Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 04-12-2024 10:39
Static task: static1
Behavioral task: behavioral1
  Sample: c22bf75822c2ba55da5573b81efb14d3_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: c22bf75822c2ba55da5573b81efb14d3_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: c22bf75822c2ba55da5573b81efb14d3_JaffaCakes118.exe
Size: 269KB
MD5: c22bf75822c2ba55da5573b81efb14d3
SHA1: c8ad9d1fc990762397828329bfa8f4a81fc17cb8
SHA256: 5ef2664ad32c8773d3b31364d3661206bb576d3695daf61e966ece331dd1b4a7
SHA512: 08ad291b756bb0cab6da43d6b3eb76e39bb5e5605444d7162829ffdf07bd25ef1f02bb9cff6394ed1183e7156cdb908ff0dfd04ad65a5069b2c55969718f1f4e
SSDEEP: 6144:1ZEaSuRXbZi+qDP7aOg28wvP6bQ7yMP+DE827geG:kPYr7qXL6b7MP+Dd2P
Malware Config
Extracted
metasploit
encoder/fnstenv_mov
Signatures
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Metasploit family
Executes dropped EXE 64 IoCs
pid  Process
2844  bzsoakp.exe
280  tkggihp.exe
2780  ylobymv.exe
1948  qdqtesb.exe
1676  avfqrjd.exe
2208  kjgohqi.exe
864  xwqdmmp.exe
1616  hvcbflp.exe
2016  pdpbray.exe
1528  zonledm.exe
1952  oeyllvi.exe
2056  tirtewv.exe
1484  dhwrpvu.exe
3064  txhzvny.exe
2528  ykbhpod.exe
2808  nhjgbpm.exe
808  pgnemft.exe
2868  xkxrdyw.exe
2860  jedhoda.exe
2616  ulpezci.exe
2848  gckhpkn.exe
2896  tafjyst.exe
892  ezrhirs.exe
1684  ozvetqa.exe
2052  abbueue.exe
1984  nrexvck.exe
2152  ucdckws.exe
2512  hejjvjf.exe
404  rajcldf.exe
2308  eyeftdl.exe
2464  lkdkjft.exe
2480  brospox.exe
492  mnpcxjx.exe
548  vbqzvql.exe
2088  gxrkdll.exe
2412  szxaopq.exe
564  cybxgox.exe
1596  poeapwd.exe
1348  cnzcyea.exe
2880  pdtfgfg.exe
2740  wwskdgo.exe
2736  jnvnmgu.exe
2644  tykxzki.exe
2828  jclsdxf.exe
2832  tfidqsl.exe
308  gddxzar.exe
636  nobkwuz.exe
2024  anenfcf.exe
1896  kmilpbm.exe
2424  xcdngjk.exe
2584  hyeyndk.exe
2200  rmfvddx.exe
1352  bljswcf.exe
480  okmvekl.exe
1852  bxvlkoj.exe
784  orbbvso.exe
920  ybrljvc.exe
924  lstgrda.exe
2788  vcjqmho.exe
1652  kkuytqj.exe
2160  vgviblk.exe
372  hibymxx.exe
2924  jsriaad.exe
2000  wjllqai.exe
Loads dropped DLL 64 IoCs
pid  Process
2504  c22bf75822c2ba55da5573b81efb14d3_JaffaCakes118.exe
2504  c22bf75822c2ba55da5573b81efb14d3_JaffaCakes118.exe
2844  bzsoakp.exe
2844  bzsoakp.exe
280  tkggihp.exe
280  tkggihp.exe
2780  ylobymv.exe
2780  ylobymv.exe
1948  qdqtesb.exe
1948  qdqtesb.exe
1676  avfqrjd.exe
1676  avfqrjd.exe
2208  kjgohqi.exe
2208  kjgohqi.exe
864  xwqdmmp.exe
864  xwqdmmp.exe
1616  hvcbflp.exe
1616  hvcbflp.exe
2016  pdpbray.exe
2016  pdpbray.exe
1528  zonledm.exe
1528  zonledm.exe
1952  oeyllvi.exe
1952  oeyllvi.exe
2056  tirtewv.exe
2056  tirtewv.exe
1484  dhwrpvu.exe
1484  dhwrpvu.exe
3064  txhzvny.exe
3064  txhzvny.exe
2528  ykbhpod.exe
2528  ykbhpod.exe
2808  nhjgbpm.exe
2808  nhjgbpm.exe
808  pgnemft.exe
808  pgnemft.exe
2868  xkxrdyw.exe
2868  xkxrdyw.exe
2860  jedhoda.exe
2860  jedhoda.exe
2616  ulpezci.exe
2616  ulpezci.exe
2848  gckhpkn.exe
2848  gckhpkn.exe
2896  tafjyst.exe
2896  tafjyst.exe
892  ezrhirs.exe
892  ezrhirs.exe
1684  ozvetqa.exe
1684  ozvetqa.exe
2052  abbueue.exe
2052  abbueue.exe
1984  nrexvck.exe
1984  nrexvck.exe
2152  ucdckws.exe
2152  ucdckws.exe
2512  hejjvjf.exe
2512  hejjvjf.exe
404  rajcldf.exe
404  rajcldf.exe
2308  eyeftdl.exe
2308  eyeftdl.exe
2464  lkdkjft.exe
2464  lkdkjft.exe
Writes to the Master Boot Record (MBR) 1 TTPs 64 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description  ioc  Process
File opened for modification  \??\PhysicalDrive0  rxakvdm.exe
File opened for modification  \??\PhysicalDrive0  jjxlmgy.exe
File opened for modification  \??\PhysicalDrive0  sdimrfe.exe
File opened for modification  \??\PhysicalDrive0  mimbzfx.exe
File opened for modification  \??\PhysicalDrive0  tshzyis.exe
File opened for modification  \??\PhysicalDrive0  zqresaz.exe
File opened for modification  \??\PhysicalDrive0  fuwovbn.exe
File opened for modification  \??\PhysicalDrive0  hxxgzup.exe
File opened for modification  \??\PhysicalDrive0  ixlketj.exe
File opened for modification  \??\PhysicalDrive0  ouskuqq.exe
File opened for modification  \??\PhysicalDrive0  mgqdtdp.exe
File opened for modification  \??\PhysicalDrive0  exsvpai.exe
File opened for modification  \??\PhysicalDrive0  fzvkkdz.exe
File opened for modification  \??\PhysicalDrive0  mnpcxjx.exe
File opened for modification  \??\PhysicalDrive0  byiqdof.exe
File opened for modification  \??\PhysicalDrive0  nlmqkaf.exe
File opened for modification  \??\PhysicalDrive0  unevjbh.exe
File opened for modification  \??\PhysicalDrive0  qdqtesb.exe
File opened for modification  \??\PhysicalDrive0  yaofaow.exe
File opened for modification  \??\PhysicalDrive0  gsiojsv.exe
File opened for modification  \??\PhysicalDrive0  tmvgtvo.exe
File opened for modification  \??\PhysicalDrive0  gbmwpin.exe
File opened for modification  \??\PhysicalDrive0  gcxrish.exe
File opened for modification  \??\PhysicalDrive0  cpsrpas.exe
File opened for modification  \??\PhysicalDrive0  xqexnoi.exe
File opened for modification  \??\PhysicalDrive0  rjisnha.exe
File opened for modification  \??\PhysicalDrive0  ubeqpvv.exe
File opened for modification  \??\PhysicalDrive0  qlttkku.exe
File opened for modification  \??\PhysicalDrive0  mzzgjjz.exe
