694fef7d7c2f0a5fdf9110caac07b01c24be8653faed1d670e3a53679ccd4d26

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 07:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5fcd73cabc2e7ce6d86d7d3ab7dd2c2_JaffaCakes118.exe
Size

1.7MB
MD5

d5fcd73cabc2e7ce6d86d7d3ab7dd2c2
SHA1

d8b1aa82b23d20e3164c5471e86c3e31646ee2bc
SHA256

694fef7d7c2f0a5fdf9110caac07b01c24be8653faed1d670e3a53679ccd4d26
SHA512

894446e782a21f6c9c8f6879e0fdcaac380152a7d4801449ac853de4f56c2a66fac1c4cb6f00f8a71547beae0524e15bdba846cee45a101b51ffeee308088f67
SSDEEP

49152:JCS45lWOPX9r3FI+QPMb1Per45dcXRMR8EVLZwj:JCzpPpF1H5er45eBKr

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Executes dropped EXE 59 IoCs

pid	Process
2680	wD3onF4am6W7E.exe
100	h1ivD2onFaHsJfL.exe
1936	gTXqjUCelBzNc1.exe
4988	rVelOBtxPySiDoG.exe
2732	zwkIVrzONx.exe
4036	GTXqjUCelBzNc1v.exe
3256	plOBtxP0ySiDoGa.exe
4000	BA0uvS2ib3m5Q6E.exe
4980	uvD2onF4pHsJdLg.exe
636	JQH6sWK7f.exe
1324	CF3pmG5aQ6E8R9Y.exe
3408	P5sWJ7dELgZhCkV.exe
2088	o7fRL9gTXjCkBzN.exe
1544	wRZ9hYXwjVlBz0c.exe
2288	mYCwkIVrlNx0c2b.exe
3128	BIBrzPNyx1v2b4m.exe
2232	vP0ycS1iv3n4m6W.exe
3740	bONtxA0uc2b.exe
3028	GBrzPNyxAuDoFpH.exe
4868	yelOBtzP0c1v3n4.exe
1948	ycS2ibF3pGaJdKf.exe
4900	lvD2obF4pHsJdLg.exe
740	QonG4amH6W7E9Tq.exe
4828	NaQJ6dWK8R9TwUe.exe
1936	dsQJ7dEL8RqYwUr.exe
2352	HivD3onG4m6W7E9.exe
4044	gpnG5aQJ6W8R9Tw.exe
4576	TbF4pmH5sJdLgZh.exe
2308	CD3onG4am6W.exe
2880	UJ6dWK8fR9TwUe.exe
2784	g1uvD2obFpHsJdL.exe
1040	OG4amH6sW7E9TqY.exe
4056	s5aQJ6dWKfZhXjV.exe
4588	AD2obF4pm.exe
4324	OK8fRZ9hYwUeOtP.exe
2492	xWJ7dEL8gZhCkV.exe
1460	fD3onG4aQ6W7R9T.exe
1120	H3pmG5aQJdKfZhX.exe
2588	bnF4pmH5sJdLgZ.exe
2736	xBtxP0ycSiDoGaH.exe
2172	fxA0uvS2iFpGaJd.exe
1320	JjUCelIBrPyAuDo.exe
3352	FwkUVelOBx0c1b3.exe
4260	LgTZqjYCwIr.exe
2288	l6dWK7fRLhXjClB.exe
1620	QK8gRZ9hYwUeOtP.exe
4572	AamH5sWJ7.exe
3740	RcS1ibD3pGaHdK.exe
1020	PgTZqjYCeIrOyA.exe
2792	epnG5aQH6W8R9Tw.exe
1836	ZG5sQJ7dE8RqYwU.exe
1884	qIBtzP0yc1v3n4m.exe
2444	RRZqhYCwkVlNx0c.exe
1776	eYCekIBrzNx1v2b.exe
1744	rTXwjUVelBz0c1v.exe
1672	jYCwkUVrlNx0c.exe
4692	HfEL9gTXqYeIrOy.exe
3564	vK8fRZ9hTwUeItP.exe
4100	VyxA1uvD2b4m5Q7.exe

