Analysis
max time kernel: 150s
max time network: 126s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 28-11-2024 15:42
Static task: static1
Behavioral task: behavioral1
  Sample: acd2661a71a229c77c63cb260657e995_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: acd2661a71a229c77c63cb260657e995_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: acd2661a71a229c77c63cb260657e995_JaffaCakes118.exe
Size: 320KB
MD5: acd2661a71a229c77c63cb260657e995
SHA1: 8d6190883e231a946abd5c03822b85ff8c16f2b7
SHA256: f283e2639468c3343b59de6d939db0cca34bb9351c3c213c02165ff70bf052cf
SHA512: 9362c7d22bc78a6ae351d0771be9e1a4739a4557a4991c97ce4990cea16035dfb110dff1ce8362b55e0e3e184f617321e59c5428f42e6d7641d0cf419c7b9639
SSDEEP: 6144:kfiSMzzsnQ3WL24QFzF77OjcJEVSj090xrG8i6obi1:kfrMzzsnGWyEcCK1rG8HoA
Malware Config
Extracted (metasploit): encoder/call4_dword_xor
Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Metasploit family
Executes dropped EXE (64 IoCs)
pid   Process
2752  htawi.exe
2612  htawi.exe
536   obwxd.exe
1048  obwxd.exe
2060  yaaun.exe
2128  yaaun.exe
2460  gbzuc.exe
2684  gbzuc.exe
2656  lvfcn.exe
688   lvfcn.exe
1928  vfcma.exe
2468  vfcma.exe
2096  ckezs.exe
996   ckezs.exe
2580  njqxc.exe
2200  njqxc.exe
1652  zzlal.exe
1792  zzlal.exe
1704  mygct.exe
2204  mygct.exe
2452  wehar.exe
884   wehar.exe
1728  jzypx.exe
2664  jzypx.exe
3044  tycni.exe
2704  tycni.exe
896   gofpq.exe
1488  gofpq.exe
2272  qzval.exe
2404  qzval.exe
2988  buvkt.exe
2368  buvkt.exe
2792  nocae.exe
2932  nocae.exe
644   xzrka.exe
1324  xzrka.exe
1288  kmaag.exe
3032  kmaag.exe
1524  uxqkt.exe
1628  uxqkt.exe
408   eznvg.exe
1144  eznvg.exe
1200  oyrsy.exe
2428  oyrsy.exe
1188  bljie.exe
2280  bljie.exe
2268  lwysr.exe
1568  lwysr.exe
2912  ymtva.exe
1100  ymtva.exe
2860  ixifv.exe
2652  ixifv.exe
1816  vkavb.exe
2680  vkavb.exe
1500  ibvyk.exe
896   ibvyk.exe
2012  slkix.exe
2068  slkix.exe
2520  coits.exe
1972  coits.exe
2676  pjriy.exe
1976  pjriy.exe
2116  zidgi.exe
2448  zidgi.exe
Loads dropped DLL (64 IoCs)
pid   Process
2904  acd2661a71a229c77c63cb260657e995_JaffaCakes118.exe
2904  acd2661a71a229c77c63cb260657e995_JaffaCakes118.exe
2752  htawi.exe
2612  htawi.exe
2612  htawi.exe
536   obwxd.exe
1048  obwxd.exe
1048  obwxd.exe
2060  yaaun.exe
2128  yaaun.exe
2128  yaaun.exe
2460  gbzuc.exe
2684  gbzuc.exe
2684  gbzuc.exe
2656  lvfcn.exe
688   lvfcn.exe
688   lvfcn.exe
1928  vfcma.exe
2468  vfcma.exe
2468  vfcma.exe
996   ckezs.exe
996   ckezs.exe
2200  njqxc.exe
2200  njqxc.exe
1792  zzlal.exe
1792  zzlal.exe
2204  mygct.exe
2204  mygct.exe
884   wehar.exe
884   wehar.exe
2664  jzypx.exe
2664  jzypx.exe
2704  tycni.exe
2704  tycni.exe
1488  gofpq.exe
1488  gofpq.exe
2404  qzval.exe
2404  qzval.exe
2368  buvkt.exe
2368  buvkt.exe
2932  nocae.exe
2932  nocae.exe
1324  xzrka.exe
1324  xzrka.exe
3032  kmaag.exe
3032  kmaag.exe
1628  uxqkt.exe
1628  uxqkt.exe
1144  eznvg.exe
1144  eznvg.exe
2428  oyrsy.exe
2428  oyrsy.exe
2280  bljie.exe
2280  bljie.exe
1568  lwysr.exe
1568  lwysr.exe
1100  ymtva.exe
1100  ymtva.exe
2652  ixifv.exe
2652  ixifv.exe
2680  vkavb.exe
2680  vkavb.exe
896   ibvyk.exe
896   ibvyk.exe
Drops file in System32 directory (64 IoCs)
description                   ioc                             Process
File created                  C:\Windows\SysWOW64\cgeak.exe   pijxb.exe
File created                  C:\Windows\SysWOW64\gwhlr.exe   xtsae.exe
File opened for modification  C:\Windows\SysWOW64\jckkm.exe   zruar.exe
File created                  C:\Windows\SysWOW64\jbtap.exe   Process not Found
File opened for modification  C:\Windows\SysWOW64\tycni.exe   jzypx.exe
File created                  C:\Windows\SysWOW64\zkdns.exe   qhndf.exe
File opened for modification  C:\Windows\SysWOW64\rbehl.exe   iudsv.exe
File created                  C:\Windows\SysWOW64\vvvvd.exe   fqvaz.exe
File opened for modification  C:\Windows\SysWOW64\wlkbe.exe   jyaly.exe
File created                  C:\Windows\SysWOW64\ggvtj.exe   stddd.exe
File opened for modification  C:\Windows\SysWOW64\oewlo.exe   bgbif.exe
