Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
05-12-2024 03:53
General
-
Target
c5c7337e1cc43922cb5c9e312dc07aec_JaffaCakes118.exe
-
Size
406KB
-
MD5
c5c7337e1cc43922cb5c9e312dc07aec
-
SHA1
106f6fe7724580d32782c16e914df82b6c94dae6
-
SHA256
0e4cc5443850aa4ae804edf9e38364bf66a352934222a9f183a0f818433c0b0b
-
SHA512
23a7f7a74ad54239a4f25fc0d6145217a1555dcb2181aad5ed7448dad62ab016944c5d213285d137d0c86ac106f4ca09a797fcc7178abfd68850e719dafcea16
-
SSDEEP
6144:0OXbPDYSa4EllnQRWjLFup4aocXIxcg4g+gwoM9i3Uxc8hn2S7eW3Muu/:hL0LfnQELVaoNCg47gEz+8hnrl3MP/
Score
10/10
Malware Config
Extracted
Family
metasploit
Version
encoder/call4_dword_xor
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Metasploit family
-
Executes dropped EXE 64 IoCs
-
Loads dropped DLL 64 IoCs
-
Drops file in System32 directory 64 IoCs
-
Suspicious use of SetThreadContext 64 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c5c7337e1cc43922cb5c9e312dc07aec_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c5c7337e1cc43922cb5c9e312dc07aec_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\c5c7337e1cc43922cb5c9e312dc07aec_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\c5c7337e1cc43922cb5c9e312dc07aec_JaffaCakes118.exe2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ohqhvoc.exeC:\Windows\system32\ohqhvoc.exe 468 "C:\Users\Admin\AppData\Local\Temp\c5c7337e1cc43922cb5c9e312dc07aec_JaffaCakes118.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ohqhvoc.exeC:\Windows\SysWOW64\ohqhvoc.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ozrzxam.exeC:\Windows\system32\ozrzxam.exe 528 "C:\Windows\SysWOW64\ohqhvoc.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ozrzxam.exeC:\Windows\SysWOW64\ozrzxam.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\yydwhzu.exeC:\Windows\system32\yydwhzu.exe 528 "C:\Windows\SysWOW64\ozrzxam.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\yydwhzu.exeC:\Windows\SysWOW64\yydwhzu.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cpajdnf.exeC:\Windows\system32\cpajdnf.exe 528 "C:\Windows\SysWOW64\yydwhzu.exe"9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cpajdnf.exeC:\Windows\SysWOW64\cpajdnf.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\fhshwbf.exeC:\Windows\system32\fhshwbf.exe 472 "C:\Windows\SysWOW64\cpajdnf.exe"11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\fhshwbf.exeC:\Windows\SysWOW64\fhshwbf.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rbyxhor.exeC:\Windows\system32\rbyxhor.exe 532 "C:\Windows\SysWOW64\fhshwbf.exe"13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rbyxhor.exeC:\Windows\SysWOW64\rbyxhor.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\fopmnrq.exeC:\Windows\system32\fopmnrq.exe 528 "C:\Windows\SysWOW64\rbyxhor.exe"15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\fopmnrq.exeC:\Windows\SysWOW64\fopmnrq.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\jajugtv.exeC:\Windows\system32\jajugtv.exe 532 "C:\Windows\SysWOW64\fopmnrq.exe"17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\jajugtv.exeC:\Windows\SysWOW64\jajugtv.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\wgapukg.exeC:\Windows\system32\wgapukg.exe 532 "C:\Windows\SysWOW64\jajugtv.exe"19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\wgapukg.exeC:\Windows\SysWOW64\wgapukg.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
-