Adds Run key to start application 2 TTPs 59 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HQH6sWK7fLgXjC8234A = "C:\\Windows\\system32\\rVelOBtxPySiDoG.exe"	gTXqjUCelBzNc1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XA1uvD2ob4m5Q7E8234A = "C:\\Windows\\system32\\o7fRL9gTXjCkBzN.exe"	P5sWJ7dELgZhCkV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AsQJ7dEL8RqYwUr8234A = "C:\\Windows\\system32\\BIBrzPNyx1v2b4m.exe"	mYCwkIVrlNx0c2b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sfEL9gTXqYeIrOy8234A = "C:\\Windows\\system32\\CD3onG4am6W.exe"	TbF4pmH5sJdLgZh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IjUVelOBtPySiDo8234A = "C:\\Windows\\system32\\CF3pmG5aQ6E8R9Y.exe"	JQH6sWK7f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wVelIBtzPyAiDoF8234A = "C:\\Windows\\system32\\gpnG5aQJ6W8R9Tw.exe"	HivD3onG4m6W7E9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QG4aQH6sW7R9TqU8234A = "C:\\Windows\\system32\\FwkUVelOBx0c1b3.exe"	JjUCelIBrPyAuDo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HonF4amH6W7E9T8234A = "C:\\Windows\\system32\\rTXwjUVelBz0c1v.exe"	eYCekIBrzNx1v2b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ruvS2ibF3m5Q6E88234A = "C:\\Windows\\system32\\zwkIVrzONx.exe"	rVelOBtxPySiDoG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dpnG5aQJ6W8R9Tw8234A = "C:\\Windows\\system32\\mYCwkIVrlNx0c2b.exe"	wRZ9hYXwjVlBz0c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kwkUVrlONx0c2b8234A = "C:\\Windows\\system32\\TbF4pmH5sJdLgZh.exe"	gpnG5aQJ6W8R9Tw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FsQJ7dEL8RqYwUr8234A = "C:\\Windows\\system32\\AD2obF4pm.exe"	s5aQJ6dWKfZhXjV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WonF4pmH5W7E8Tq8234A = "C:\\Windows\\system32\\GTXqjUCelBzNc1v.exe"	zwkIVrzONx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NNtxP0ucSiDpGa8234A = "C:\\Windows\\system32\\dsQJ7dEL8RqYwUr.exe"	NaQJ6dWK8R9TwUe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xkIBrzONyAuSoFp8234A = "C:\\Windows\\system32\\OG4amH6sW7E9TqY.exe"	g1uvD2obFpHsJdL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\q8fRZ9hYXjVlBz08234A = "C:\\Windows\\system32\\fxA0uvS2iFpGaJd.exe"	xBtxP0ycSiDoGaH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Z9gTXqjUCkBzNx18234A = "C:\\Windows\\system32\\JQH6sWK7f.exe"	uvD2onF4pHsJdLg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ccS1ivD3oGaHsKf8234A = "C:\\Windows\\system32\\OK8fRZ9hYwUeOtP.exe"	AD2obF4pm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RYCwkIVrlNx8234A = "C:\\Windows\\system32\\bnF4pmH5sJdLgZ.exe"	H3pmG5aQJdKfZhX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\R4pmH5sWJdLgZhC8234A = "C:\\Windows\\system32\\JjUCelIBrPyAuDo.exe"	fxA0uvS2iFpGaJd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\E1uvS2obFpGsJdK8234A = "C:\\Windows\\system32\\HfEL9gTXqYeIrOy.exe"	jYCwkUVrlNx0c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DpnG5aQJ6W8R9Tw8234A = "C:\\Windows\\system32\\bONtxA0uc2b.exe"	vP0ycS1iv3n4m6W.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VIBtzP0yc1v3n4m8234A = "C:\\Windows\\system32\\s5aQJ6dWKfZhXjV.exe"	OG4amH6sW7E9TqY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fcS1ibD3oGaHsKf8234A = "C:\\Windows\\system32\\QK8gRZ9hYwUeOtP.exe"	l6dWK7fRLhXjClB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LqhYCwkIVlNx0c28234A = "C:\\Windows\\system32\\uvD2onF4pHsJdLg.exe"	BA0uvS2ib3m5Q6E.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yqhYCwkUVlNx0c28234A = "C:\\Windows\\system32\\lvD2obF4pHsJdLg.exe"	ycS2ibF3pGaJdKf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fCekIBrzOyAuSoF8234A = "C:\\Windows\\system32\\QonG4amH6W7E9Tq.exe"	lvD2obF4pHsJdLg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iWK7fRL9gXjCkBz8234A = "C:\\Windows\\system32\\xBtxP0ycSiDoGaH.exe"	bnF4pmH5sJdLgZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FCelIBtzPyAiDoF8234A = "C:\\Windows\\system32\\epnG5aQH6W8R9Tw.exe"	PgTZqjYCeIrOyA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EXqjYCekIrOyAuS8234A = "C:\\Windows\\system32\\HivD3onG4m6W7E9.exe"	dsQJ7dEL8RqYwUr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qRZqhYCwkVlNx0c8234A = "C:\\Windows\\system32\\g1uvD2obFpHsJdL.exe"	UJ6dWK8fR9TwUe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DsWJ7fEL9TqYeI8234A = "C:\\Windows\\system32\\qIBtzP0yc1v3n4m.exe"	ZG5sQJ7dE8RqYwU.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JibD3pnG58234A = "C:\\Windows\\system32\\jYCwkUVrlNx0c.exe"	rTXwjUVelBz0c1v.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WgTZqjYCe8234A = "C:\\Windows\\system32\\wD3onF4am6W7E.exe"	d5fcd73cabc2e7ce6d86d7d3ab7dd2c2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vONtxA0uc2b3n5Q8234A = "C:\\Windows\\system32\\P5sWJ7dELgZhCkV.exe"	CF3pmG5aQ6E8R9Y.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FivD3onG4m6W7E98234A = "C:\\Windows\\system32\\wRZ9hYXwjVlBz0c.exe"	o7fRL9gTXjCkBzN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KH6sWK7fE9TqYeI8234A = "C:\\Windows\\system32\\yelOBtzP0c1v3n4.exe"	GBrzPNyxAuDoFpH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SBtzP0ycAiDoFaH8234A = "C:\\Windows\\system32\\NaQJ6dWK8R9TwUe.exe"	QonG4amH6W7E9Tq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oNtxA0uvSiFpGaJ8234A = "C:\\Windows\\system32\\LgTZqjYCwIr.exe"	FwkUVelOBx0c1b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JvS2obF3pGsJ8234A = "C:\\Windows\\system32\\PgTZqjYCeIrOyA.exe"	RcS1ibD3pGaHdK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pcA1ivD3oFaHsJf8234A = "C:\\Windows\\system32\\vK8fRZ9hTwUeItP.exe"	HfEL9gTXqYeIrOy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PL8gRZqhYwUrOt8234A = "C:\\Windows\\system32\\VyxA1uvD2b4m5Q7.exe"	vK8fRZ9hTwUeItP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pfEL9gTXqYeIrOy8234A = "C:\\Windows\\system32\\vP0ycS1iv3n4m6W.exe"	BIBrzPNyx1v2b4m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DBtzP0ycAiD8234A = "C:\\Windows\\system32\\UJ6dWK8fR9TwUe.exe"	CD3onG4am6W.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qjUCekIBrPyAuDo8234A = "C:\\Windows\\system32\\fD3onG4aQ6W7R9T.exe"	xWJ7dEL8gZhCkV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FL8gTZqjYwIrOtA8234A = "C:\\Windows\\system32\\AamH5sWJ7.exe"	QK8gRZ9hYwUeOtP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ARL9hTXqjClB8234A = "C:\\Windows\\system32\\RcS1ibD3pGaHdK.exe"	AamH5sWJ7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\C6sWK7fRLgXjCkB8234A = "C:\\Windows\\system32\\plOBtxP0ySiDoGa.exe"	GTXqjUCelBzNc1v.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\K9hTXwjUVlBz0c18234A = "C:\\Windows\\system32\\ycS2ibF3pGaJdKf.exe"	yelOBtzP0c1v3n4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EUVelOBtz0c1v3n8234A = "C:\\Windows\\system32\\H3pmG5aQJdKfZhX.exe"	fD3onG4aQ6W7R9T.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\GpmG5sQJ7E8RqYw8234A = "C:\\Windows\\system32\\eYCekIBrzNx1v2b.exe"	RRZqhYCwkVlNx0c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QQJ7dEL8gZhCkVl8234A = "C:\\Windows\\system32\\GBrzPNyxAuDoFpH.exe"	bONtxA0uc2b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QONtxA0uc2b8234A = "C:\\Windows\\system32\\xWJ7dEL8gZhCkV.exe"	OK8fRZ9hYwUeOtP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PfRZ9hYXwUeOtPy8234A = "C:\\Windows\\system32\\BA0uvS2ib3m5Q6E.exe"	plOBtxP0ySiDoGa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UlOBtxP0uSiDpG8234A = "C:\\Windows\\system32\\ZG5sQJ7dE8RqYwU.exe"	epnG5aQH6W8R9Tw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eTZqjYCwkVzNx0v8234A = "C:\\Windows\\system32\\h1ivD2onFaHsJfL.exe"	wD3onF4am6W7E.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cD2onF4pm5W78234A = "C:\\Windows\\system32\\gTXqjUCelBzNc1.exe"	h1ivD2onFaHsJfL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jibD3pnG5Q6W8R98234A = "C:\\Windows\\system32\\RRZqhYCwkVlNx0c.exe"	qIBtzP0yc1v3n4m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yPNycA1uv2n4m5W8234A = "C:\\Windows\\system32\\l6dWK7fRLhXjClB.exe"	LgTZqjYCwIr.exe