File created                  C:\Windows\SysWOW64\qtwqp.exe   cgeak.exe
File opened for modification  C:\Windows\SysWOW64\aqgjn.exe   nvwth.exe
File opened for modification  C:\Windows\SysWOW64\rbdok.exe   hzoew.exe
File created                  C:\Windows\SysWOW64\qzval.exe   gofpq.exe
File opened for modification  C:\Windows\SysWOW64\iyfqa.exe   vhcnr.exe
File opened for modification  C:\Windows\SysWOW64\rlpjo.exe   eygti.exe
File created                  C:\Windows\SysWOW64\xlxsg.exe   nxfdq.exe
File opened for modification  C:\Windows\SysWOW64\aqrnf.exe   Process not Found
File created                  C:\Windows\SysWOW64\yydwh.exe   owgmu.exe
File opened for modification  C:\Windows\SysWOW64\imraa.exe   vriku.exe
File opened for modification  C:\Windows\SysWOW64\klxvn.exe   xjroc.exe
File opened for modification  C:\Windows\SysWOW64\ldkla.exe   hbwwo.exe
File created                  C:\Windows\SysWOW64\qgkql.exe   atjvp.exe
File created                  C:\Windows\SysWOW64\qfdcu.exe   Process not Found
File opened for modification  C:\Windows\SysWOW64\kmaag.exe   xzrka.exe
File opened for modification  C:\Windows\SysWOW64\jokhl.exe   tckmp.exe
File opened for modification  C:\Windows\SysWOW64\nrksi.exe   lomhv.exe
File opened for modification  C:\Windows\SysWOW64\vplkn.exe   levza.exe
File opened for modification  C:\Windows\SysWOW64\orlzg.exe   barxx.exe
File created                  C:\Windows\SysWOW64\dlsar.exe   Process not Found
File created                  C:\Windows\SysWOW64\cdfxc.exe   pnkut.exe
File opened for modification  C:\Windows\SysWOW64\ozbya.exe   elbjk.exe
File created                  C:\Windows\SysWOW64\bljqi.exe   ouona.exe
File opened for modification  C:\Windows\SysWOW64\mgfzb.exe   csejd.exe
File created                  C:\Windows\SysWOW64\erfpo.exe   rwwzi.exe
File created                  C:\Windows\SysWOW64\jojxr.exe   tkjcn.exe
File created                  C:\Windows\SysWOW64\ybfoi.exe   ldkla.exe
File opened for modification  C:\Windows\SysWOW64\eukze.exe   rwhwv.exe
File created                  C:\Windows\SysWOW64\fqgpm.exe   vgqmz.exe
File created                  C:\Windows\SysWOW64\mupap.exe   zhxcj.exe
File opened for modification  C:\Windows\SysWOW64\xktul.exe   Process not Found
File opened for modification  C:\Windows\SysWOW64\rulsp.exe   eeipg.exe
File opened for modification  C:\Windows\SysWOW64\vknxp.exe   jukug.exe
File created                  C:\Windows\SysWOW64\zbzbz.exe   Process not Found
File created                  C:\Windows\SysWOW64\cyfqy.exe   Process not Found
File created                  C:\Windows\SysWOW64\bznhj.exe   oisfa.exe
File opened for modification  C:\Windows\SysWOW64\ntnec.exe   adsct.exe
File opened for modification  C:\Windows\SysWOW64\uuotx.exe   fpnyb.exe
File opened for modification  C:\Windows\SysWOW64\ittuy.exe   vgjek.exe
File opened for modification  C:\Windows\SysWOW64\zsynw.exe   Process not Found
File opened for modification  C:\Windows\SysWOW64\mitqf.exe   Process not Found
File opened for modification  C:\Windows\SysWOW64\bljie.exe   oyrsy.exe
File opened for modification  C:\Windows\SysWOW64\ergwl.exe   Process not Found
File opened for modification  C:\Windows\SysWOW64\inrmd.exe   Process not Found
File created                  C:\Windows\SysWOW64\tdfpd.exe   Process not Found
File created                  C:\Windows\SysWOW64\njqxc.exe   ckezs.exe
File created                  C:\Windows\SysWOW64\rlpjo.exe   eygti.exe
File opened for modification  C:\Windows\SysWOW64\diexc.exe   qoxhq.exe
File created                  C:\Windows\SysWOW64\eueen.exe   Process not Found
File created                  C:\Windows\SysWOW64\hkxge.exe   Process not Found
File opened for modification  C:\Windows\SysWOW64\knvuj.exe   Process not Found
File created                  C:\Windows\SysWOW64\bljie.exe   oyrsy.exe
File created                  C:\Windows\SysWOW64\rmkpv.exe   fopmn.exe
Suspicious use of SetThreadContext (64 IoCs)
description                          pid   Process                                              procid_target
