Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
02-12-2024 22:46
General
-
Target
ba8a46d6910ea0e5b6958d330df95846_JaffaCakes118.exe
-
Size
216KB
-
MD5
ba8a46d6910ea0e5b6958d330df95846
-
SHA1
7bb2e84a2016bae7673ae2d4e1a10893576590c0
-
SHA256
1db293f665a0457f1bf241b351dc7e4b92c9c2538a9b6ec61dbf79e97cf80305
-
SHA512
99844529382cd059d84dbfc02bb817f784c01531c6a55a94e264844793882af084658b60f106e41a59cb063c7e13fcb46befce1fe6d4450a8c3875845ed93649
-
SSDEEP
3072:P7PYO4HB1NxoMnmgnbd4UyAA5pJCiV8xC7813q57SytpwjdwmFc68Vq:TuHoMmISAg2iVYq5HqjdwmG6cq
Score
10/10
Malware Config
Extracted
Family
metasploit
Version
encoder/call4_dword_xor
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Metasploit family
-
Executes dropped EXE 64 IoCs
-
Loads dropped DLL 64 IoCs
-
Drops file in System32 directory 64 IoCs
-
Suspicious use of SetThreadContext 64 IoCs
-
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ba8a46d6910ea0e5b6958d330df95846_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\ba8a46d6910ea0e5b6958d330df95846_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ba8a46d6910ea0e5b6958d330df95846_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\ba8a46d6910ea0e5b6958d330df95846_JaffaCakes118.exe2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\jokhlbf.exeC:\Windows\system32\jokhlbf.exe 476 "C:\Users\Admin\AppData\Local\Temp\ba8a46d6910ea0e5b6958d330df95846_JaffaCakes118.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\jokhlbf.exeC:\Windows\SysWOW64\jokhlbf.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\lcnsocl.exeC:\Windows\system32\lcnsocl.exe 528 "C:\Windows\SysWOW64\jokhlbf.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\lcnsocl.exeC:\Windows\SysWOW64\lcnsocl.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\avkfppw.exeC:\Windows\system32\avkfppw.exe 528 "C:\Windows\SysWOW64\lcnsocl.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\avkfppw.exeC:\Windows\SysWOW64\avkfppw.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\nmmigyt.exeC:\Windows\system32\nmmigyt.exe 528 "C:\Windows\SysWOW64\avkfppw.exe"9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\nmmigyt.exeC:\Windows\SysWOW64\nmmigyt.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\xanfwfg.exeC:\Windows\system32\xanfwfg.exe 528 "C:\Windows\SysWOW64\nmmigyt.exe"11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\xanfwfg.exeC:\Windows\SysWOW64\xanfwfg.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\isdcbvi.exeC:\Windows\system32\isdcbvi.exe 528 "C:\Windows\SysWOW64\xanfwfg.exe"13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\isdcbvi.exeC:\Windows\SysWOW64\isdcbvi.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\xpdcnnk.exeC:\Windows\system32\xpdcnnk.exe 532 "C:\Windows\SysWOW64\isdcbvi.exe"15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\xpdcnnk.exeC:\Windows\SysWOW64\xpdcnnk.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\kfffwwp.exeC:\Windows\system32\kfffwwp.exe 536 "C:\Windows\SysWOW64\xpdcnnk.exe"17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\kfffwwp.exeC:\Windows\SysWOW64\kfffwwp.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
-