File opened for modification  \??\PhysicalDrive0  cumljxk.exe
File opened for modification  \??\PhysicalDrive0  fmksrvi.exe
File opened for modification  \??\PhysicalDrive0  uoowxiu.exe
File opened for modification  \??\PhysicalDrive0  dcqnrjl.exe
File opened for modification  \??\PhysicalDrive0  jklvqor.exe
File opened for modification  \??\PhysicalDrive0  cvvmydx.exe
File opened for modification  \??\PhysicalDrive0  tookhua.exe
File opened for modification  \??\PhysicalDrive0  eolijhd.exe
File opened for modification  \??\PhysicalDrive0  jemzvsw.exe
File opened for modification  \??\PhysicalDrive0  bljswcf.exe
File opened for modification  \??\PhysicalDrive0  rcrlhtc.exe
File opened for modification  \??\PhysicalDrive0  tyllone.exe
File opened for modification  \??\PhysicalDrive0  qotdbhb.exe
File opened for modification  \??\PhysicalDrive0  qlawwgo.exe
File opened for modification  \??\PhysicalDrive0  hvcrjnb.exe
File opened for modification  \??\PhysicalDrive0  cgnxfkh.exe
File opened for modification  \??\PhysicalDrive0  ogqphig.exe
File opened for modification  \??\PhysicalDrive0  wjllqai.exe
File opened for modification  \??\PhysicalDrive0  oeoknvg.exe
File opened for modification  \??\PhysicalDrive0  levhmty.exe
File opened for modification  \??\PhysicalDrive0  ekggtaq.exe
File opened for modification  \??\PhysicalDrive0  soahbyq.exe
File opened for modification  \??\PhysicalDrive0  oopenvw.exe
File opened for modification  \??\PhysicalDrive0  essyava.exe
File opened for modification  \??\PhysicalDrive0  vxwjuqk.exe
File opened for modification  \??\PhysicalDrive0  sbzoeil.exe
File opened for modification  \??\PhysicalDrive0  rupnfsr.exe
File opened for modification  \??\PhysicalDrive0  hxvqwog.exe
File opened for modification  \??\PhysicalDrive0  ukvqluy.exe
File opened for modification  \??\PhysicalDrive0  llwmtsg.exe
File opened for modification  \??\PhysicalDrive0  iekrtdq.exe
File opened for modification  \??\PhysicalDrive0  aaqfdtl.exe
File opened for modification  \??\PhysicalDrive0  yytaujs.exe
File opened for modification  \??\PhysicalDrive0  sxxokvb.exe
File opened for modification  \??\PhysicalDrive0  gnrnqcg.exe
Drops file in System32 directory 64 IoCs
description  ioc  Process
File opened for modification  C:\Windows\SysWOW64\kvkmhni.exe  xfqjzfd.exe
File created  C:\Windows\SysWOW64\qdfmhsp.exe  gbqctpj.exe
File created  C:\Windows\SysWOW64\dwkopwb.exe  ttvectn.exe
File created  C:\Windows\SysWOW64\hxegzyw.exe  ukvqluy.exe
File opened for modification  C:\Windows\SysWOW64\uwhiigc.exe  hxegzyw.exe
File opened for modification  C:\Windows\SysWOW64\xkxrdyw.exe  pgnemft.exe
File created  C:\Windows\SysWOW64\jnvnmgu.exe  wwskdgo.exe
File opened for modification  C:\Windows\SysWOW64\jzoozig.exe  wjllqai.exe
File opened for modification  C:\Windows\SysWOW64\rohsyqf.exe  hdspknr.exe
File opened for modification  C:\Windows\SysWOW64\mrwcjrt.exe  llwmtsg.exe
File opened for modification  C:\Windows\SysWOW64\gsiojsv.exe  xhsdoxp.exe
File opened for modification  C:\Windows\SysWOW64\pttapul.exe  fnsdzny.exe
File created  C:\Windows\SysWOW64\yujbofi.exe  leozffd.exe
File created  C:\Windows\SysWOW64\rbplxat.exe  eluipsn.exe
File opened for modification  C:\Windows\SysWOW64\eyyagvg.exe  swskuqu.exe
File opened for modification  C:\Windows\SysWOW64\pdpbray.exe  hvcbflp.exe
File created  C:\Windows\SysWOW64\wpfzmyg.exe  jrcwepi.exe
File opened for modification  C:\Windows\SysWOW64\yinvyum.exe  lnvfsyn.exe
File opened for modification  C:\Windows\SysWOW64\sfoekms.exe  flipzhn.exe
File created  C:\Windows\SysWOW64\nkmrzdm.exe  aqgjnzh.exe
File created  C:\Windows\SysWOW64\fyfesqs.exe  vnquxne.exe
File opened for modification  C:\Windows\SysWOW64\ffvkkyv.exe  soahbyq.exe
File created  C:\Windows\SysWOW64\detdhqz.exe  qcnvvdv.exe
File opened for modification  C:\Windows\SysWOW64\xckwnyx.exe  kmptepz.exe
File created  C:\Windows\SysWOW64\cdfxckv.exe  pnkutcq.exe
File created  C:\Windows\SysWOW64\gyquzai.exe  tlyxtwj.exe
File opened for modification  C:\Windows\SysWOW64\ysbkcfx.exe  lcghtfr.exe
File created  C:\Windows\SysWOW64\sasnzpg.exe  iqdcllr.exe
File opened for modification  C:\Windows\SysWOW64\sbtpmfa.exe  flymexv.exe
File created  C:\Windows\SysWOW64\nopeoip.exe  abxhinq.exe
File created  C:\Windows\SysWOW64\hmswchx.exe  xbdmher.exe
File opened for modification  C:\Windows\SysWOW64\qlhavsm.exe  gasqipg.exe
File opened for modification  C:\Windows\SysWOW64\xqexnoi.exe  lwyhccd.exe
File created  C:\Windows\SysWOW64\vxwjuqk.exe  iythmhf.exe
File opened for modification  C:\Windows\SysWOW64\sxxokvb.exe  fvryqix.exe
File created  C:\Windows\SysWOW64\jedhoda.exe  xkxrdyw.exe
File opened for modification  C:\Windows\SysWOW64\ubeqpvv.exe  hkbnhmx.exe
File opened for modification  C:\Windows\SysWOW64\zdwbyba.exe  pahrlxt.exe
File created  C:\Windows\SysWOW64\pfxyqsd.exe  codvhsf.exe
File opened for modification  C:\Windows\SysWOW64\ptcadar.exe  fuyckbk.exe
File created  C:\Windows\SysWOW64\rlnmarf.exe  eqvwvwh.exe
File created  C:\Windows\SysWOW64\srysuem.exe  igiphbx.exe
File created  C:\Windows\SysWOW64\metdmjl.exe  zgqaebn.exe
File created  C:\Windows\SysWOW64\lliilsw.exe  vhinhfz.exe
File opened for modification  C:\Windows\SysWOW64\okmvekl.exe  bljswcf.exe
File created  C:\Windows\SysWOW64\kvoisjb.exe  xbishew.exe