PID 2968 set thread context of 2904  2968  acd2661a71a229c77c63cb260657e995_JaffaCakes118.exe  30
PID 2752 set thread context of 2612  2752  htawi.exe  32
PID 536 set thread context of 1048   536   obwxd.exe  34
PID 2060 set thread context of 2128  2060  yaaun.exe  36
PID 2460 set thread context of 2684  2460  gbzuc.exe  38
PID 2656 set thread context of 688   2656  lvfcn.exe  40
PID 1928 set thread context of 2468  1928  vfcma.exe  42
PID 2096 set thread context of 996   2096  ckezs.exe  44
PID 2580 set thread context of 2200  2580  njqxc.exe  46
PID 1652 set thread context of 1792  1652  zzlal.exe  48
PID 1704 set thread context of 2204  1704  mygct.exe  50
PID 2452 set thread context of 884   2452  wehar.exe  52
PID 1728 set thread context of 2664  1728  jzypx.exe  54
PID 3044 set thread context of 2704  3044  tycni.exe  56
PID 896 set thread context of 1488   896   gofpq.exe  58
PID 2272 set thread context of 2404  2272  qzval.exe  60
PID 2988 set thread context of 2368  2988  buvkt.exe  62
PID 2792 set thread context of 2932  2792  nocae.exe  64
PID 644 set thread context of 1324   644   xzrka.exe  66
PID 1288 set thread context of 3032  1288  kmaag.exe  68
PID 1524 set thread context of 1628  1524  uxqkt.exe  70
PID 408 set thread context of 1144   408   eznvg.exe  72
PID 1200 set thread context of 2428  1200  oyrsy.exe  74
PID 1188 set thread context of 2280  1188  bljie.exe  76
PID 2268 set thread context of 1568  2268  lwysr.exe  78
PID 2860 set thread context of 2652  2860  ixifv.exe  82
PID 1816 set thread context of 2680  1816  vkavb.exe  84
PID 1500 set thread context of 896   1500  ibvyk.exe  86
PID 2012 set thread context of 2068  2012  slkix.exe  88
PID 2520 set thread context of 1972  2520  coits.exe  90
PID 2676 set thread context of 1976  2676  pjriy.exe  92
PID 2116 set thread context of 2448  2116  zidgi.exe  94
PID 2356 set thread context of 1856  2356  myyir.exe  96
PID 2096 set thread context of 2112  2096  wjnte.exe  98
PID 1068 set thread context of 2580  1068  glddz.exe  100
PID 1160 set thread context of 1280  1160  tkggi.exe  102
PID 1188 set thread context of 2052  1188  gxpwo.exe  104
PID 2756 set thread context of 2276  2756  qafgb.exe  106
PID 1840 set thread context of 2616  1840  azrdt.exe  108
PID 2452 set thread context of 2788  2452  nbxtf.exe  110
PID 572 set thread context of 988    572   xabqp.exe  112
PID 2132 set thread context of 936   2132  kvsgv.exe  114
PID 2108 set thread context of 2920  2108  uxirq.exe  116
PID 2832 set thread context of 2596  2832  eixbd.exe  118
PID 1404 set thread context of 2084  1404  rvprj.exe  120
PID 1928 set thread context of 2208  1928  byebw.exe  122
PID 2140 set thread context of 2372  2140  lxiyp.exe  124
PID 2960 set thread context of 2552  2960  yzooa.exe  126
PID 1720 set thread context of 1200  1720  lxrrj.exe  128
PID 348 set thread context of 1748   348   yomus.exe  130
PID 2044 set thread context of 1712  2044  cehwa.exe  132
PID 2968 set thread context of 1744  2968  mpehv.exe  134
PID 2784 set thread context of 2860  2784  zfzje.exe  136
PID 2892 set thread context of 2752  2892  jqomr.exe  138
PID 840 set thread context of 2336   840   wdgjx.exe  140
PID 2108 set thread context of 2712  2108  gfvms.exe  142
PID 2812 set thread context of 2716  2812  tafjy.exe  144
PID 1164 set thread context of 1600  1164  ddcul.exe  146
PID 2232 set thread context of 1260  2232  qtxxu.exe  148
PID 2004 set thread context of 1940  2004  aemzh.exe  150
PID 3008 set thread context of 708   3008  nvhcy.exe  152
PID 2564 set thread context of 1704  2564  atkeg.exe  154
PID 2072 set thread context of 2756  2072  kwzpt.exe  156
PID 2964 set thread context of 2556  2964  xjjez.exe  158
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened (all 64 entries)
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (all 64 entries)
Process (in logged order):
rdpuw.exe, chpvc.exe, smgsk.exe, xpklu.exe, npgol.exe, jjqde.exe, hgxbh.exe, itvin.exe, hlwsh.exe, Process not Found,
gycah.exe, qqpit.exe, oordz.exe, Process not Found, Process not Found, gcsjz.exe, jtftm.exe, xtsae.exe, vfmik.exe, Process not Found,