C:\Windows\SysWOW64\xeaiewv.exeC:\Windows\system32\xeaiewv.exe 528 "C:\Windows\SysWOW64\kfffwwp.exe"19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\xeaiewv.exeC:\Windows\SysWOW64\xeaiewv.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\jygxqiz.exeC:\Windows\system32\jygxqiz.exe 528 "C:\Windows\SysWOW64\xeaiewv.exe"21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\jygxqiz.exeC:\Windows\SysWOW64\jygxqiz.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\tiwillf.exeC:\Windows\system32\tiwillf.exe 528 "C:\Windows\SysWOW64\jygxqiz.exe"23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\tiwillf.exeC:\Windows\SysWOW64\tiwillf.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\bnedprk.exeC:\Windows\system32\bnedprk.exe 532 "C:\Windows\SysWOW64\tiwillf.exe"25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\bnedprk.exeC:\Windows\SysWOW64\bnedprk.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\lbxsfyp.exeC:\Windows\system32\lbxsfyp.exe 528 "C:\Windows\SysWOW64\bnedprk.exe"27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\lbxsfyp.exeC:\Windows\SysWOW64\lbxsfyp.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\bffnjlu.exeC:\Windows\system32\bffnjlu.exe 528 "C:\Windows\SysWOW64\lbxsfyp.exe"29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\bffnjlu.exeC:\Windows\SysWOW64\bffnjlu.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\ktflzlz.exeC:\Windows\system32\ktflzlz.exe 528 "C:\Windows\SysWOW64\bffnjlu.exe"31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\ktflzlz.exeC:\Windows\SysWOW64\ktflzlz.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\ygpafog.exeC:\Windows\system32\ygpafog.exe 532 "C:\Windows\SysWOW64\ktflzlz.exe"33⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\ygpafog.exeC:\Windows\SysWOW64\ygpafog.exe34⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\kfsdnxd.exeC:\Windows\system32\kfsdnxd.exe 528 "C:\Windows\SysWOW64\ygpafog.exe"35⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\kfsdnxd.exeC:\Windows\SysWOW64\kfsdnxd.exe36⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\ulsaler.exeC:\Windows\system32\ulsaler.exe 528 "C:\Windows\SysWOW64\kfsdnxd.exe"37⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\ulsaler.exeC:\Windows\SysWOW64\ulsaler.exe38⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\hjnduew.exeC:\Windows\system32\hjnduew.exe 532 "C:\Windows\SysWOW64\ulsaler.exe"39⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\hjnduew.exeC:\Windows\SysWOW64\hjnduew.exe40⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\uaigdmc.exeC:\Windows\system32\uaigdmc.exe 528 "C:\Windows\SysWOW64\hjnduew.exe"41⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\uaigdmc.exeC:\Windows\SysWOW64\uaigdmc.exe42⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\hqlilvz.exeC:\Windows\system32\hqlilvz.exe 528 "C:\Windows\SysWOW64\uaigdmc.exe"43⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\hqlilvz.exeC:\Windows\SysWOW64\hqlilvz.exe44⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\upgluvf.exeC:\Windows\system32\upgluvf.exe 528 "C:\Windows\SysWOW64\hqlilvz.exe"45⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\upgluvf.exeC:\Windows\SysWOW64\upgluvf.exe46⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\ddgascs.exeC:\Windows\system32\ddgascs.exe 528 "C:\Windows\SysWOW64\upgluvf.exe"47⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\ddgascs.exeC:\Windows\SysWOW64\ddgascs.exe48⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\qubdakx.exeC:\Windows\system32\qubdakx.exe 528 "C:\Windows\SysWOW64\ddgascs.exe"49⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\qubdakx.exeC:\Windows\SysWOW64\qubdakx.exe50⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\dkegjsv.exeC:\Windows\system32\dkegjsv.exe 532 "C:\Windows\SysWOW64\qubdakx.exe"51⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\dkegjsv.exeC:\Windows\SysWOW64\dkegjsv.exe52⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\qizjstb.exeC:\Windows\system32\qizjstb.exe 532 "C:\Windows\SysWOW64\dkegjsv.exe"53⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\qizjstb.exeC:\Windows\SysWOW64\qizjstb.exe54⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\dzulabg.exeC:\Windows\system32\dzulabg.exe 528 "C:\Windows\SysWOW64\qizjstb.exe"55⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\dzulabg.exeC:\Windows\SysWOW64\dzulabg.exe56⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\nnujyil.exeC:\Windows\system32\nnujyil.exe 528 "C:\Windows\SysWOW64\dzulabg.exe"57⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\nnujyil.exeC:\Windows\SysWOW64\nnujyil.exe58⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