File created  C:\Windows\SysWOW64\cecdbcb.exe  stmtghu.exe
File opened for modification  C:\Windows\SysWOW64\sujcgya.exe  fegaxyu.exe
File created  C:\Windows\SysWOW64\vjhlmtl.exe  iwxwgxm.exe
File opened for modification  C:\Windows\SysWOW64\lraydwj.exe  zpujsjf.exe
File created  C:\Windows\SysWOW64\pkllhgq.exe  ctiiyyl.exe
File created  C:\Windows\SysWOW64\aucdsei.exe  qvyghfa.exe
File created  C:\Windows\SysWOW64\gzewzzn.exe  tmvgtvo.exe
File created  C:\Windows\SysWOW64\lniccpo.exe  cktrpui.exe
File opened for modification  C:\Windows\SysWOW64\gnrnqcg.exe  tookhua.exe
File opened for modification  C:\Windows\SysWOW64\erbpeaa.exe  ontuand.exe
File opened for modification  C:\Windows\SysWOW64\rrznijr.exe  hdzyrkm.exe
File created  C:\Windows\SysWOW64\avfqrjd.exe  qdqtesb.exe
File created  C:\Windows\SysWOW64\sipuwqx.exe  fvfeqny.exe
File created  C:\Windows\SysWOW64\vdnuclo.exe  iekrtdq.exe
File opened for modification  C:\Windows\SysWOW64\fkhvicn.exe  sxqgcyo.exe
File opened for modification  C:\Windows\SysWOW64\pwxsxtk.exe  cgvqole.exe
File opened for modification  C:\Windows\SysWOW64\awiexna.exe  qlttkku.exe
File created  C:\Windows\SysWOW64\sjshcvb.exe  ivrkmno.exe
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  fqzmagi.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tykxzki.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  jyqnojt.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  xtqtigu.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wzzqmqg.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  unxncnt.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  pahrlxt.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  pgnemft.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  hnecpxt.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  xqyxyna.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  gasqipg.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  kvrfwqp.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tafjyst.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  jsriaad.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  xvvqnhu.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tmodvez.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  pjsefxo.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  xeqosgx.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  bxvlkoj.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rjisnha.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ctphutc.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sdxmsgb.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  pxchwic.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rajcldf.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  oijgodw.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  jyujdob.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  uehoafv.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  zgqaebn.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  drneyxp.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vdnuclo.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  swclnth.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  fuyckbk.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  igiphbx.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rqjemor.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ogqphig.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  kcavogg.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  hmswchx.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cilihqv.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ukvqluy.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  bbgxrqk.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  zqresaz.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ybvhyac.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sasnzpg.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  lriijob.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  lxwsumw.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  qbtqzjq.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mjhwkef.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ltaxqyv.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tttwgxs.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ouhsbfe.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  nlmqkaf.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tkggihp.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mlvykkc.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  lnbzrgn.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  hxxgzup.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  dlenixm.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wusrysb.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  hdspknr.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  nmdgfvg.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  zaeltbb.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  umjsmin.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ryhmtpa.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  nrlilbi.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vtrpkvo.exe