Process not Found, Process not Found, Process not Found, wkivv.exe, uvxjs.exe, Process not Found, Process not Found, Process not Found, lzygk.exe, fksnb.exe,
jefww.exe, Process not Found, lxrrj.exe, vznkd.exe, zklxm.exe, ypjue.exe, ptenl.exe, Process not Found, Process not Found, gofpq.exe,
ostbe.exe, enfjh.exe, olyxl.exe, cpoci.exe, jefww.exe, Process not Found, Process not Found, dgopr.exe, wxijx.exe, Process not Found,
eznvg.exe, Process not Found, byebw.exe, rqbtb.exe, mkakk.exe, Process not Found, Process not Found, Process not Found, vfcma.exe, uxqkt.exe,
aovwu.exe, ycbga.exe, Process not Found, Process not Found
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description: Token: SeDebugPrivilege (all 64 entries)
pid   Process
2968  acd2661a71a229c77c63cb260657e995_JaffaCakes118.exe
2752  htawi.exe
536   obwxd.exe
2060  yaaun.exe
2460  gbzuc.exe
2656  lvfcn.exe
1928  vfcma.exe
2096  ckezs.exe
2580  njqxc.exe
1652  zzlal.exe
1704  mygct.exe
2452  wehar.exe
1728  jzypx.exe
3044  tycni.exe
896   gofpq.exe
2272  qzval.exe
2988  buvkt.exe
2792  nocae.exe
644   xzrka.exe
1288  kmaag.exe
1524  uxqkt.exe
408   eznvg.exe
1200  oyrsy.exe
1188  bljie.exe
2268  lwysr.exe
2860  ixifv.exe
1816  vkavb.exe
1500  ibvyk.exe
2012  slkix.exe
2520  coits.exe
2676  pjriy.exe
2116  zidgi.exe
2356  myyir.exe
2096  wjnte.exe
1068  glddz.exe
1160  tkggi.exe
1188  gxpwo.exe
2756  qafgb.exe
1840  azrdt.exe
2452  nbxtf.exe
572   xabqp.exe
2132  kvsgv.exe
2108  uxirq.exe
2832  eixbd.exe
1404  rvprj.exe
1928  byebw.exe
2140  lxiyp.exe
2960  yzooa.exe
1720  lxrrj.exe
348   yomus.exe
2044  cehwa.exe
2968  mpehv.exe
2784  zfzje.exe
2892  jqomr.exe
840   wdgjx.exe
2108  gfvms.exe
2812  tafjy.exe
1164  ddcul.exe
2232  qtxxu.exe
2004  aemzh.exe
3008  nvhcy.exe
2564  atkeg.exe
2072  kwzpt.exe
2964  xjjez.exe
Suspicious use of SetWindowsHookEx (64 IoCs)
pid   Process
2968  acd2661a71a229c77c63cb260657e995_JaffaCakes118.exe
2752  htawi.exe
536   obwxd.exe
2060  yaaun.exe
2460  gbzuc.exe
2656  lvfcn.exe
1928  vfcma.exe
2096  ckezs.exe
2580  njqxc.exe
1652  zzlal.exe
1704  mygct.exe
2452  wehar.exe
1728  jzypx.exe
3044  tycni.exe
896   gofpq.exe
2272  qzval.exe
2988  buvkt.exe
2792  nocae.exe
644   xzrka.exe
1288  kmaag.exe
1524  uxqkt.exe
408   eznvg.exe
1200  oyrsy.exe
1188  bljie.exe
2268  lwysr.exe
2860  ixifv.exe
1816  vkavb.exe
1500  ibvyk.exe
2012  slkix.exe
2520  coits.exe
2676  pjriy.exe
2116  zidgi.exe
2356  myyir.exe
2096  wjnte.exe
1068  glddz.exe
1160  tkggi.exe
1188  gxpwo.exe
2756  qafgb.exe
1840  azrdt.exe
2452  nbxtf.exe
572   xabqp.exe
2132  kvsgv.exe
2108  uxirq.exe
2832  eixbd.exe
1404  rvprj.exe
1928  byebw.exe
2140  lxiyp.exe
2960  yzooa.exe
1720  lxrrj.exe
348   yomus.exe
2044  cehwa.exe
2968  mpehv.exe
2784  zfzje.exe
2892  jqomr.exe
840   wdgjx.exe
2108  gfvms.exe
2812  tafjy.exe
1164  ddcul.exe
2232  qtxxu.exe
2004  aemzh.exe
3008  nvhcy.exe
2564  atkeg.exe
2072  kwzpt.exe
2964  xjjez.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description                        pid   Process                                              procid_target  (times logged)
PID 2968 wrote to memory of 2904   2968  acd2661a71a229c77c63cb260657e995_JaffaCakes118.exe  30             6
PID 2904 wrote to memory of 2752   2904  acd2661a71a229c77c63cb260657e995_JaffaCakes118.exe  31             4
PID 2752 wrote to memory of 2612   2752  htawi.exe  32  6
PID 2612 wrote to memory of 536    2612  htawi.exe  33  4
PID 536 wrote to memory of 1048    536   obwxd.exe  34  6
PID 1048 wrote to memory of 2060   1048  obwxd.exe  35  4
PID 2060 wrote to memory of 2128   2060  yaaun.exe  36  6
PID 2128 wrote to memory of 2460   2128  yaaun.exe  37  4
PID 2460 wrote to memory of 2684   2460  gbzuc.exe  38  6
PID 2684 wrote to memory of 2656   2684  gbzuc.exe  39  4
PID 2656 wrote to memory of 688    2656  lvfcn.exe  40  6
PID 688 wrote to memory of 1928    688   lvfcn.exe  41  4
PID 1928 wrote to memory of 2468   1928  vfcma.exe  42  4
Processes

