Analysis
max time kernel: 140s
max time network: 118s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 13-12-2024 03:14

Static task: static1
Behavioral task: behavioral1
  Sample: e99f6ab90c467e6f67379912be367664_JaffaCakes118.exe
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: e99f6ab90c467e6f67379912be367664_JaffaCakes118.exe
  Resource: win10v2004-20241007-en

General
Target: e99f6ab90c467e6f67379912be367664_JaffaCakes118.exe
Size: 693KB
MD5: e99f6ab90c467e6f67379912be367664
SHA1: a2236b36e18c46941051590ecbc2f9b81089e7bb
SHA256: dd1b98a578d4c4dac4064b9849630878b95fe9e06a8eb141c8612e660caeacee
SHA512: 9718c7d0eecf1f1cd843a59554193857fd9fe8edf23c77f046c9b6f1453ce570a76ebce715ca69ca4268c168d7f4771c97a6163cf07f2e1cc6f0f60217079a89
SSDEEP: 12288:FayriPUR51b9eX7Gy569idYRYJW1VDjrmAkx:FayrisR51ReX7Go/Ed7jrmd
Malware Config
Extracted: metasploit, encoder/fnstenv_mov
Extracted: metasploit, encoder/call4_dword_xor
Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Metasploit family
Checks BIOS information in registry (2 TTPs, 64 IoCs)
BIOS information is often read in order to detect sandboxing environments.

description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | bmxcmebecln.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | vhwhbygntto.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | tajegfjqkle.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | lzxceyiqbai.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | kfpunwavpro.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | pukrpqijbhx.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | goerjgixzbg.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | osnxdhnixdw.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | wcvcifqgjue.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | bkgvfvzujbd.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | iddpnjclliz.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | cnkrlaoapzz.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | qxannoxjnrn.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | jiyuomzdlqg.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | phcwdblghhg.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | xsmgwkmcynz.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | arghrsvclsw.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rkhckxjrabj.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | ocmfywueksz.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | lcpgccjmjxh.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | qyjlkjhjguy.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | dnmruoecsjm.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | omroenmcahq.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | wmtlyozuqpk.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | zesgwklppxo.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | xcnmiuhlwqm.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | vcunakuanlh.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | uyqpvsmptno.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | iqgfptrzfsi.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | ixuzcudyqyz.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | nwncdpjifjp.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | mwgttbrgfup.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | wiwpisotkxk.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rezcltnszfv.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | tjihujwmxnh.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | frydkgnfals.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | ifbobqsvqhv.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | ccmoupohoca.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | yidbmeooyoh.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | mdjcgdybuai.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | qykboeligcp.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | jjmvvuqvkww.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | iizchivzmff.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | tbruzanrzqf.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | dztdjlcuwzo.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | qclplgktinv.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | uzozapjjxth.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | ydejmqxeqdt.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | hckffblhzmr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | eqyniehoksr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | ucoqebqdvdi.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | nuhvgnkqobe.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | fopmnrqnbrm.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | hnecpxtedzp.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | poudhilmvlm.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | nwtxvaazmyi.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | lkalzvejrzt.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | uochddepihi.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | syqyqekhfyh.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | mfejvfluepm.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | achvsdezrkc.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | ggbmgwstfwr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | dgvhbvhvasa.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | mwgttbrgfup.exe
Executes dropped EXE (64 IoCs)

pid | Process
2632 | rkhckxjrabj.exe
2792 | mipxnuzqayr.exe
2312 | abtacyyecph.exe
600 | ocmfywueksz.exe
2052 | iiuqzhsneug.exe
2544 | kddqndtlfzj.exe
832 | zwsdxzwclng.exe
3024 | bwftbknszwk.exe
2396 | vfxinzrdgus.exe
2860 | kcpgfmixhnp.exe
2680 | azporerrane.exe
2796 | ohhrsdukvtu.exe
556 | gsvjabuicua.exe
1708 | aylmcqbicri.exe
756 | vesodbgqwtp.exe
1612 | nhhzflrgjpw.exe
1932 | cepzslarkpl.exe
1716 | xvicpabulla.exe
2388 | jbaedjmylyg.exe
2928 | cickacgcful.exe
1704 | hnvrtmtkrve.exe