Modifies registry class 64 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\  xunoqwg.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\  rqjemor.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\  fiaeuts.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"  yrejuvn.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.key  cvipoew.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"  lazqnww.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"  ontuand.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\  zaeltbb.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\  zontjmu.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.key  xfqjzfd.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.key  xjywjct.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"  yydetby.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"  fstqnfd.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"  ctiiyyl.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.key  ltaxqyv.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.key  kangzah.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\  ktyqaek.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\  fvfeqny.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"  tlyxtwj.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"  wwuwnqn.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"  cjugxtw.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"  bclragd.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"  ozvetqa.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.key  levhmty.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\  xjywjct.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"  gpgrthz.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"  mmpkjlc.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.key  ouhsbfe.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"  gdbqdfo.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.key  jjmenhv.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.key  pfxyqsd.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.key  swskuqu.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\  xgcmtch.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"  ceawfhg.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.key  pixjgtt.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\  rohsyqf.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"  eshcone.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.key  oekoczo.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.key  ygbpldq.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.key  zpujsjf.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"  xcdngjk.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"  lxwsumw.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.key  chvicqa.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"  gkjydmf.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\  xbdmher.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"  rvfxpgi.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"  pypbfyn.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\  tafjyst.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.key  qbtqzjq.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"  ybrljvc.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\  jepvaiy.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"  aaqfdtl.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\  yytaujs.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"  xnviuwi.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"  hejjvjf.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"  okluxns.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"  eiejkpv.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\  fmqesuj.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"  leksyqk.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.key  kmnvpnp.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.key  lgyeueu.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.key  ubcohna.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.key  cybxgox.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\  yrejuvn.exe
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target
PID 2504 wrote to memory of 2844  2504  c22bf75822c2ba55da5573b81efb14d3_JaffaCakes118.exe  30
PID 2504 wrote to memory of 2844  2504  c22bf75822c2ba55da5573b81efb14d3_JaffaCakes118.exe  30
PID 2504 wrote to memory of 2844  2504  c22bf75822c2ba55da5573b81efb14d3_JaffaCakes118.exe  30
PID 2504 wrote to memory of 2844  2504  c22bf75822c2ba55da5573b81efb14d3_JaffaCakes118.exe  30
PID 2844 wrote to memory of 280  2844  bzsoakp.exe  31
PID 2844 wrote to memory of 280  2844  bzsoakp.exe  31
PID 2844 wrote to memory of 280  2844  bzsoakp.exe  31
PID 2844 wrote to memory of 280  2844  bzsoakp.exe  31
PID 280 wrote to memory of 2780  280  tkggihp.exe  32
PID 280 wrote to memory of 2780  280  tkggihp.exe  32
PID 280 wrote to memory of 2780  280  tkggihp.exe  32
PID 280 wrote to memory of 2780  280  tkggihp.exe  32
PID 2780 wrote to memory of 1948  2780  ylobymv.exe  33
PID 2780 wrote to memory of 1948  2780  ylobymv.exe  33
PID 2780 wrote to memory of 1948  2780  ylobymv.exe  33
PID 2780 wrote to memory of 1948  2780  ylobymv.exe  33
PID 1948 wrote to memory of 1676  1948  qdqtesb.exe  34