C:\Users\Admin\AppData\Local\Temp\acd2661a71a229c77c63cb260657e995_JaffaCakes118.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\acd2661a71a229c77c63cb260657e995_JaffaCakes118.exe"
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2968
C:\Users\Admin\AppData\Local\Temp\acd2661a71a229c77c63cb260657e995_JaffaCakes118.exe (depth 2)
Command line: C:\Users\Admin\AppData\Local\Temp\acd2661a71a229c77c63cb260657e995_JaffaCakes118.exe
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2904
C:\Windows\SysWOW64\htawi.exe (depth 3)
Command line: C:\Windows\system32\htawi.exe 472 "C:\Users\Admin\AppData\Local\Temp\acd2661a71a229c77c63cb260657e995_JaffaCakes118.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2752
C:\Windows\SysWOW64\htawi.exe (depth 4)
Command line: C:\Windows\SysWOW64\htawi.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2612
C:\Windows\SysWOW64\obwxd.exe (depth 5)
Command line: C:\Windows\system32\obwxd.exe 520 "C:\Windows\SysWOW64\htawi.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 536
C:\Windows\SysWOW64\obwxd.exe (depth 6)
Command line: C:\Windows\SysWOW64\obwxd.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1048
C:\Windows\SysWOW64\yaaun.exe (depth 7)
Command line: C:\Windows\system32\yaaun.exe 528 "C:\Windows\SysWOW64\obwxd.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2060
C:\Windows\SysWOW64\yaaun.exe (depth 8)
Command line: C:\Windows\SysWOW64\yaaun.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2128
C:\Windows\SysWOW64\gbzuc.exe (depth 9)
Command line: C:\Windows\system32\gbzuc.exe 452 "C:\Windows\SysWOW64\yaaun.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2460
C:\Windows\SysWOW64\gbzuc.exe (depth 10)
Command line: C:\Windows\SysWOW64\gbzuc.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2684
C:\Windows\SysWOW64\lvfcn.exe (depth 11)
Command line: C:\Windows\system32\lvfcn.exe 528 "C:\Windows\SysWOW64\gbzuc.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2656
C:\Windows\SysWOW64\lvfcn.exe (depth 12)
Command line: C:\Windows\SysWOW64\lvfcn.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 688
C:\Windows\SysWOW64\vfcma.exe (depth 13)
Command line: C:\Windows\system32\vfcma.exe 528 "C:\Windows\SysWOW64\lvfcn.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1928
C:\Windows\SysWOW64\vfcma.exe (depth 14)
Command line: C:\Windows\SysWOW64\vfcma.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 2468
C:\Windows\SysWOW64\ckezs.exe (depth 15)
Command line: C:\Windows\system32\ckezs.exe 452 "C:\Windows\SysWOW64\vfcma.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 2096
C:\Windows\SysWOW64\ckezs.exe (depth 16)
Command line: C:\Windows\SysWOW64\ckezs.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 996
C:\Windows\SysWOW64\njqxc.exe (depth 17)
Command line: C:\Windows\system32\njqxc.exe 452 "C:\Windows\SysWOW64\ckezs.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 2580
C:\Windows\SysWOW64\njqxc.exe (depth 18)
Command line: C:\Windows\SysWOW64\njqxc.exe
- Executes dropped EXE
- Loads dropped DLL
PID: 2200
C:\Windows\SysWOW64\zzlal.exe (depth 19)
Command line: C:\Windows\system32\zzlal.exe 520 "C:\Windows\SysWOW64\njqxc.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 1652
C:\Windows\SysWOW64\zzlal.exe (depth 20)
Command line: C:\Windows\SysWOW64\zzlal.exe
- Executes dropped EXE
- Loads dropped DLL
PID: 1792
C:\Windows\SysWOW64\mygct.exe (depth 21)
Command line: C:\Windows\system32\mygct.exe 528 "C:\Windows\SysWOW64\zzlal.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 1704
C:\Windows\SysWOW64\mygct.exe (depth 22)
Command line: C:\Windows\SysWOW64\mygct.exe
- Executes dropped EXE
- Loads dropped DLL
PID: 2204
C:\Windows\SysWOW64\wehar.exe (depth 23)
Command line: C:\Windows\system32\wehar.exe 528 "C:\Windows\SysWOW64\mygct.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 2452
C:\Windows\SysWOW64\wehar.exe (depth 24)
Command line: C:\Windows\SysWOW64\wehar.exe
- Executes dropped EXE
- Loads dropped DLL
PID: 884
C:\Windows\SysWOW64\jzypx.exe (depth 25)
Command line: C:\Windows\system32\jzypx.exe 528 "C:\Windows\SysWOW64\wehar.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 1728
C:\Windows\SysWOW64\jzypx.exe (depth 26)
Command line: C:\Windows\SysWOW64\jzypx.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 2664
C:\Windows\SysWOW64\tycni.exe (depth 27)
Command line: C:\Windows\system32\tycni.exe 528 "C:\Windows\SysWOW64\jzypx.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 3044
C:\Windows\SysWOW64\tycni.exe (depth 28)
Command line: C:\Windows\SysWOW64\tycni.exe
- Executes dropped EXE
- Loads dropped DLL
PID: 2704
C:\Windows\SysWOW64\gofpq.exe (depth 29)
Command line: C:\Windows\system32\gofpq.exe 528 "C:\Windows\SysWOW64\tycni.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 896
C:\Windows\SysWOW64\gofpq.exe (depth 30)
Command line: C:\Windows\SysWOW64\gofpq.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 1488
C:\Windows\SysWOW64\qzval.exe (depth 31)
Command line: C:\Windows\system32\qzval.exe 528 "C:\Windows\SysWOW64\gofpq.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 2272
C:\Windows\SysWOW64\qzval.exe (depth 32)
Command line: C:\Windows\SysWOW64\qzval.exe
- Executes dropped EXE
- Loads dropped DLL
PID: 2404
C:\Windows\SysWOW64\buvkt.exe (depth 33)
Command line: C:\Windows\system32\buvkt.exe 532 "C:\Windows\SysWOW64\qzval.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 2988
C:\Windows\SysWOW64\buvkt.exe (depth 34)
Command line: C:\Windows\SysWOW64\buvkt.exe
- Executes dropped EXE
- Loads dropped DLL
PID: 2368
C:\Windows\SysWOW64\nocae.exe (depth 35)
Command line: C:\Windows\system32\nocae.exe 536 "C:\Windows\SysWOW64\buvkt.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 2792
C:\Windows\SysWOW64\nocae.exe (depth 36)
Command line: C:\Windows\SysWOW64\nocae.exe
- Executes dropped EXE
- Loads dropped DLL
PID: 2932
C:\Windows\SysWOW64\xzrka.exe (depth 37)
Command line: C:\Windows\system32\xzrka.exe 528 "C:\Windows\SysWOW64\nocae.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 644
C:\Windows\SysWOW64\xzrka.exe (depth 38)
Command line: C:\Windows\SysWOW64\xzrka.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 1324
C:\Windows\SysWOW64\kmaag.exe (depth 39)
Command line: C:\Windows\system32\kmaag.exe 528 "C:\Windows\SysWOW64\xzrka.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 1288
C:\Windows\SysWOW64\kmaag.exeC:\Windows\SysWOW64\kmaag.exe40⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3032 -
C:\Windows\SysWOW64\uxqkt.exeC:\Windows\system32\uxqkt.exe 528 "C:\Windows\SysWOW64\kmaag.exe"41⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1524 -
C:\Windows\SysWOW64\uxqkt.exeC:\Windows\SysWOW64\uxqkt.exe42⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1628 -
C:\Windows\SysWOW64\eznvg.exeC:\Windows\system32\eznvg.exe 532 "C:\Windows\SysWOW64\uxqkt.exe"43⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:408 -
C:\Windows\SysWOW64\eznvg.exeC:\Windows\SysWOW64\eznvg.exe44⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1144 -
C:\Windows\SysWOW64\oyrsy.exeC:\Windows\system32\oyrsy.exe 528 "C:\Windows\SysWOW64\eznvg.exe"45⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1200 -
C:\Windows\SysWOW64\oyrsy.exeC:\Windows\SysWOW64\oyrsy.exe46⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2428 -
C:\Windows\SysWOW64\bljie.exeC:\Windows\system32\bljie.exe 532 "C:\Windows\SysWOW64\oyrsy.exe"47⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1188 -
C:\Windows\SysWOW64\bljie.exeC:\Windows\SysWOW64\bljie.exe48⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2280 -
C:\Windows\SysWOW64\lwysr.exeC:\Windows\system32\lwysr.exe 536 "C:\Windows\SysWOW64\bljie.exe"49⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2268 -
C:\Windows\SysWOW64\lwysr.exeC:\Windows\SysWOW64\lwysr.exe50⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1568 -
C:\Windows\SysWOW64\ymtva.exeC:\Windows\system32\ymtva.exe 528 "C:\Windows\SysWOW64\lwysr.exe"51⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\ymtva.exeC:\Windows\SysWOW64\ymtva.exe52⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1100 -
C:\Windows\SysWOW64\ixifv.exeC:\Windows\system32\ixifv.exe 528 "C:\Windows\SysWOW64\ymtva.exe"53⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2860 -