Drops file in System32 directory 59 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\QonG4amH6W7E9Tq.exe	lvD2obF4pHsJdLg.exe
File created	C:\Windows\SysWOW64\ZG5sQJ7dE8RqYwU.exe	epnG5aQH6W8R9Tw.exe
File created	C:\Windows\SysWOW64\gTXqjUCelBzNc1.exe	h1ivD2onFaHsJfL.exe
File created	C:\Windows\SysWOW64\JQH6sWK7f.exe	uvD2onF4pHsJdLg.exe
File created	C:\Windows\SysWOW64\o7fRL9gTXjCkBzN.exe	P5sWJ7dELgZhCkV.exe
File created	C:\Windows\SysWOW64\yelOBtzP0c1v3n4.exe	GBrzPNyxAuDoFpH.exe
File created	C:\Windows\SysWOW64\bnF4pmH5sJdLgZ.exe	H3pmG5aQJdKfZhX.exe
File created	C:\Windows\SysWOW64\eYCekIBrzNx1v2b.exe	RRZqhYCwkVlNx0c.exe
File created	C:\Windows\SysWOW64\qIBtzP0yc1v3n4m.exe	ZG5sQJ7dE8RqYwU.exe
File created	C:\Windows\SysWOW64\plOBtxP0ySiDoGa.exe	GTXqjUCelBzNc1v.exe
File created	C:\Windows\SysWOW64\uvD2onF4pHsJdLg.exe	BA0uvS2ib3m5Q6E.exe
File created	C:\Windows\SysWOW64\GBrzPNyxAuDoFpH.exe	bONtxA0uc2b.exe
File created	C:\Windows\SysWOW64\FwkUVelOBx0c1b3.exe	JjUCelIBrPyAuDo.exe
File created	C:\Windows\SysWOW64\l6dWK7fRLhXjClB.exe	LgTZqjYCwIr.exe
File created	C:\Windows\SysWOW64\epnG5aQH6W8R9Tw.exe	PgTZqjYCeIrOyA.exe
File created	C:\Windows\SysWOW64\wD3onF4am6W7E.exe	d5fcd73cabc2e7ce6d86d7d3ab7dd2c2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\HivD3onG4m6W7E9.exe	dsQJ7dEL8RqYwUr.exe
File created	C:\Windows\SysWOW64\OG4amH6sW7E9TqY.exe	g1uvD2obFpHsJdL.exe
File created	C:\Windows\SysWOW64\OK8fRZ9hYwUeOtP.exe	AD2obF4pm.exe
File created	C:\Windows\SysWOW64\xBtxP0ycSiDoGaH.exe	bnF4pmH5sJdLgZ.exe
File created	C:\Windows\SysWOW64\fxA0uvS2iFpGaJd.exe	xBtxP0ycSiDoGaH.exe
File created	C:\Windows\SysWOW64\JjUCelIBrPyAuDo.exe	fxA0uvS2iFpGaJd.exe
File created	C:\Windows\SysWOW64\gpnG5aQJ6W8R9Tw.exe	HivD3onG4m6W7E9.exe
File created	C:\Windows\SysWOW64\TbF4pmH5sJdLgZh.exe	gpnG5aQJ6W8R9Tw.exe
File created	C:\Windows\SysWOW64\s5aQJ6dWKfZhXjV.exe	OG4amH6sW7E9TqY.exe
File created	C:\Windows\SysWOW64\H3pmG5aQJdKfZhX.exe	fD3onG4aQ6W7R9T.exe
File created	C:\Windows\SysWOW64\LgTZqjYCwIr.exe	FwkUVelOBx0c1b3.exe
File created	C:\Windows\SysWOW64\QK8gRZ9hYwUeOtP.exe	l6dWK7fRLhXjClB.exe
File created	C:\Windows\SysWOW64\HfEL9gTXqYeIrOy.exe	jYCwkUVrlNx0c.exe
File created	C:\Windows\SysWOW64\h1ivD2onFaHsJfL.exe	wD3onF4am6W7E.exe
File created	C:\Windows\SysWOW64\P5sWJ7dELgZhCkV.exe	CF3pmG5aQ6E8R9Y.exe
File created	C:\Windows\SysWOW64\dsQJ7dEL8RqYwUr.exe	NaQJ6dWK8R9TwUe.exe
File created	C:\Windows\SysWOW64\fD3onG4aQ6W7R9T.exe	xWJ7dEL8gZhCkV.exe
File created	C:\Windows\SysWOW64\CF3pmG5aQ6E8R9Y.exe	JQH6sWK7f.exe
File created	C:\Windows\SysWOW64\lvD2obF4pHsJdLg.exe	ycS2ibF3pGaJdKf.exe
File created	C:\Windows\SysWOW64\g1uvD2obFpHsJdL.exe	UJ6dWK8fR9TwUe.exe
File created	C:\Windows\SysWOW64\RcS1ibD3pGaHdK.exe	AamH5sWJ7.exe
File created	C:\Windows\SysWOW64\GTXqjUCelBzNc1v.exe	zwkIVrzONx.exe
File created	C:\Windows\SysWOW64\vP0ycS1iv3n4m6W.exe	BIBrzPNyx1v2b4m.exe
File created	C:\Windows\SysWOW64\ycS2ibF3pGaJdKf.exe	yelOBtzP0c1v3n4.exe
File created	C:\Windows\SysWOW64\AamH5sWJ7.exe	QK8gRZ9hYwUeOtP.exe
File created	C:\Windows\SysWOW64\PgTZqjYCeIrOyA.exe	RcS1ibD3pGaHdK.exe
File created	C:\Windows\SysWOW64\VyxA1uvD2b4m5Q7.exe	vK8fRZ9hTwUeItP.exe
File created	C:\Windows\SysWOW64\RRZqhYCwkVlNx0c.exe	qIBtzP0yc1v3n4m.exe
File created	C:\Windows\SysWOW64\wRZ9hYXwjVlBz0c.exe	o7fRL9gTXjCkBzN.exe
File created	C:\Windows\SysWOW64\mYCwkIVrlNx0c2b.exe	wRZ9hYXwjVlBz0c.exe
File created	C:\Windows\SysWOW64\BIBrzPNyx1v2b4m.exe	mYCwkIVrlNx0c2b.exe
File created	C:\Windows\SysWOW64\bONtxA0uc2b.exe	vP0ycS1iv3n4m6W.exe
File created	C:\Windows\SysWOW64\CD3onG4am6W.exe	TbF4pmH5sJdLgZh.exe
File created	C:\Windows\SysWOW64\UJ6dWK8fR9TwUe.exe	CD3onG4am6W.exe
File created	C:\Windows\SysWOW64\rVelOBtxPySiDoG.exe	gTXqjUCelBzNc1.exe
File created	C:\Windows\SysWOW64\zwkIVrzONx.exe	rVelOBtxPySiDoG.exe
File created	C:\Windows\SysWOW64\AD2obF4pm.exe	s5aQJ6dWKfZhXjV.exe
File created	C:\Windows\SysWOW64\jYCwkUVrlNx0c.exe	rTXwjUVelBz0c1v.exe
File created	C:\Windows\SysWOW64\vK8fRZ9hTwUeItP.exe	HfEL9gTXqYeIrOy.exe
File created	C:\Windows\SysWOW64\BA0uvS2ib3m5Q6E.exe	plOBtxP0ySiDoGa.exe
File created	C:\Windows\SysWOW64\NaQJ6dWK8R9TwUe.exe	QonG4amH6W7E9Tq.exe
File created	C:\Windows\SysWOW64\xWJ7dEL8gZhCkV.exe	OK8fRZ9hYwUeOtP.exe
File created	C:\Windows\SysWOW64\rTXwjUVelBz0c1v.exe	eYCekIBrzNx1v2b.exe