PID 1948 wrote to memory of 1676  1948  qdqtesb.exe  34
PID 1948 wrote to memory of 1676  1948  qdqtesb.exe  34
PID 1948 wrote to memory of 1676  1948  qdqtesb.exe  34
PID 1676 wrote to memory of 2208  1676  avfqrjd.exe  35
PID 1676 wrote to memory of 2208  1676  avfqrjd.exe  35
PID 1676 wrote to memory of 2208  1676  avfqrjd.exe  35
PID 1676 wrote to memory of 2208  1676  avfqrjd.exe  35
PID 2208 wrote to memory of 864  2208  kjgohqi.exe  36
PID 2208 wrote to memory of 864  2208  kjgohqi.exe  36
PID 2208 wrote to memory of 864  2208  kjgohqi.exe  36
PID 2208 wrote to memory of 864  2208  kjgohqi.exe  36
PID 864 wrote to memory of 1616  864  xwqdmmp.exe  37
PID 864 wrote to memory of 1616  864  xwqdmmp.exe  37
PID 864 wrote to memory of 1616  864  xwqdmmp.exe  37
PID 864 wrote to memory of 1616  864  xwqdmmp.exe  37
PID 1616 wrote to memory of 2016  1616  hvcbflp.exe  38
PID 1616 wrote to memory of 2016  1616  hvcbflp.exe  38
PID 1616 wrote to memory of 2016  1616  hvcbflp.exe  38
PID 1616 wrote to memory of 2016  1616  hvcbflp.exe  38
PID 2016 wrote to memory of 1528  2016  pdpbray.exe  39
PID 2016 wrote to memory of 1528  2016  pdpbray.exe  39
PID 2016 wrote to memory of 1528  2016  pdpbray.exe  39
PID 2016 wrote to memory of 1528  2016  pdpbray.exe  39
PID 1528 wrote to memory of 1952  1528  zonledm.exe  40
PID 1528 wrote to memory of 1952  1528  zonledm.exe  40
PID 1528 wrote to memory of 1952  1528  zonledm.exe  40
PID 1528 wrote to memory of 1952  1528  zonledm.exe  40
PID 1952 wrote to memory of 2056  1952  oeyllvi.exe  41
PID 1952 wrote to memory of 2056  1952  oeyllvi.exe  41
PID 1952 wrote to memory of 2056  1952  oeyllvi.exe  41
PID 1952 wrote to memory of 2056  1952  oeyllvi.exe  41
PID 2056 wrote to memory of 1484  2056  tirtewv.exe  42
PID 2056 wrote to memory of 1484  2056  tirtewv.exe  42
PID 2056 wrote to memory of 1484  2056  tirtewv.exe  42
PID 2056 wrote to memory of 1484  2056  tirtewv.exe  42
PID 1484 wrote to memory of 3064  1484  dhwrpvu.exe  43
PID 1484 wrote to memory of 3064  1484  dhwrpvu.exe  43
PID 1484 wrote to memory of 3064  1484  dhwrpvu.exe  43
PID 1484 wrote to memory of 3064  1484  dhwrpvu.exe  43
PID 3064 wrote to memory of 2528  3064  txhzvny.exe  44
PID 3064 wrote to memory of 2528  3064  txhzvny.exe  44
PID 3064 wrote to memory of 2528  3064  txhzvny.exe  44
PID 3064 wrote to memory of 2528  3064  txhzvny.exe  44
PID 2528 wrote to memory of 2808  2528  ykbhpod.exe  45
PID 2528 wrote to memory of 2808  2528  ykbhpod.exe  45
PID 2528 wrote to memory of 2808  2528  ykbhpod.exe  45
PID 2528 wrote to memory of 2808  2528  ykbhpod.exe  45
Processes
C:\Users\Admin\AppData\Local\Temp\c22bf75822c2ba55da5573b81efb14d3_JaffaCakes118.exe  (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\c22bf75822c2ba55da5573b81efb14d3_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2504
C:\Windows\SysWOW64\bzsoakp.exe  (depth 2)
  command line: C:\Windows\system32\bzsoakp.exe 496 "C:\Users\Admin\AppData\Local\Temp\c22bf75822c2ba55da5573b81efb14d3_JaffaCakes118.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2844
C:\Windows\SysWOW64\tkggihp.exe  (depth 3)
  command line: C:\Windows\system32\tkggihp.exe 560 "C:\Windows\SysWOW64\bzsoakp.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 280
C:\Windows\SysWOW64\ylobymv.exe  (depth 4)
  command line: C:\Windows\system32\ylobymv.exe 564 "C:\Windows\SysWOW64\tkggihp.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2780
C:\Windows\SysWOW64\qdqtesb.exe  (depth 5)
  command line: C:\Windows\system32\qdqtesb.exe 572 "C:\Windows\SysWOW64\ylobymv.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 1948
C:\Windows\SysWOW64\avfqrjd.exe  (depth 6)
  command line: C:\Windows\system32\avfqrjd.exe 580 "C:\Windows\SysWOW64\qdqtesb.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1676
C:\Windows\SysWOW64\kjgohqi.exe  (depth 7)
  command line: C:\Windows\system32\kjgohqi.exe 552 "C:\Windows\SysWOW64\avfqrjd.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2208
C:\Windows\SysWOW64\xwqdmmp.exe  (depth 8)
  command line: C:\Windows\system32\xwqdmmp.exe 556 "C:\Windows\SysWOW64\kjgohqi.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 864
C:\Windows\SysWOW64\hvcbflp.exe  (depth 9)
  command line: C:\Windows\system32\hvcbflp.exe 568 "C:\Windows\SysWOW64\xwqdmmp.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 1616
C:\Windows\SysWOW64\pdpbray.exe  (depth 10)
  command line: C:\Windows\system32\pdpbray.exe 588 "C:\Windows\SysWOW64\hvcbflp.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2016
C:\Windows\SysWOW64\zonledm.exe  (depth 11)
  command line: C:\Windows\system32\zonledm.exe 584 "C:\Windows\SysWOW64\pdpbray.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1528
C:\Windows\SysWOW64\oeyllvi.exe  (depth 12)
  command line: C:\Windows\system32\oeyllvi.exe 596 "C:\Windows\SysWOW64\zonledm.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1952
C:\Windows\SysWOW64\tirtewv.exe  (depth 13)
  command line: C:\Windows\system32\tirtewv.exe 576 "C:\Windows\SysWOW64\oeyllvi.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2056
C:\Windows\SysWOW64\dhwrpvu.exe  (depth 14)
  command line: C:\Windows\system32\dhwrpvu.exe 604 "C:\Windows\SysWOW64\tirtewv.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1484