-
C:\Windows\SysWOW64\aepdhir.exeC:\Windows\system32\aepdhir.exe 528 "C:\Windows\SysWOW64\nnujyil.exe"59⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\aepdhir.exeC:\Windows\SysWOW64\aepdhir.exe60⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\ncsgprw.exeC:\Windows\system32\ncsgprw.exe 528 "C:\Windows\SysWOW64\aepdhir.exe"61⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\ncsgprw.exeC:\Windows\SysWOW64\ncsgprw.exe62⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\zeywbdb.exeC:\Windows\system32\zeywbdb.exe 536 "C:\Windows\SysWOW64\ncsgprw.exe"63⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\zeywbdb.exeC:\Windows\SysWOW64\zeywbdb.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\mrhlhzz.exeC:\Windows\system32\mrhlhzz.exe 532 "C:\Windows\SysWOW64\zeywbdb.exe"65⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\mrhlhzz.exeC:\Windows\SysWOW64\mrhlhzz.exe66⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\wxijxgm.exeC:\Windows\system32\wxijxgm.exe 532 "C:\Windows\SysWOW64\mrhlhzz.exe"67⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\wxijxgm.exeC:\Windows\SysWOW64\wxijxgm.exe68⤵
-
C:\Windows\SysWOW64\jwllfps.exeC:\Windows\system32\jwllfps.exe 528 "C:\Windows\SysWOW64\wxijxgm.exe"69⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\jwllfps.exeC:\Windows\SysWOW64\jwllfps.exe70⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\wmgowxy.exeC:\Windows\system32\wmgowxy.exe 528 "C:\Windows\SysWOW64\jwllfps.exe"71⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\wmgowxy.exeC:\Windows\SysWOW64\wmgowxy.exe72⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\jlarfxv.exeC:\Windows\system32\jlarfxv.exe 528 "C:\Windows\SysWOW64\wmgowxy.exe"73⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\jlarfxv.exeC:\Windows\SysWOW64\jlarfxv.exe74⤵
-
C:\Windows\SysWOW64\wbdtnfb.exeC:\Windows\system32\wbdtnfb.exe 528 "C:\Windows\SysWOW64\jlarfxv.exe"75⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\wbdtnfb.exeC:\Windows\SysWOW64\wbdtnfb.exe76⤵
-
C:\Windows\SysWOW64\fpwjdmo.exeC:\Windows\system32\fpwjdmo.exe 528 "C:\Windows\SysWOW64\wbdtnfb.exe"77⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\fpwjdmo.exeC:\Windows\SysWOW64\fpwjdmo.exe78⤵
-
C:\Windows\SysWOW64\sgzmmnt.exeC:\Windows\system32\sgzmmnt.exe 528 "C:\Windows\SysWOW64\fpwjdmo.exe"79⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\sgzmmnt.exeC:\Windows\SysWOW64\sgzmmnt.exe80⤵
-
C:\Windows\SysWOW64\feuouvr.exeC:\Windows\system32\feuouvr.exe 532 "C:\Windows\SysWOW64\sgzmmnt.exe"81⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\feuouvr.exeC:\Windows\SysWOW64\feuouvr.exe82⤵
-
C:\Windows\SysWOW64\svorddw.exeC:\Windows\system32\svorddw.exe 532 "C:\Windows\SysWOW64\feuouvr.exe"83⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\svorddw.exeC:\Windows\SysWOW64\svorddw.exe84⤵
-
C:\Windows\SysWOW64\flruudc.exeC:\Windows\system32\flruudc.exe 532 "C:\Windows\SysWOW64\svorddw.exe"85⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\flruudc.exeC:\Windows\SysWOW64\flruudc.exe86⤵
-