UPX packed file 63 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1148-2-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/1148-9-0x0000000000400000-0x00000000008B3000-memory.dmp	upx
behavioral2/memory/1148-8-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/2680-12-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/2680-17-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/100-20-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/100-26-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/1936-31-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/4988-37-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/2732-43-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/4036-49-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/3256-55-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/4000-62-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/4980-67-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/636-73-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/1324-79-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/3408-85-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/2088-91-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/1544-97-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/2288-103-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/3128-109-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/2232-115-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/3740-121-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/3028-127-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/4868-133-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/1948-139-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/4900-145-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/740-151-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/4828-157-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/1936-163-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/2352-169-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/4044-176-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/4576-181-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/2308-187-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/2880-193-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/2784-199-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/1040-204-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/4056-208-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/4588-212-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/4324-216-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/2492-220-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/1460-224-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/1120-228-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/2588-232-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/2736-236-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/2172-240-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/1320-244-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/3352-248-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/4260-252-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/2288-256-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/1620-260-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/4572-264-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/3740-268-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/1020-272-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/2792-276-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/1836-280-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/1884-284-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/2444-288-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/1776-292-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/1744-296-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/1672-300-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/4692-304-0x0000000000400000-0x00000000008B6000-memory.dmp	upx
behavioral2/memory/3564-308-0x0000000000400000-0x00000000008B6000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 60 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	o7fRL9gTXjCkBzN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NaQJ6dWK8R9TwUe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TbF4pmH5sJdLgZh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vK8fRZ9hTwUeItP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VyxA1uvD2b4m5Q7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wD3onF4am6W7E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rVelOBtxPySiDoG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GTXqjUCelBzNc1v.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bONtxA0uc2b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fxA0uvS2iFpGaJd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AamH5sWJ7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5fcd73cabc2e7ce6d86d7d3ab7dd2c2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yelOBtzP0c1v3n4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpnG5aQJ6W8R9Tw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bnF4pmH5sJdLgZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RRZqhYCwkVlNx0c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rTXwjUVelBz0c1v.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zwkIVrzONx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xWJ7dEL8gZhCkV.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HfEL9gTXqYeIrOy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	h1ivD2onFaHsJfL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uvD2onF4pHsJdLg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mYCwkIVrlNx0c2b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QK8gRZ9hYwUeOtP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jYCwkUVrlNx0c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JQH6sWK7f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HivD3onG4m6W7E9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fD3onG4aQ6W7R9T.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ycS2ibF3pGaJdKf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JjUCelIBrPyAuDo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plOBtxP0ySiDoGa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CF3pmG5aQ6E8R9Y.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vP0ycS1iv3n4m6W.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	s5aQJ6dWKfZhXjV.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xBtxP0ycSiDoGaH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eYCekIBrzNx1v2b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gTXqjUCelBzNc1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	P5sWJ7dELgZhCkV.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lvD2obF4pHsJdLg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g1uvD2obFpHsJdL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OG4amH6sW7E9TqY.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wRZ9hYXwjVlBz0c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GBrzPNyxAuDoFpH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PgTZqjYCeIrOyA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qIBtzP0yc1v3n4m.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QonG4amH6W7E9Tq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CD3onG4am6W.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OK8fRZ9hYwUeOtP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LgTZqjYCwIr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BIBrzPNyx1v2b4m.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	H3pmG5aQJdKfZhX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dsQJ7dEL8RqYwUr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UJ6dWK8fR9TwUe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l6dWK7fRLhXjClB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ZG5sQJ7dE8RqYwU.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BA0uvS2ib3m5Q6E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AD2obF4pm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FwkUVelOBx0c1b3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RcS1ibD3pGaHdK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	epnG5aQH6W8R9Tw.exe