572 | zjuxensdlsc.exe
1828 | jiyuomzdlqg.exe
1796 | thkrhlhdtok.exe
2292 | blmfqwksgdf.exe
408 | kokplzyvsoj.exe
2072 | vvomwyyutmn.exe
1720 | eydxjbmofxr.exe
2704 | ptehzvnutjd.exe
1812 | fjqpxfqiujr.exe
2124 | mrlhsusautm.exe
468 | ywukgldeufa.exe
2156 | dylfwrjkbtt.exe
3056 | vmbkhsqlvqr.exe
1884 | vbzpyataoor.exe
1980 | qssfcqxlvmz.exe
1484 | xanfwfgvuoc.exe
2836 | nqzfdpkswwq.exe
2896 | uxmfpeucvyt.exe
2044 | hkevvisokgf.exe
1888 | owcascbbwvb.exe
2316 | eloiyteyxdp.exe
2032 | eqyniehoksr.exe
1772 | osnxdhnixdw.exe
1792 | vajypxxaenq.exe
928 | inanvbwfknd.exe
1732 | syqyqekhfyh.exe
2096 | flznwijllxu.exe
1648 | mwgttbrgfup.exe
316 | ajpizxqlmtc.exe
2908 | wvliyniomeu.exe
876 | ogybfkjvsfs.exe
2344 | wciopvllncu.exe
2276 | jbdqxdrsgph.exe
952 | laryvienuok.exe
1504 | dzulabgrolp.exe
2416 | kssqxvoeaik.exe
2740 | xfkgdynjphx.exe
1492 | ieodnxvipfb.exe
2224 | rplojabkbjf.exe
2588 | ucoqebqdvdi.exe
1164 | oekoczorctw.exe
700 | trewvjtaxci.exe
2772 | gxvyjseewow.exe
Loads dropped DLL (64 IoCs)

pid | Process
2604 | e99f6ab90c467e6f67379912be367664_JaffaCakes118.exe
2604 | e99f6ab90c467e6f67379912be367664_JaffaCakes118.exe
2632 | rkhckxjrabj.exe
2632 | rkhckxjrabj.exe
2792 | mipxnuzqayr.exe
2792 | mipxnuzqayr.exe
2312 | abtacyyecph.exe
2312 | abtacyyecph.exe
600 | ocmfywueksz.exe
600 | ocmfywueksz.exe
2052 | iiuqzhsneug.exe
2052 | iiuqzhsneug.exe
2544 | kddqndtlfzj.exe
2544 | kddqndtlfzj.exe
832 | zwsdxzwclng.exe
832 | zwsdxzwclng.exe
3024 | bwftbknszwk.exe
3024 | bwftbknszwk.exe
2396 | vfxinzrdgus.exe
2396 | vfxinzrdgus.exe
2860 | kcpgfmixhnp.exe
2860 | kcpgfmixhnp.exe
2680 | azporerrane.exe
2680 | azporerrane.exe
2796 | ohhrsdukvtu.exe
2796 | ohhrsdukvtu.exe
556 | gsvjabuicua.exe
556 | gsvjabuicua.exe
1708 | aylmcqbicri.exe
1708 | aylmcqbicri.exe
756 | vesodbgqwtp.exe
756 | vesodbgqwtp.exe
1612 | nhhzflrgjpw.exe
1612 | nhhzflrgjpw.exe
1932 | cepzslarkpl.exe
1932 | cepzslarkpl.exe
1716 | xvicpabulla.exe
1716 | xvicpabulla.exe
2388 | jbaedjmylyg.exe
2388 | jbaedjmylyg.exe
2928 | cickacgcful.exe
2928 | cickacgcful.exe
1704 | hnvrtmtkrve.exe
1704 | hnvrtmtkrve.exe
572 | zjuxensdlsc.exe
572 | zjuxensdlsc.exe
1828 | jiyuomzdlqg.exe
1828 | jiyuomzdlqg.exe
1796 | thkrhlhdtok.exe
1796 | thkrhlhdtok.exe
2292 | blmfqwksgdf.exe
2292 | blmfqwksgdf.exe
408 | kokplzyvsoj.exe
408 | kokplzyvsoj.exe
2072 | vvomwyyutmn.exe
2072 | vvomwyyutmn.exe
1720 | eydxjbmofxr.exe
1720 | eydxjbmofxr.exe
2704 | ptehzvnutjd.exe
2704 | ptehzvnutjd.exe
1812 | fjqpxfqiujr.exe
1812 | fjqpxfqiujr.exe
2124 | mrlhsusautm.exe
2124 | mrlhsusautm.exe
Drops file in System32 directory (64 IoCs)

description | ioc | Process
File created | C:\Windows\SysWOW64\jbdqxdrsgph.exe | wciopvllncu.exe
File opened for modification | C:\Windows\SysWOW64\uhksakxgqzd.exe | hnecpxtedzp.exe
File created | C:\Windows\SysWOW64\fvqbdqectjh.exe | qyqtryviabj.exe
File created | C:\Windows\SysWOW64\pupddejqwpw.exe | tvwtibrejei.exe
File created | C:\Windows\SysWOW64\uzozapjjxth.exe | hexkmlkwjtv.exe
File created | C:\Windows\SysWOW64\ukowfyojzmh.exe | mfejvfluepm.exe
File created | C:\Windows\SysWOW64\bwblansusae.exe | rlmbfjmaypa.exe
File created | C:\Windows\SysWOW64\zpujsjfxkch.exe | uzxwwdtudgv.exe
File created | C:\Windows\SysWOW64\wvqulsjnolm.exe | lzxceyiqbai.exe
File created | C:\Windows\SysWOW64\oonhfxxsaon.exe | hkdcvmmcozt.exe
File created | C:\Windows\SysWOW64\nlsdtnjgugk.exe | yswqsrhpgtn.exe
File opened for modification | C:\Windows\SysWOW64\uoowxiuhbuc.exe | kangzahkbwx.exe
File created | C:\Windows\SysWOW64\nfivpmxrkle.exe | xpxviuuvrli.exe
File opened for modification | C:\Windows\SysWOW64\fopmnrqnbrm.exe | xrfzvgnxgus.exe
File created | C:\Windows\SysWOW64\peftlypkjfh.exe | zljyckntdrs.exe
File opened for modification | C:\Windows\SysWOW64\fkoyvzhquih.exe | siirjucghit.exe
File opened for modification | C:\Windows\SysWOW64\wnktotclxzy.exe | ushrlavkdev.exe
File opened for modification | C:\Windows\SysWOW64\ukwusthttkc.exe | mdjcgdybuai.exe
File opened for modification | C:\Windows\SysWOW64\mfhnzkmqwuf.exe | zhmkqjgjvis.exe
File opened for modification | C:\Windows\SysWOW64\unyraedzlsa.exe | rryztjcbxhx.exe
File created | C:\Windows\SysWOW64\gxnfhvxpbwq.exe | wvqulsjnolm.exe
File created | C:\Windows\SysWOW64\qyqtryviabj.exe | jqvbxjlytzp.exe
File created | C:\Windows\SysWOW64\fqcigwjyrux.exe | sazfxoeryis.exe
File opened for modification | C:\Windows\SysWOW64\mfkjdmuvnsy.exe | fiaeutsfsvd.exe
File created | C:\Windows\SysWOW64\mrlhsusautm.exe | fjqpxfqiujr.exe
File created | C:\Windows\SysWOW64\inanvbwfknd.exe | vajypxxaenq.exe
File created | C:\Windows\SysWOW64\hnecpxtedzp.exe | xrlshdkzpom.exe
File opened for modification | C:\Windows\SysWOW64\kypilczbppb.exe | xwjaapvzbqn.exe
File created | C:\Windows\SysWOW64\nyvmllweefy.exe | awpeszjvqgl.exe
File opened for modification | C:\Windows\SysWOW64\zhmkqjgjvis.exe | rzrswmxrwyx.exe
File created | C:\Windows\SysWOW64\ywukgldeufa.exe | mrlhsusautm.exe
File opened for modification | C:\Windows\SysWOW64\paovzppsmqu.exe | fevdrvovzfq.exe
File opened for modification | C:\Windows\SysWOW64\tcrvwlvmzxb.exe | yanxqexyahu.exe
File created | C:\Windows\SysWOW64\zfwvdmwqjbi.exe | ojvcwsvkvqf.exe
File created | C:\Windows\SysWOW64\glqfwqmxhlt.exe | wmmilrfxhnp.exe
File opened for modification | C:\Windows\SysWOW64\ptehzvnutjd.exe | eydxjbmofxr.exe
File created | C:\Windows\SysWOW64\bhmoauudkne.exe | orklrmowjbr.exe
File opened for modification | C:\Windows\SysWOW64\txukyibjxqa.exe | eaucmqspfpd.exe
File opened for modification | C:\Windows\SysWOW64\ybvxkcotqmu.exe | mzphzqjklmh.exe
File created | C:\Windows\SysWOW64\nkbclhgxgwo.exe | fdfczkwfgut.exe
File opened for modification | C:\Windows\SysWOW64\itmljamgkwa.exe | vvrjasgzjkn.exe
File created | C:\Windows\SysWOW64\zjxshmrsopj.exe | lwgcbqsfzqx.exe
File opened for modification | C:\Windows\SysWOW64\zsgivftkoof.exe | qeftfxgnoqa.exe
File opened for modification | C:\Windows\SysWOW64\fjtlkhznlhr.exe | vkpozirndin.exe