C:\Windows\SysWOW64\pzsrklp.exeC:\Windows\system32\pzsrklp.exe 540 "C:\Windows\SysWOW64\flruudc.exe"87⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\pzsrklp.exeC:\Windows\SysWOW64\pzsrklp.exe88⤵
-
C:\Windows\SysWOW64\cynustn.exeC:\Windows\system32\cynustn.exe 532 "C:\Windows\SysWOW64\pzsrklp.exe"89⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cynustn.exeC:\Windows\SysWOW64\cynustn.exe90⤵
-
C:\Windows\SysWOW64\oohobts.exeC:\Windows\system32\oohobts.exe 532 "C:\Windows\SysWOW64\cynustn.exe"91⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\oohobts.exeC:\Windows\SysWOW64\oohobts.exe92⤵
-
C:\Windows\SysWOW64\bfkrjby.exeC:\Windows\system32\bfkrjby.exe 532 "C:\Windows\SysWOW64\oohobts.exe"93⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\bfkrjby.exeC:\Windows\SysWOW64\bfkrjby.exe94⤵
-
C:\Windows\SysWOW64\odfusjv.exeC:\Windows\system32\odfusjv.exe 528 "C:\Windows\SysWOW64\bfkrjby.exe"95⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\odfusjv.exeC:\Windows\SysWOW64\odfusjv.exe96⤵
-
C:\Windows\SysWOW64\yrgrqri.exeC:\Windows\system32\yrgrqri.exe 528 "C:\Windows\SysWOW64\odfusjv.exe"97⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\yrgrqri.exeC:\Windows\SysWOW64\yrgrqri.exe98⤵
-
C:\Windows\SysWOW64\lephwmh.exeC:\Windows\system32\lephwmh.exe 536 "C:\Windows\SysWOW64\yrgrqri.exe"99⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\lephwmh.exeC:\Windows\SysWOW64\lephwmh.exe100⤵
-
C:\Windows\SysWOW64\yydwhzu.exeC:\Windows\system32\yydwhzu.exe 528 "C:\Windows\SysWOW64\lephwmh.exe"101⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\yydwhzu.exeC:\Windows\SysWOW64\yydwhzu.exe102⤵
-
C:\Windows\SysWOW64\lxyzqhr.exeC:\Windows\system32\lxyzqhr.exe 532 "C:\Windows\SysWOW64\yydwhzu.exe"103⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\lxyzqhr.exeC:\Windows\SysWOW64\lxyzqhr.exe104⤵
-
C:\Windows\SysWOW64\yntczhx.exeC:\Windows\system32\yntczhx.exe 536 "C:\Windows\SysWOW64\lxyzqhr.exe"105⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\yntczhx.exeC:\Windows\SysWOW64\yntczhx.exe106⤵
-
C:\Windows\SysWOW64\hbtrxpk.exeC:\Windows\system32\hbtrxpk.exe 532 "C:\Windows\SysWOW64\yntczhx.exe"107⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\hbtrxpk.exeC:\Windows\SysWOW64\hbtrxpk.exe108⤵
-
C:\Windows\SysWOW64\usoufxp.exeC:\Windows\system32\usoufxp.exe 528 "C:\Windows\SysWOW64\hbtrxpk.exe"109⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\usoufxp.exeC:\Windows\SysWOW64\usoufxp.exe110⤵
-
C:\Windows\SysWOW64\hqrxoxn.exeC:\Windows\system32\hqrxoxn.exe 528 "C:\Windows\SysWOW64\usoufxp.exe"111⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\hqrxoxn.exeC:\Windows\SysWOW64\hqrxoxn.exe112⤵
-
C:\Windows\SysWOW64\uhmzwfs.exeC:\Windows\system32\uhmzwfs.exe 528 "C:\Windows\SysWOW64\hqrxoxn.exe"113⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\uhmzwfs.exeC:\Windows\SysWOW64\uhmzwfs.exe114⤵
-
C:\Windows\SysWOW64\hfhcfny.exeC:\Windows\system32\hfhcfny.exe 528 "C:\Windows\SysWOW64\uhmzwfs.exe"115⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\hfhcfny.exeC:\Windows\SysWOW64\hfhcfny.exe116⤵
-
C:\Windows\SysWOW64\rmhzvvl.exeC:\Windows\system32\rmhzvvl.exe 520 "C:\Windows\SysWOW64\hfhcfny.exe"117⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\rmhzvvl.exeC:\Windows\SysWOW64\rmhzvvl.exe118⤵
-
C:\Windows\SysWOW64\dkkcmvj.exeC:\Windows\system32\dkkcmvj.exe 532 "C:\Windows\SysWOW64\rmhzvvl.exe"119⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\dkkcmvj.exeC:\Windows\SysWOW64\dkkcmvj.exe120⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\qbffudo.exeC:\Windows\system32\qbffudo.exe 528 "C:\Windows\SysWOW64\dkkcmvj.exe"121⤵
- Suspicious use of SetThreadContext
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-