Suspicious use of SetWindowsHookEx 59 IoCs

pid	Process
1148	d5fcd73cabc2e7ce6d86d7d3ab7dd2c2_JaffaCakes118.exe
2680	wD3onF4am6W7E.exe
100	h1ivD2onFaHsJfL.exe
1936	gTXqjUCelBzNc1.exe
4988	rVelOBtxPySiDoG.exe
2732	zwkIVrzONx.exe
4036	GTXqjUCelBzNc1v.exe
3256	plOBtxP0ySiDoGa.exe
4000	BA0uvS2ib3m5Q6E.exe
4980	uvD2onF4pHsJdLg.exe
636	JQH6sWK7f.exe
1324	CF3pmG5aQ6E8R9Y.exe
3408	P5sWJ7dELgZhCkV.exe
2088	o7fRL9gTXjCkBzN.exe
1544	wRZ9hYXwjVlBz0c.exe
2288	mYCwkIVrlNx0c2b.exe
3128	BIBrzPNyx1v2b4m.exe
2232	vP0ycS1iv3n4m6W.exe
3740	bONtxA0uc2b.exe
3028	GBrzPNyxAuDoFpH.exe
4868	yelOBtzP0c1v3n4.exe
1948	ycS2ibF3pGaJdKf.exe
4900	lvD2obF4pHsJdLg.exe
740	QonG4amH6W7E9Tq.exe
4828	NaQJ6dWK8R9TwUe.exe
1936	dsQJ7dEL8RqYwUr.exe
2352	HivD3onG4m6W7E9.exe
4044	gpnG5aQJ6W8R9Tw.exe
4576	TbF4pmH5sJdLgZh.exe
2308	CD3onG4am6W.exe
2880	UJ6dWK8fR9TwUe.exe
2784	g1uvD2obFpHsJdL.exe
1040	OG4amH6sW7E9TqY.exe
4056	s5aQJ6dWKfZhXjV.exe
4588	AD2obF4pm.exe
4324	OK8fRZ9hYwUeOtP.exe
2492	xWJ7dEL8gZhCkV.exe
1460	fD3onG4aQ6W7R9T.exe
1120	H3pmG5aQJdKfZhX.exe
2588	bnF4pmH5sJdLgZ.exe
2736	xBtxP0ycSiDoGaH.exe
2172	fxA0uvS2iFpGaJd.exe
1320	JjUCelIBrPyAuDo.exe
3352	FwkUVelOBx0c1b3.exe
4260	LgTZqjYCwIr.exe
2288	l6dWK7fRLhXjClB.exe
1620	QK8gRZ9hYwUeOtP.exe
4572	AamH5sWJ7.exe
3740	RcS1ibD3pGaHdK.exe
1020	PgTZqjYCeIrOyA.exe
2792	epnG5aQH6W8R9Tw.exe
1836	ZG5sQJ7dE8RqYwU.exe
1884	qIBtzP0yc1v3n4m.exe
2444	RRZqhYCwkVlNx0c.exe
1776	eYCekIBrzNx1v2b.exe
1744	rTXwjUVelBz0c1v.exe
1672	jYCwkUVrlNx0c.exe
4692	HfEL9gTXqYeIrOy.exe
3564	vK8fRZ9hTwUeItP.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 2680	1148	d5fcd73cabc2e7ce6d86d7d3ab7dd2c2_JaffaCakes118.exe	84
PID 1148 wrote to memory of 2680	1148	d5fcd73cabc2e7ce6d86d7d3ab7dd2c2_JaffaCakes118.exe	84
PID 1148 wrote to memory of 2680	1148	d5fcd73cabc2e7ce6d86d7d3ab7dd2c2_JaffaCakes118.exe	84
PID 2680 wrote to memory of 100	2680	wD3onF4am6W7E.exe	85
PID 2680 wrote to memory of 100	2680	wD3onF4am6W7E.exe	85
PID 2680 wrote to memory of 100	2680	wD3onF4am6W7E.exe	85
PID 100 wrote to memory of 1936	100	h1ivD2onFaHsJfL.exe	92
PID 100 wrote to memory of 1936	100	h1ivD2onFaHsJfL.exe	92
PID 100 wrote to memory of 1936	100	h1ivD2onFaHsJfL.exe	92
PID 1936 wrote to memory of 4988	1936	gTXqjUCelBzNc1.exe	95
PID 1936 wrote to memory of 4988	1936	gTXqjUCelBzNc1.exe	95
PID 1936 wrote to memory of 4988	1936	gTXqjUCelBzNc1.exe	95
PID 4988 wrote to memory of 2732	4988	rVelOBtxPySiDoG.exe	100
PID 4988 wrote to memory of 2732	4988	rVelOBtxPySiDoG.exe	100
PID 4988 wrote to memory of 2732	4988	rVelOBtxPySiDoG.exe	100
PID 2732 wrote to memory of 4036	2732	zwkIVrzONx.exe	101
PID 2732 wrote to memory of 4036	2732	zwkIVrzONx.exe	101
PID 2732 wrote to memory of 4036	2732	zwkIVrzONx.exe	101
PID 4036 wrote to memory of 3256	4036	GTXqjUCelBzNc1v.exe	102
PID 4036 wrote to memory of 3256	4036	GTXqjUCelBzNc1v.exe	102
PID 4036 wrote to memory of 3256	4036	GTXqjUCelBzNc1v.exe	102
PID 3256 wrote to memory of 4000	3256	plOBtxP0ySiDoGa.exe	103
PID 3256 wrote to memory of 4000	3256	plOBtxP0ySiDoGa.exe	103
PID 3256 wrote to memory of 4000	3256	plOBtxP0ySiDoGa.exe	103
PID 4000 wrote to memory of 4980	4000	BA0uvS2ib3m5Q6E.exe	104
PID 4000 wrote to memory of 4980	4000	BA0uvS2ib3m5Q6E.exe	104
PID 4000 wrote to memory of 4980	4000	BA0uvS2ib3m5Q6E.exe	104
PID 4980 wrote to memory of 636	4980	uvD2onF4pHsJdLg.exe	105
PID 4980 wrote to memory of 636	4980	uvD2onF4pHsJdLg.exe	105
PID 4980 wrote to memory of 636	4980	uvD2onF4pHsJdLg.exe	105
PID 636 wrote to memory of 1324	636	JQH6sWK7f.exe	107
PID 636 wrote to memory of 1324	636	JQH6sWK7f.exe	107
PID 636 wrote to memory of 1324	636	JQH6sWK7f.exe	107
PID 1324 wrote to memory of 3408	1324	CF3pmG5aQ6E8R9Y.exe	109
PID 1324 wrote to memory of 3408	1324	CF3pmG5aQ6E8R9Y.exe	109
PID 1324 wrote to memory of 3408	1324	CF3pmG5aQ6E8R9Y.exe	109
PID 3408 wrote to memory of 2088	3408	P5sWJ7dELgZhCkV.exe	111
PID 3408 wrote to memory of 2088	3408	P5sWJ7dELgZhCkV.exe	111
PID 3408 wrote to memory of 2088	3408	P5sWJ7dELgZhCkV.exe	111
PID 2088 wrote to memory of 1544	2088	o7fRL9gTXjCkBzN.exe	112
PID 2088 wrote to memory of 1544	2088	o7fRL9gTXjCkBzN.exe	112
PID 2088 wrote to memory of 1544	2088	o7fRL9gTXjCkBzN.exe	112
PID 1544 wrote to memory of 2288	1544	wRZ9hYXwjVlBz0c.exe	113
PID 1544 wrote to memory of 2288	1544	wRZ9hYXwjVlBz0c.exe	113
PID 1544 wrote to memory of 2288	1544	wRZ9hYXwjVlBz0c.exe	113
PID 2288 wrote to memory of 3128	2288	mYCwkIVrlNx0c2b.exe	114
PID 2288 wrote to memory of 3128	2288	mYCwkIVrlNx0c2b.exe	114
PID 2288 wrote to memory of 3128	2288	mYCwkIVrlNx0c2b.exe	114
PID 3128 wrote to memory of 2232	3128	BIBrzPNyx1v2b4m.exe	115
PID 3128 wrote to memory of 2232	3128	BIBrzPNyx1v2b4m.exe	115
PID 3128 wrote to memory of 2232	3128	BIBrzPNyx1v2b4m.exe	115
PID 2232 wrote to memory of 3740	2232	vP0ycS1iv3n4m6W.exe	116
PID 2232 wrote to memory of 3740	2232	vP0ycS1iv3n4m6W.exe	116
PID 2232 wrote to memory of 3740	2232	vP0ycS1iv3n4m6W.exe	116
PID 3740 wrote to memory of 3028	3740	bONtxA0uc2b.exe	117
PID 3740 wrote to memory of 3028	3740	bONtxA0uc2b.exe	117
PID 3740 wrote to memory of 3028	3740	bONtxA0uc2b.exe	117
PID 3028 wrote to memory of 4868	3028	GBrzPNyxAuDoFpH.exe	118
PID 3028 wrote to memory of 4868	3028	GBrzPNyxAuDoFpH.exe	118
PID 3028 wrote to memory of 4868	3028	GBrzPNyxAuDoFpH.exe	118
PID 4868 wrote to memory of 1948	4868	yelOBtzP0c1v3n4.exe	119
PID 4868 wrote to memory of 1948	4868	yelOBtzP0c1v3n4.exe	119
PID 4868 wrote to memory of 1948	4868	yelOBtzP0c1v3n4.exe	119
PID 1948 wrote to memory of 4900	1948	ycS2ibF3pGaJdKf.exe	120