File created | C:\Windows\SysWOW64\awpeszjvqgl.exe | qbomkejydvh.exe
File opened for modification | C:\Windows\SysWOW64\yoigbfylons.exe | mmczqsubbnf.exe
File created | C:\Windows\SysWOW64\kviptyhwtrc.exe | gbahvopraiq.exe
File created | C:\Windows\SysWOW64\ypdztvxrwmo.exe | lzaekuzkvzb.exe
File opened for modification | C:\Windows\SysWOW64\kviptyhwtrc.exe | gbahvopraiq.exe
File created | C:\Windows\SysWOW64\xfkgdynjphx.exe | kssqxvoeaik.exe
File created | C:\Windows\SysWOW64\lzcdprbrwbw.exe | zfwvdmwqjbi.exe
File created | C:\Windows\SysWOW64\dblthlachvs.exe | qotdbhbptwf.exe
File opened for modification | C:\Windows\SysWOW64\ushrlavkdev.exe | iybbzorbqfi.exe
File opened for modification | C:\Windows\SysWOW64\qeftfxgnoqa.exe | gfbvvyyogrw.exe
File opened for modification | C:\Windows\SysWOW64\wldtxscuygb.exe | ohsogzaflrh.exe
File opened for modification | C:\Windows\SysWOW64\eiywtemrqtf.exe | ucgzvwyurca.exe
File created | C:\Windows\SysWOW64\junccpfmabo.exe | zjxshmrsopj.exe
File opened for modification | C:\Windows\SysWOW64\lisbqzznkdk.exe | zcagciobsje.exe
File opened for modification | C:\Windows\SysWOW64\iiuqzhsneug.exe | ocmfywueksz.exe
File opened for modification | C:\Windows\SysWOW64\xgapojwcsxm.exe | qubkzpopyar.exe
File created | C:\Windows\SysWOW64\mobqecxhmyv.exe | xueduovpgky.exe
File opened for modification | C:\Windows\SysWOW64\ivqujdysypr.exe | arghrsvclsw.exe
File created | C:\Windows\SysWOW64\tnyjecokpja.exe | jkjzjzhicyw.exe
File opened for modification | C:\Windows\SysWOW64\agymabpxewd.exe | krmeukuakwh.exe
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nhhzflrgjpw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | amldytwwazt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lgalqaptpga.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dzulabgrolp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | asutjivsvbs.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | owpktkujtao.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nnqbplypzng.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skfbltmyrjq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | azporerrane.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nonpsnuopsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zocehlacdwr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nainfnnwyri.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ogohlmligif.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lzxceyiqbai.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | yanxqexyahu.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nwtxvaazmyi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ermopmpxjgz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | eydxjbmofxr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iiuqzhsneug.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vfxinzrdgus.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nkbclhgxgwo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | uhksakxgqzd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | geetoennglb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lpeqdtxvjie.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jewepwlmmqt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | peftlypkjfh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ohhwnonefft.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qykboeligcp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xbsdrsjdakk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mkiuvtzpvka.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bioubkicuzg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | flznwijllxu.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mgrlklbdkmi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pxcrsfycuji.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qyqtryviabj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dshjmsukqkw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vvyqgtsahho.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sunjmnssmzb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ybvxkcotqmu.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | oyhbmzxdyzs.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tnyjecokpja.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zklxmsduzcy.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fjtlkhznlhr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rnknitjnwbj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bxcbngdqnoh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kviptyhwtrc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mkrrqxoquso.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bdwxjvbnxbd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qzylbmmsaqj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mfafsvyrdgm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | axoygdtigbt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iohelteqwks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kcymeaxlbbj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bwftbknszwk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | uaealzscbjw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ozdoikjlhrf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kfogwkukamz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbzpyataoor.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | clwmgqvucbd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fuyckbkwcfl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmqsonmlnfs.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jswqdjismin.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ipyoijwtmhs.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | npbpprjmkci.exe
Modifies registry class (64 IoCs)