C:\Windows\SysWOW64\gbtzceh.exeC:\Windows\system32\gbtzceh.exe 532 "C:\Windows\SysWOW64\wgapukg.exe"21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\gbtzceh.exeC:\Windows\SysWOW64\gbtzceh.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\qbffudo.exeC:\Windows\system32\qbffudo.exe 528 "C:\Windows\SysWOW64\gbtzceh.exe"23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\qbffudo.exeC:\Windows\SysWOW64\qbffudo.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\twgpcyp.exeC:\Windows\system32\twgpcyp.exe 532 "C:\Windows\SysWOW64\qbffudo.exe"25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\twgpcyp.exeC:\Windows\SysWOW64\twgpcyp.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\dvknmww.exeC:\Windows\system32\dvknmww.exe 528 "C:\Windows\SysWOW64\twgpcyp.exe"27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\dvknmww.exeC:\Windows\SysWOW64\dvknmww.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\pbbpafi.exeC:\Windows\system32\pbbpafi.exe 528 "C:\Windows\SysWOW64\dvknmww.exe"29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\pbbpafi.exeC:\Windows\SysWOW64\pbbpafi.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\cwlfojg.exeC:\Windows\system32\cwlfojg.exe 528 "C:\Windows\SysWOW64\pbbpafi.exe"31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cwlfojg.exeC:\Windows\SysWOW64\cwlfojg.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\myipcmn.exeC:\Windows\system32\myipcmn.exe 536 "C:\Windows\SysWOW64\cwlfojg.exe"33⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\myipcmn.exeC:\Windows\SysWOW64\myipcmn.exe34⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\xubajhv.exeC:\Windows\system32\xubajhv.exe 540 "C:\Windows\SysWOW64\myipcmn.exe"35⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\xubajhv.exeC:\Windows\SysWOW64\xubajhv.exe36⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\heqkekc.exeC:\Windows\system32\heqkekc.exe 528 "C:\Windows\SysWOW64\xubajhv.exe"37⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\heqkekc.exeC:\Windows\SysWOW64\heqkekc.exe38⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\rhovsni.exeC:\Windows\system32\rhovsni.exe 528 "C:\Windows\SysWOW64\heqkekc.exe"39⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\rhovsni.exeC:\Windows\SysWOW64\rhovsni.exe40⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\dyjxavo.exeC:\Windows\system32\dyjxavo.exe 544 "C:\Windows\SysWOW64\rhovsni.exe"41⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\dyjxavo.exeC:\Windows\SysWOW64\dyjxavo.exe42⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\rtangrm.exeC:\Windows\system32\rtangrm.exe 528 "C:\Windows\SysWOW64\dyjxavo.exe"43⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\rtangrm.exeC:\Windows\SysWOW64\rtangrm.exe44⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
-
C:\Windows\SysWOW64\bsekqqu.exeC:\Windows\system32\bsekqqu.exe 528 "C:\Windows\SysWOW64\rtangrm.exe"45⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\bsekqqu.exeC:\Windows\SysWOW64\bsekqqu.exe46⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\kgfioxh.exeC:\Windows\system32\kgfioxh.exe 528 "C:\Windows\SysWOW64\bsekqqu.exe"47⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\kgfioxh.exeC:\Windows\SysWOW64\kgfioxh.exe48⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\ytoxubg.exeC:\Windows\system32\ytoxubg.exe 536 "C:\Windows\SysWOW64\kgfioxh.exe"49⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\ytoxubg.exeC:\Windows\SysWOW64\ytoxubg.exe50⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\isbvfan.exeC:\Windows\system32\isbvfan.exe 532 "C:\Windows\SysWOW64\ytoxubg.exe"51⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\isbvfan.exeC:\Windows\SysWOW64\isbvfan.exe52⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\suqfadu.exeC:\Windows\system32\suqfadu.exe 544 "C:\Windows\SysWOW64\isbvfan.exe"53⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\suqfadu.exeC:\Windows\SysWOW64\suqfadu.exe54⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
-
C:\Windows\SysWOW64\ftliidz.exeC:\Windows\system32\ftliidz.exe 536 "C:\Windows\SysWOW64\suqfadu.exe"55⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\ftliidz.exeC:\Windows\SysWOW64\ftliidz.exe56⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\rjolrlx.exeC:\Windows\system32\rjolrlx.exe 528 "C:\Windows\SysWOW64\ftliidz.exe"57⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\rjolrlx.exeC:\Windows\SysWOW64\rjolrlx.exe58⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\eiinatc.exeC:\Windows\system32\eiinatc.exe 536 "C:\Windows\SysWOW64\rjolrlx.exe"59⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\eiinatc.exeC:\Windows\SysWOW64\eiinatc.exe60⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\olyynwj.exeC:\Windows\system32\olyynwj.exe 540 "C:\Windows\SysWOW64\eiinatc.exe"61⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\olyynwj.exeC:\Windows\SysWOW64\olyynwj.exe62⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\bjbavxo.exeC:\Windows\system32\bjbavxo.exe 536 "C:\Windows\SysWOW64\olyynwj.exe"63⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\bjbavxo.exeC:\Windows\SysWOW64\bjbavxo.exe64⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\lmqlrav.exeC:\Windows\system32\lmqlrav.exe 528 "C:\Windows\SysWOW64\bjbavxo.exe"65⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\lmqlrav.exeC:\Windows\SysWOW64\lmqlrav.exe66⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\yzabxeb.exeC:\Windows\system32\yzabxeb.exe 536 "C:\Windows\SysWOW64\lmqlrav.exe"67⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\yzabxeb.exeC:\Windows\SysWOW64\yzabxeb.exe68⤵
-
C:\Windows\SysWOW64\inaqnlg.exeC:\Windows\system32\inaqnlg.exe 528 "C:\Windows\SysWOW64\yzabxeb.exe"69⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\inaqnlg.exeC:\Windows\SysWOW64\inaqnlg.exe70⤵
-
C:\Windows\SysWOW64\vasoshn.exeC:\Windows\system32\vasoshn.exe 528 "C:\Windows\SysWOW64\inaqnlg.exe"71⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\vasoshn.exeC:\Windows\SysWOW64\vasoshn.exe72⤵
-
C:\Windows\SysWOW64\fkhyokt.exeC:\Windows\system32\fkhyokt.exe 528 "C:\Windows\SysWOW64\vasoshn.exe"73⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\fkhyokt.exeC:\Windows\SysWOW64\fkhyokt.exe74⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sxzotos.exeC:\Windows\system32\sxzotos.exe 540 "C:\Windows\SysWOW64\fkhyokt.exe"75⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\sxzotos.exeC:\Windows\SysWOW64\sxzotos.exe76⤵
-
C:\Windows\SysWOW64\caoyhrz.exeC:\Windows\system32\caoyhrz.exe 528 "C:\Windows\SysWOW64\sxzotos.exe"77⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\caoyhrz.exeC:\Windows\SysWOW64\caoyhrz.exe78⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\mkdicun.exeC:\Windows\system32\mkdicun.exe 528 "C:\Windows\SysWOW64\caoyhrz.exe"79⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\mkdicun.exeC:\Windows\SysWOW64\mkdicun.exe80⤵
-
C:\Windows\SysWOW64\zxnyiym.exeC:\Windows\system32\zxnyiym.exe 532 "C:\Windows\SysWOW64\mkdicun.exe"81⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\zxnyiym.exeC:\Windows\SysWOW64\zxnyiym.exe82⤵
-
C:\Windows\SysWOW64\moqbqyr.exeC:\Windows\system32\moqbqyr.exe 532 "C:\Windows\SysWOW64\zxnyiym.exe"83⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\moqbqyr.exeC:\Windows\SysWOW64\moqbqyr.exe84⤵
-
C:\Windows\SysWOW64\wcqqgfw.exeC:\Windows\system32\wcqqgfw.exe 540 "C:\Windows\SysWOW64\moqbqyr.exe"85⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\wcqqgfw.exeC:\Windows\SysWOW64\wcqqgfw.exe86⤵
-
C:\Windows\SysWOW64\jpagmjd.exeC:\Windows\system32\jpagmjd.exe 532 "C:\Windows\SysWOW64\wcqqgfw.exe"87⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\jpagmjd.exeC:\Windows\SysWOW64\jpagmjd.exe88⤵
-
C:\Windows\SysWOW64\wodjvjb.exeC:\Windows\system32\wodjvjb.exe 544 "C:\Windows\SysWOW64\jpagmjd.exe"89⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\wodjvjb.exeC:\Windows\SysWOW64\wodjvjb.exe90⤵
-
C:\Windows\SysWOW64\gqstqnp.exeC:\Windows\system32\gqstqnp.exe 540 "C:\Windows\SysWOW64\wodjvjb.exe"91⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\gqstqnp.exeC:\Windows\SysWOW64\gqstqnp.exe92⤵
-
C:\Windows\SysWOW64\pbiddqv.exeC:\Windows\system32\pbiddqv.exe 532 "C:\Windows\SysWOW64\gqstqnp.exe"93⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\pbiddqv.exeC:\Windows\SysWOW64\pbiddqv.exe94⤵
-
C:\Windows\SysWOW64\dortjuu.exeC:\Windows\system32\dortjuu.exe 528 "C:\Windows\SysWOW64\pbiddqv.exe"95⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\dortjuu.exeC:\Windows\SysWOW64\dortjuu.exe96⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\pqfjugy.exeC:\Windows\system32\pqfjugy.exe 528 "C:\Windows\SysWOW64\dortjuu.exe"97⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\pqfjugy.exeC:\Windows\SysWOW64\pqfjugy.exe98⤵
-
C:\Windows\SysWOW64\zsutqbn.exeC:\Windows\system32\zsutqbn.exe 544 "C:\Windows\SysWOW64\pqfjugy.exe"99⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\zsutqbn.exeC:\Windows\SysWOW64\zsutqbn.exe100⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\mjpwyjk.exeC:\Windows\system32\mjpwyjk.exe 536 "C:\Windows\SysWOW64\zsutqbn.exe"101⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\mjpwyjk.exeC:\Windows\SysWOW64\mjpwyjk.exe102⤵
-
C:\Windows\SysWOW64\zhkzhrq.exeC:\Windows\system32\zhkzhrq.exe 536 "C:\Windows\SysWOW64\mjpwyjk.exe"103⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\zhkzhrq.exeC:\Windows\SysWOW64\zhkzhrq.exe104⤵
-
C:\Windows\SysWOW64\jkzjuvw.exeC:\Windows\system32\jkzjuvw.exe 532 "C:\Windows\SysWOW64\zhkzhrq.exe"105⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\jkzjuvw.exeC:\Windows\SysWOW64\jkzjuvw.exe106⤵
-
C:\Windows\SysWOW64\wfrzaqd.exeC:\Windows\system32\wfrzaqd.exe 532 "C:\Windows\SysWOW64\jkzjuvw.exe"107⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\wfrzaqd.exeC:\Windows\SysWOW64\wfrzaqd.exe108⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\gigjvuj.exeC:\Windows\system32\gigjvuj.exe 536 "C:\Windows\SysWOW64\wfrzaqd.exe"109⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\gigjvuj.exeC:\Windows\SysWOW64\gigjvuj.exe110⤵
-
C:\Windows\SysWOW64\tvyzbxi.exeC:\Windows\system32\tvyzbxi.exe 532 "C:\Windows\SysWOW64\gigjvuj.exe"111⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\tvyzbxi.exeC:\Windows\SysWOW64\tvyzbxi.exe112⤵
-
C:\Windows\SysWOW64\dfnjoao.exeC:\Windows\system32\dfnjoao.exe 532 "C:\Windows\SysWOW64\tvyzbxi.exe"113⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\dfnjoao.exeC:\Windows\SysWOW64\dfnjoao.exe114⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\nidujed.exeC:\Windows\system32\nidujed.exe 528 "C:\Windows\SysWOW64\dfnjoao.exe"115⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\nidujed.exeC:\Windows\SysWOW64\nidujed.exe116⤵
-
C:\Windows\SysWOW64\agywsea.exeC:\Windows\system32\agywsea.exe 532 "C:\Windows\SysWOW64\nidujed.exe"117⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\agywsea.exeC:\Windows\SysWOW64\agywsea.exe118⤵
-
C:\Windows\SysWOW64\ftpmyih.exeC:\Windows\system32\ftpmyih.exe 544 "C:\Windows\SysWOW64\agywsea.exe"119⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\ftpmyih.exeC:\Windows\SysWOW64\ftpmyih.exe120⤵
-
C:\Windows\SysWOW64\pwewlln.exeC:\Windows\system32\pwewlln.exe 528 "C:\Windows\SysWOW64\ftpmyih.exe"121⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-