C:\Users\Admin\AppData\Local\Temp\d5fcd73cabc2e7ce6d86d7d3ab7dd2c2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d5fcd73cabc2e7ce6d86d7d3ab7dd2c2_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Windows\SysWOW64\wD3onF4am6W7E.exe
  C:\Windows\system32\wD3onF4am6W7E.exe 5985C:\Users\Admin\AppData\Local\Temp\d5fcd73cabc2e7ce6d86d7d3ab7dd2c2_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\SysWOW64\h1ivD2onFaHsJfL.exe
    C:\Windows\system32\h1ivD2onFaHsJfL.exe 5985C:\Windows\SysWOW64\wD3onF4am6W7E.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:100
  - - C:\Windows\SysWOW64\gTXqjUCelBzNc1.exe
      C:\Windows\system32\gTXqjUCelBzNc1.exe 5985C:\Windows\SysWOW64\h1ivD2onFaHsJfL.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1936
    - - C:\Windows\SysWOW64\rVelOBtxPySiDoG.exe
        
        C:\Windows\system32\rVelOBtxPySiDoG.exe 5985C:\Windows\SysWOW64\gTXqjUCelBzNc1.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4988
      - C:\Windows\SysWOW64\zwkIVrzONx.exe
        
        C:\Windows\system32\zwkIVrzONx.exe 5985C:\Windows\SysWOW64\rVelOBtxPySiDoG.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\SysWOW64\GTXqjUCelBzNc1v.exe
        
        C:\Windows\system32\GTXqjUCelBzNc1v.exe 5985C:\Windows\SysWOW64\zwkIVrzONx.exe
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4036
        
        C:\Windows\SysWOW64\plOBtxP0ySiDoGa.exe
        
        C:\Windows\system32\plOBtxP0ySiDoGa.exe 5985C:\Windows\SysWOW64\GTXqjUCelBzNc1v.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3256
        
        C:\Windows\SysWOW64\BA0uvS2ib3m5Q6E.exe
        
        C:\Windows\system32\BA0uvS2ib3m5Q6E.exe 5985C:\Windows\SysWOW64\plOBtxP0ySiDoGa.exe
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4000
        
        C:\Windows\SysWOW64\uvD2onF4pHsJdLg.exe
        
        C:\Windows\system32\uvD2onF4pHsJdLg.exe 5985C:\Windows\SysWOW64\BA0uvS2ib3m5Q6E.exe
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\SysWOW64\JQH6sWK7f.exe
        
        C:\Windows\system32\JQH6sWK7f.exe 5985C:\Windows\SysWOW64\uvD2onF4pHsJdLg.exe
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\SysWOW64\CF3pmG5aQ6E8R9Y.exe
        
        C:\Windows\system32\CF3pmG5aQ6E8R9Y.exe 5985C:\Windows\SysWOW64\JQH6sWK7f.exe
        12⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\SysWOW64\P5sWJ7dELgZhCkV.exe
        
        C:\Windows\system32\P5sWJ7dELgZhCkV.exe 5985C:\Windows\SysWOW64\CF3pmG5aQ6E8R9Y.exe
        13⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\SysWOW64\o7fRL9gTXjCkBzN.exe
        
        C:\Windows\system32\o7fRL9gTXjCkBzN.exe 5985C:\Windows\SysWOW64\P5sWJ7dELgZhCkV.exe
        14⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\SysWOW64\wRZ9hYXwjVlBz0c.exe
        
        C:\Windows\system32\wRZ9hYXwjVlBz0c.exe 5985C:\Windows\SysWOW64\o7fRL9gTXjCkBzN.exe
        15⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Windows\SysWOW64\mYCwkIVrlNx0c2b.exe
        
        C:\Windows\system32\mYCwkIVrlNx0c2b.exe 5985C:\Windows\SysWOW64\wRZ9hYXwjVlBz0c.exe
        16⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\BIBrzPNyx1v2b4m.exe
        
        C:\Windows\system32\BIBrzPNyx1v2b4m.exe 5985C:\Windows\SysWOW64\mYCwkIVrlNx0c2b.exe
        17⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3128
        
        C:\Windows\SysWOW64\vP0ycS1iv3n4m6W.exe
        
        C:\Windows\system32\vP0ycS1iv3n4m6W.exe 5985C:\Windows\SysWOW64\BIBrzPNyx1v2b4m.exe
        18⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\bONtxA0uc2b.exe
        