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\tryCpckf | hhuwpdjyrsz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\uOggchbzm | mkdicunaopi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\glJqk\ = "GvniO}r@en{" | fqcigwjyrux.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\glJqk\ = "G~niO|yT@^I" | xkpffwtwzgu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\MoxukJ\ = "r|GSU@b[zOWKen@AcgX" | krdakxvzpod.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\tryCpckf\ = "HbUN}jLIUJLQMl|h^SHX}~aRtD{" | amldytwwazt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\MoxukJ\ = "r|GSU@b[zOWKen@Ab`X" | nqtpxwuvrme.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\SbcUdUtukGb\ = "uKMy|uag~obEio}NBCz~|RI\\o_]" | ieodnxvipfb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\LuyIcgVQtQpf\ = "rB}j{gGIQ@rmvdw[dsFeh" | geotytifiva.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\pszpftrq | iltwtufyrlm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\pszpftrq | awpeszjvqgl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\glJqk\ = "WzniO\x7fO}Z_n" | ngqxuylusrn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\tryCpckf\ = "HbUN}jmIUJLQMl|h^SHX}~aRtD{" | mkiuvtzpvka.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\pszpftrq | xcnmiuhlwqm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\uOggchbzm | ujfdwyzoqeo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\SbcUdUtukGb | xhyfkpelfwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\glJqk\ = "gvniO}SCoN|" | vndfzglnyxa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\pszpftrq | zwzlqiewlfz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\MoxukJ\ = "r|GSU@b[zOWKen@AbtX" | dlzjympxwov.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\tryCpckf\ = "hbUN}hXIuJLQMl|h^SHX}~aRtD{" | abvzmjvbisu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\uOggchbzm\ = "jzPg{z_jDSzuEzKX|gp|" | nbgziolkodr.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\LuyIcgVQtQpf | xjcdqrmnbjx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048} | meqedpemuhi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\tryCpckf\ = "xbUN}iCIeJLQMl|h^SHX}~aRtD{" | uhhvvuwedgi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\tryCpckf\ = "HbUN}j\x7fIUJLQMl|h^SHX}~aRtD{" | ivqujdysypr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\MoxukJ\ = "r|GSU@b[zOWKen@Ab}X" | zpujsjfxkch.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\tryCpckf\ = "hbUN}inIuJLQMl|h^SHX}~aRtD{" | vnjmqyqkbaz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\pszpftrq\ = "_YoLQvmCDNaXgnPZlzaUEpC" | lpeqdtxvjie.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\SbcUdUtukGb | lezohgflmby.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\glJqk\ = "GBniO}q~cbR" | zpujsjfxkch.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\glJqk | yguenmkzfly.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\glJqk\ = "GnniO~GBw_w" | goulgremjfm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\glJqk\ = "gnniO|_\\nx\\" | wscgkwjhqsh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\MoxukJ\ = "r|GSU@b[zOWKen@AaCX" | tvtxeusygyb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\MoxukJ\ = "r|GSU@b[zOWKen@AaOX" | wscgkwjhqsh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\glJqk\ = "gBniO~XZGxP" | ruivjcyhhgn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\glJqk | trewvjtaxci.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\LuyIcgVQtQpf | kyqwacxnjwu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\pszpftrq\ = "_YoLQvmCDNaXgnPZlzaUEpC" | vmrditnbuqd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\glJqk | nelemdcowrv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\tryCpckf\ = "xbUN}h^IeJLQMl|h^SHX}~aRtD{" | achvsdezrkc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\glJqk\ = "w~niO\x7fclyT}" | jmvvqjggmfh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\LuyIcgVQtQpf\ = "rB}j{gGIQ@rmvdw[dsFeH" | iiuqzhsneug.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\glJqk\ = "GvniO}ODsA@" | obbzqujeqne.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\LuyIcgVQtQpf | rplojabkbjf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\tryCpckf\ = "hbUN}k{IuJLQMl|h^SHX}~aRtD{" | sbctwszycfa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\glJqk | lsrrmoycxjv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\pszpftrq | pupddejqwpw.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\tryCpckf | xddmkhlfgjf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\LuyIcgVQtQpf\ = "rB}j{gGIQ@rmvdw[dsFeA" | fdfczkwfgut.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\pszpftrq | mnizlmdjvtz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\LuyIcgVQtQpf | kssqxvoeaik.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\tryCpckf | krsoodajomj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\tryCpckf\ = "hbUN}i_IuJLQMl|h^SHX}~aRtD{" | tpvmnnodygz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\tryCpckf\ = "xbUN}jpIeJLQMl|h^SHX}~aRtD{" | zdiiaccmtpf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\LuyIcgVQtQpf\ = "rB}j{gGIQ@rmvdw[dsFeb" | mlheftmgrup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\tryCpckf | zocehlacdwr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\LuyIcgVQtQpf\ = "rB}j{gGIQ@rmvdw[dsFeB" | nonpsnuopsh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\uOggchbzm | xcnmiuhlwqm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\tryCpckf\ = "xbUN}hUIeJLQMl|h^SHX}~aRtD{" | vyrxtuyipmm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\uOggchbzm | rlmbfjmaypa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\tryCpckf\ = "HbUN}jSIUJLQMl|h^SHX}~aRtD{" | tnunthviwwa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\MoxukJ\ = "r|GSU@b[zOWKen@AcyX" | thkrhlhdtok.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\tryCpckf | dltiqfgwvtk.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)

description | pid | Process
Token: 33 | 2604 | e99f6ab90c467e6f67379912be367664_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege | 2604 | e99f6ab90c467e6f67379912be367664_JaffaCakes118.exe
Token: 33 | 2632 | rkhckxjrabj.exe
