Analysis

max time kernel: 150s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09-12-2024 09:52

Static task: static1

Behavioral task: behavioral1
  Sample: d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General

Target: d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe
Size: 484KB
MD5: d90a33ac1d1845428baec0765efe1796
SHA1: 41d4d07095aee2ffe20497a4d1621f764a33ee73
SHA256: ad4cc7d0639d95613f2c3a7b26c644e4bcbd5c4d9325a1dd48b7280124923a7a
SHA512: f98d8ce2efa86f41e6eec39cae9f95064f5e154cc03543960236f77407146e0e35470cdbf9e4bd503fd8ca8ededb4468ee3b06eeeed858e846d96dd0cc3c0d2a
SSDEEP: 12288:YRQmDsgDPIAnsJ8Q19/vA80Tk+Lf2hgQmUQj3MFgb0ZCznzMs14AEoeli:yk+Lf27mUJFBunzz4AEoe
Malware Config (extracted)

Family: metasploit
encoder/call4_dword_xor
Signatures

MetaSploit
Detected a malicious payload that is part of the Metasploit Framework, likely generated with msfvenom or a similar tool. The extracted config names the encoder (call4_dword_xor), which applies one 4-byte XOR key to the payload dword by dword and prepends a short decoder stub that undoes it at run time; the encoding hides the payload from naive byte signatures but is not encryption, since the key is recoverable from a few bytes of known plaintext.

Metasploit family
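The following Python is an added example, not code from the report or from Metasploit: it shows why a dword-XOR encoding gives no confidentiality. It encodes a constructed payload with a made-up key and then recovers that key from known plaintext alone. The known plaintext assumed here is the first nine bytes of the x86 block_api stub that msfvenom's Windows payloads begin with (cld; call; pushad; mov ebp,esp); the report does not show this sample's decoded bytes, so that prefix is an assumption, as are the filler bytes and the key. The decoder stub itself is not reproduced.

```python
import struct
from typing import Optional, Tuple

# First bytes of the x86 "block_api" stub that msfvenom's Windows stagers start
# with (cld; call block_api; pushad; mov ebp, esp). Assumed here as the known
# plaintext; the report above does not show the sample's decoded payload.
BLOCK_API_PREFIX = bytes.fromhex("fce8820000006089e5")


def dword_xor(data: bytes, key: int) -> bytes:
    """XOR every little-endian dword of `data` with the 32-bit `key`.

    The encoder works on whole dwords, so the payload is zero-padded to a
    4-byte boundary first. XOR is its own inverse: the same call encodes
    and decodes.
    """
    padded = data + b"\x00" * (-len(data) % 4)
    out = bytearray()
    for (dword,) in struct.iter_unpack("<I", padded):
        out += struct.pack("<I", dword ^ key)
    return bytes(out)


def recover_key(encoded: bytes, known_prefix: bytes = BLOCK_API_PREFIX) -> Optional[int]:
    """Known-plaintext recovery of the 4-byte key.

    One dword of known plaintext fixes the whole key, so derive it from the
    first four bytes and use the remaining known bytes only as confirmation.
    Returns None if the confirmation fails (different stub, different
    encoder, or not an x86 payload).
    """
    if len(known_prefix) < 5 or len(encoded) < len(known_prefix):
        return None
    (c0,) = struct.unpack("<I", encoded[:4])
    (p0,) = struct.unpack("<I", known_prefix[:4])
    key = c0 ^ p0
    if dword_xor(encoded, key)[: len(known_prefix)] != known_prefix:
        return None
    return key


def decode_blob(encoded: bytes) -> Optional[Tuple[int, bytes]]:
    """Return (key, decoded payload), or None when the key cannot be confirmed."""
    key = recover_key(encoded)
    if key is None:
        return None
    return key, dword_xor(encoded, key)


if __name__ == "__main__":
    # Constructed demo: the stub prefix followed by filler, encoded with a made-up key.
    payload = BLOCK_API_PREFIX + bytes(range(19))
    blob = dword_xor(payload, 0x5EEDF00D)
    key, plain = decode_blob(blob)
    print(f"key=0x{key:08x} decoded={plain.hex()}")
```

The confirmation step matters more than the key derivation: with only four known bytes every blob yields some key, so a wrong guess about the stub would silently produce garbage. Requiring the fifth and later known bytes to match after decoding turns the guess into a check.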
Modifies security service  2 TTPs  64 IoCs

The sample sets the Start value of two services to 4 (SERVICE_DISABLED), which stops the Service Control Manager from starting them: wuauserv (Windows Update) and wscsvc (Security Center). The 64 logged writes, grouped by value and writing process ("Process not Found" means the sandbox could not attribute the write to a process it was still tracking):

description      ioc                                                                   Process            rows
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"  reg.exe            8
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"  Process not Found  30
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"    reg.exe            6
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"    Process not Found  20

The writes attributed to reg.exe line up with the cmd.exe children the sample spawns (see the WriteProcessMemory table below); the command lines themselves are not captured in this excerpt.
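As an added example, not part of the sandbox report, the Python below parses rows in the exact format of the table above and applies a small policy on top of them: what start type each service is left in after the last write, who wrote it, and which watchlisted services ended up disabled. The three embedded rows are copied from the table; the WATCHLIST entries beyond wuauserv and wscsvc (WinDefend, MpsSvc) are an assumption added to show the shape of such a list, not something the report observed.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# One row of the "Modifies security service" table, exactly as the report prints it.
SET_RE = re.compile(
    r'Set value \((\w+)\) '
    r'\\REGISTRY\\MACHINE\\SYSTEM\\(\w+)\\services\\([^\\]+)\\Start = "(\d+)" '
    r'(Process not Found|\S+)'
)

# Service start types as the Service Control Manager reads them.
START_TYPES = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}

# Assumed watchlist: services whose disabling is worth an alert. The first two
# are the ones this sample touches; the others are illustrative additions.
WATCHLIST = {
    "wuauserv": "Windows Update",
    "wscsvc": "Security Center",
    "WinDefend": "Microsoft Defender Antivirus",
    "MpsSvc": "Windows Firewall",
}

# Constructed excerpt: three rows copied from the report's 64.
SAMPLE_ROWS = (
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" Process not Found '
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" reg.exe '
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" reg.exe'
)

Row = Tuple[str, str, int, str]  # (service, control set, start value, writing process)


def parse_start_changes(text: str) -> List[Row]:
    return [(svc, cs, int(start), proc) for _kind, cs, svc, start, proc in SET_RE.findall(text)]


def summarize(rows: List[Row]) -> Dict[str, Tuple[str, Counter]]:
    """service -> (start type after the last write, number of writes per process)."""
    last: Dict[str, int] = {}
    by: Dict[str, Counter] = {}
    for svc, _cs, start, proc in rows:
        last[svc] = start  # later rows win, as they would in the registry
        by.setdefault(svc, Counter())[proc] += 1
    return {svc: (START_TYPES.get(v, f"unknown({v})"), by[svc]) for svc, v in last.items()}


def tampered_services(rows: List[Row], watchlist=WATCHLIST) -> List[Tuple[str, str]]:
    """(service, display name) for watchlisted services left Disabled (Start=4).

    Registry key names are case-insensitive, so compare them that way.
    """
    wl = {name.lower(): display for name, display in watchlist.items()}
    hits = []
    for svc, (start, _by) in summarize(rows).items():
        if start == "Disabled" and svc.lower() in wl:
            hits.append((svc, wl[svc.lower()]))
    return sorted(hits)


if __name__ == "__main__":
    rows = parse_start_changes(SAMPLE_ROWS)
    for svc, (start, by) in summarize(rows).items():
        who = ", ".join(f"{p} x{n}" for p, n in by.most_common())
        print(f"{svc}: Start -> {start} (written by {who})")
    print("tampered:", tampered_services(rows))
```

Keying the decision on the last observed value rather than on any single row avoids a false alarm when a service is toggled and restored during the run; the per-process counter keeps the attribution (reg.exe versus an untracked process) visible for triage.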
Executes dropped EXE  64 IoCs

Every dropped executable appears twice: once as the launcher and once as the second copy the launcher starts and overwrites (see the process tree below).

Process       pid (launcher)  pid (second copy)
bgmphxa.exe   2740            2256
ylipnms.exe   2668            1464
knofzrx.exe   1124            2308
xafuevw.exe   604             3024
kclkqha.exe   2768            1668
uymvfcj.exe   2116            2648
fxqsqai.exe   2240            2960
pwcpazq.exe   1416            2336
zdgntyx.exe   2732            2880
jfwxgte.exe   2684            1420
tqlitwk.exe   2384            2292
dpxfmvr.exe   2204            1796
nobkwuz.exe   2800            2628
anenfcf.exe   2044            568
kmilpbm.exe   1968            544
xcdngjk.exe   2136            2712
hntytey.exe   2212            2652
uaknzix.exe   3004            2392
edzymld.exe   1900            2792
rbcautj.exe   2824            2356
besdqwp.exe   2512            2644
ldwiavw.exe   2352            2332
bpedeat.exe   1448            1064
kdxtuig.exe   380             2316
yqoiamf.exe   2148            1988
htetvhl.exe   1444            1660
vgviblk.exe   2520            2856
eqktooz.exe   2328            2140
jsriaad.exe   1804            772
wfiynwc.exe   2028            2084
gljwddp.exe   2156            2656
wyjrhrm.exe   3044            1800
Loads dropped DLL  64 IoCs

pid   Process                                               rows
2524  d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe    2
2740  bgmphxa.exe                                           1
2256  bgmphxa.exe                                           2
2668  ylipnms.exe                                           1
1464  ylipnms.exe                                           2
2308  knofzrx.exe                                           2
3024  xafuevw.exe                                           2
1668  kclkqha.exe                                           2
2648  uymvfcj.exe                                           2
2960  fxqsqai.exe                                           2
2336  pwcpazq.exe                                           2
2880  zdgntyx.exe                                           2
1420  jfwxgte.exe                                           2
2292  tqlitwk.exe                                           2
1796  dpxfmvr.exe                                           2
2628  nobkwuz.exe                                           2
568   anenfcf.exe                                           2
544   kmilpbm.exe                                           2
2712  xcdngjk.exe                                           2
2652  hntytey.exe                                           2
2392  uaknzix.exe                                           2
2792  edzymld.exe                                           2
2356  rbcautj.exe                                           2
2644  besdqwp.exe                                           2
2332  ldwiavw.exe                                           2
1064  bpedeat.exe                                           2
2316  kdxtuig.exe                                           2
1988  yqoiamf.exe                                           2
1660  htetvhl.exe                                           2
2856  vgviblk.exe                                           2
2140  eqktooz.exe                                           2
772   jsriaad.exe                                           2
2084  wfiynwc.exe                                           2
Drops file in System32 directory  64 IoCs

Each generation writes the next generation's executable into C:\Windows\SysWOW64\ under a fresh seven-letter name. Where the sandbox could attribute the write, the writer is the previous generation's second copy (kclkqha.exe creates uymvfcj.exe, pwcpazq.exe creates zdgntyx.exe, eqktooz.exe creates jsriaad.exe), matching the process tree below; most rows are unattributed ("Process not Found").

description                   ioc                               Process
File opened for modification  C:\Windows\SysWOW64\fdiyqut.exe   Process not Found
File created                  C:\Windows\SysWOW64\lyixpcs.exe   Process not Found
File created                  C:\Windows\SysWOW64\uihuhei.exe   Process not Found
File opened for modification  C:\Windows\SysWOW64\gmnjjxy.exe   Process not Found
File opened for modification  C:\Windows\SysWOW64\zctyvta.exe   Process not Found
File opened for modification  C:\Windows\SysWOW64\ffobdki.exe   Process not Found
File created                  C:\Windows\SysWOW64\jsriaad.exe   eqktooz.exe
File created                  C:\Windows\SysWOW64\fdfczkw.exe   Process not Found
File created                  C:\Windows\SysWOW64\kubdzix.exe   Process not Found
File created                  C:\Windows\SysWOW64\vmnztpf.exe   Process not Found
File created                  C:\Windows\SysWOW64\hhylnsb.exe   Process not Found
File opened for modification  C:\Windows\SysWOW64\wcwkyuu.exe   Process not Found
File opened for modification  C:\Windows\SysWOW64\yboeldq.exe   Process not Found
File created                  C:\Windows\SysWOW64\yktcvwl.exe   Process not Found
File opened for modification  C:\Windows\SysWOW64\wlrejpw.exe   jnpbbgr.exe
File created                  C:\Windows\SysWOW64\ogjfxuo.exe   Process not Found
File created                  C:\Windows\SysWOW64\linafgh.exe   Process not Found
File created                  C:\Windows\SysWOW64\dcippbu.exe   Process not Found
File opened for modification  C:\Windows\SysWOW64\eezzdre.exe   Process not Found
File opened for modification  C:\Windows\SysWOW64\nnhfahu.exe   Process not Found
File opened for modification  C:\Windows\SysWOW64\fqcigwj.exe   Process not Found
File created                  C:\Windows\SysWOW64\yadyzfu.exe   Process not Found
File opened for modification  C:\Windows\SysWOW64\icsimia.exe   Process not Found
File created                  C:\Windows\SysWOW64\iyjehvg.exe   Process not Found
File created                  C:\Windows\SysWOW64\hqppscs.exe   Process not Found
File opened for modification  C:\Windows\SysWOW64\vjadfex.exe   Process not Found
File created                  C:\Windows\SysWOW64\eytpscj.exe   Process not Found
File opened for modification  C:\Windows\SysWOW64\lpcgxok.exe   Process not Found
File created                  C:\Windows\SysWOW64\gaybvus.exe   wyjrhrm.exe
File created                  C:\Windows\SysWOW64\wdgmowr.exe   msqcbsk.exe
File opened for modification  C:\Windows\SysWOW64\mhorkly.exe   Process not Found
File opened for modification  C:\Windows\SysWOW64\vbxicfy.exe   Process not Found
File opened for modification  C:\Windows\SysWOW64\fzwllgn.exe   Process not Found
File opened for modification  C:\Windows\SysWOW64\hxbkozx.exe   Process not Found
File opened for modification  C:\Windows\SysWOW64\iqutszw.exe   Process not Found
File created                  C:\Windows\SysWOW64\ripjgmk.exe   Process not Found
File opened for modification  C:\Windows\SysWOW64\waayoaf.exe   Process not Found
File created                  C:\Windows\SysWOW64\itbwhzk.exe   Process not Found
File created                  C:\Windows\SysWOW64\mtuxymu.exe   Process not Found
File created                  C:\Windows\SysWOW64\zgkfimx.exe   Process not Found
File created                  C:\Windows\SysWOW64\uymvfcj.exe   kclkqha.exe
File created                  C:\Windows\SysWOW64\ejnzfag.exe   udmchbt.exe
File created                  C:\Windows\SysWOW64\xlzxkjl.exe   hzrcgeo.exe
File opened for modification  C:\Windows\SysWOW64\fwkifry.exe   Process not Found
File opened for modification  C:\Windows\SysWOW64\rjoviwi.exe   Process not Found
File opened for modification  C:\Windows\SysWOW64\tdoxufg.exe   Process not Found
File created                  C:\Windows\SysWOW64\uqvprzd.exe   hrsniry.exe
File opened for modification  C:\Windows\SysWOW64\hivlumf.exe   Process not Found
File created                  C:\Windows\SysWOW64\ukbtgzk.exe   Process not Found
File created                  C:\Windows\SysWOW64\ohyhepz.exe   Process not Found
File created                  C:\Windows\SysWOW64\hqwxzqf.exe   Process not Found
File opened for modification  C:\Windows\SysWOW64\wyjrhrm.exe   gljwddp.exe
File created                  C:\Windows\SysWOW64\mskyhwq.exe   Process not Found
File opened for modification  C:\Windows\SysWOW64\ytrluqp.exe   Process not Found
File opened for modification  C:\Windows\SysWOW64\rsiyrao.exe   Process not Found
File created                  C:\Windows\SysWOW64\ajpthlr.exe   Process not Found
File created                  C:\Windows\SysWOW64\ryzmfkv.exe   Process not Found
File opened for modification  C:\Windows\SysWOW64\nsikswt.exe   Process not Found
File created                  C:\Windows\SysWOW64\vbnluqg.exe   Process not Found
File created                  C:\Windows\SysWOW64\zdgntyx.exe   pwcpazq.exe
File created                  C:\Windows\SysWOW64\qtxzlgq.exe   gfekvyd.exe
File opened for modification  C:\Windows\SysWOW64\suelozd.exe   Process not Found
File opened for modification  C:\Windows\SysWOW64\yjzxvhc.exe   Process not Found
File opened for modification  C:\Windows\SysWOW64\rbjbjiw.exe   Process not Found
Suspicious use of SetThreadContext  64 IoCs

Each launcher (pid, Process) sets the thread context of exactly one child, and that child is a second instance of the same image (compare the Executes dropped EXE table): together with the WriteProcessMemory rows this is the process-hollowing sequence (create a copy suspended, write the real image into it, redirect its thread, resume). procid_target is the sandbox's own identifier for the target process. The table is capped at 64 rows, so it runs out at the 64th generation, not because the sample stops.

pid   Process                                               set thread context of  procid_target
2528  d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe    2524                   30
2740  bgmphxa.exe                                           2256                   47
2668  ylipnms.exe                                           1464                   64
1124  knofzrx.exe                                           2308                   84
604   xafuevw.exe                                           3024                   102
2768  kclkqha.exe                                           1668                   120
2116  uymvfcj.exe                                           2648                   138
2240  fxqsqai.exe                                           2960                   156
1416  pwcpazq.exe                                           2336                   174
2732  zdgntyx.exe                                           2880                   192
2684  jfwxgte.exe                                           1420                   210
2384  tqlitwk.exe                                           2292                   228
2204  dpxfmvr.exe                                           1796                   246
2800  nobkwuz.exe                                           2628                   264
2044  anenfcf.exe                                           568                    282
1968  kmilpbm.exe                                           544                    300
2136  xcdngjk.exe                                           2712                   318
2212  hntytey.exe                                           2652                   336
3004  uaknzix.exe                                           2392                   354
1900  edzymld.exe                                           2792                   372
2824  rbcautj.exe                                           2356                   390
2512  besdqwp.exe                                           2644                   408
2352  ldwiavw.exe                                           2332                   426
1448  bpedeat.exe                                           1064                   444
380   kdxtuig.exe                                           2316                   462
2148  yqoiamf.exe                                           1988                   480
1444  htetvhl.exe                                           1660                   498
2520  vgviblk.exe                                           2856                   516
2328  eqktooz.exe                                           2140                   534
1804  jsriaad.exe                                           772                    552
2028  wfiynwc.exe                                           2084                   570
2156  gljwddp.exe                                           2656                   588
3044  wyjrhrm.exe                                           1800                   606
2288  gaybvus.exe                                           2008                   624
2060  tzbedux.exe                                           2400                   642
1288  gpwgmcd.exe                                           1224                   660
2844  qalrhfj.exe                                           1568                   678
2764  curysko.exe                                           856                    696
2576  phjoyou.exe                                           1436                   714
3068  cjpekaz.exe                                           1624                   732
2716  pakgsae.exe                                           2464                   750
2396  zhoedze.exe                                           1644                   768
1916  jnpbbgr.exe                                           2872                   786
1692  wlrejpw.exe                                           1188                   804
2760  jybupsv.exe                                           2892                   822
1584  smcrfsi.exe                                           2688                   840
2604  dlooyrq.exe                                           2848                   858
1268  qyxedup.exe                                           584                    876
1712  cadupht.exe                                           1716                   894
2488  mdtwckz.exe                                           684                    912
2460  cpbrgpw.exe                                           1168                   930
1544  msqcbsk.exe                                           3052                   948
2444  wdgmowr.exe                                           2280                   966
2932  gcsjzuy.exe                                           2600                   984
2708  tpbhfyx.exe                                           1548                   1002
476   gfekvyd.exe                                           3036                   1021
756   qtxzlgq.exe                                           1824                   1039
2304  apystaq.exe                                           2916                   1057
2252  kznuodx.exe                                           1208                   1075
3012  atkpqrz.exe                                           2772                   1093
2808  kolzfmi.exe                                           2004                   1111
2780  xffcouf.exe                                           2408                   1129
1324  khmszgs.exe                                           2076                   1147
1260  udmchbt.exe                                           2112                   1165
System Location Discovery: System Language Discovery  1 TTPs  64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.

All 64 entries are reads of the same key, \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, grouped by the reading process:

description  ioc                                                        Process            rows
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found  51
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe            7
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  reg.exe            3
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  net1.exe           2
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wfiynwc.exe        1

This key is read during ordinary locale initialisation by many benign processes (the cmd.exe, reg.exe and net1.exe entries are those utilities starting up), so on its own it is a weak indicator; what is useful here is the list of processes the sample caused to run.

Runs net.exe
net.exe and net1.exe run under cmd.exe children of the sample (see the WriteProcessMemory table below); their command lines are not captured in this excerpt.
Suspicious use of SetWindowsHookEx  64 IoCs

One entry per launcher generation; these are the same 64 launcher processes listed in the SetThreadContext table.

pid   Process
2528  d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe
2740  bgmphxa.exe
2668  ylipnms.exe
1124  knofzrx.exe
604   xafuevw.exe
2768  kclkqha.exe
2116  uymvfcj.exe
2240  fxqsqai.exe
1416  pwcpazq.exe
2732  zdgntyx.exe
2684  jfwxgte.exe
2384  tqlitwk.exe
2204  dpxfmvr.exe
2800  nobkwuz.exe
2044  anenfcf.exe
1968  kmilpbm.exe
2136  xcdngjk.exe
2212  hntytey.exe
3004  uaknzix.exe
1900  edzymld.exe
2824  rbcautj.exe
2512  besdqwp.exe
2352  ldwiavw.exe
1448  bpedeat.exe
380   kdxtuig.exe
2148  yqoiamf.exe
1444  htetvhl.exe
2520  vgviblk.exe
2328  eqktooz.exe
1804  jsriaad.exe
2028  wfiynwc.exe
2156  gljwddp.exe
3044  wyjrhrm.exe
2288  gaybvus.exe
2060  tzbedux.exe
1288  gpwgmcd.exe
2844  qalrhfj.exe
2764  curysko.exe
2576  phjoyou.exe
3068  cjpekaz.exe
2716  pakgsae.exe
2396  zhoedze.exe
1916  jnpbbgr.exe
1692  wlrejpw.exe
2760  jybupsv.exe
1584  smcrfsi.exe
2604  dlooyrq.exe
1268  qyxedup.exe
1712  cadupht.exe
2488  mdtwckz.exe
2460  cpbrgpw.exe
1544  msqcbsk.exe
2444  wdgmowr.exe
2932  gcsjzuy.exe
2708  tpbhfyx.exe
476   gfekvyd.exe
756   qtxzlgq.exe
2304  apystaq.exe
2252  kznuodx.exe
3012  atkpqrz.exe
2808  kolzfmi.exe
2780  xffcouf.exe
1324  khmszgs.exe
1260  udmchbt.exe
Suspicious use of WriteProcessMemory  64 IoCs

The 64 rows collapse to 14 distinct parent/child pairs ("rows" is how many times the identical row appears). Every ordinary spawn in this table produces four rows; the write into 2524, the sample's own hollowed copy, produces eleven, the extra rows being consistent with the image being written into it. Note that PIDs are reused during the run (2140, 2732, 2824 and 2856 each appear here for a cmd.exe or net.exe child and elsewhere for a dropped executable), so correlate on procid_target rather than on PID alone.

pid   Process                                               wrote to memory of  procid_target  rows
2528  d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe    2524                30             11
2528  d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe    1992                31             4
2528  d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe    2140                32             4
2528  d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe    2920                33             4
2528  d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe    2348                34             4
2528  d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe    2224                35             4
2224  cmd.exe                                               2824                41             4
1992  cmd.exe                                               2992                43             4
2140  cmd.exe                                               2876                42             4
2348  cmd.exe                                               2732                116            4
2992  net.exe                                               2856                45             4
2524  d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe    2740                46             4
2876  net.exe                                               2940                48             4
2740  bgmphxa.exe                                           2256                47             5

Read together with the tree below: the original process (2528) hollows a copy of itself (2524) and also spawns five cmd.exe children, two of which run net.exe and net1.exe; the hollowed copy then starts the first dropped executable (bgmphxa.exe, 2740), which repeats the pattern.
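The following Python is an added example, not part of the report: it reconstructs the hollowing chain from rows in the three formats used above ("set thread context of", "wrote to memory of", and the pid/Process pairs of the Executes dropped EXE table). A pair is flagged as self-hollowing when a parent redirects the thread of a child that runs the parent's own image; the WriteProcessMemory count is reported but not required, because each table is capped at 64 rows and the WriteProcessMemory table is exhausted by the second generation. The embedded rows are short excerpts copied from the tables above.

```python
import re
from typing import Dict, List, Tuple

# Row formats as they appear in the report's "Suspicious use of SetThreadContext",
# "Suspicious use of WriteProcessMemory" and "Executes dropped EXE" tables.
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+) \1 (\S+) (\d+)")
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")
EXE_RE = re.compile(r"(\d+) (\S+\.exe)")

# Constructed excerpts, copied from the report above (not the full 64-row tables).
CTX_ROWS = (
    "PID 2528 set thread context of 2524 2528 d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe 30 "
    "PID 2740 set thread context of 2256 2740 bgmphxa.exe 47 "
    "PID 2668 set thread context of 1464 2668 ylipnms.exe 64"
)
WPM_ROWS = (
    "PID 2528 wrote to memory of 2524 2528 d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe 30 "
    "PID 2528 wrote to memory of 2524 2528 d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe 30 "
    "PID 2528 wrote to memory of 1992 2528 d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe 31 "
    "PID 2524 wrote to memory of 2740 2524 d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe 46 "
    "PID 2740 wrote to memory of 2256 2740 bgmphxa.exe 47"
)
EXE_ROWS = "pid Process 2740 bgmphxa.exe 2256 bgmphxa.exe 2668 ylipnms.exe 1464 ylipnms.exe"

Edge = Tuple[int, int]  # (parent pid, child pid)


def parse_images(exe_rows: str) -> Dict[int, str]:
    """pid -> image name from the 'Executes dropped EXE' table."""
    return {int(pid): name for pid, name in EXE_RE.findall(exe_rows)}


def parse_injections(ctx_rows: str, wpm_rows: str, images: Dict[int, str]) -> Dict[Edge, Dict[str, int]]:
    """(parent, child) -> {'ctx': rows, 'wpm': rows}; also learns parent images on the way."""
    events: Dict[Edge, Dict[str, int]] = {}
    for pid, child, image, _target in CTX_RE.findall(ctx_rows):
        images.setdefault(int(pid), image)
        events.setdefault((int(pid), int(child)), {"ctx": 0, "wpm": 0})["ctx"] += 1
    for pid, child, image, _target in WPM_RE.findall(wpm_rows):
        images.setdefault(int(pid), image)
        events.setdefault((int(pid), int(child)), {"ctx": 0, "wpm": 0})["wpm"] += 1
    return events


def hollowing_pairs(events: Dict[Edge, Dict[str, int]], images: Dict[int, str]) -> List[Tuple[int, int, str, int]]:
    """(parent, child, image, wpm rows) where a parent redirects a thread of its own image's second copy."""
    found = []
    for (parent, child), e in events.items():
        if e["ctx"] and child in images and images[child] == images.get(parent):
            found.append((parent, child, images[child], e["wpm"]))
    return found


def spawn_chain(events: Dict[Edge, Dict[str, int]], images: Dict[int, str], root: int) -> List[str]:
    """Follow launcher -> hollowed copy -> next generation's launcher, returning image names."""
    chain: List[str] = []
    pid, seen = root, set()
    while pid not in seen and pid in images:
        seen.add(pid)
        chain.append(images[pid])
        hollow = next((c for (p, c), e in events.items() if p == pid and e["ctx"]), None)
        if hollow is None:
            break
        # The hollowed copy drops and launches the next generation under a new name.
        nxt = next((c for (p, c), e in events.items()
                    if p == hollow and not e["ctx"] and images.get(c) not in (None, images[pid])), None)
        if nxt is None:
            break
        pid = nxt
    return chain


if __name__ == "__main__":
    images = parse_images(EXE_ROWS)
    events = parse_injections(CTX_ROWS, WPM_ROWS, images)
    for parent, child, image, wpm in hollowing_pairs(events, images):
        print(f"{image}: {parent} hollowed {child} (WriteProcessMemory rows seen: {wpm})")
    print(" -> ".join(spawn_chain(events, images, 2528)))
```

On the excerpt this flags 2528 -> 2524, 2740 -> 2256 and 2668 -> 1464, and walks the chain d90a...JaffaCakes118.exe -> bgmphxa.exe; the third pair has no WriteProcessMemory rows in the excerpt, which is why the flag keys on the thread-context change and reports the write count separately.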
Processes

Each generation follows the same pattern: a launcher is started with a numeric argument and the path of the previous generation's executable, and it then starts a second copy of itself with a bare, extension-less command line; that copy is the one whose memory and thread context the launcher overwrites (see the SetThreadContext and WriteProcessMemory tables above). The command lines say C:\Windows\system32\ but the files are in C:\Windows\SysWOW64\: the sample is 32-bit, and WoW64 file-system redirection on the x64 guest rewrites the path. "depth" is the nesting level in the tree.

depth 1   C:\Users\Admin\AppData\Local\Temp\d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe"
          PID: 2528
          - Suspicious use of SetThreadContext
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

depth 2   C:\Users\Admin\AppData\Local\Temp\d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe
          command line: C:\Users\Admin\AppData\Local\Temp\d90a33ac1d1845428baec0765efe1796_JaffaCakes118
          PID: 2524
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory

depth 3   C:\Windows\SysWOW64\bgmphxa.exe
          command line: C:\Windows\system32\bgmphxa.exe 476 "C:\Users\Admin\AppData\Local\Temp\d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe"
          PID: 2740
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetThreadContext
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

depth 4   C:\Windows\SysWOW64\bgmphxa.exe
          command line: C:\Windows\SysWOW64\bgmphxa
          PID: 2256
          - Executes dropped EXE
          - Loads dropped DLL

depth 5   C:\Windows\SysWOW64\ylipnms.exe
          command line: C:\Windows\system32\ylipnms.exe 452 "C:\Windows\SysWOW64\bgmphxa.exe"
          PID: 2668
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetThreadContext
          - Suspicious use of SetWindowsHookEx

depth 6   C:\Windows\SysWOW64\ylipnms.exe
          command line: C:\Windows\SysWOW64\ylipnms
          PID: 1464
          - Executes dropped EXE
          - Loads dropped DLL

depth 7   C:\Windows\SysWOW64\knofzrx.exe
          command line: C:\Windows\system32\knofzrx.exe 492 "C:\Windows\SysWOW64\ylipnms.exe"
          PID: 1124
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of SetWindowsHookEx

depth 8   C:\Windows\SysWOW64\knofzrx.exe
          command line: C:\Windows\SysWOW64\knofzrx
          PID: 2308
          - Executes dropped EXE
          - Loads dropped DLL

depth 9   C:\Windows\SysWOW64\xafuevw.exe
          command line: C:\Windows\system32\xafuevw.exe 528 "C:\Windows\SysWOW64\knofzrx.exe"
          PID: 604
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of SetWindowsHookEx

depth 10  C:\Windows\SysWOW64\xafuevw.exe
          command line: C:\Windows\SysWOW64\xafuevw
          PID: 3024
          - Executes dropped EXE
          - Loads dropped DLL

depth 11  C:\Windows\SysWOW64\kclkqha.exe
          command line: C:\Windows\system32\kclkqha.exe 528 "C:\Windows\SysWOW64\xafuevw.exe"
          PID: 2768
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of SetWindowsHookEx

depth 12  C:\Windows\SysWOW64\kclkqha.exe
          command line: C:\Windows\SysWOW64\kclkqha
          PID: 1668
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in System32 directory

depth 13  C:\Windows\SysWOW64\uymvfcj.exe
          command line: C:\Windows\system32\uymvfcj.exe 528 "C:\Windows\SysWOW64\kclkqha.exe"
          PID: 2116
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of SetWindowsHookEx

depth 14  C:\Windows\SysWOW64\uymvfcj.exe
          command line: C:\Windows\SysWOW64\uymvfcj
          PID: 2648
          - Executes dropped EXE
          - Loads dropped DLL

depth 15  C:\Windows\SysWOW64\fxqsqai.exe
          command line: C:\Windows\system32\fxqsqai.exe 528 "C:\Windows\SysWOW64\uymvfcj.exe"
          PID: 2240
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of SetWindowsHookEx

depth 16  C:\Windows\SysWOW64\fxqsqai.exe
          command line: C:\Windows\SysWOW64\fxqsqai
          PID: 2960
          - Executes dropped EXE
          - Loads dropped DLL

depth 17  C:\Windows\SysWOW64\pwcpazq.exe
          command line: C:\Windows\system32\pwcpazq.exe 492 "C:\Windows\SysWOW64\fxqsqai.exe"
          PID: 1416
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of SetWindowsHookEx

depth 18  C:\Windows\SysWOW64\pwcpazq.exe
          command line: C:\Windows\SysWOW64\pwcpazq
          PID: 2336
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in System32 directory

depth 19  C:\Windows\SysWOW64\zdgntyx.exe
          command line: C:\Windows\system32\zdgntyx.exe 528 "C:\Windows\SysWOW64\pwcpazq.exe"
          PID: 2732
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of SetWindowsHookEx

depth 20  C:\Windows\SysWOW64\zdgntyx.exe
          command line: C:\Windows\SysWOW64\zdgntyx
          PID: 2880
          - Executes dropped EXE
          - Loads dropped DLL

depth 21  C:\Windows\SysWOW64\jfwxgte.exe
          command line: C:\Windows\system32\jfwxgte.exe 528 "C:\Windows\SysWOW64\zdgntyx.exe"
          PID: 2684
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of SetWindowsHookEx

depth 22  C:\Windows\SysWOW64\jfwxgte.exe
          command line: C:\Windows\SysWOW64\jfwxgte
          PID: 1420
          - Executes dropped EXE
          - Loads dropped DLL

depth 23  C:\Windows\SysWOW64\tqlitwk.exe
          command line: C:\Windows\system32\tqlitwk.exe 520 "C:\Windows\SysWOW64\jfwxgte.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2384 -
C:\Windows\SysWOW64\tqlitwk.exeC:\Windows\SysWOW64\tqlitwk24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2292 -
C:\Windows\SysWOW64\dpxfmvr.exeC:\Windows\system32\dpxfmvr.exe 520 "C:\Windows\SysWOW64\tqlitwk.exe"25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2204 -
C:\Windows\SysWOW64\dpxfmvr.exeC:\Windows\SysWOW64\dpxfmvr26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1796 -
C:\Windows\SysWOW64\nobkwuz.exeC:\Windows\system32\nobkwuz.exe 528 "C:\Windows\SysWOW64\dpxfmvr.exe"27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2800 -
C:\Windows\SysWOW64\nobkwuz.exeC:\Windows\SysWOW64\nobkwuz28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2628 -
C:\Windows\SysWOW64\anenfcf.exeC:\Windows\system32\anenfcf.exe 520 "C:\Windows\SysWOW64\nobkwuz.exe"29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2044 -
C:\Windows\SysWOW64\anenfcf.exeC:\Windows\SysWOW64\anenfcf30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:568 -
C:\Windows\SysWOW64\kmilpbm.exeC:\Windows\system32\kmilpbm.exe 520 "C:\Windows\SysWOW64\anenfcf.exe"31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1968 -
C:\Windows\SysWOW64\kmilpbm.exeC:\Windows\SysWOW64\kmilpbm32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:544 -
C:\Windows\SysWOW64\xcdngjk.exeC:\Windows\system32\xcdngjk.exe 520 "C:\Windows\SysWOW64\kmilpbm.exe"33⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2136 -
C:\Windows\SysWOW64\xcdngjk.exeC:\Windows\SysWOW64\xcdngjk34⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2712 -
C:\Windows\SysWOW64\hntytey.exeC:\Windows\system32\hntytey.exe 520 "C:\Windows\SysWOW64\xcdngjk.exe"35⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2212 -
C:\Windows\SysWOW64\hntytey.exeC:\Windows\SysWOW64\hntytey36⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2652 -
C:\Windows\SysWOW64\uaknzix.exeC:\Windows\system32\uaknzix.exe 520 "C:\Windows\SysWOW64\hntytey.exe"37⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3004 -
C:\Windows\SysWOW64\uaknzix.exeC:\Windows\SysWOW64\uaknzix38⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2392 -
C:\Windows\SysWOW64\edzymld.exeC:\Windows\system32\edzymld.exe 528 "C:\Windows\SysWOW64\uaknzix.exe"39⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1900 -
C:\Windows\SysWOW64\edzymld.exeC:\Windows\SysWOW64\edzymld40⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2792 -
C:\Windows\SysWOW64\rbcautj.exeC:\Windows\system32\rbcautj.exe 520 "C:\Windows\SysWOW64\edzymld.exe"41⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2824 -
C:\Windows\SysWOW64\rbcautj.exeC:\Windows\SysWOW64\rbcautj42⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2356 -
C:\Windows\SysWOW64\besdqwp.exeC:\Windows\system32\besdqwp.exe 520 "C:\Windows\SysWOW64\rbcautj.exe"43⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2512 -
C:\Windows\SysWOW64\besdqwp.exeC:\Windows\SysWOW64\besdqwp44⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2644 -
C:\Windows\SysWOW64\ldwiavw.exeC:\Windows\system32\ldwiavw.exe 520 "C:\Windows\SysWOW64\besdqwp.exe"45⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2352 -
C:\Windows\SysWOW64\ldwiavw.exeC:\Windows\SysWOW64\ldwiavw46⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2332 -
C:\Windows\SysWOW64\bpedeat.exeC:\Windows\system32\bpedeat.exe 520 "C:\Windows\SysWOW64\ldwiavw.exe"47⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1448 -
C:\Windows\SysWOW64\bpedeat.exeC:\Windows\SysWOW64\bpedeat48⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1064 -
C:\Windows\SysWOW64\kdxtuig.exeC:\Windows\system32\kdxtuig.exe 528 "C:\Windows\SysWOW64\bpedeat.exe"49⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:380 -
C:\Windows\SysWOW64\kdxtuig.exeC:\Windows\SysWOW64\kdxtuig50⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2316 -
C:\Windows\SysWOW64\yqoiamf.exeC:\Windows\system32\yqoiamf.exe 520 "C:\Windows\SysWOW64\kdxtuig.exe"51⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2148 -
C:\Windows\SysWOW64\yqoiamf.exeC:\Windows\SysWOW64\yqoiamf52⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1988 -
C:\Windows\SysWOW64\htetvhl.exeC:\Windows\system32\htetvhl.exe 520 "C:\Windows\SysWOW64\yqoiamf.exe"53⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1444 -
C:\Windows\SysWOW64\htetvhl.exeC:\Windows\SysWOW64\htetvhl54⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1660 -
C:\Windows\SysWOW64\vgviblk.exeC:\Windows\system32\vgviblk.exe 520 "C:\Windows\SysWOW64\htetvhl.exe"55⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2520 -
C:\Windows\SysWOW64\vgviblk.exeC:\Windows\SysWOW64\vgviblk56⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2856 -
C:\Windows\SysWOW64\eqktooz.exeC:\Windows\system32\eqktooz.exe 520 "C:\Windows\SysWOW64\vgviblk.exe"57⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2328 -
C:\Windows\SysWOW64\eqktooz.exeC:\Windows\SysWOW64\eqktooz58⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2140 -
C:\Windows\SysWOW64\jsriaad.exeC:\Windows\system32\jsriaad.exe 520 "C:\Windows\SysWOW64\eqktooz.exe"59⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1804 -
C:\Windows\SysWOW64\jsriaad.exeC:\Windows\SysWOW64\jsriaad60⤵
- Executes dropped EXE
- Loads dropped DLL
PID:772 -
C:\Windows\SysWOW64\wfiynwc.exeC:\Windows\system32\wfiynwc.exe 520 "C:\Windows\SysWOW64\jsriaad.exe"61⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2028 -
C:\Windows\SysWOW64\wfiynwc.exeC:\Windows\SysWOW64\wfiynwc62⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2084 -
C:\Windows\SysWOW64\gljwddp.exeC:\Windows\system32\gljwddp.exe 520 "C:\Windows\SysWOW64\wfiynwc.exe"63⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2156 -
C:\Windows\SysWOW64\gljwddp.exeC:\Windows\SysWOW64\gljwddp64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2656 -
C:\Windows\SysWOW64\wyjrhrm.exeC:\Windows\system32\wyjrhrm.exe 520 "C:\Windows\SysWOW64\gljwddp.exe"65⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3044 -
C:\Windows\SysWOW64\wyjrhrm.exeC:\Windows\SysWOW64\wyjrhrm66⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1800 -
C:\Windows\SysWOW64\gaybvus.exeC:\Windows\system32\gaybvus.exe 520 "C:\Windows\SysWOW64\wyjrhrm.exe"67⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2288 -
C:\Windows\SysWOW64\gaybvus.exeC:\Windows\SysWOW64\gaybvus68⤵PID:2008
C:\Windows\SysWOW64\tzbedux.exeC:\Windows\system32\tzbedux.exe 520 "C:\Windows\SysWOW64\gaybvus.exe"69⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2060 -
C:\Windows\SysWOW64\tzbedux.exeC:\Windows\SysWOW64\tzbedux70⤵PID:2400
C:\Windows\SysWOW64\gpwgmcd.exeC:\Windows\system32\gpwgmcd.exe 520 "C:\Windows\SysWOW64\tzbedux.exe"71⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1288 -
C:\Windows\SysWOW64\gpwgmcd.exeC:\Windows\SysWOW64\gpwgmcd72⤵PID:1224
C:\Windows\SysWOW64\qalrhfj.exeC:\Windows\system32\qalrhfj.exe 520 "C:\Windows\SysWOW64\gpwgmcd.exe"73⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2844 -
C:\Windows\SysWOW64\qalrhfj.exeC:\Windows\SysWOW64\qalrhfj74⤵PID:1568
C:\Windows\SysWOW64\curysko.exeC:\Windows\system32\curysko.exe 528 "C:\Windows\SysWOW64\qalrhfj.exe"75⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2764 -
C:\Windows\SysWOW64\curysko.exeC:\Windows\SysWOW64\curysko76⤵PID:856
C:\Windows\SysWOW64\phjoyou.exeC:\Windows\system32\phjoyou.exe 528 "C:\Windows\SysWOW64\curysko.exe"77⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2576 -
C:\Windows\SysWOW64\phjoyou.exeC:\Windows\SysWOW64\phjoyou78⤵PID:1436
C:\Windows\SysWOW64\cjpekaz.exeC:\Windows\system32\cjpekaz.exe 528 "C:\Windows\SysWOW64\phjoyou.exe"79⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3068 -
C:\Windows\SysWOW64\cjpekaz.exeC:\Windows\SysWOW64\cjpekaz80⤵PID:1624
C:\Windows\SysWOW64\pakgsae.exeC:\Windows\system32\pakgsae.exe 528 "C:\Windows\SysWOW64\cjpekaz.exe"81⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2716 -
C:\Windows\SysWOW64\pakgsae.exeC:\Windows\SysWOW64\pakgsae82⤵PID:2464
C:\Windows\SysWOW64\zhoedze.exeC:\Windows\system32\zhoedze.exe 528 "C:\Windows\SysWOW64\pakgsae.exe"83⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2396 -
C:\Windows\SysWOW64\zhoedze.exeC:\Windows\SysWOW64\zhoedze84⤵PID:1644
C:\Windows\SysWOW64\jnpbbgr.exeC:\Windows\system32\jnpbbgr.exe 528 "C:\Windows\SysWOW64\zhoedze.exe"85⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1916 -
C:\Windows\SysWOW64\jnpbbgr.exeC:\Windows\SysWOW64\jnpbbgr86⤵
- Drops file in System32 directory
PID:2872 -
C:\Windows\SysWOW64\wlrejpw.exeC:\Windows\system32\wlrejpw.exe 528 "C:\Windows\SysWOW64\jnpbbgr.exe"87⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1692 -
C:\Windows\SysWOW64\wlrejpw.exeC:\Windows\SysWOW64\wlrejpw88⤵PID:1188
C:\Windows\SysWOW64\jybupsv.exeC:\Windows\system32\jybupsv.exe 528 "C:\Windows\SysWOW64\wlrejpw.exe"89⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2760 -
C:\Windows\SysWOW64\jybupsv.exeC:\Windows\SysWOW64\jybupsv90⤵PID:2892
C:\Windows\SysWOW64\smcrfsi.exeC:\Windows\system32\smcrfsi.exe 528 "C:\Windows\SysWOW64\jybupsv.exe"91⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1584 -
C:\Windows\SysWOW64\smcrfsi.exeC:\Windows\SysWOW64\smcrfsi92⤵PID:2688
C:\Windows\SysWOW64\dlooyrq.exeC:\Windows\system32\dlooyrq.exe 528 "C:\Windows\SysWOW64\smcrfsi.exe"93⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2604 -
C:\Windows\SysWOW64\dlooyrq.exeC:\Windows\SysWOW64\dlooyrq94⤵PID:2848
C:\Windows\SysWOW64\qyxedup.exeC:\Windows\system32\qyxedup.exe 528 "C:\Windows\SysWOW64\dlooyrq.exe"95⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1268 -
C:\Windows\SysWOW64\qyxedup.exeC:\Windows\SysWOW64\qyxedup96⤵PID:584
C:\Windows\SysWOW64\cadupht.exeC:\Windows\system32\cadupht.exe 528 "C:\Windows\SysWOW64\qyxedup.exe"97⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1712 -
C:\Windows\SysWOW64\cadupht.exeC:\Windows\SysWOW64\cadupht98⤵PID:1716
C:\Windows\SysWOW64\mdtwckz.exeC:\Windows\system32\mdtwckz.exe 528 "C:\Windows\SysWOW64\cadupht.exe"99⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2488 -
C:\Windows\SysWOW64\mdtwckz.exeC:\Windows\SysWOW64\mdtwckz100⤵PID:684
C:\Windows\SysWOW64\cpbrgpw.exeC:\Windows\system32\cpbrgpw.exe 528 "C:\Windows\SysWOW64\mdtwckz.exe"101⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2460 -
C:\Windows\SysWOW64\cpbrgpw.exeC:\Windows\SysWOW64\cpbrgpw102⤵PID:1168
C:\Windows\SysWOW64\msqcbsk.exeC:\Windows\system32\msqcbsk.exe 528 "C:\Windows\SysWOW64\cpbrgpw.exe"103⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1544 -
C:\Windows\SysWOW64\msqcbsk.exeC:\Windows\SysWOW64\msqcbsk104⤵
- Drops file in System32 directory
PID:3052 -
C:\Windows\SysWOW64\wdgmowr.exeC:\Windows\system32\wdgmowr.exe 528 "C:\Windows\SysWOW64\msqcbsk.exe"105⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2444 -
C:\Windows\SysWOW64\wdgmowr.exeC:\Windows\SysWOW64\wdgmowr106⤵PID:2280
C:\Windows\SysWOW64\gcsjzuy.exeC:\Windows\system32\gcsjzuy.exe 528 "C:\Windows\SysWOW64\wdgmowr.exe"107⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2932 -
C:\Windows\SysWOW64\gcsjzuy.exeC:\Windows\SysWOW64\gcsjzuy108⤵PID:2600
C:\Windows\SysWOW64\tpbhfyx.exeC:\Windows\system32\tpbhfyx.exe 528 "C:\Windows\SysWOW64\gcsjzuy.exe"109⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2708 -
C:\Windows\SysWOW64\tpbhfyx.exeC:\Windows\SysWOW64\tpbhfyx110⤵PID:1548
C:\Windows\SysWOW64\gfekvyd.exeC:\Windows\system32\gfekvyd.exe 528 "C:\Windows\SysWOW64\tpbhfyx.exe"111⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:476 -
C:\Windows\SysWOW64\gfekvyd.exeC:\Windows\SysWOW64\gfekvyd112⤵
- Drops file in System32 directory
PID:3036 -
C:\Windows\SysWOW64\qtxzlgq.exeC:\Windows\system32\qtxzlgq.exe 528 "C:\Windows\SysWOW64\gfekvyd.exe"113⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:756 -
C:\Windows\SysWOW64\qtxzlgq.exeC:\Windows\SysWOW64\qtxzlgq114⤵PID:1824
C:\Windows\SysWOW64\apystaq.exeC:\Windows\system32\apystaq.exe 528 "C:\Windows\SysWOW64\qtxzlgq.exe"115⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2304 -
C:\Windows\SysWOW64\apystaq.exeC:\Windows\SysWOW64\apystaq116⤵PID:2916
C:\Windows\SysWOW64\kznuodx.exeC:\Windows\system32\kznuodx.exe 528 "C:\Windows\SysWOW64\apystaq.exe"117⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2252 -
C:\Windows\SysWOW64\kznuodx.exeC:\Windows\SysWOW64\kznuodx118⤵PID:1208
C:\Windows\SysWOW64\atkpqrz.exeC:\Windows\system32\atkpqrz.exe 528 "C:\Windows\SysWOW64\kznuodx.exe"119⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3012 -
C:\Windows\SysWOW64\atkpqrz.exeC:\Windows\SysWOW64\atkpqrz120⤵PID:2772
C:\Windows\SysWOW64\kolzfmi.exeC:\Windows\system32\kolzfmi.exe 528 "C:\Windows\SysWOW64\atkpqrz.exe"121⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2808 -
C:\Windows\SysWOW64\kolzfmi.exeC:\Windows\SysWOW64\kolzfmi122⤵PID:2004