        C:\Windows\system32\bONtxA0uc2b.exe 5985C:\Windows\SysWOW64\vP0ycS1iv3n4m6W.exe
        19⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3740
        
        C:\Windows\SysWOW64\GBrzPNyxAuDoFpH.exe
        
        C:\Windows\system32\GBrzPNyxAuDoFpH.exe 5985C:\Windows\SysWOW64\bONtxA0uc2b.exe
        20⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\SysWOW64\yelOBtzP0c1v3n4.exe
        
        C:\Windows\system32\yelOBtzP0c1v3n4.exe 5985C:\Windows\SysWOW64\GBrzPNyxAuDoFpH.exe
        21⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\SysWOW64\ycS2ibF3pGaJdKf.exe
        
        C:\Windows\system32\ycS2ibF3pGaJdKf.exe 5985C:\Windows\SysWOW64\yelOBtzP0c1v3n4.exe
        22⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\SysWOW64\lvD2obF4pHsJdLg.exe
        
        C:\Windows\system32\lvD2obF4pHsJdLg.exe 5985C:\Windows\SysWOW64\ycS2ibF3pGaJdKf.exe
        23⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4900
        
        C:\Windows\SysWOW64\QonG4amH6W7E9Tq.exe
        
        C:\Windows\system32\QonG4amH6W7E9Tq.exe 5985C:\Windows\SysWOW64\lvD2obF4pHsJdLg.exe
        24⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:740
        
        C:\Windows\SysWOW64\NaQJ6dWK8R9TwUe.exe
        
        C:\Windows\system32\NaQJ6dWK8R9TwUe.exe 5985C:\Windows\SysWOW64\QonG4amH6W7E9Tq.exe
        25⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4828
        
        C:\Windows\SysWOW64\dsQJ7dEL8RqYwUr.exe
        
        C:\Windows\system32\dsQJ7dEL8RqYwUr.exe 5985C:\Windows\SysWOW64\NaQJ6dWK8R9TwUe.exe
        26⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1936
        
        C:\Windows\SysWOW64\HivD3onG4m6W7E9.exe
        
        C:\Windows\system32\HivD3onG4m6W7E9.exe 5985C:\Windows\SysWOW64\dsQJ7dEL8RqYwUr.exe
        27⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2352
        
        C:\Windows\SysWOW64\gpnG5aQJ6W8R9Tw.exe
        
        C:\Windows\system32\gpnG5aQJ6W8R9Tw.exe 5985C:\Windows\SysWOW64\HivD3onG4m6W7E9.exe
        28⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4044
        
        C:\Windows\SysWOW64\TbF4pmH5sJdLgZh.exe
        
        C:\Windows\system32\TbF4pmH5sJdLgZh.exe 5985C:\Windows\SysWOW64\gpnG5aQJ6W8R9Tw.exe
        29⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4576
        
        C:\Windows\SysWOW64\CD3onG4am6W.exe
        
        C:\Windows\system32\CD3onG4am6W.exe 5985C:\Windows\SysWOW64\TbF4pmH5sJdLgZh.exe
        30⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2308
        
        C:\Windows\SysWOW64\UJ6dWK8fR9TwUe.exe
        
        C:\Windows\system32\UJ6dWK8fR9TwUe.exe 5985C:\Windows\SysWOW64\CD3onG4am6W.exe
        31⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2880
        
        C:\Windows\SysWOW64\g1uvD2obFpHsJdL.exe
        
        C:\Windows\system32\g1uvD2obFpHsJdL.exe 5985C:\Windows\SysWOW64\UJ6dWK8fR9TwUe.exe
        32⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2784
        
        C:\Windows\SysWOW64\OG4amH6sW7E9TqY.exe
        
        C:\Windows\system32\OG4amH6sW7E9TqY.exe 5985C:\Windows\SysWOW64\g1uvD2obFpHsJdL.exe
        33⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1040
        
        C:\Windows\SysWOW64\s5aQJ6dWKfZhXjV.exe
        
        C:\Windows\system32\s5aQJ6dWKfZhXjV.exe 5985C:\Windows\SysWOW64\OG4amH6sW7E9TqY.exe
        34⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4056
        
        C:\Windows\SysWOW64\AD2obF4pm.exe
        
        C:\Windows\system32\AD2obF4pm.exe 5985C:\Windows\SysWOW64\s5aQJ6dWKfZhXjV.exe
        35⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4588
        
        C:\Windows\SysWOW64\OK8fRZ9hYwUeOtP.exe
        
        C:\Windows\system32\OK8fRZ9hYwUeOtP.exe 5985C:\Windows\SysWOW64\AD2obF4pm.exe
        36⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4324
        
        C:\Windows\SysWOW64\xWJ7dEL8gZhCkV.exe
        
        C:\Windows\system32\xWJ7dEL8gZhCkV.exe 5985C:\Windows\SysWOW64\OK8fRZ9hYwUeOtP.exe
        37⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2492
        
        C:\Windows\SysWOW64\fD3onG4aQ6W7R9T.exe
        
        C:\Windows\system32\fD3onG4aQ6W7R9T.exe 5985C:\Windows\SysWOW64\xWJ7dEL8gZhCkV.exe
        38⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1460
        
        C:\Windows\SysWOW64\H3pmG5aQJdKfZhX.exe
        
        C:\Windows\system32\H3pmG5aQJdKfZhX.exe 5985C:\Windows\SysWOW64\fD3onG4aQ6W7R9T.exe
        39⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1120
        
        C:\Windows\SysWOW64\bnF4pmH5sJdLgZ.exe
        
        C:\Windows\system32\bnF4pmH5sJdLgZ.exe 5985C:\Windows\SysWOW64\H3pmG5aQJdKfZhX.exe
        40⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2588
        
        C:\Windows\SysWOW64\xBtxP0ycSiDoGaH.exe
        
        C:\Windows\system32\xBtxP0ycSiDoGaH.exe 5985C:\Windows\SysWOW64\bnF4pmH5sJdLgZ.exe
        41⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2736
        
        C:\Windows\SysWOW64\fxA0uvS2iFpGaJd.exe
        
        C:\Windows\system32\fxA0uvS2iFpGaJd.exe 5985C:\Windows\SysWOW64\xBtxP0ycSiDoGaH.exe
        42⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2172
        
        C:\Windows\SysWOW64\JjUCelIBrPyAuDo.exe
        
        C:\Windows\system32\JjUCelIBrPyAuDo.exe 5985C:\Windows\SysWOW64\fxA0uvS2iFpGaJd.exe
        43⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1320
        