Token: SeIncBasePriorityPrivilege | 2632 | rkhckxjrabj.exe
Token: 33 | 2792 | mipxnuzqayr.exe
Token: SeIncBasePriorityPrivilege | 2792 | mipxnuzqayr.exe
Token: 33 | 2312 | abtacyyecph.exe
Token: SeIncBasePriorityPrivilege | 2312 | abtacyyecph.exe
Token: 33 | 600 | ocmfywueksz.exe
Token: SeIncBasePriorityPrivilege | 600 | ocmfywueksz.exe
Token: 33 | 2052 | iiuqzhsneug.exe
Token: SeIncBasePriorityPrivilege | 2052 | iiuqzhsneug.exe
Token: 33 | 2544 | kddqndtlfzj.exe
Token: SeIncBasePriorityPrivilege | 2544 | kddqndtlfzj.exe
Token: 33 | 832 | zwsdxzwclng.exe
Token: SeIncBasePriorityPrivilege | 832 | zwsdxzwclng.exe
Token: 33 | 3024 | bwftbknszwk.exe
Token: SeIncBasePriorityPrivilege | 3024 | bwftbknszwk.exe
Token: 33 | 2396 | vfxinzrdgus.exe
Token: SeIncBasePriorityPrivilege | 2396 | vfxinzrdgus.exe
Token: 33 | 2860 | kcpgfmixhnp.exe
Token: SeIncBasePriorityPrivilege | 2860 | kcpgfmixhnp.exe
Token: 33 | 2680 | azporerrane.exe
Token: SeIncBasePriorityPrivilege | 2680 | azporerrane.exe
Token: 33 | 2796 | ohhrsdukvtu.exe
Token: SeIncBasePriorityPrivilege | 2796 | ohhrsdukvtu.exe
Token: 33 | 556 | gsvjabuicua.exe
Token: SeIncBasePriorityPrivilege | 556 | gsvjabuicua.exe
Token: 33 | 1708 | aylmcqbicri.exe
Token: SeIncBasePriorityPrivilege | 1708 | aylmcqbicri.exe
Token: 33 | 756 | vesodbgqwtp.exe
Token: SeIncBasePriorityPrivilege | 756 | vesodbgqwtp.exe
Token: 33 | 1612 | nhhzflrgjpw.exe
Token: SeIncBasePriorityPrivilege | 1612 | nhhzflrgjpw.exe
Token: 33 | 1932 | cepzslarkpl.exe
Token: SeIncBasePriorityPrivilege | 1932 | cepzslarkpl.exe
Token: 33 | 1716 | xvicpabulla.exe
Token: SeIncBasePriorityPrivilege | 1716 | xvicpabulla.exe
Token: 33 | 2388 | jbaedjmylyg.exe
Token: SeIncBasePriorityPrivilege | 2388 | jbaedjmylyg.exe
Token: 33 | 2928 | cickacgcful.exe
Token: SeIncBasePriorityPrivilege | 2928 | cickacgcful.exe
Token: 33 | 1704 | hnvrtmtkrve.exe
Token: SeIncBasePriorityPrivilege | 1704 | hnvrtmtkrve.exe
Token: 33 | 572 | zjuxensdlsc.exe
Token: SeIncBasePriorityPrivilege | 572 | zjuxensdlsc.exe
Token: 33 | 1828 | jiyuomzdlqg.exe
Token: SeIncBasePriorityPrivilege | 1828 | jiyuomzdlqg.exe
Token: 33 | 1796 | thkrhlhdtok.exe
Token: SeIncBasePriorityPrivilege | 1796 | thkrhlhdtok.exe
Token: 33 | 2292 | blmfqwksgdf.exe
Token: SeIncBasePriorityPrivilege | 2292 | blmfqwksgdf.exe
Token: 33 | 408 | kokplzyvsoj.exe
Token: SeIncBasePriorityPrivilege | 408 | kokplzyvsoj.exe
Token: 33 | 2072 | vvomwyyutmn.exe
Token: SeIncBasePriorityPrivilege | 2072 | vvomwyyutmn.exe
Token: 33 | 1720 | eydxjbmofxr.exe
Token: SeIncBasePriorityPrivilege | 1720 | eydxjbmofxr.exe
Token: 33 | 2704 | ptehzvnutjd.exe
Token: SeIncBasePriorityPrivilege | 2704 | ptehzvnutjd.exe
Token: 33 | 1812 | fjqpxfqiujr.exe
Token: SeIncBasePriorityPrivilege | 1812 | fjqpxfqiujr.exe
Token: 33 | 2124 | mrlhsusautm.exe
Token: SeIncBasePriorityPrivilege | 2124 | mrlhsusautm.exe
Suspicious use of WriteProcessMemory 64 IoCs
description                       pid   Process                                              procid_target
PID 2604 wrote to memory of 2632  2604  e99f6ab90c467e6f67379912be367664_JaffaCakes118.exe  30
PID 2604 wrote to memory of 2632  2604  e99f6ab90c467e6f67379912be367664_JaffaCakes118.exe  30
PID 2604 wrote to memory of 2632  2604  e99f6ab90c467e6f67379912be367664_JaffaCakes118.exe  30
PID 2604 wrote to memory of 2632  2604  e99f6ab90c467e6f67379912be367664_JaffaCakes118.exe  30
PID 2632 wrote to memory of 2792  2632  rkhckxjrabj.exe                                      31
PID 2632 wrote to memory of 2792  2632  rkhckxjrabj.exe                                      31
PID 2632 wrote to memory of 2792  2632  rkhckxjrabj.exe                                      31
PID 2632 wrote to memory of 2792  2632  rkhckxjrabj.exe                                      31
PID 2792 wrote to memory of 2312  2792  mipxnuzqayr.exe                                      32
PID 2792 wrote to memory of 2312  2792  mipxnuzqayr.exe                                      32
PID 2792 wrote to memory of 2312  2792  mipxnuzqayr.exe                                      32
PID 2792 wrote to memory of 2312  2792  mipxnuzqayr.exe                                      32
PID 2312 wrote to memory of 600   2312  abtacyyecph.exe                                      33
PID 2312 wrote to memory of 600   2312  abtacyyecph.exe                                      33
PID 2312 wrote to memory of 600   2312  abtacyyecph.exe                                      33
PID 2312 wrote to memory of 600   2312  abtacyyecph.exe                                      33
PID 600 wrote to memory of 2052   600   ocmfywueksz.exe                                      34
PID 600 wrote to memory of 2052   600   ocmfywueksz.exe                                      34
PID 600 wrote to memory of 2052   600   ocmfywueksz.exe                                      34
PID 600 wrote to memory of 2052   600   ocmfywueksz.exe                                      34
PID 2052 wrote to memory of 2544  2052  iiuqzhsneug.exe                                      35
PID 2052 wrote to memory of 2544  2052  iiuqzhsneug.exe                                      35
PID 2052 wrote to memory of 2544  2052  iiuqzhsneug.exe                                      35
PID 2052 wrote to memory of 2544  2052  iiuqzhsneug.exe                                      35
PID 2544 wrote to memory of 832   2544  kddqndtlfzj.exe                                      36
PID 2544 wrote to memory of 832   2544  kddqndtlfzj.exe                                      36
PID 2544 wrote to memory of 832   2544  kddqndtlfzj.exe                                      36
PID 2544 wrote to memory of 832   2544  kddqndtlfzj.exe                                      36
PID 832 wrote to memory of 3024   832   zwsdxzwclng.exe                                      37
PID 832 wrote to memory of 3024   832   zwsdxzwclng.exe                                      37