C:\Windows\SysWOW64\txhzvny.exe  (depth 15)
  command line: C:\Windows\system32\txhzvny.exe 592 "C:\Windows\SysWOW64\dhwrpvu.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 3064
C:\Windows\SysWOW64\ykbhpod.exe  (depth 16)
  command line: C:\Windows\system32\ykbhpod.exe 612 "C:\Windows\SysWOW64\txhzvny.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2528
C:\Windows\SysWOW64\nhjgbpm.exe  (depth 17)
  command line: C:\Windows\system32\nhjgbpm.exe 608 "C:\Windows\SysWOW64\ykbhpod.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 2808
C:\Windows\SysWOW64\pgnemft.exe  (depth 18)
  command line: C:\Windows\system32\pgnemft.exe 620 "C:\Windows\SysWOW64\nhjgbpm.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID: 808
C:\Windows\SysWOW64\xkxrdyw.exe  (depth 19)
  command line: C:\Windows\system32\xkxrdyw.exe 616 "C:\Windows\SysWOW64\pgnemft.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID: 2868
C:\Windows\SysWOW64\jedhoda.exe  (depth 20)
  command line: C:\Windows\system32\jedhoda.exe 600 "C:\Windows\SysWOW64\xkxrdyw.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 2860
C:\Windows\SysWOW64\ulpezci.exe  (depth 21)
  command line: C:\Windows\system32\ulpezci.exe 632 "C:\Windows\SysWOW64\jedhoda.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 2616
C:\Windows\SysWOW64\gckhpkn.exe  (depth 22)
  command line: C:\Windows\system32\gckhpkn.exe 644 "C:\Windows\SysWOW64\ulpezci.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 2848
C:\Windows\SysWOW64\tafjyst.exe  (depth 23)
  command line: C:\Windows\system32\tafjyst.exe 624 "C:\Windows\SysWOW64\gckhpkn.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID: 2896
C:\Windows\SysWOW64\ezrhirs.exe  (depth 24)
  command line: C:\Windows\system32\ezrhirs.exe 636 "C:\Windows\SysWOW64\tafjyst.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 892
C:\Windows\SysWOW64\ozvetqa.exe  (depth 25)
  command line: C:\Windows\system32\ozvetqa.exe 640 "C:\Windows\SysWOW64\ezrhirs.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  PID: 1684
C:\Windows\SysWOW64\abbueue.exe  (depth 26)
  command line: C:\Windows\system32\abbueue.exe 660 "C:\Windows\SysWOW64\ozvetqa.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 2052
C:\Windows\SysWOW64\nrexvck.exe  (depth 27)
  command line: C:\Windows\system32\nrexvck.exe 628 "C:\Windows\SysWOW64\abbueue.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 1984
C:\Windows\SysWOW64\ucdckws.exe  (depth 28)
  command line: C:\Windows\system32\ucdckws.exe 656 "C:\Windows\SysWOW64\nrexvck.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 2152
C:\Windows\SysWOW64\hejjvjf.exe  (depth 29)
  command line: C:\Windows\system32\hejjvjf.exe 648 "C:\Windows\SysWOW64\ucdckws.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  PID: 2512
C:\Windows\SysWOW64\rajcldf.exe  (depth 30)
  command line: C:\Windows\system32\rajcldf.exe 668 "C:\Windows\SysWOW64\hejjvjf.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID: 404
C:\Windows\SysWOW64\eyeftdl.exe  (depth 31)
  command line: C:\Windows\system32\eyeftdl.exe 672 "C:\Windows\SysWOW64\rajcldf.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 2308
C:\Windows\SysWOW64\lkdkjft.exe  (depth 32)
  command line: C:\Windows\system32\lkdkjft.exe 664 "C:\Windows\SysWOW64\eyeftdl.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 2464
C:\Windows\SysWOW64\brospox.exe  (depth 33)
  command line: C:\Windows\system32\brospox.exe 652 "C:\Windows\SysWOW64\lkdkjft.exe"
  - Executes dropped EXE
  PID: 2480
C:\Windows\SysWOW64\mnpcxjx.exe  (depth 34)
  command line: C:\Windows\system32\mnpcxjx.exe 692 "C:\Windows\SysWOW64\brospox.exe"
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  PID: 492
C:\Windows\SysWOW64\vbqzvql.exe  (depth 35)
  command line: C:\Windows\system32\vbqzvql.exe 680 "C:\Windows\SysWOW64\mnpcxjx.exe"
  - Executes dropped EXE
  PID: 548
C:\Windows\SysWOW64\gxrkdll.exe  (depth 36)
  command line: C:\Windows\system32\gxrkdll.exe 688 "C:\Windows\SysWOW64\vbqzvql.exe"
  - Executes dropped EXE
  PID: 2088
C:\Windows\SysWOW64\szxaopq.exe  (depth 37)
  command line: C:\Windows\system32\szxaopq.exe 676 "C:\Windows\SysWOW64\gxrkdll.exe"
  - Executes dropped EXE
  PID: 2412
C:\Windows\SysWOW64\cybxgox.exe  (depth 38)
  command line: C:\Windows\system32\cybxgox.exe 708 "C:\Windows\SysWOW64\szxaopq.exe"
  - Executes dropped EXE
  - Modifies registry class
  PID: 564
C:\Windows\SysWOW64\poeapwd.exe  (depth 39)
  command line: C:\Windows\system32\poeapwd.exe 684 "C:\Windows\SysWOW64\cybxgox.exe"
  - Executes dropped EXE
  PID: 1596
C:\Windows\SysWOW64\cnzcyea.exe  (depth 40)
  command line: C:\Windows\system32\cnzcyea.exe 700 "C:\Windows\SysWOW64\poeapwd.exe"
  - Executes dropped EXE
  PID: 1348
C:\Windows\SysWOW64\pdtfgfg.exe  (depth 41)
  command line: C:\Windows\system32\pdtfgfg.exe 704 "C:\Windows\SysWOW64\cnzcyea.exe"
  - Executes dropped EXE
  PID: 2880
C:\Windows\SysWOW64\wwskdgo.exe  (depth 42)
  command line: C:\Windows\system32\wwskdgo.exe 724 "C:\Windows\SysWOW64\pdtfgfg.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 2740
C:\Windows\SysWOW64\jnvnmgu.exe  (depth 43)
  command line: C:\Windows\system32\jnvnmgu.exe 696 "C:\Windows\SysWOW64\wwskdgo.exe"
  - Executes dropped EXE
  PID: 2736