        C:\Windows\SysWOW64\FwkUVelOBx0c1b3.exe
        
        C:\Windows\system32\FwkUVelOBx0c1b3.exe 5985C:\Windows\SysWOW64\JjUCelIBrPyAuDo.exe
        44⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3352
        
        C:\Windows\SysWOW64\LgTZqjYCwIr.exe
        
        C:\Windows\system32\LgTZqjYCwIr.exe 5985C:\Windows\SysWOW64\FwkUVelOBx0c1b3.exe
        45⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4260
        
        C:\Windows\SysWOW64\l6dWK7fRLhXjClB.exe
        
        C:\Windows\system32\l6dWK7fRLhXjClB.exe 5985C:\Windows\SysWOW64\LgTZqjYCwIr.exe
        46⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2288
        
        C:\Windows\SysWOW64\QK8gRZ9hYwUeOtP.exe
        
        C:\Windows\system32\QK8gRZ9hYwUeOtP.exe 5985C:\Windows\SysWOW64\l6dWK7fRLhXjClB.exe
        47⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1620
        
        C:\Windows\SysWOW64\AamH5sWJ7.exe
        
        C:\Windows\system32\AamH5sWJ7.exe 5985C:\Windows\SysWOW64\QK8gRZ9hYwUeOtP.exe
        48⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4572
        
        C:\Windows\SysWOW64\RcS1ibD3pGaHdK.exe
        
        C:\Windows\system32\RcS1ibD3pGaHdK.exe 5985C:\Windows\SysWOW64\AamH5sWJ7.exe
        49⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3740
        
        C:\Windows\SysWOW64\PgTZqjYCeIrOyA.exe
        
        C:\Windows\system32\PgTZqjYCeIrOyA.exe 5985C:\Windows\SysWOW64\RcS1ibD3pGaHdK.exe
        50⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1020
        
        C:\Windows\SysWOW64\epnG5aQH6W8R9Tw.exe
        
        C:\Windows\system32\epnG5aQH6W8R9Tw.exe 5985C:\Windows\SysWOW64\PgTZqjYCeIrOyA.exe
        51⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2792
        
        C:\Windows\SysWOW64\ZG5sQJ7dE8RqYwU.exe
        
        C:\Windows\system32\ZG5sQJ7dE8RqYwU.exe 5985C:\Windows\SysWOW64\epnG5aQH6W8R9Tw.exe
        52⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1836
        
        C:\Windows\SysWOW64\qIBtzP0yc1v3n4m.exe
        
        C:\Windows\system32\qIBtzP0yc1v3n4m.exe 5985C:\Windows\SysWOW64\ZG5sQJ7dE8RqYwU.exe
        53⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1884
        
        C:\Windows\SysWOW64\RRZqhYCwkVlNx0c.exe
        
        C:\Windows\system32\RRZqhYCwkVlNx0c.exe 5985C:\Windows\SysWOW64\qIBtzP0yc1v3n4m.exe
        54⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2444
        
        C:\Windows\SysWOW64\eYCekIBrzNx1v2b.exe
        
        C:\Windows\system32\eYCekIBrzNx1v2b.exe 5985C:\Windows\SysWOW64\RRZqhYCwkVlNx0c.exe
        55⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1776
        
        C:\Windows\SysWOW64\rTXwjUVelBz0c1v.exe
        
        C:\Windows\system32\rTXwjUVelBz0c1v.exe 5985C:\Windows\SysWOW64\eYCekIBrzNx1v2b.exe
        56⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1744
        
        C:\Windows\SysWOW64\jYCwkUVrlNx0c.exe
        
        C:\Windows\system32\jYCwkUVrlNx0c.exe 5985C:\Windows\SysWOW64\rTXwjUVelBz0c1v.exe
        57⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1672
        
        C:\Windows\SysWOW64\HfEL9gTXqYeIrOy.exe
        
        C:\Windows\system32\HfEL9gTXqYeIrOy.exe 5985C:\Windows\SysWOW64\jYCwkUVrlNx0c.exe
        58⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4692
        
        C:\Windows\SysWOW64\vK8fRZ9hTwUeItP.exe
        
        C:\Windows\system32\vK8fRZ9hTwUeItP.exe 5985C:\Windows\SysWOW64\HfEL9gTXqYeIrOy.exe
        59⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3564
        
        C:\Windows\SysWOW64\VyxA1uvD2b4m5Q7.exe
        
        C:\Windows\system32\VyxA1uvD2b4m5Q7.exe 5985C:\Windows\SysWOW64\vK8fRZ9hTwUeItP.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wD3onF4am6W7E.exe

Filesize
1.7MB

MD5
d5fcd73cabc2e7ce6d86d7d3ab7dd2c2

SHA1
d8b1aa82b23d20e3164c5471e86c3e31646ee2bc

SHA256
694fef7d7c2f0a5fdf9110caac07b01c24be8653faed1d670e3a53679ccd4d26

SHA512
894446e782a21f6c9c8f6879e0fdcaac380152a7d4801449ac853de4f56c2a66fac1c4cb6f00f8a71547beae0524e15bdba846cee45a101b51ffeee308088f67

Download Submit
memory/100-20-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/100-26-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/636-73-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/740-151-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/1020-272-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/1040-204-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/1120-228-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/1148-8-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/1148-1-0x0000000000400000-0x00000000008B3000-memory.dmp

Filesize
4.7MB

Download
memory/1148-9-0x0000000000400000-0x00000000008B3000-memory.dmp

Filesize
4.7MB

Download
memory/1148-2-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/1320-244-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/1324-79-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/1460-224-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/1544-97-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/1620-260-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/1672-300-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/1744-296-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/1776-292-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/1836-280-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/1884-284-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/1936-31-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/1936-163-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/1948-139-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/2088-91-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/2172-240-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/2232-115-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/2288-103-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/2288-256-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/2308-187-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/2352-169-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/2444-288-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/2492-220-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/2588-232-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/2680-11-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/2680-12-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/2680-17-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/2732-43-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/2736-236-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/2784-199-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/2792-276-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/2880-193-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/3028-127-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/3128-109-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/3256-55-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/3352-248-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/3408-85-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/3564-308-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/3740-121-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/3740-268-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/4000-62-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/4036-49-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/4044-176-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/4056-208-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/4260-252-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/4324-216-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/4572-264-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/4576-181-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/4588-212-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/4692-304-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/4828-157-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/4868-133-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/4900-145-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/4980-67-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/4988-37-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads