Analysis
-
max time kernel
150s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
-
submitted
05-12-2024 04:53
General
-
Target
c600781fde274aaae3e3cc8d8182c96a_JaffaCakes118.exe
-
Size
214KB
-
MD5
c600781fde274aaae3e3cc8d8182c96a
-
SHA1
01826294aba79842e5d3e8c5379ebc49072764aa
-
SHA256
f31d7d76860d41aae3b486113685349d00e0bd70d0f39239136df87e144e0c8d
-
SHA512
a40614b0df4929f8d0d73de0c1de06b670b4787bd803d0c7134715524c90d9d6b4bc74d41653cf97c182c9dc9e66a7e1776a3de40537bc8841a5eb1f1ddacfe8
-
SSDEEP
3072:B6eYiCbQmQQaCZWF7QhDXkJVJ8XFRGS9XhKaE74nk2le1wdQLeKzb1/d6+d+GB/o:X2c2XqJ82S9Ql75strq3HBez0Y5
Score
10/10
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modiloader family
-
ModiLoader Second Stage 11 IoCs
-
Executes dropped EXE 64 IoCs
-
Loads dropped DLL 64 IoCs
-
Drops file in System32 directory 64 IoCs
-
Suspicious use of SetThreadContext 64 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c600781fde274aaae3e3cc8d8182c96a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c600781fde274aaae3e3cc8d8182c96a_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\c600781fde274aaae3e3cc8d8182c96a_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\c600781fde274aaae3e3cc8d8182c96a_JaffaCakes118.exe2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ezfsbphqi.exeC:\Windows\system32\ezfsbphqi.exe 476 "C:\Users\Admin\AppData\Local\Temp\c600781fde274aaae3e3cc8d8182c96a_JaffaCakes118.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ezfsbphqi.exeC:\Windows\SysWOW64\ezfsbphqi.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mdqfsasgd.exeC:\Windows\system32\mdqfsasgd.exe 520 "C:\Windows\SysWOW64\ezfsbphqi.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mdqfsasgd.exeC:\Windows\SysWOW64\mdqfsasgd.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tookhuasp.exeC:\Windows\system32\tookhuasp.exe 516 "C:\Windows\SysWOW64\mdqfsasgd.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tookhuasp.exeC:\Windows\SysWOW64\tookhuasp.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\awkkbjklx.exeC:\Windows\system32\awkkbjklx.exe 524 "C:\Windows\SysWOW64\tookhuasp.exe"9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\awkkbjklx.exeC:\Windows\SysWOW64\awkkbjklx.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\lozighmoy.exeC:\Windows\system32\lozighmoy.exe 532 "C:\Windows\SysWOW64\awkkbjklx.exe"11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\lozighmoy.exeC:\Windows\SysWOW64\lozighmoy.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\bhwdqvofe.exeC:\Windows\system32\bhwdqvofe.exe 524 "C:\Windows\SysWOW64\lozighmoy.exe"13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\bhwdqvofe.exeC:\Windows\SysWOW64\bhwdqvofe.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\kslnlyuzr.exeC:\Windows\system32\kslnlyuzr.exe 520 "C:\Windows\SysWOW64\bhwdqvofe.exe"15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\kslnlyuzr.exeC:\Windows\SysWOW64\kslnlyuzr.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\xigiuyagr.exeC:\Windows\system32\xigiuyagr.exe 528 "C:\Windows\SysWOW64\kslnlyuzr.exe"17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\xigiuyagr.exeC:\Windows\SysWOW64\xigiuyagr.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\hlwshbgie.exeC:\Windows\system32\hlwshbgie.exe 524 "C:\Windows\SysWOW64\xigiuyagr.exe"19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\hlwshbgie.exeC:\Windows\SysWOW64\hlwshbgie.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\ugnqnffns.exeC:\Windows\system32\ugnqnffns.exe 516 "C:\Windows\SysWOW64\hlwshbgie.exe"21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\ugnqnffns.exeC:\Windows\SysWOW64\ugnqnffns.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\hatyysrwy.exeC:\Windows\system32\hatyysrwy.exe 524 "C:\Windows\SysWOW64\ugnqnffns.exe"23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\hatyysrwy.exeC:\Windows\SysWOW64\hatyysrwy.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\rljitvyqs.exeC:\Windows\system32\rljitvyqs.exe 524 "C:\Windows\SysWOW64\hatyysrwy.exe"25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\rljitvyqs.exeC:\Windows\SysWOW64\rljitvyqs.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
-
C:\Windows\SysWOW64\eyayzrwdz.exeC:\Windows\system32\eyayzrwdz.exe 520 "C:\Windows\SysWOW64\rljitvyqs.exe"27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\eyayzrwdz.exeC:\Windows\SysWOW64\eyayzrwdz.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\ombvpyjay.exeC:\Windows\system32\ombvpyjay.exe 516 "C:\Windows\SysWOW64\eyayzrwdz.exe"29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\ombvpyjay.exeC:\Windows\SysWOW64\ombvpyjay.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\bcwyygphz.exeC:\Windows\system32\bcwyygphz.exe 524 "C:\Windows\SysWOW64\ombvpyjay.exe"31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\bcwyygphz.exeC:\Windows\SysWOW64\bcwyygphz.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\otqbggnoa.exeC:\Windows\system32\otqbggnoa.exe 516 "C:\Windows\SysWOW64\bcwyygphz.exe"33⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\otqbggnoa.exeC:\Windows\SysWOW64\otqbggnoa.exe34⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\brtdppsva.exeC:\Windows\system32\brtdppsva.exe 524 "C:\Windows\SysWOW64\otqbggnoa.exe"35⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\brtdppsva.exeC:\Windows\SysWOW64\brtdppsva.exe36⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\niogxxylt.exeC:\Windows\system32\niogxxylt.exe 520 "C:\Windows\SysWOW64\brtdppsva.exe"37⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\niogxxylt.exeC:\Windows\SysWOW64\niogxxylt.exe38⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\xwpvvelha.exeC:\Windows\system32\xwpvvelha.exe 524 "C:\Windows\SysWOW64\niogxxylt.exe"39⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\xwpvvelha.exeC:\Windows\SysWOW64\xwpvvelha.exe40⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\kmjyeeiot.exeC:\Windows\system32\kmjyeeiot.exe 524 "C:\Windows\SysWOW64\xwpvvelha.exe"41⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\kmjyeeiot.exeC:\Windows\SysWOW64\kmjyeeiot.exe42⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\xlmbnnovu.exeC:\Windows\system32\xlmbnnovu.exe 516 "C:\Windows\SysWOW64\kmjyeeiot.exe"43⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\xlmbnnovu.exeC:\Windows\SysWOW64\xlmbnnovu.exe44⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\kbhdvvtdv.exeC:\Windows\system32\kbhdvvtdv.exe 524 "C:\Windows\SysWOW64\xlmbnnovu.exe"45⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\kbhdvvtdv.exeC:\Windows\SysWOW64\kbhdvvtdv.exe46⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\uilbotbcv.exeC:\Windows\system32\uilbotbcv.exe 520 "C:\Windows\SysWOW64\kbhdvvtdv.exe"47⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\uilbotbcv.exeC:\Windows\SysWOW64\uilbotbcv.exe48⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\hcrqzyfmi.exeC:\Windows\system32\hcrqzyfmi.exe 516 "C:\Windows\SysWOW64\uilbotbcv.exe"49⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\hcrqzyfmi.exeC:\Windows\SysWOW64\hcrqzyfmi.exe50⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\ubutigdtb.exeC:\Windows\system32\ubutigdtb.exe 520 "C:\Windows\SysWOW64\hcrqzyfmi.exe"51⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\ubutigdtb.exeC:\Windows\SysWOW64\ubutigdtb.exe52⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\ddjevjrno.exeC:\Windows\system32\ddjevjrno.exe 532 "C:\Windows\SysWOW64\ubutigdtb.exe"53⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\ddjevjrno.exeC:\Windows\SysWOW64\ddjevjrno.exe54⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\qcegejpup.exeC:\Windows\system32\qcegejpup.exe 