C:\Windows\SysWOW64\ixifv.exeC:\Windows\SysWOW64\ixifv.exe54⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2652 -
C:\Windows\SysWOW64\vkavb.exeC:\Windows\system32\vkavb.exe 532 "C:\Windows\SysWOW64\ixifv.exe"55⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1816 -
C:\Windows\SysWOW64\vkavb.exeC:\Windows\SysWOW64\vkavb.exe56⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2680 -
C:\Windows\SysWOW64\ibvyk.exeC:\Windows\system32\ibvyk.exe 528 "C:\Windows\SysWOW64\vkavb.exe"57⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1500 -
C:\Windows\SysWOW64\ibvyk.exeC:\Windows\SysWOW64\ibvyk.exe58⤵
- Executes dropped EXE
- Loads dropped DLL
PID:896 -
C:\Windows\SysWOW64\slkix.exeC:\Windows\system32\slkix.exe 528 "C:\Windows\SysWOW64\ibvyk.exe"59⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2012 -
C:\Windows\SysWOW64\slkix.exeC:\Windows\SysWOW64\slkix.exe60⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\coits.exeC:\Windows\system32\coits.exe 528 "C:\Windows\SysWOW64\slkix.exe"61⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2520 -
C:\Windows\SysWOW64\coits.exeC:\Windows\SysWOW64\coits.exe62⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\pjriy.exeC:\Windows\system32\pjriy.exe 528 "C:\Windows\SysWOW64\coits.exe"63⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2676 -
C:\Windows\SysWOW64\pjriy.exeC:\Windows\SysWOW64\pjriy.exe64⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\zidgi.exeC:\Windows\system32\zidgi.exe 528 "C:\Windows\SysWOW64\pjriy.exe"65⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2116 -
C:\Windows\SysWOW64\zidgi.exeC:\Windows\SysWOW64\zidgi.exe66⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\myyir.exeC:\Windows\system32\myyir.exe 528 "C:\Windows\SysWOW64\zidgi.exe"67⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2356 -
C:\Windows\SysWOW64\myyir.exeC:\Windows\SysWOW64\myyir.exe68⤵PID:1856
-
C:\Windows\SysWOW64\wjnte.exeC:\Windows\system32\wjnte.exe 528 "C:\Windows\SysWOW64\myyir.exe"69⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2096 -
C:\Windows\SysWOW64\wjnte.exeC:\Windows\SysWOW64\wjnte.exe70⤵PID:2112
-
C:\Windows\SysWOW64\glddz.exeC:\Windows\system32\glddz.exe 528 "C:\Windows\SysWOW64\wjnte.exe"71⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1068 -
C:\Windows\SysWOW64\glddz.exeC:\Windows\SysWOW64\glddz.exe72⤵PID:2580
-
C:\Windows\SysWOW64\tkggi.exeC:\Windows\system32\tkggi.exe 532 "C:\Windows\SysWOW64\glddz.exe"73⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1160 -
C:\Windows\SysWOW64\tkggi.exeC:\Windows\SysWOW64\tkggi.exe74⤵PID:1280
-
C:\Windows\SysWOW64\gxpwo.exeC:\Windows\system32\gxpwo.exe 528 "C:\Windows\SysWOW64\tkggi.exe"75⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1188 -
C:\Windows\SysWOW64\gxpwo.exeC:\Windows\SysWOW64\gxpwo.exe76⤵PID:2052
-
C:\Windows\SysWOW64\qafgb.exeC:\Windows\system32\qafgb.exe 528 "C:\Windows\SysWOW64\gxpwo.exe"77⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2756 -
C:\Windows\SysWOW64\qafgb.exeC:\Windows\SysWOW64\qafgb.exe78⤵PID:2276
-
C:\Windows\SysWOW64\azrdt.exeC:\Windows\system32\azrdt.exe 528 "C:\Windows\SysWOW64\qafgb.exe"79⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1840 -
C:\Windows\SysWOW64\azrdt.exeC:\Windows\SysWOW64\azrdt.exe80⤵PID:2616
-
C:\Windows\SysWOW64\nbxtf.exeC:\Windows\system32\nbxtf.exe 528 "C:\Windows\SysWOW64\azrdt.exe"81⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2452 -
C:\Windows\SysWOW64\nbxtf.exeC:\Windows\SysWOW64\nbxtf.exe82⤵PID:2788
-
C:\Windows\SysWOW64\xabqp.exeC:\Windows\system32\xabqp.exe 528 "C:\Windows\SysWOW64\nbxtf.exe"83⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:572 -
C:\Windows\SysWOW64\xabqp.exeC:\Windows\SysWOW64\xabqp.exe84⤵PID:988
-
C:\Windows\SysWOW64\kvsgv.exeC:\Windows\system32\kvsgv.exe 528 "C:\Windows\SysWOW64\xabqp.exe"85⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2132 -
C:\Windows\SysWOW64\kvsgv.exeC:\Windows\SysWOW64\kvsgv.exe86⤵PID:936
-
C:\Windows\SysWOW64\uxirq.exeC:\Windows\system32\uxirq.exe 528 "C:\Windows\SysWOW64\kvsgv.exe"87⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2108 -