C:\Windows\SysWOW64\tykxzki.exe  (depth 44)
  command line: C:\Windows\system32\tykxzki.exe 720 "C:\Windows\SysWOW64\jnvnmgu.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 2644
C:\Windows\SysWOW64\jclsdxf.exe  (depth 45)
  command line: C:\Windows\system32\jclsdxf.exe 716 "C:\Windows\SysWOW64\tykxzki.exe"
  - Executes dropped EXE
  PID: 2828
C:\Windows\SysWOW64\tfidqsl.exe  (depth 46)
  command line: C:\Windows\system32\tfidqsl.exe 740 "C:\Windows\SysWOW64\jclsdxf.exe"
  - Executes dropped EXE
  PID: 2832
C:\Windows\SysWOW64\gddxzar.exe  (depth 47)
  command line: C:\Windows\system32\gddxzar.exe 728 "C:\Windows\SysWOW64\tfidqsl.exe"
  - Executes dropped EXE
  PID: 308
C:\Windows\SysWOW64\nobkwuz.exe  (depth 48)
  command line: C:\Windows\system32\nobkwuz.exe 736 "C:\Windows\SysWOW64\gddxzar.exe"
- Executes dropped EXE
PID:636 -
C:\Windows\SysWOW64\anenfcf.exeC:\Windows\system32\anenfcf.exe 712 "C:\Windows\SysWOW64\nobkwuz.exe"49⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\kmilpbm.exeC:\Windows\system32\kmilpbm.exe 732 "C:\Windows\SysWOW64\anenfcf.exe"50⤵
- Executes dropped EXE
PID:1896 -
C:\Windows\SysWOW64\xcdngjk.exeC:\Windows\system32\xcdngjk.exe 756 "C:\Windows\SysWOW64\kmilpbm.exe"51⤵
- Executes dropped EXE
- Modifies registry class
PID:2424 -
C:\Windows\SysWOW64\hyeyndk.exeC:\Windows\system32\hyeyndk.exe 752 "C:\Windows\SysWOW64\xcdngjk.exe"52⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\rmfvddx.exeC:\Windows\system32\rmfvddx.exe 744 "C:\Windows\SysWOW64\hyeyndk.exe"53⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\bljswcf.exeC:\Windows\system32\bljswcf.exe 760 "C:\Windows\SysWOW64\rmfvddx.exe"54⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
PID:1352 -
C:\Windows\SysWOW64\okmvekl.exeC:\Windows\system32\okmvekl.exe 764 "C:\Windows\SysWOW64\bljswcf.exe"55⤵
- Executes dropped EXE
PID:480 -
C:\Windows\SysWOW64\bxvlkoj.exeC:\Windows\system32\bxvlkoj.exe 772 "C:\Windows\SysWOW64\okmvekl.exe"56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1852 -
C:\Windows\SysWOW64\orbbvso.exeC:\Windows\system32\orbbvso.exe 748 "C:\Windows\SysWOW64\bxvlkoj.exe"57⤵
- Executes dropped EXE
PID:784 -
C:\Windows\SysWOW64\ybrljvc.exeC:\Windows\system32\ybrljvc.exe 768 "C:\Windows\SysWOW64\orbbvso.exe"58⤵
- Executes dropped EXE
- Modifies registry class
PID:920 -
C:\Windows\SysWOW64\lstgrda.exeC:\Windows\system32\lstgrda.exe 780 "C:\Windows\SysWOW64\ybrljvc.exe"59⤵
- Executes dropped EXE
PID:924 -
C:\Windows\SysWOW64\vcjqmho.exeC:\Windows\system32\vcjqmho.exe 776 "C:\Windows\SysWOW64\lstgrda.exe"60⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\kkuytqj.exeC:\Windows\system32\kkuytqj.exe 784 "C:\Windows\SysWOW64\vcjqmho.exe"61⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\vgviblk.exeC:\Windows\system32\vgviblk.exe 804 "C:\Windows\SysWOW64\kkuytqj.exe"62⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\hibymxx.exeC:\Windows\system32\hibymxx.exe 788 "C:\Windows\SysWOW64\vgviblk.exe"63⤵
- Executes dropped EXE
PID:372 -
C:\Windows\SysWOW64\jsriaad.exeC:\Windows\system32\jsriaad.exe 800 "C:\Windows\SysWOW64\hibymxx.exe"64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2924 -
C:\Windows\SysWOW64\wjllqai.exeC:\Windows\system32\wjllqai.exe 792 "C:\Windows\SysWOW64\jsriaad.exe"65⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
PID:2000 -
C:\Windows\SysWOW64\jzoozig.exeC:\Windows\system32\jzoozig.exe 816 "C:\Windows\SysWOW64\wjllqai.exe"66⤵PID:2892
C:\Windows\SysWOW64\tkeymmu.exeC:\Windows\system32\tkeymmu.exe 796 "C:\Windows\SysWOW64\jzoozig.exe"67⤵PID:2660
C:\Windows\SysWOW64\gxnospt.exeC:\Windows\system32\gxnospt.exe 820 "C:\Windows\SysWOW64\tkeymmu.exe"68⤵PID:2676
C:\Windows\SysWOW64\qlolqpg.exeC:\Windows\system32\qlolqpg.exe 808 "C:\Windows\SysWOW64\gxnospt.exe"69⤵PID:1424
C:\Windows\SysWOW64\dcroyxe.exeC:\Windows\system32\dcroyxe.exe 828 "C:\Windows\SysWOW64\qlolqpg.exe"70⤵PID:2348
C:\Windows\SysWOW64\nbvljwl.exeC:\Windows\system32\nbvljwl.exe 832 "C:\Windows\SysWOW64\dcroyxe.exe"71⤵PID:276
C:\Windows\SysWOW64\zdbtuiq.exeC:\Windows\system32\zdbtuiq.exe 836 "C:\Windows\SysWOW64\nbvljwl.exe"72⤵PID:3020
C:\Windows\SysWOW64\nqsraew.exeC:\Windows\system32\nqsraew.exe 812 "C:\Windows\SysWOW64\zdbtuiq.exe"73⤵PID:2904
C:\Windows\SysWOW64\zontjmu.exeC:\Windows\system32\zontjmu.exe 844 "C:\Windows\SysWOW64\nqsraew.exe"74⤵
- Modifies registry class
PID:2692 -
C:\Windows\SysWOW64\jrcwepi.exeC:\Windows\system32\jrcwepi.exe 824 "C:\Windows\SysWOW64\zontjmu.exe"75⤵
- Drops file in System32 directory
PID:1468 -
C:\Windows\SysWOW64\wpfzmyg.exeC:\Windows\system32\wpfzmyg.exe 852 "C:\Windows\SysWOW64\jrcwepi.exe"76⤵PID:1292
C:\Windows\SysWOW64\jjloycs.exeC:\Windows\system32\jjloycs.exe 840 "C:\Windows\SysWOW64\wpfzmyg.exe"77⤵PID:776
C:\Windows\SysWOW64\wigrgkq.exeC:\Windows\system32\wigrgkq.exe 856 "C:\Windows\SysWOW64\jjloycs.exe"78⤵PID:1188
C:\Windows\SysWOW64\jybupsv.exeC:\Windows\system32\jybupsv.exe 848 "C:\Windows\SysWOW64\wigrgkq.exe"79⤵PID:2940
C:\Windows\SysWOW64\smcrfsi.exeC:\Windows\system32\smcrfsi.exe 868 "C:\Windows\SysWOW64\jybupsv.exe"80⤵PID:1908
C:\Windows\SysWOW64\fdwmwao.exeC:\Windows\system32\fdwmwao.exe 872 "C:\Windows\SysWOW64\smcrfsi.exe"81⤵PID:2356
C:\Windows\SysWOW64\sbzoeil.exeC:\Windows\system32\sbzoeil.exe 876 "C:\Windows\SysWOW64\fdwmwao.exe"82⤵