524 "C:\Windows\SysWOW64\ddjevjrno.exe"55⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\qcegejpup.exeC:\Windows\SysWOW64\qcegejpup.exe56⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\dshjmsukq.exeC:\Windows\system32\dshjmsukq.exe 520 "C:\Windows\SysWOW64\qcegejpup.exe"57⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\dshjmsukq.exeC:\Windows\SysWOW64\dshjmsukq.exe58⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\qjcmvaarq.exeC:\Windows\system32\qjcmvaarq.exe 516 "C:\Windows\SysWOW64\dshjmsukq.exe"59⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\qjcmvaarq.exeC:\Windows\SysWOW64\qjcmvaarq.exe60⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
-
C:\Windows\SysWOW64\axcbthnnq.exeC:\Windows\system32\axcbthnnq.exe 516 "C:\Windows\SysWOW64\qjcmvaarq.exe"61⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\axcbthnnq.exeC:\Windows\SysWOW64\axcbthnnq.exe62⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\nkmrzdmsw.exeC:\Windows\system32\nkmrzdmsw.exe 528 "C:\Windows\SysWOW64\axcbthnnq.exe"63⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\nkmrzdmsw.exeC:\Windows\SysWOW64\nkmrzdmsw.exe64⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\ajpthlrzx.exeC:\Windows\system32\ajpthlrzx.exe 524 "C:\Windows\SysWOW64\nkmrzdmsw.exe"65⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\ajpthlrzx.exeC:\Windows\SysWOW64\ajpthlrzx.exe66⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\kleeuoybj.exeC:\Windows\system32\kleeuoybj.exe 532 "C:\Windows\SysWOW64\ajpthlrzx.exe"67⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\kleeuoybj.exeC:\Windows\SysWOW64\kleeuoybj.exe68⤵
-
C:\Windows\SysWOW64\xkzhdwdik.exeC:\Windows\system32\xkzhdwdik.exe 516 "C:\Windows\SysWOW64\kleeuoybj.exe"69⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\xkzhdwdik.exeC:\Windows\SysWOW64\xkzhdwdik.exe70⤵
-
C:\Windows\SysWOW64\kacjuxbql.exeC:\Windows\system32\kacjuxbql.exe 524 "C:\Windows\SysWOW64\xkzhdwdik.exe"71⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\kacjuxbql.exeC:\Windows\SysWOW64\kacjuxbql.exe72⤵
-
C:\Windows\SysWOW64\touhkeomk.exeC:\Windows\system32\touhkeomk.exe 516 "C:\Windows\SysWOW64\kacjuxbql.exe"73⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\touhkeomk.exeC:\Windows\SysWOW64\touhkeomk.exe74⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\gfxjsmttl.exeC:\Windows\system32\gfxjsmttl.exe 528 "C:\Windows\SysWOW64\touhkeomk.exe"75⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\gfxjsmttl.exeC:\Windows\SysWOW64\gfxjsmttl.exe76⤵
-
C:\Windows\SysWOW64\tdsmbmzbe.exeC:\Windows\system32\tdsmbmzbe.exe 520 "C:\Windows\SysWOW64\gfxjsmttl.exe"77⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\tdsmbmzbe.exeC:\Windows\SysWOW64\tdsmbmzbe.exe78⤵
-
C:\Windows\SysWOW64\gunpkvwqf.exeC:\Windows\system32\gunpkvwqf.exe 516 "C:\Windows\SysWOW64\tdsmbmzbe.exe"79⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\gunpkvwqf.exeC:\Windows\SysWOW64\gunpkvwqf.exe80⤵
-
C:\Windows\SysWOW64\tkqjsdcxg.exeC:\Windows\system32\tkqjsdcxg.exe 524 "C:\Windows\SysWOW64\gunpkvwqf.exe"81⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\tkqjsdcxg.exeC:\Windows\SysWOW64\tkqjsdcxg.exe82⤵
-
C:\Windows\SysWOW64\dyqhqcptf.exeC:\Windows\system32\dyqhqcptf.exe 524 "C:\Windows\SysWOW64\tkqjsdcxg.exe"83⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\dyqhqcptf.exeC:\Windows\SysWOW64\dyqhqcptf.exe84⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\qlawwgoyt.exeC:\Windows\system32\qlawwgoyt.exe 532 "C:\Windows\SysWOW64\dyqhqcptf.exe"85⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\qlawwgoyt.exeC:\Windows\SysWOW64\qlawwgoyt.exe86⤵
-
C:\Windows\SysWOW64\awphjjuag.exeC:\Windows\system32\awphjjuag.exe 520 "C:\Windows\SysWOW64\qlawwgoyt.exe"87⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\awphjjuag.exeC:\Windows\SysWOW64\awphjjuag.exe88⤵