PID 832 wrote to memory of 3024   832   zwsdxzwclng.exe                                      37
PID 832 wrote to memory of 3024   832   zwsdxzwclng.exe                                      37
PID 3024 wrote to memory of 2396  3024  bwftbknszwk.exe                                      38
PID 3024 wrote to memory of 2396  3024  bwftbknszwk.exe                                      38
PID 3024 wrote to memory of 2396  3024  bwftbknszwk.exe                                      38
PID 3024 wrote to memory of 2396  3024  bwftbknszwk.exe                                      38
PID 2396 wrote to memory of 2860  2396  vfxinzrdgus.exe                                      39
PID 2396 wrote to memory of 2860  2396  vfxinzrdgus.exe                                      39
PID 2396 wrote to memory of 2860  2396  vfxinzrdgus.exe                                      39
PID 2396 wrote to memory of 2860  2396  vfxinzrdgus.exe                                      39
PID 2860 wrote to memory of 2680  2860  kcpgfmixhnp.exe                                      40
PID 2860 wrote to memory of 2680  2860  kcpgfmixhnp.exe                                      40
PID 2860 wrote to memory of 2680  2860  kcpgfmixhnp.exe                                      40
PID 2860 wrote to memory of 2680  2860  kcpgfmixhnp.exe                                      40
PID 2680 wrote to memory of 2796  2680  azporerrane.exe                                      41
PID 2680 wrote to memory of 2796  2680  azporerrane.exe                                      41
PID 2680 wrote to memory of 2796  2680  azporerrane.exe                                      41
PID 2680 wrote to memory of 2796  2680  azporerrane.exe                                      41
PID 2796 wrote to memory of 556   2796  ohhrsdukvtu.exe                                      42
PID 2796 wrote to memory of 556   2796  ohhrsdukvtu.exe                                      42
PID 2796 wrote to memory of 556   2796  ohhrsdukvtu.exe                                      42
PID 2796 wrote to memory of 556   2796  ohhrsdukvtu.exe                                      42
PID 556 wrote to memory of 1708   556   gsvjabuicua.exe                                      43
PID 556 wrote to memory of 1708   556   gsvjabuicua.exe                                      43
PID 556 wrote to memory of 1708   556   gsvjabuicua.exe                                      43
PID 556 wrote to memory of 1708   556   gsvjabuicua.exe                                      43
PID 1708 wrote to memory of 756   1708  aylmcqbicri.exe                                      44
PID 1708 wrote to memory of 756   1708  aylmcqbicri.exe                                      44
PID 1708 wrote to memory of 756   1708  aylmcqbicri.exe                                      44
PID 1708 wrote to memory of 756   1708  aylmcqbicri.exe                                      44
PID 756 wrote to memory of 1612   756   vesodbgqwtp.exe                                      45
PID 756 wrote to memory of 1612   756   vesodbgqwtp.exe                                      45
PID 756 wrote to memory of 1612   756   vesodbgqwtp.exe                                      45
PID 756 wrote to memory of 1612   756   vesodbgqwtp.exe                                      45
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\e99f6ab90c467e6f67379912be367664_JaffaCakes118.exe (PID 2604)
    Command line: "C:\Users\Admin\AppData\Local\Temp\e99f6ab90c467e6f67379912be367664_JaffaCakes118.exe"
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
Level 2: C:\Windows\SysWOW64\rkhckxjrabj.exe (PID 2632)
    Command line: C:\Windows\system32\rkhckxjrabj.exe 744 "C:\Users\Admin\AppData\Local\Temp\e99f6ab90c467e6f67379912be367664_JaffaCakes118.exe"
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
Level 3: C:\Windows\SysWOW64\mipxnuzqayr.exe (PID 2792)
    Command line: C:\Windows\system32\mipxnuzqayr.exe 680 "C:\Windows\SysWOW64\rkhckxjrabj.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
Level 4: C:\Windows\SysWOW64\abtacyyecph.exe (PID 2312)
    Command line: C:\Windows\system32\abtacyyecph.exe 748 "C:\Windows\SysWOW64\mipxnuzqayr.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
Level 5: C:\Windows\SysWOW64\ocmfywueksz.exe (PID 600)
    Command line: C:\Windows\system32\ocmfywueksz.exe 664 "C:\Windows\SysWOW64\abtacyyecph.exe"
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
Level 6: C:\Windows\SysWOW64\iiuqzhsneug.exe (PID 2052)
    Command line: C:\Windows\system32\iiuqzhsneug.exe 760 "C:\Windows\SysWOW64\ocmfywueksz.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
Level 7: C:\Windows\SysWOW64\kddqndtlfzj.exe (PID 2544)
    Command line: C:\Windows\system32\kddqndtlfzj.exe 668 "C:\Windows\SysWOW64\iiuqzhsneug.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
Level 8: C:\Windows\SysWOW64\zwsdxzwclng.exe (PID 832)
    Command line: C:\Windows\system32\zwsdxzwclng.exe 764 "C:\Windows\SysWOW64\kddqndtlfzj.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
Level 9: C:\Windows\SysWOW64\bwftbknszwk.exe (PID 3024)
    Command line: C:\Windows\system32\bwftbknszwk.exe 672 "C:\Windows\SysWOW64\zwsdxzwclng.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
Level 10: C:\Windows\SysWOW64\vfxinzrdgus.exe (PID 2396)
    Command line: C:\Windows\system32\vfxinzrdgus.exe 772 "C:\Windows\SysWOW64\bwftbknszwk.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
Level 11: C:\Windows\SysWOW64\kcpgfmixhnp.exe (PID 2860)
    Command line: C:\Windows\system32\kcpgfmixhnp.exe 720 "C:\Windows\SysWOW64\vfxinzrdgus.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
Level 12: C:\Windows\SysWOW64\azporerrane.exe (PID 2680)
    Command line: C:\Windows\system32\azporerrane.exe 784 "C:\Windows\SysWOW64\kcpgfmixhnp.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
Level 13: C:\Windows\SysWOW64\ohhrsdukvtu.exe (PID 2796)
    Command line: C:\Windows\system32\ohhrsdukvtu.exe 712 "C:\Windows\SysWOW64\azporerrane.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
Level 14: C:\Windows\SysWOW64\gsvjabuicua.exe (PID 556)
    Command line: C:\Windows\system32\gsvjabuicua.exe 788 "C:\Windows\SysWOW64\ohhrsdukvtu.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
Level 15: C:\Windows\SysWOW64\aylmcqbicri.exe (PID 1708)
    Command line: C:\Windows\system32\aylmcqbicri.exe 724 "C:\Windows\SysWOW64\gsvjabuicua.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
Level 16: C:\Windows\SysWOW64\vesodbgqwtp.exe (PID 756)
    Command line: C:\Windows\system32\vesodbgqwtp.exe 756 "C:\Windows\SysWOW64\aylmcqbicri.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
Level 17: C:\Windows\SysWOW64\nhhzflrgjpw.exe (PID 1612)
    Command line: C:\Windows\system32\nhhzflrgjpw.exe 676 "C:\Windows\SysWOW64\vesodbgqwtp.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Level 18: C:\Windows\SysWOW64\cepzslarkpl.exe (PID 1932)
    Command line: C:\Windows\system32\cepzslarkpl.exe 804 "C:\Windows\SysWOW64\nhhzflrgjpw.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
Level 19: C:\Windows\SysWOW64\xvicpabulla.exe (PID 1716)
    Command line: C:\Windows\system32\xvicpabulla.exe 688 "C:\Windows\SysWOW64\cepzslarkpl.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
Level 20: C:\Windows\SysWOW64\jbaedjmylyg.exe (PID 2388)
    Command line: C:\Windows\system32\jbaedjmylyg.exe 812 "C:\Windows\SysWOW64\xvicpabulla.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
Level 21: C:\Windows\SysWOW64\cickacgcful.exe (PID 2928)
    Command line: C:\Windows\system32\cickacgcful.exe 816 "C:\Windows\SysWOW64\jbaedjmylyg.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
Level 22: C:\Windows\SysWOW64\hnvrtmtkrve.exe (PID 1704)
    Command line: C:\Windows\system32\hnvrtmtkrve.exe 820 "C:\Windows\SysWOW64\cickacgcful.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
Level 23: C:\Windows\SysWOW64\zjuxensdlsc.exe (PID 572)
    Command line: C:\Windows\system32\zjuxensdlsc.exe 824 "C:\Windows\SysWOW64\hnvrtmtkrve.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
Level 24: C:\Windows\SysWOW64\jiyuomzdlqg.exe (PID 1828)
    Command line: C:\Windows\system32\jiyuomzdlqg.exe 828 "C:\Windows\SysWOW64\zjuxensdlsc.exe"
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
Level 25: C:\Windows\SysWOW64\thkrhlhdtok.exe (PID 1796)
    Command line: C:\Windows\system32\thkrhlhdtok.exe 836 "C:\Windows\SysWOW64\jiyuomzdlqg.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
Level 26: C:\Windows\SysWOW64\blmfqwksgdf.exe (PID 2292)
    Command line: C:\Windows\system32\blmfqwksgdf.exe 832 "C:\Windows\SysWOW64\thkrhlhdtok.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
Level 27: C:\Windows\SysWOW64\kokplzyvsoj.exe (PID 408)
    Command line: C:\Windows\system32\kokplzyvsoj.exe 840 "C:\Windows\SysWOW64\blmfqwksgdf.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
Level 28: C:\Windows\SysWOW64\vvomwyyutmn.exe (PID 2072)
    Command line: C:\Windows\system32\vvomwyyutmn.exe 844 "C:\Windows\SysWOW64\kokplzyvsoj.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
Level 29: C:\Windows\SysWOW64\eydxjbmofxr.exe (PID 1720)
    Command line: C:\Windows\system32\eydxjbmofxr.exe 848 "C:\Windows\SysWOW64\vvomwyyutmn.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Level 30: C:\Windows\SysWOW64\ptehzvnutjd.exe (PID 2704)
    Command line: C:\Windows\system32\ptehzvnutjd.exe 856 "C:\Windows\SysWOW64\eydxjbmofxr.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
Level 31: C:\Windows\SysWOW64\fjqpxfqiujr.exe (PID 1812)
    Command line: C:\Windows\system32\fjqpxfqiujr.exe 860 "C:\Windows\SysWOW64\ptehzvnutjd.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
Level 32: C:\Windows\SysWOW64\mrlhsusautm.exe (PID 2124)
    Command line: C:\Windows\system32\mrlhsusautm.exe 852 "C:\Windows\SysWOW64\fjqpxfqiujr.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
Level 33: C:\Windows\SysWOW64\ywukgldeufa.exe (PID 468)
    Command line: C:\Windows\system32\ywukgldeufa.exe 864 "C:\Windows\SysWOW64\mrlhsusautm.exe"
    - Executes dropped EXE
Level 34: C:\Windows\SysWOW64\dylfwrjkbtt.exe (PID 2156)
    Command line: C:\Windows\system32\dylfwrjkbtt.exe 868 "C:\Windows\SysWOW64\ywukgldeufa.exe"
    - Executes dropped EXE
Level 35: C:\Windows\SysWOW64\vmbkhsqlvqr.exe (PID 3056)
    Command line: C:\Windows\system32\vmbkhsqlvqr.exe 872 "C:\Windows\SysWOW64\dylfwrjkbtt.exe"
    - Executes dropped EXE
Level 36: C:\Windows\SysWOW64\vbzpyataoor.exe (PID 1884)
    Command line: C:\Windows\system32\vbzpyataoor.exe 684 "C:\Windows\SysWOW64\vmbkhsqlvqr.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
Level 37: C:\Windows\SysWOW64\qssfcqxlvmz.exe (PID 1980)
    Command line: C:\Windows\system32\qssfcqxlvmz.exe 880 "C:\Windows\SysWOW64\vbzpyataoor.exe"
    - Executes dropped EXE
Level 38: C:\Windows\SysWOW64\xanfwfgvuoc.exe (PID 1484)
    Command line: C:\Windows\system32\xanfwfgvuoc.exe 884 "C:\Windows\SysWOW64\qssfcqxlvmz.exe"
    - Executes dropped EXE
Level 39: C:\Windows\SysWOW64\nqzfdpkswwq.exe (PID 2836)
    Command line: C:\Windows\system32\nqzfdpkswwq.exe 888 "C:\Windows\SysWOW64\xanfwfgvuoc.exe"
    - Executes dropped EXE
Level 40: C:\Windows\SysWOW64\uxmfpeucvyt.exe (PID 2896)
    Command line: C:\Windows\system32\uxmfpeucvyt.exe 892 "C:\Windows\SysWOW64\nqzfdpkswwq.exe"
    - Executes dropped EXE
Level 41: C:\Windows\SysWOW64\hkevvisokgf.exe (PID 2044)
    Command line: C:\Windows\system32\hkevvisokgf.exe 896 "C:\Windows\SysWOW64\uxmfpeucvyt.exe"
    - Executes dropped EXE
Level 42: C:\Windows\SysWOW64\owcascbbwvb.exe (PID 1888)
    Command line: C:\Windows\system32\owcascbbwvb.exe 900 "C:\Windows\SysWOW64\hkevvisokgf.exe"
    - Executes dropped EXE
Level 43: C:\Windows\SysWOW64\eloiyteyxdp.exe (PID 2316)
    Command line: C:\Windows\system32\eloiyteyxdp.exe 916 "C:\Windows\SysWOW64\owcascbbwvb.exe"
    - Executes dropped EXE
Level 44: C:\Windows\SysWOW64\eqyniehoksr.exe (PID 2032)