C:\Windows\SysWOW64\uxirq.exeC:\Windows\SysWOW64\uxirq.exe88⤵PID:2920
-
C:\Windows\SysWOW64\eixbd.exeC:\Windows\system32\eixbd.exe 528 "C:\Windows\SysWOW64\uxirq.exe"89⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2832 -
C:\Windows\SysWOW64\eixbd.exeC:\Windows\SysWOW64\eixbd.exe90⤵PID:2596
-
C:\Windows\SysWOW64\rvprj.exeC:\Windows\system32\rvprj.exe 532 "C:\Windows\SysWOW64\eixbd.exe"91⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1404 -
C:\Windows\SysWOW64\rvprj.exeC:\Windows\SysWOW64\rvprj.exe92⤵PID:2084
-
C:\Windows\SysWOW64\byebw.exeC:\Windows\system32\byebw.exe 528 "C:\Windows\SysWOW64\rvprj.exe"93⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1928 -
C:\Windows\SysWOW64\byebw.exeC:\Windows\SysWOW64\byebw.exe94⤵PID:2208
-
C:\Windows\SysWOW64\lxiyp.exeC:\Windows\system32\lxiyp.exe 528 "C:\Windows\SysWOW64\byebw.exe"95⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2140 -
C:\Windows\SysWOW64\lxiyp.exeC:\Windows\SysWOW64\lxiyp.exe96⤵PID:2372
-
C:\Windows\SysWOW64\yzooa.exeC:\Windows\system32\yzooa.exe 528 "C:\Windows\SysWOW64\lxiyp.exe"97⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2960 -
C:\Windows\SysWOW64\yzooa.exeC:\Windows\SysWOW64\yzooa.exe98⤵PID:2552
-
C:\Windows\SysWOW64\lxrrj.exeC:\Windows\system32\lxrrj.exe 528 "C:\Windows\SysWOW64\yzooa.exe"99⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1720 -
C:\Windows\SysWOW64\lxrrj.exeC:\Windows\SysWOW64\lxrrj.exe100⤵
- System Location Discovery: System Language Discovery
PID:1200 -
C:\Windows\SysWOW64\yomus.exeC:\Windows\system32\yomus.exe 528 "C:\Windows\SysWOW64\lxrrj.exe"101⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:348 -
C:\Windows\SysWOW64\yomus.exeC:\Windows\SysWOW64\yomus.exe102⤵PID:1748
-
C:\Windows\SysWOW64\cehwa.exeC:\Windows\system32\cehwa.exe 528 "C:\Windows\SysWOW64\yomus.exe"103⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2044 -
C:\Windows\SysWOW64\cehwa.exeC:\Windows\SysWOW64\cehwa.exe104⤵PID:1712
-
C:\Windows\SysWOW64\mpehv.exeC:\Windows\system32\mpehv.exe 528 "C:\Windows\SysWOW64\cehwa.exe"105⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2968 -
C:\Windows\SysWOW64\mpehv.exeC:\Windows\SysWOW64\mpehv.exe106⤵PID:1744
-
C:\Windows\SysWOW64\zfzje.exeC:\Windows\system32\zfzje.exe 528 "C:\Windows\SysWOW64\mpehv.exe"107⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2784 -
C:\Windows\SysWOW64\zfzje.exeC:\Windows\SysWOW64\zfzje.exe108⤵PID:2860
-
C:\Windows\SysWOW64\jqomr.exeC:\Windows\system32\jqomr.exe 528 "C:\Windows\SysWOW64\zfzje.exe"109⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2892 -
C:\Windows\SysWOW64\jqomr.exeC:\Windows\SysWOW64\jqomr.exe110⤵PID:2752
-
C:\Windows\SysWOW64\wdgjx.exeC:\Windows\system32\wdgjx.exe 536 "C:\Windows\SysWOW64\jqomr.exe"111⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:840 -
C:\Windows\SysWOW64\wdgjx.exeC:\Windows\SysWOW64\wdgjx.exe112⤵PID:2336
-
C:\Windows\SysWOW64\gfvms.exeC:\Windows\system32\gfvms.exe 532 "C:\Windows\SysWOW64\wdgjx.exe"113⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2108 -
C:\Windows\SysWOW64\gfvms.exeC:\Windows\SysWOW64\gfvms.exe114⤵PID:2712
-
C:\Windows\SysWOW64\tafjy.exeC:\Windows\system32\tafjy.exe 532 "C:\Windows\SysWOW64\gfvms.exe"115⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2812 -
C:\Windows\SysWOW64\tafjy.exeC:\Windows\SysWOW64\tafjy.exe116⤵PID:2716
-
C:\Windows\SysWOW64\ddcul.exeC:\Windows\system32\ddcul.exe 520 "C:\Windows\SysWOW64\tafjy.exe"117⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1164 -
C:\Windows\SysWOW64\ddcul.exeC:\Windows\SysWOW64\ddcul.exe118⤵PID:1600
-
C:\Windows\SysWOW64\qtxxu.exeC:\Windows\system32\qtxxu.exe 528 "C:\Windows\SysWOW64\ddcul.exe"119⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2232 -
C:\Windows\SysWOW64\qtxxu.exeC:\Windows\SysWOW64\qtxxu.exe120⤵PID:1260
-
C:\Windows\SysWOW64\aemzh.exeC:\Windows\system32\aemzh.exe 528 "C:\Windows\SysWOW64\qtxxu.exe"121⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2004 -
C:\Windows\SysWOW64\aemzh.exeC:\Windows\SysWOW64\aemzh.exe122⤵PID:1940