-
C:\Windows\SysWOW64\fmsjsrahz.exeC:\Windows\system32\fmsjsrahz.exe 520 "C:\Windows\SysWOW64\awphjjuag.exe"89⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\fmsjsrahz.exeC:\Windows\SysWOW64\fmsjsrahz.exe90⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\royzdwerm.exeC:\Windows\system32\royzdwerm.exe 516 "C:\Windows\SysWOW64\fmsjsrahz.exe"91⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\royzdwerm.exeC:\Windows\SysWOW64\royzdwerm.exe92⤵
-
C:\Windows\SysWOW64\eftcuekyn.exeC:\Windows\system32\eftcuekyn.exe 516 "C:\Windows\SysWOW64\royzdwerm.exe"93⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\eftcuekyn.exeC:\Windows\SysWOW64\eftcuekyn.exe94⤵
-
C:\Windows\SysWOW64\rdofcmpfo.exeC:\Windows\system32\rdofcmpfo.exe 532 "C:\Windows\SysWOW64\eftcuekyn.exe"95⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\rdofcmpfo.exeC:\Windows\SysWOW64\rdofcmpfo.exe96⤵
-
C:\Windows\SysWOW64\bglpqpwaa.exeC:\Windows\system32\bglpqpwaa.exe 536 "C:\Windows\SysWOW64\rdofcmpfo.exe"97⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\bglpqpwaa.exeC:\Windows\SysWOW64\bglpqpwaa.exe98⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\oegsypbpt.exeC:\Windows\system32\oegsypbpt.exe 532 "C:\Windows\SysWOW64\bglpqpwaa.exe"99⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\oegsypbpt.exeC:\Windows\SysWOW64\oegsypbpt.exe100⤵
-
C:\Windows\SysWOW64\bvbmhyzwu.exeC:\Windows\system32\bvbmhyzwu.exe 528 "C:\Windows\SysWOW64\oegsypbpt.exe"101⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\bvbmhyzwu.exeC:\Windows\SysWOW64\bvbmhyzwu.exe102⤵
-
C:\Windows\SysWOW64\oleppgedv.exeC:\Windows\system32\oleppgedv.exe 528 "C:\Windows\SysWOW64\bvbmhyzwu.exe"103⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\oleppgedv.exeC:\Windows\SysWOW64\oleppgedv.exe104⤵
-
C:\Windows\SysWOW64\xawmnfrau.exeC:\Windows\system32\xawmnfrau.exe 516 "C:\Windows\SysWOW64\oleppgedv.exe"105⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\xawmnfrau.exeC:\Windows\SysWOW64\xawmnfrau.exe106⤵
-
C:\Windows\SysWOW64\knoctjqei.exeC:\Windows\system32\knoctjqei.exe 524 "C:\Windows\SysWOW64\xawmnfrau.exe"107⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\knoctjqei.exeC:\Windows\SysWOW64\knoctjqei.exe108⤵
-
C:\Windows\SysWOW64\aczkaaubc.exeC:\Windows\system32\aczkaaubc.exe 524 "C:\Windows\SysWOW64\knoctjqei.exe"109⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\aczkaaubc.exeC:\Windows\SysWOW64\aczkaaubc.exe110⤵
-
C:\Windows\SysWOW64\kfpunwavp.exeC:\Windows\system32\kfpunwavp.exe 524 "C:\Windows\SysWOW64\aczkaaubc.exe"111⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\kfpunwavp.exeC:\Windows\SysWOW64\kfpunwavp.exe112⤵
-
C:\Windows\SysWOW64\xerxwegcp.exeC:\Windows\system32\xerxwegcp.exe 520 "C:\Windows\SysWOW64\kfpunwavp.exe"113⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\xerxwegcp.exeC:\Windows\SysWOW64\xerxwegcp.exe114⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\kyxfhqkmd.exeC:\Windows\system32\kyxfhqkmd.exe 528 "C:\Windows\SysWOW64\xerxwegcp.exe"115⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\kyxfhqkmd.exeC:\Windows\SysWOW64\kyxfhqkmd.exe116⤵
-
C:\Windows\SysWOW64\uinpdtqop.exeC:\Windows\system32\uinpdtqop.exe 528 "C:\Windows\SysWOW64\kyxfhqkmd.exe"117⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\uinpdtqop.exeC:\Windows\SysWOW64\uinpdtqop.exe118⤵
-
C:\Windows\SysWOW64\jnnkhzvaw.exeC:\Windows\system32\jnnkhzvaw.exe 524 "C:\Windows\SysWOW64\uinpdtqop.exe"119⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\jnnkhzvaw.exeC:\Windows\SysWOW64\jnnkhzvaw.exe120⤵
-
C:\Windows\SysWOW64\txkvucbcj.exeC:\Windows\system32\txkvucbcj.exe 528 "C:\Windows\SysWOW64\jnnkhzvaw.exe"121⤵
- Suspicious use of SetThreadContext
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-