeC:\Windows\system32\vjwwh.exe 520 "C:\Windows\SysWOW64\ittuy.exe"117⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2460 -
C:\Windows\SysWOW64\vjwwh.exeC:\Windows\SysWOW64\vjwwh.exe118⤵PID:1032
-
C:\Windows\SysWOW64\fulhu.exeC:\Windows\system32\fulhu.exe 516 "C:\Windows\SysWOW64\vjwwh.exe"119⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:472 -
C:\Windows\SysWOW64\fulhu.exeC:\Windows\SysWOW64\fulhu.exe120⤵PID:2456
-
C:\Windows\SysWOW64\ptpee.exeC:\Windows\system32\ptpee.exe 516 "C:\Windows\SysWOW64\fulhu.exe"121⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2528 -
C:\Windows\SysWOW64\ptpee.exeC:\Windows\SysWOW64\ptpee.exe122⤵PID:2396
-