- Writes to the Master Boot Record (MBR)
PID:1044 -
C:\Windows\SysWOW64\fvfeqny.exeC:\Windows\system32\fvfeqny.exe 860 "C:\Windows\SysWOW64\sbzoeil.exe"83⤵
- Drops file in System32 directory
- Modifies registry class
PID:1732 -
C:\Windows\SysWOW64\sipuwqx.exeC:\Windows\system32\sipuwqx.exe 884 "C:\Windows\SysWOW64\fvfeqny.exe"84⤵PID:1724
C:\Windows\SysWOW64\fkdjhdb.exeC:\Windows\system32\fkdjhdb.exe 864 "C:\Windows\SysWOW64\sipuwqx.exe"85⤵PID:2800
C:\Windows\SysWOW64\pvsuugh.exeC:\Windows\system32\pvsuugh.exe 880 "C:\Windows\SysWOW64\fkdjhdb.exe"86⤵PID:2404
C:\Windows\SysWOW64\clnwlgn.exeC:\Windows\system32\clnwlgn.exe 888 "C:\Windows\SysWOW64\pvsuugh.exe"87⤵PID:2900
C:\Windows\SysWOW64\lochyjt.exeC:\Windows\system32\lochyjt.exe 900 "C:\Windows\SysWOW64\clnwlgn.exe"88⤵PID:2636
C:\Windows\SysWOW64\ymfkhsz.exeC:\Windows\system32\ymfkhsz.exe 904 "C:\Windows\SysWOW64\lochyjt.exe"89⤵PID:2388
C:\Windows\SysWOW64\ldampse.exeC:\Windows\system32\ldampse.exe 892 "C:\Windows\SysWOW64\ymfkhsz.exe"90⤵PID:1772
C:\Windows\SysWOW64\ybvhyac.exeC:\Windows\system32\ybvhyac.exe 896 "C:\Windows\SysWOW64\ldampse.exe"91⤵
- System Location Discovery: System Language Discovery
PID:2912 -
C:\Windows\SysWOW64\iekrtdq.exeC:\Windows\system32\iekrtdq.exe 912 "C:\Windows\SysWOW64\ybvhyac.exe"92⤵
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
PID:2148 -
C:\Windows\SysWOW64\vdnuclo.exeC:\Windows\system32\vdnuclo.exe 928 "C:\Windows\SysWOW64\iekrtdq.exe"93⤵
- System Location Discovery: System Language Discovery
PID:588 -
C:\Windows\SysWOW64\itixklt.exeC:\Windows\system32\itixklt.exe 916 "C:\Windows\SysWOW64\vdnuclo.exe"94⤵PID:1644
C:\Windows\SysWOW64\vkdzttz.exeC:\Windows\system32\vkdzttz.exe 924 "C:\Windows\SysWOW64\itixklt.exe"95⤵PID:264
C:\Windows\SysWOW64\eydxjbm.exeC:\Windows\system32\eydxjbm.exe 932 "C:\Windows\SysWOW64\vkdzttz.exe"96⤵PID:1136
C:\Windows\SysWOW64\slvmpfl.exeC:\Windows\system32\slvmpfl.exe 936 "C:\Windows\SysWOW64\eydxjbm.exe"97⤵PID:1056
C:\Windows\SysWOW64\enbcajp.exeC:\Windows\system32\enbcajp.exe 908 "C:\Windows\SysWOW64\slvmpfl.exe"98⤵PID:1576
C:\Windows\SysWOW64\oxqnvmv.exeC:\Windows\system32\oxqnvmv.exe 944 "C:\Windows\SysWOW64\enbcajp.exe"99⤵PID:1020
C:\Windows\SysWOW64\eczizaa.exeC:\Windows\system32\eczizaa.exe 920 "C:\Windows\SysWOW64\oxqnvmv.exe"100⤵PID:2980
C:\Windows\SysWOW64\oeoknvg.exeC:\Windows\system32\oeoknvg.exe 940 "C:\Windows\SysWOW64\eczizaa.exe"101⤵
- Writes to the Master Boot Record (MBR)
PID:1592 -
C:\Windows\SysWOW64\bdjnvdm.exeC:\Windows\system32\bdjnvdm.exe 948 "C:\Windows\SysWOW64\oeoknvg.exe"102⤵PID:2180
C:\Windows\SysWOW64\lcnsocl.exeC:\Windows\system32\lcnsocl.exe 952 "C:\Windows\SysWOW64\bdjnvdm.exe"103⤵PID:2792
C:\Windows\SysWOW64\xhencsx.exeC:\Windows\system32\xhencsx.exe 960 "C:\Windows\SysWOW64\lcnsocl.exe"104⤵PID:2096
C:\Windows\SysWOW64\luwciov.exeC:\Windows\system32\luwciov.exe 968 "C:\Windows\SysWOW64\xhencsx.exe"105⤵PID:2916
C:\Windows\SysWOW64\xwcstbi.exeC:\Windows\system32\xwcstbi.exe 972 "C:\Windows\SysWOW64\luwciov.exe"106⤵PID:2852
C:\Windows\SysWOW64\hzrcgeo.exeC:\Windows\system32\hzrcgeo.exe 956 "C:\Windows\SysWOW64\xwcstbi.exe"107⤵PID:1704
C:\Windows\SysWOW64\umjsmin.exeC:\Windows\system32\umjsmin.exe 964 "C:\Windows\SysWOW64\hzrcgeo.exe"108⤵
- System Location Discovery: System Language Discovery
PID:2472 -
C:\Windows\SysWOW64\ewydhdt.exeC:\Windows\system32\ewydhdt.exe 988 "C:\Windows\SysWOW64\umjsmin.exe"109⤵PID:1108
C:\Windows\SysWOW64\rjisnha.exeC:\Windows\system32\rjisnha.exe 984 "C:\Windows\SysWOW64\ewydhdt.exe"110⤵
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
PID:3008 -
C:\Windows\SysWOW64\byiqdof.exeC:\Windows\system32\byiqdof.exe 992 "C:\Windows\SysWOW64\rjisnha.exe"111⤵
- Writes to the Master Boot Record (MBR)
PID:2624 -
C:\Windows\SysWOW64\rcrlhtc.exeC:\Windows\system32\rcrlhtc.exe 976 "C:\Windows\SysWOW64\byiqdof.exe"112⤵
- Writes to the Master Boot Record (MBR)
PID:532 -
C:\Windows\SysWOW64\tngnuwq.exeC:\Windows\system32\tngnuwq.exe 1000 "C:\Windows\SysWOW64\rcrlhtc.exe"113⤵PID:2948
C:\Windows\SysWOW64\gdbqdfo.exeC:\Windows\system32\gdbqdfo.exe 980 "C:\Windows\SysWOW64\tngnuwq.exe"114⤵
- Modifies registry class
PID:2192 -
C:\Windows\SysWOW64\qcnvvdv.exeC:\Windows\system32\qcnvvdv.exe 996 "C:\Windows\SysWOW64\gdbqdfo.exe"115⤵
- Drops file in System32 directory
PID:596 -
C:\Windows\SysWOW64\detdhqz.exeC:\Windows\system32\detdhqz.exe 1004 "C:\Windows\SysWOW64\qcnvvdv.exe"116⤵PID:2440
C:\Windows\SysWOW64\ndxarhh.exeC:\Windows\system32\ndxarhh.exe 1016 "C:\Windows\SysWOW64\detdhqz.exe"117⤵PID:748
C:\Windows\SysWOW64\ctiiyyl.exeC:\Windows\system32\ctiiyyl.exe 1012 "C:\Windows\SysWOW64\ndxarhh.exe"118⤵
- Drops file in System32 directory
- Modifies registry class
PID:660 -
C:\Windows\SysWOW64\pkllhgq.exeC:\Windows\system32\pkllhgq.exe 1028 "C:\Windows\SysWOW64\ctiiyyl.exe"119⤵PID:2324
C:\Windows\SysWOW64\zubvcbw.exeC:\Windows\system32\zubvcbw.exe 1008 "C:\Windows\SysWOW64\pkllhgq.exe"120⤵PID:904
C:\Windows\SysWOW64\mlvykkc.exeC:\Windows\system32\mlvykkc.exe 1036 "C:\Windows\SysWOW64\zubvcbw.exe"121⤵
- System Location Discovery: System Language Discovery
PID:2336 -
C:\Windows\SysWOW64\zbybtsa.exeC:\Windows\system32\zbybtsa.exe 1020 "C:\Windows\SysWOW64\mlvykkc.exe"122⤵PID:2732