Analysis

max time kernel: 150s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-11-2024 15:42
Static task: static1
Behavioral task: behavioral1
  Sample: acd2661a71a229c77c63cb260657e995_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: acd2661a71a229c77c63cb260657e995_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General

Target: acd2661a71a229c77c63cb260657e995_JaffaCakes118.exe
Size: 320KB
MD5: acd2661a71a229c77c63cb260657e995
SHA1: 8d6190883e231a946abd5c03822b85ff8c16f2b7
SHA256: f283e2639468c3343b59de6d939db0cca34bb9351c3c213c02165ff70bf052cf
SHA512: 9362c7d22bc78a6ae351d0771be9e1a4739a4557a4991c97ce4990cea16035dfb110dff1ce8362b55e0e3e184f617321e59c5428f42e6d7641d0cf419c7b9639
SSDEEP: 6144:kfiSMzzsnQ3WL24QFzF77OjcJEVSj090xrG8i6obi1:kfrMzzsnGWyEcCK1rG8HoA
Malware Config

Extracted: metasploit
  encoder: encoder/call4_dword_xor
Signatures

MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Metasploit family
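The extracted config names the Metasploit x86 encoder call4_dword_xor. The Python below is an added example, not Metasploit's code and not anything recovered from this sample: it rebuilds the encoder's 24-byte decoder stub from its instruction sequence, applies the dword XOR, and then does the two things a responder actually wants from that knowledge, namely locate the stub in an arbitrary buffer (the file on disk, a memory dump of PID 1316 or of one of the SysWOW64 drops) and statically recover the cleartext by doing what the stub does at run time. Assumptions: the two-byte counter clear at the start is taken as `sub ecx, ecx` (Metasploit can pick another clearing sequence when badchars forbid those bytes, so loosen the first two bytes of the pattern if a dump does not match); only the `sub ecx, imm8` counter form is modelled, which covers payloads up to 512 bytes; the 0x90 padding and the random key search are this example's own choices; SAMPLE_PAYLOAD is a constructed stand-in, not shellcode.

```python
import random
import re
import struct
from typing import List, Optional, Tuple

# Layout of the decoder stub emitted by Metasploit's x86/call4_dword_xor encoder
# (?? = per-payload bytes: loop count and the 4-byte key):
#   29 c9                  sub  ecx, ecx        ; zero the counter (this clear is an
#                                               ;   assumption; it varies with badchars)
#   83 e9 ??               sub  ecx, -N         ; ecx = N = number of dwords to decode
#   e8 ff ff ff ff         call $+4             ; pushes the address of stub+10
#      ff c0               inc  eax             ; shares its first byte with the call
#   5e                     pop  esi             ; esi = stub+10
#   81 76 0e ?? ?? ?? ??   xor  dword [esi+0x0e], key   ; first target is stub+24
#   83 ee fc               sub  esi, -4         ; esi += 4
#   e2 f4                  loop xor_xor         ; ecx -= 1, repeat while ecx != 0
STUB_LEN = 24
STUB_RE = re.compile(
    rb"\x29\xc9\x83\xe9(.)\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e(.{4})\x83\xee\xfc\xe2\xf4",
    re.DOTALL,
)


def build_stub(dword_count: int, key: bytes) -> bytes:
    """Assemble the 24-byte stub for a payload of dword_count dwords."""
    # 'sub ecx, imm8' sign-extends, so this short form covers at most 128 dwords (512 bytes);
    # Metasploit emits a longer counter setup beyond that, which this example does not model.
    if not 1 <= dword_count <= 128:
        raise ValueError("payload must be 1..512 bytes for the imm8 stub form")
    if len(key) != 4:
        raise ValueError("key must be exactly 4 bytes")
    return (
        b"\x29\xc9"                                      # sub ecx, ecx
        + b"\x83\xe9" + struct.pack("<b", -dword_count)  # sub ecx, -N
        + b"\xe8\xff\xff\xff\xff"                        # call $+4
        + b"\xc0"                                        # (ff) c0: inc eax
        + b"\x5e"                                        # pop esi
        + b"\x81\x76\x0e" + key                          # xor dword [esi+0x0e], key
        + b"\x83\xee\xfc"                                # sub esi, -4
        + b"\xe2\xf4"                                    # loop xor_xor
    )


def xor_dwords(data: bytes, key: bytes) -> bytes:
    """XOR each 4-byte block of data with key; the same call encodes and decodes."""
    if len(data) % 4:
        raise ValueError("data length must be a multiple of 4")
    return bytes(b ^ key[i % 4] for i, b in enumerate(data))


def find_key(padded: bytes, badchars: bytes, rng: random.Random) -> bytes:
    """Pick a 4-byte key so that neither the key nor the encoded body contains a badchar.
    Random trials are this example's choice; Metasploit's XOR encoders do their own search."""
    bad = set(badchars)
    for _ in range(10_000):
        key = bytes(rng.getrandbits(8) for _ in range(4))
        if not bad.intersection(key) and not bad.intersection(xor_dwords(padded, key)):
            return key
    raise RuntimeError("no key avoids the given badchars")


def encode(payload: bytes, badchars: bytes = b"", key: Optional[bytes] = None, seed: int = 0) -> bytes:
    """Return stub + encoded payload. Padding to a dword boundary with 0x90 is an assumption
    of this example; the stub's own fixed bytes (0xff, 0xe8, ...) are not checked against badchars."""
    padded = payload + b"\x90" * ((-len(payload)) % 4)
    if key is None:
        key = find_key(padded, badchars, random.Random(seed))
    return build_stub(len(padded) // 4, key) + xor_dwords(padded, key)


def find_stubs(buf: bytes) -> List[Tuple[int, int, bytes]]:
    """Scan a buffer for stubs; returns (offset, dword_count, key) per hit.
    A non-negative imm8 would make 'sub ecx' underflow rather than count, so those are skipped."""
    hits = []
    for m in STUB_RE.finditer(buf):
        count = -struct.unpack("<b", m.group(1))[0]   # ecx = 0 - imm8
        if count > 0:
            hits.append((m.start(), count, m.group(2)))
    return hits


def decode_at(buf: bytes, offset: int) -> bytes:
    """Do statically what the stub at buf[offset] does at run time: XOR `count` dwords after it."""
    m = STUB_RE.match(buf, offset)
    if m is None:
        raise ValueError("no call4_dword_xor stub at that offset")
    count = -struct.unpack("<b", m.group(1))[0]
    start = offset + STUB_LEN
    body = buf[start:start + 4 * count]
    if count <= 0 or len(body) != 4 * count:
        raise ValueError("stub counter invalid or buffer truncated before the payload ends")
    return xor_dwords(body, m.group(2))


# Constructed stand-in for a payload (not shellcode): 30 bytes, so two bytes of padding.
SAMPLE_PAYLOAD = bytes(range(0x41, 0x41 + 30))


if __name__ == "__main__":
    blob = b"\x90" * 7 + encode(SAMPLE_PAYLOAD, badchars=b"\x00\x0a\x0d") + b"\xcc" * 3
    for off, count, key in find_stubs(blob):
        print(f"stub @{off}: {count} dwords, key {key.hex()}, payload {decode_at(blob, off).hex()}")
```

The scanner keys on the stub's fixed bytes and treats the counter and key as wildcards, which is also the shape of the usual AV/YARA pattern for this encoder; the count it extracts tells you exactly how many bytes after the stub are the encoded body, so the recovered payload can be carved without guessing its length.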
Executes dropped EXE (64 IoCs)
  pid  process         pid  process         pid  process         pid  process
  1556 gibxi.exe       1724 gibxi.exe       2864 ojaxw.exe       4636 ojaxw.exe
  3684 wbzxd.exe       3060 wbzxd.exe       3392 bosfw.exe       5044 bosfw.exe
  4020 gfnif.exe       3412 gfnif.exe       2180 oqxig.exe       3492 oqxig.exe
  2408 vylaa.exe       4028 vylaa.exe       4964 gumti.exe       2272 gumti.exe
  3532 nywyz.exe       2924 nywyz.exe       5040 qbzvm.exe       1288 qbzvm.exe
  4948 bwsot.exe        540 bwsot.exe       3712 lohly.exe       1892 lohly.exe
  1512 thgln.exe       1772 thgln.exe       3992 tlcwv.exe       3584 tlcwv.exe
  4444 vrihk.exe       2436 vrihk.exe       5096 eheuw.exe       3508 eheuw.exe
  1128 gcgxr.exe       4556 gcgxr.exe       2888 ladff.exe       4452 ladff.exe
  3204 teoso.exe       4708 teoso.exe       4152 grxhu.exe       2040 grxhu.exe
  2064 ixlsj.exe       3444 ixlsj.exe       3416 nzuna.exe       4116 nzuna.exe
  2868 vztng.exe        740 vztng.exe       2060 jmkdm.exe        464 jmkdm.exe
  4488 wzcts.exe       3224 wzcts.exe       3516 gvvdi.exe       4412 gvvdi.exe
  2784 ndqdu.exe       2108 ndqdu.exe       3280 bqata.exe       3100 bqata.exe
  1316 lipym.exe       1080 lipym.exe       4780 wdqju.exe       3536 wdqju.exe
  3932 gcuge.exe       3684 gcuge.exe       2920 qvkmr.exe       4768 qvkmr.exe
Drops file in System32 directory (64 IoCs)
  description                    ioc                             process
  File opened for modification   C:\Windows\SysWOW64\zmmpl.exe   mdfmi.exe
  File opened for modification   C:\Windows\SysWOW64\vbdwl.exe   lczqb.exe
  File opened for modification   C:\Windows\SysWOW64\pkyne.exe   eetvc.exe
  File created                   C:\Windows\SysWOW64\lfrhj.exe   bgekz.exe
  File created                   C:\Windows\SysWOW64\jmkdm.exe   vztng.exe
  File opened for modification   C:\Windows\SysWOW64\qddsd.exe   gtoiq.exe
  File opened for modification   C:\Windows\SysWOW64\zgzyu.exe   pkyne.exe
  File created                   C:\Windows\SysWOW64\vgazu.exe   itjkp.exe
  File opened for modification   C:\Windows\SysWOW64\sgvfy.exe   ivgdd.exe
  File created                   C:\Windows\SysWOW64\hkyim.exe   fwvfr.exe
  File created                   C:\Windows\SysWOW64\jlvvc.exe   htdyk.exe
  File created                   C:\Windows\SysWOW64\vsjuy.exe   Process not Found
  File opened for modification   C:\Windows\SysWOW64\qyoap.exe   igpaa.exe
  File created                   C:\Windows\SysWOW64\xgngq.exe   mnyjl.exe
  File created                   C:\Windows\SysWOW64\ocvxi.exe   pxlky.exe
  File opened for modification   C:\Windows\SysWOW64\xztul.exe   napwa.exe
  File opened for modification   C:\Windows\SysWOW64\coult.exe   stttl.exe
  File created                   C:\Windows\SysWOW64\gtoiq.exe   tgwsk.exe
  File created                   C:\Windows\SysWOW64\zpxvi.exe   ofipd.exe
  File opened for modification   C:\Windows\SysWOW64\dxkmy.exe   qkbws.exe
  File opened for modification   C:\Windows\SysWOW64\gldkp.exe   Process not Found
  File created                   C:\Windows\SysWOW64\sejho.exe   iiioy.exe
  File opened for modification   C:\Windows\SysWOW64\vlzpe.exe   nhpkv.exe
  File opened for modification   C:\Windows\SysWOW64\xkoyo.exe   fsnfu.exe
  File opened for modification   C:\Windows\SysWOW64\qkmzj.exe   gswue.exe
  File created                   C:\Windows\SysWOW64\bgekz.exe   qkmzj.exe
  File opened for modification   C:\Windows\SysWOW64\papke.exe   Process not Found
  File opened for modification   C:\Windows\SysWOW64\ckwin.exe   vdjqt.exe
  File opened for modification   C:\Windows\SysWOW64\guyjr.exe   twwgi.exe
  File opened for modification   C:\Windows\SysWOW64\fcjnq.exe   shzyl.exe
  File opened for modification   C:\Windows\SysWOW64\ocrgc.exe   ekcjx.exe
  File created                   C:\Windows\SysWOW64\oqxig.exe   gfnif.exe
  File created                   C:\Windows\SysWOW64\kleng.exe   apddy.exe
  File opened for modification   C:\Windows\SysWOW64\didrc.exe   eaizi.exe
  File opened for modification   C:\Windows\SysWOW64\ybtrl.exe   ofsgd.exe
  File opened for modification   C:\Windows\SysWOW64\lukha.exe   Process not Found
  File opened for modification   C:\Windows\SysWOW64\vwcen.exe   ggqwg.exe
  File opened for modification   C:\Windows\SysWOW64\adwhi.exe   pidos.exe
  File opened for modification   C:\Windows\SysWOW64\qnohv.exe   dsfrp.exe
  File created                   C:\Windows\SysWOW64\gsibp.exe   sikqm.exe
  File opened for modification   C:\Windows\SysWOW64\dmcyv.exe   Process not Found
  File opened for modification   C:\Windows\SysWOW64\iwfxv.exe   Process not Found
  File opened for modification   C:\Windows\SysWOW64\thgln.exe   lohly.exe
  File opened for modification   C:\Windows\SysWOW64\ndvho.exe   aqmri.exe
  File opened for modification   C:\Windows\SysWOW64\fwvfr.exe   mpsna.exe
  File opened for modification   C:\Windows\SysWOW64\lwbzy.exe   bxxbn.exe
  File created                   C:\Windows\SysWOW64\ahihw.exe   reswi.exe
  File created                   C:\Windows\SysWOW64\pmdsp.exe   pmcfd.exe
  File opened for modification   C:\Windows\SysWOW64\bkcne.exe   ljffl.exe
  File opened for modification   C:\Windows\SysWOW64\scecd.exe   iglsv.exe
  File opened for modification   C:\Windows\SysWOW64\adxnm.exe   Process not Found
  File created                   C:\Windows\SysWOW64\mnyjl.exe   coult.exe
  File created                   C:\Windows\SysWOW64\kymlv.exe   zclbn.exe
  File opened for modification   C:\Windows\SysWOW64\wzcts.exe   jmkdm.exe
  File opened for modification   C:\Windows\SysWOW64\vmqba.exe   krqis.exe
  File created                   C:\Windows\SysWOW64\cbjbi.exe   uxzwz.exe
  File opened for modification   C:\Windows\SysWOW64\qslco.exe   gwkkg.exe
  File opened for modification   C:\Windows\SysWOW64\itjkp.exe   yufme.exe
  File created                   C:\Windows\SysWOW64\qbpna.exe   itung.exe
  File created                   C:\Windows\SysWOW64\aoxoq.exe   Process not Found
  File created                   C:\Windows\SysWOW64\avpns.exe   qzpdk.exe
  File opened for modification   C:\Windows\SysWOW64\ucsoi.exe   jgrwa.exe
  File created                   C:\Windows\SysWOW64\uhrpf.exe   jwcss.exe
  File opened for modification   C:\Windows\SysWOW64\ycpic.exe   rvtqq.exe
Suspicious use of SetThreadContext (64 IoCs)
  description               pid   process
  set thread context of 0   1316  acd2661a71a229c77c63cb260657e995_JaffaCakes118.exe   (64 identical entries)
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (the same key in all 64 entries)
  process, in report order:
    rdizd.exe, aodwv.exe, zgsxk.exe, ywiyi.exe, lkycb.exe, Process not Found, Process not Found, kzyol.exe,
    rsgeu.exe, iylaf.exe, pfhdp.exe, rggyb.exe, ylgzt.exe, Process not Found, Process not Found, ggqwg.exe,
    jngdz.exe, ofsgd.exe, vlzpe.exe, fthkk.exe, jvenp.exe, ywrnx.exe, iqqxd.exe, elibt.exe,
    iylaf.exe, bqata.exe, aycvf.exe, bofhv.exe, hljoz.exe, zpxem.exe, qnohv.exe, onrzk.exe,
    Process not Found, gibxi.exe, lczqb.exe, Process not Found, zgikb.exe, thgln.exe, ekqvc.exe, gctzq.exe,
    tpgci.exe, wisge.exe, gmpvf.exe, mqwxm.exe, gcevb.exe, kkets.exe, ydbei.exe, bradx.exe,
    Process not Found, rsrti.exe, yxzns.exe, dlnnn.exe, bgekz.exe, gibxi.exe, bqata.exe, uevri.exe,
    krxqo.exe, xwvmj.exe, reswi.exe, Process not Found, kzxrp.exe, ocvxi.exe, yvpnf.exe, ndqdu.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token: SeDebugPrivilege in every entry; pid and process:
  1316 acd2661a71a229c77c63cb260657e995_JaffaCakes118.exe
  1556 gibxi.exe   2864 ojaxw.exe   3684 wbzxd.exe   3392 bosfw.exe
  4020 gfnif.exe   2180 oqxig.exe   2408 vylaa.exe   4964 gumti.exe
  3532 nywyz.exe   5040 qbzvm.exe   4948 bwsot.exe   3712 lohly.exe
  1512 thgln.exe   1260 twere.exe   3992 tlcwv.exe   4444 vrihk.exe
  5096 eheuw.exe   1128 gcgxr.exe   2888 ladff.exe   3204 teoso.exe
  4152 grxhu.exe   2064 ixlsj.exe   3416 nzuna.exe   2868 vztng.exe
  2060 jmkdm.exe   4488 wzcts.exe   3516 gvvdi.exe   2784 ndqdu.exe
  3280 bqata.exe   1316 lipym.exe   4780 wdqju.exe   3932 gcuge.exe
  2920 qvkmr.exe    532 afhwe.exe   3292 lmlpg.exe   3660 vwbzc.exe
   312 ggqwg.exe   2488 vwcen.exe   2788 dbmsx.exe   2060 otcpk.exe
  5020 qvrzx.exe   2708 dfxka.exe   3352 nekik.exe   1052 ywrnx.exe
  1432 lyfvi.exe   1964 vuynq.exe   1352 geolv.exe   2016 qzpdk.exe
  2496 avpns.exe   4908 nizdy.exe   4964 xsonl.exe   4472 lfgdr.exe
  5040 qpoyh.exe   3664 akprp.exe   4928 lufwc.exe   1336 vmutg.exe
  4740 fmyrr.exe     64 nqjei.exe   1804 vutrs.exe    636 dvsrg.exe
   228 nfhpl.exe   4448 aszfr.exe   2600 ihmfl.exe
Suspicious use of SetWindowsHookEx (64 IoCs)
  pid and process:
  1316 acd2661a71a229c77c63cb260657e995_JaffaCakes118.exe
  1556 gibxi.exe   2864 ojaxw.exe   3684 wbzxd.exe   3392 bosfw.exe
  4020 gfnif.exe   2180 oqxig.exe   2408 vylaa.exe   4964 gumti.exe
  3532 nywyz.exe   5040 qbzvm.exe   4948 bwsot.exe   3712 lohly.exe
  1512 thgln.exe   1260 twere.exe   3992 tlcwv.exe   4444 vrihk.exe
  5096 eheuw.exe   1128 gcgxr.exe   2888 ladff.exe   3204 teoso.exe
  4152 grxhu.exe   2064 ixlsj.exe   3416 nzuna.exe   2868 vztng.exe
  2060 jmkdm.exe   4488 wzcts.exe   3516 gvvdi.exe   2784 ndqdu.exe
  3280 bqata.exe   1316 lipym.exe   4780 wdqju.exe   3932 gcuge.exe
  2920 qvkmr.exe    532 afhwe.exe   3292 lmlpg.exe   3660 vwbzc.exe
   312 ggqwg.exe   2488 vwcen.exe   2788 dbmsx.exe   2060 otcpk.exe
  5020 qvrzx.exe   2708 dfxka.exe   3352 nekik.exe   1052 ywrnx.exe
  1432 lyfvi.exe   1964 vuynq.exe   1352 geolv.exe   2016 qzpdk.exe
  2496 avpns.exe   4908 nizdy.exe   4964 xsonl.exe   4472 lfgdr.exe
  5040 qpoyh.exe   3664 akprp.exe   4928 lufwc.exe   1336 vmutg.exe
  4740 fmyrr.exe     64 nqjei.exe   1804 vutrs.exe    636 dvsrg.exe
   228 nfhpl.exe   4448 aszfr.exe   2600 ihmfl.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  pid   wrote to memory of   process                                              procid_target   identical rows
  1316  1720                 acd2661a71a229c77c63cb260657e995_JaffaCakes118.exe   83              5
  1720  1556                 acd2661a71a229c77c63cb260657e995_JaffaCakes118.exe   84              3
  1556  1724                 gibxi.exe                                            85              5
  1724  2864                 gibxi.exe                                            86              3
  2864  4636                 ojaxw.exe                                            87              5
  4636  3684                 ojaxw.exe                                            88              3
  3684  3060                 wbzxd.exe                                            89              5
  3060  3392                 wbzxd.exe                                            90              3
  3392  5044                 bosfw.exe                                            91              5
  5044  4020                 bosfw.exe                                            92              3
  4020  3412                 gfnif.exe                                            93              5
  3412  2180                 gfnif.exe                                            94              3
  2180  3492                 oqxig.exe                                            95              5
  3492  2408                 oqxig.exe                                            98              3
  2408  4028                 vylaa.exe                                            99              5
  4028  4964                 vylaa.exe                                            100             3
Processes

Each entry at depth d+1 is a child of the entry at depth d.

depth 1   PID 1316  C:\Users\Admin\AppData\Local\Temp\acd2661a71a229c77c63cb260657e995_JaffaCakes118.exe
  cmdline:    "C:\Users\Admin\AppData\Local\Temp\acd2661a71a229c77c63cb260657e995_JaffaCakes118.exe"
  signatures: Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
depth 2   PID 1720  C:\Users\Admin\AppData\Local\Temp\acd2661a71a229c77c63cb260657e995_JaffaCakes118.exe
  cmdline:    C:\Users\Admin\AppData\Local\Temp\acd2661a71a229c77c63cb260657e995_JaffaCakes118.exe
  signatures: Suspicious use of WriteProcessMemory
depth 3   PID 1556  C:\Windows\SysWOW64\gibxi.exe
  cmdline:    C:\Windows\system32\gibxi.exe 1000 "C:\Users\Admin\AppData\Local\Temp\acd2661a71a229c77c63cb260657e995_JaffaCakes118.exe"
  signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
depth 4   PID 1724  C:\Windows\SysWOW64\gibxi.exe
  cmdline:    C:\Windows\SysWOW64\gibxi.exe
  signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
depth 5   PID 2864  C:\Windows\SysWOW64\ojaxw.exe
  cmdline:    C:\Windows\system32\ojaxw.exe 1148 "C:\Windows\SysWOW64\gibxi.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
depth 6   PID 4636  C:\Windows\SysWOW64\ojaxw.exe
  cmdline:    C:\Windows\SysWOW64\ojaxw.exe
  signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
depth 7   PID 3684  C:\Windows\SysWOW64\wbzxd.exe
  cmdline:    C:\Windows\system32\wbzxd.exe 1096 "C:\Windows\SysWOW64\ojaxw.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
depth 8   PID 3060  C:\Windows\SysWOW64\wbzxd.exe
  cmdline:    C:\Windows\SysWOW64\wbzxd.exe
  signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
depth 9   PID 3392  C:\Windows\SysWOW64\bosfw.exe
  cmdline:    C:\Windows\system32\bosfw.exe 1044 "C:\Windows\SysWOW64\wbzxd.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
depth 10  PID 5044  C:\Windows\SysWOW64\bosfw.exe
  cmdline:    C:\Windows\SysWOW64\bosfw.exe
  signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
depth 11  PID 4020  C:\Windows\SysWOW64\gfnif.exe
  cmdline:    C:\Windows\system32\gfnif.exe 1016 "C:\Windows\SysWOW64\bosfw.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
depth 12  PID 3412  C:\Windows\SysWOW64\gfnif.exe
  cmdline:    C:\Windows\SysWOW64\gfnif.exe
  signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
depth 13  PID 2180  C:\Windows\SysWOW64\oqxig.exe
  cmdline:    C:\Windows\system32\oqxig.exe 1016 "C:\Windows\SysWOW64\gfnif.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
depth 14  PID 3492  C:\Windows\SysWOW64\oqxig.exe
  cmdline:    C:\Windows\SysWOW64\oqxig.exe
  signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
depth 15  PID 2408  C:\Windows\SysWOW64\vylaa.exe
  cmdline:    C:\Windows\system32\vylaa.exe 1016 "C:\Windows\SysWOW64\oqxig.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
depth 16  PID 4028  C:\Windows\SysWOW64\vylaa.exe
  cmdline:    C:\Windows\SysWOW64\vylaa.exe
  signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
depth 17  PID 4964  C:\Windows\SysWOW64\gumti.exe
  cmdline:    C:\Windows\system32\gumti.exe 1028 "C:\Windows\SysWOW64\vylaa.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
depth 18  PID 2272  C:\Windows\SysWOW64\gumti.exe
  cmdline:    C:\Windows\SysWOW64\gumti.exe
  signatures: Executes dropped EXE
depth 19  PID 3532  C:\Windows\SysWOW64\nywyz.exe
  cmdline:    C:\Windows\system32\nywyz.exe 1032 "C:\Windows\SysWOW64\gumti.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
depth 20  PID 2924  C:\Windows\SysWOW64\nywyz.exe
  cmdline:    C:\Windows\SysWOW64\nywyz.exe
  signatures: Executes dropped EXE
depth 21  PID 5040  C:\Windows\SysWOW64\qbzvm.exe
  cmdline:    C:\Windows\system32\qbzvm.exe 1044 "C:\Windows\SysWOW64\nywyz.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
depth 22  PID 1288  C:\Windows\SysWOW64\qbzvm.exe
  cmdline:    C:\Windows\SysWOW64\qbzvm.exe
  signatures: Executes dropped EXE
depth 23  PID 4948  C:\Windows\SysWOW64\bwsot.exe
  cmdline:    C:\Windows\system32\bwsot.exe 1152 "C:\Windows\SysWOW64\qbzvm.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
depth 24  PID 540   C:\Windows\SysWOW64\bwsot.exe
  cmdline:    C:\Windows\SysWOW64\bwsot.exe
  signatures: Executes dropped EXE
depth 25  PID 3712  C:\Windows\SysWOW64\lohly.exe
  cmdline:    C:\Windows\system32\lohly.exe 1112 "C:\Windows\SysWOW64\bwsot.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
depth 26  PID 1892  C:\Windows\SysWOW64\lohly.exe
  cmdline:    C:\Windows\SysWOW64\lohly.exe
  signatures: Executes dropped EXE; Drops file in System32 directory
depth 27  PID 1512  C:\Windows\SysWOW64\thgln.exe
  cmdline:    C:\Windows\system32\thgln.exe 1044 "C:\Windows\SysWOW64\lohly.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
depth 28  PID 1772  C:\Windows\SysWOW64\thgln.exe
  cmdline:    C:\Windows\SysWOW64\thgln.exe
  signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
depth 29  PID 1260  C:\Windows\SysWOW64\twere.exe
  cmdline:    C:\Windows\system32\twere.exe 1112 "C:\Windows\SysWOW64\thgln.exe"
  signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
depth 30  PID 4232  C:\Windows\SysWOW64\twere.exe
  cmdline:    C:\Windows\SysWOW64\twere.exe
  signatures: (none)
depth 31  PID 3992  C:\Windows\SysWOW64\tlcwv.exe
  cmdline:    C:\Windows\system32\tlcwv.exe 1020 "C:\Windows\SysWOW64\twere.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
depth 32  PID 3584  C:\Windows\SysWOW64\tlcwv.exe
  cmdline:    C:\Windows\SysWOW64\tlcwv.exe
  signatures: Executes dropped EXE
depth 33  PID 4444  C:\Windows\SysWOW64\vrihk.exe
  cmdline:    C:\Windows\system32\vrihk.exe 1052 "C:\Windows\SysWOW64\tlcwv.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
depth 34  PID 2436  C:\Windows\SysWOW64\vrihk.exe
  cmdline:    C:\Windows\SysWOW64\vrihk.exe
  signatures: Executes dropped EXE
depth 35  PID 5096  C:\Windows\SysWOW64\eheuw.exe
  cmdline:    C:\Windows\system32\eheuw.exe 1040 "C:\Windows\SysWOW64\vrihk.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
depth 36  PID 3508  C:\Windows\SysWOW64\eheuw.exe
  cmdline:    C:\Windows\SysWOW64\eheuw.exe
  signatures: Executes dropped EXE
depth 37  PID 1128  C:\Windows\SysWOW64\gcgxr.exe
  cmdline:    C:\Windows\system32\gcgxr.exe 1032 "C:\Windows\SysWOW64\eheuw.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
depth 38  PID 4556  C:\Windows\SysWOW64\gcgxr.exe
  cmdline:    C:\Windows\SysWOW64\gcgxr.exe
  signatures: Executes dropped EXE
depth 39  PID 2888  C:\Windows\SysWOW64\ladff.exe
  cmdline:    C:\Windows\system32\ladff.exe 1028 "C:\Windows\SysWOW64\gcgxr.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
depth 40  PID 4452  C:\Windows\SysWOW64\ladff.exe
  cmdline:    C:\Windows\SysWOW64\ladff.exe
  signatures: Executes dropped EXE
depth 41  PID 3204  C:\Windows\SysWOW64\teoso.exe
  cmdline:    C:\Windows\system32\teoso.exe 1028 "C:\Windows\SysWOW64\ladff.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
depth 42  PID 4708  C:\Windows\SysWOW64\teoso.exe
  cmdline:    C:\Windows\SysWOW64\teoso.exe
  signatures: Executes dropped EXE
depth 43  PID 4152  C:\Windows\SysWOW64\grxhu.exe
  cmdline:    C:\Windows\system32\grxhu.exe 1148 "C:\Windows\SysWOW64\teoso.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
depth 44  PID 2040  C:\Windows\SysWOW64\grxhu.exe
  cmdline:    C:\Windows\SysWOW64\grxhu.exe
  signatures: Executes dropped EXE
depth 45  PID 2064  C:\Windows\SysWOW64\ixlsj.exe
  cmdline:    C:\Windows\system32\ixlsj.exe 1016 "C:\Windows\SysWOW64\grxhu.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
depth 46  PID 3444  C:\Windows\SysWOW64\ixlsj.exe
  cmdline:    C:\Windows\SysWOW64\ixlsj.exe
  signatures: Executes dropped EXE
depth 47  PID 3416  C:\Windows\SysWOW64\nzuna.exe
  cmdline:    C:\Windows\system32\nzuna.exe 1152 "C:\Windows\SysWOW64\ixlsj.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
depth 48  PID 4116  C:\Windows\SysWOW64\nzuna.exe
  cmdline:    C:\Windows\SysWOW64\nzuna.exe
  signatures: Executes dropped EXE
depth 49  PID 2868  C:\Windows\SysWOW64\vztng.exe
  cmdline:    C:\Windows\system32\vztng.exe 1016 "C:\Windows\SysWOW64\nzuna.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
depth 50  PID 740   C:\Windows\SysWOW64\vztng.exe
  cmdline:    C:\Windows\SysWOW64\vztng.exe
  signatures: Executes dropped EXE; Drops file in System32 directory
depth 51  PID 2060  C:\Windows\SysWOW64\jmkdm.exe
  cmdline:    C:\Windows\system32\jmkdm.exe 1016 "C:\Windows\SysWOW64\vztng.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
depth 52  PID 464   C:\Windows\SysWOW64\jmkdm.exe
  cmdline:    C:\Windows\SysWOW64\jmkdm.exe
  signatures: Executes dropped EXE; Drops file in System32 directory
C:\Windows\SysWOW64\wzcts.exeC:\Windows\system32\wzcts.exe 1028 "C:\Windows\SysWOW64\jmkdm.exe"53⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4488 -
C:\Windows\SysWOW64\wzcts.exeC:\Windows\SysWOW64\wzcts.exe54⤵
- Executes dropped EXE
PID:3224 -
C:\Windows\SysWOW64\gvvdi.exeC:\Windows\system32\gvvdi.exe 1028 "C:\Windows\SysWOW64\wzcts.exe"55⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3516 -
C:\Windows\SysWOW64\gvvdi.exeC:\Windows\SysWOW64\gvvdi.exe56⤵
- Executes dropped EXE
PID:4412 -
C:\Windows\SysWOW64\ndqdu.exeC:\Windows\system32\ndqdu.exe 1020 "C:\Windows\SysWOW64\gvvdi.exe"57⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2784 -
C:\Windows\SysWOW64\ndqdu.exeC:\Windows\SysWOW64\ndqdu.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2108 -
C:\Windows\SysWOW64\bqata.exeC:\Windows\system32\bqata.exe 1148 "C:\Windows\SysWOW64\ndqdu.exe"59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3280 -
C:\Windows\SysWOW64\bqata.exeC:\Windows\SysWOW64\bqata.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3100 -
C:\Windows\SysWOW64\lipym.exeC:\Windows\system32\lipym.exe 1148 "C:\Windows\SysWOW64\bqata.exe"61⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1316 -
C:\Windows\SysWOW64\lipym.exeC:\Windows\SysWOW64\lipym.exe62⤵
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\wdqju.exeC:\Windows\system32\wdqju.exe 1148 "C:\Windows\SysWOW64\lipym.exe"63⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4780 -
C:\Windows\SysWOW64\wdqju.exeC:\Windows\SysWOW64\wdqju.exe64⤵
- Executes dropped EXE
PID:3536 -
C:\Windows\SysWOW64\gcuge.exeC:\Windows\system32\gcuge.exe 1152 "C:\Windows\SysWOW64\wdqju.exe"65⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3932 -
C:\Windows\SysWOW64\gcuge.exeC:\Windows\SysWOW64\gcuge.exe66⤵
- Executes dropped EXE
PID:3684 -
C:\Windows\SysWOW64\qvkmr.exeC:\Windows\system32\qvkmr.exe 1044 "C:\Windows\SysWOW64\gcuge.exe"67⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2920 -
C:\Windows\SysWOW64\qvkmr.exeC:\Windows\SysWOW64\qvkmr.exe68⤵
- Executes dropped EXE
PID:4768 -
C:\Windows\SysWOW64\afhwe.exeC:\Windows\system32\afhwe.exe 1156 "C:\Windows\SysWOW64\qvkmr.exe"69⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:532 -
C:\Windows\SysWOW64\afhwe.exeC:\Windows\SysWOW64\afhwe.exe70⤵PID:1828
-
C:\Windows\SysWOW64\lmlpg.exeC:\Windows\system32\lmlpg.exe 1148 "C:\Windows\SysWOW64\afhwe.exe"71⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3292 -
C:\Windows\SysWOW64\lmlpg.exeC:\Windows\SysWOW64\lmlpg.exe72⤵PID:3944
-
C:\Windows\SysWOW64\vwbzc.exeC:\Windows\system32\vwbzc.exe 1016 "C:\Windows\SysWOW64\lmlpg.exe"73⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3660 -
C:\Windows\SysWOW64\vwbzc.exeC:\Windows\SysWOW64\vwbzc.exe74⤵PID:1296
-
C:\Windows\SysWOW64\ggqwg.exeC:\Windows\system32\ggqwg.exe 1016 "C:\Windows\SysWOW64\vwbzc.exe"75⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:312 -
C:\Windows\SysWOW64\ggqwg.exeC:\Windows\SysWOW64\ggqwg.exe76⤵
- Drops file in System32 directory
PID:3096 -
C:\Windows\SysWOW64\vwcen.exeC:\Windows\system32\vwcen.exe 1000 "C:\Windows\SysWOW64\ggqwg.exe"77⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2488 -
C:\Windows\SysWOW64\vwcen.exeC:\Windows\SysWOW64\vwcen.exe78⤵PID:1648
-
C:\Windows\SysWOW64\dbmsx.exeC:\Windows\system32\dbmsx.exe 1016 "C:\Windows\SysWOW64\vwcen.exe"79⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2788 -
C:\Windows\SysWOW64\dbmsx.exeC:\Windows\SysWOW64\dbmsx.exe80⤵PID:4744
-
C:\Windows\SysWOW64\otcpk.exeC:\Windows\system32\otcpk.exe 1016 "C:\Windows\SysWOW64\dbmsx.exe"81⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2060 -
C:\Windows\SysWOW64\otcpk.exeC:\Windows\SysWOW64\otcpk.exe82⤵PID:2140
-
C:\Windows\SysWOW64\qvrzx.exeC:\Windows\system32\qvrzx.exe 1016 "C:\Windows\SysWOW64\otcpk.exe"83⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5020 -
C:\Windows\SysWOW64\qvrzx.exeC:\Windows\SysWOW64\qvrzx.exe84⤵PID:2396
-
C:\Windows\SysWOW64\dfxka.exeC:\Windows\system32\dfxka.exe 1016 "C:\Windows\SysWOW64\qvrzx.exe"85⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2708 -
C:\Windows\SysWOW64\dfxka.exeC:\Windows\SysWOW64\dfxka.exe86⤵PID:5116
-
C:\Windows\SysWOW64\nekik.exeC:\Windows\system32\nekik.exe 1020 "C:\Windows\SysWOW64\dfxka.exe"87⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3352 -
C:\Windows\SysWOW64\nekik.exeC:\Windows\SysWOW64\nekik.exe88⤵PID:4328
-
C:\Windows\SysWOW64\ywrnx.exeC:\Windows\system32\ywrnx.exe 1028 "C:\Windows\SysWOW64\nekik.exe"89⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1052 -
C:\Windows\SysWOW64\ywrnx.exeC:\Windows\SysWOW64\ywrnx.exe90⤵
- System Location Discovery: System Language Discovery
PID:4996 -
C:\Windows\SysWOW64\lyfvi.exeC:\Windows\system32\lyfvi.exe 1148 "C:\Windows\SysWOW64\ywrnx.exe"91⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1432 -
C:\Windows\SysWOW64\lyfvi.exeC:\Windows\SysWOW64\lyfvi.exe92⤵PID:1416
-
C:\Windows\SysWOW64\vuynq.exeC:\Windows\system32\vuynq.exe 1016 "C:\Windows\SysWOW64\lyfvi.exe"93⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1964 -
C:\Windows\SysWOW64\vuynq.exeC:\Windows\SysWOW64\vuynq.exe94⤵PID:3960
-
C:\Windows\SysWOW64\geolv.exeC:\Windows\system32\geolv.exe 1036 "C:\Windows\SysWOW64\vuynq.exe"95⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1352 -
C:\Windows\SysWOW64\geolv.exeC:\Windows\SysWOW64\geolv.exe96⤵PID:1320
-
C:\Windows\SysWOW64\qzpdk.exeC:\Windows\system32\qzpdk.exe 1148 "C:\Windows\SysWOW64\geolv.exe"97⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2016 -
C:\Windows\SysWOW64\qzpdk.exeC:\Windows\SysWOW64\qzpdk.exe98⤵
- Drops file in System32 directory
PID:3392 -
C:\Windows\SysWOW64\avpns.exeC:\Windows\system32\avpns.exe 1152 "C:\Windows\SysWOW64\qzpdk.exe"99⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2496 -
C:\Windows\SysWOW64\avpns.exeC:\Windows\SysWOW64\avpns.exe100⤵PID:3952
-
C:\Windows\SysWOW64\nizdy.exeC:\Windows\system32\nizdy.exe 1148 "C:\Windows\SysWOW64\avpns.exe"101⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4908 -
C:\Windows\SysWOW64\nizdy.exeC:\Windows\SysWOW64\nizdy.exe102⤵PID:1064
-
C:\Windows\SysWOW64\xsonl.exeC:\Windows\system32\xsonl.exe 1148 "C:\Windows\SysWOW64\nizdy.exe"103⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4964 -
C:\Windows\SysWOW64\xsonl.exeC:\Windows\SysWOW64\xsonl.exe104⤵PID:640
-
C:\Windows\SysWOW64\lfgdr.exeC:\Windows\system32\lfgdr.exe 1148 "C:\Windows\SysWOW64\xsonl.exe"105⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4472 -
C:\Windows\SysWOW64\lfgdr.exeC:\Windows\SysWOW64\lfgdr.exe106⤵PID:2064
-
C:\Windows\SysWOW64\qpoyh.exeC:\Windows\system32\qpoyh.exe 1028 "C:\Windows\SysWOW64\lfgdr.exe"107⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5040 -
C:\Windows\SysWOW64\qpoyh.exeC:\Windows\SysWOW64\qpoyh.exe108⤵PID:1472
-
C:\Windows\SysWOW64\akprp.exeC:\Windows\system32\akprp.exe 1020 "C:\Windows\SysWOW64\qpoyh.exe"109⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3664 -
C:\Windows\SysWOW64\akprp.exeC:\Windows\SysWOW64\akprp.exe110⤵PID:468
-
C:\Windows\SysWOW64\lufwc.exeC:\Windows\system32\lufwc.exe 1016 "C:\Windows\SysWOW64\akprp.exe"111⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4928 -
C:\Windows\SysWOW64\lufwc.exeC:\Windows\SysWOW64\lufwc.exe112⤵PID:2088
-
C:\Windows\SysWOW64\vmutg.exeC:\Windows\system32\vmutg.exe 1156 "C:\Windows\SysWOW64\lufwc.exe"113⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1336 -
C:\Windows\SysWOW64\vmutg.exeC:\Windows\SysWOW64\vmutg.exe114⤵PID:788
-
C:\Windows\SysWOW64\fmyrr.exeC:\Windows\system32\fmyrr.exe 1196 "C:\Windows\SysWOW64\vmutg.exe"115⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4740 -
C:\Windows\SysWOW64\fmyrr.exeC:\Windows\SysWOW64\fmyrr.exe116⤵PID:4656
-
C:\Windows\SysWOW64\nqjei.exeC:\Windows\system32\nqjei.exe 1028 "C:\Windows\SysWOW64\fmyrr.exe"117⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:64 -
C:\Windows\SysWOW64\nqjei.exeC:\Windows\SysWOW64\nqjei.exe118⤵PID:4108
-
C:\Windows\SysWOW64\vutrs.exeC:\Windows\system32\vutrs.exe 1152 "C:\Windows\SysWOW64\nqjei.exe"119⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1804 -
C:\Windows\SysWOW64\vutrs.exeC:\Windows\SysWOW64\vutrs.exe120⤵PID:2188
-
C:\Windows\SysWOW64\dvsrg.exeC:\Windows\system32\dvsrg.exe 1148 "C:\Windows\SysWOW64\vutrs.exe"121⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:636 -
C:\Windows\SysWOW64\dvsrg.exeC:\Windows\SysWOW64\dvsrg.exe122⤵PID:1548