    Command line: C:\Windows\system32\eqyniehoksr.exe 904 "C:\Windows\SysWOW64\eloiyteyxdp.exe"
    - Checks BIOS information in registry
    - Executes dropped EXE
Level 45: C:\Windows\SysWOW64\osnxdhnixdw.exe (PID 1772)
    Command line: C:\Windows\system32\osnxdhnixdw.exe 908 "C:\Windows\SysWOW64\eqyniehoksr.exe"
    - Checks BIOS information in registry
    - Executes dropped EXE
Level 46: C:\Windows\SysWOW64\vajypxxaenq.exe (PID 1792)
    Command line: C:\Windows\system32\vajypxxaenq.exe 912 "C:\Windows\SysWOW64\osnxdhnixdw.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
Level 47: C:\Windows\SysWOW64\inanvbwfknd.exe (PID 928)
    Command line: C:\Windows\system32\inanvbwfknd.exe 920 "C:\Windows\SysWOW64\vajypxxaenq.exe"
    - Executes dropped EXE
Level 48: C:\Windows\SysWOW64\syqyqekhfyh.exe (PID 1732)
    Command line: C:\Windows\system32\syqyqekhfyh.exe 924 "C:\Windows\SysWOW64\inanvbwfknd.exe"
    - Checks BIOS information in registry
    - Executes dropped EXE
Level 49: C:\Windows\SysWOW64\flznwijllxu.exe (PID 2096)
    Command line: C:\Windows\system32\flznwijllxu.exe 928 "C:\Windows\SysWOW64\syqyqekhfyh.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
Level 50: C:\Windows\SysWOW64\mwgttbrgfup.exe (PID 1648)
    Command line: C:\Windows\system32\mwgttbrgfup.exe 932 "C:\Windows\SysWOW64\flznwijllxu.exe"
    - Checks BIOS information in registry
    - Executes dropped EXE
Level 51: C:\Windows\SysWOW64\ajpizxqlmtc.exe (PID 316)
    Command line: C:\Windows\system32\ajpizxqlmtc.exe 936 "C:\Windows\SysWOW64\mwgttbrgfup.exe"
    - Executes dropped EXE
Level 52: C:\Windows\SysWOW64\wvliyniomeu.exe (PID 2908)
    Command line: C:\Windows\system32\wvliyniomeu.exe 876 "C:\Windows\SysWOW64\ajpizxqlmtc.exe"
    - Executes dropped EXE
Level 53: C:\Windows\SysWOW64\ogybfkjvsfs.exe (PID 876)
    Command line: C:\Windows\system32\ogybfkjvsfs.exe 944 "C:\Windows\SysWOW64\wvliyniomeu.exe"
    - Executes dropped EXE
Level 54: C:\Windows\SysWOW64\wciopvllncu.exe (PID 2344)
    Command line: C:\Windows\system32\wciopvllncu.exe 952 "C:\Windows\SysWOW64\ogybfkjvsfs.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
Level 55: C:\Windows\SysWOW64\jbdqxdrsgph.exe (PID 2276)
    Command line: C:\Windows\system32\jbdqxdrsgph.exe 956 "C:\Windows\SysWOW64\wciopvllncu.exe"
    - Executes dropped EXE
Level 56: C:\Windows\SysWOW64\laryvienuok.exe (PID 952)
    Command line: C:\Windows\system32\laryvienuok.exe 948 "C:\Windows\SysWOW64\jbdqxdrsgph.exe"
    - Executes dropped EXE
Level 57: C:\Windows\SysWOW64\dzulabgrolp.exe (PID 1504)
    Command line: C:\Windows\system32\dzulabgrolp.exe 960 "C:\Windows\SysWOW64\laryvienuok.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
Level 58: C:\Windows\SysWOW64\kssqxvoeaik.exe (PID 2416)
    Command line: C:\Windows\system32\kssqxvoeaik.exe 964 "C:\Windows\SysWOW64\dzulabgrolp.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
Level 59: C:\Windows\SysWOW64\xfkgdynjphx.exe (PID 2740)
    Command line: C:\Windows\system32\xfkgdynjphx.exe 968 "C:\Windows\SysWOW64\kssqxvoeaik.exe"
    - Executes dropped EXE
Level 60: C:\Windows\SysWOW64\ieodnxvipfb.exe (PID 1492)
    Command line: C:\Windows\system32\ieodnxvipfb.exe 972 "C:\Windows\SysWOW64\xfkgdynjphx.exe"
    - Executes dropped EXE
    - Modifies registry class
Level 61: C:\Windows\SysWOW64\rplojabkbjf.exe (PID 2224)
    Command line: C:\Windows\system32\rplojabkbjf.exe 976 "C:\Windows\SysWOW64\ieodnxvipfb.exe"
    - Executes dropped EXE
    - Modifies registry class
Level 62: C:\Windows\SysWOW64\ucoqebqdvdi.exe (PID 2588)
    Command line: C:\Windows\system32\ucoqebqdvdi.exe 984 "C:\Windows\SysWOW64\rplojabkbjf.exe"
    - Checks BIOS information in registry
    - Executes dropped EXE
Level 63: C:\Windows\SysWOW64\oekoczorctw.exe (PID 1164)
    Command line: C:\Windows\system32\oekoczorctw.exe 980 "C:\Windows\SysWOW64\ucoqebqdvdi.exe"
    - Executes dropped EXE
Level 64: C:\Windows\SysWOW64\trewvjtaxci.exe (PID 700)
    Command line: C:\Windows\system32\trewvjtaxci.exe 988 "C:\Windows\SysWOW64\oekoczorctw.exe"
    - Executes dropped EXE
    - Modifies registry class
Level 65: C:\Windows\SysWOW64\gxvyjseewow.exe (PID 2772)
    Command line: C:\Windows\system32\gxvyjseewow.exe 1000 "C:\Windows\SysWOW64\trewvjtaxci.exe"
    - Executes dropped EXE
Level 66: C:\Windows\SysWOW64\lcpgccjmjxh.exe (PID 2608)
    Command line: C:\Windows\system32\lcpgccjmjxh.exe 992 "C:\Windows\SysWOW64\gxvyjseewow.exe"
    - Checks BIOS information in registry
Level 67: C:\Windows\SysWOW64\dmczczjkpzn.exe (PID 2804)
    Command line: C:\Windows\system32\dmczczjkpzn.exe 996 "C:\Windows\SysWOW64\lcpgccjmjxh.exe"
Level 68: C:\Windows\SysWOW64\krmeukuakwh.exe (PID 1760)
    Command line: C:\Windows\system32\krmeukuakwh.exe 1004 "C:\Windows\SysWOW64\dmczczjkpzn.exe"
    - Drops file in System32 directory
Level 69: C:\Windows\SysWOW64\agymabpxewd.exe (PID 2852)
    Command line: C:\Windows\system32\agymabpxewd.exe 1008 "C:\Windows\SysWOW64\krmeukuakwh.exe"
Level 70: C:\Windows\SysWOW64\hswrpvgjytz.exe (PID 484)
    Command line: C:\Windows\system32\hswrpvgjytz.exe 1012 "C:\Windows\SysWOW64\agymabpxewd.exe"
Level 71: C:\Windows\SysWOW64\uqruyddrrfm.exe (PID 2368)
    Command line: C:\Windows\system32\uqruyddrrfm.exe 1028 "C:\Windows\SysWOW64\hswrpvgjytz.exe"
Level 72: C:\Windows\SysWOW64\hhuwpdjyrsz.exe (PID 1312)
    Command line: C:\Windows\system32\hhuwpdjyrsz.exe 1016 "C:\Windows\SysWOW64\uqruyddrrfm.exe"
    - Modifies registry class
Level 73: C:\Windows\SysWOW64\uxpzxmofsem.exe (PID 988)
    Command line: C:\Windows\system32\uxpzxmofsem.exe 1020 "C:\Windows\SysWOW64\hhuwpdjyrsz.exe"
Level 74: C:\Windows\SysWOW64\eebwikwfscq.exe (PID 2976)
    Command line: C:\Windows\system32\eebwikwfscq.exe 1036 "C:\Windows\SysWOW64\uxpzxmofsem.exe"
Level 75: C:\Windows\SysWOW64\ryhmtpaogbd.exe (PID 1408)
    Command line: C:\Windows\system32\ryhmtpaogbd.exe 1032 "C:\Windows\SysWOW64\eebwikwfscq.exe"
Level 76: C:\Windows\SysWOW64\yguenmkzfly.exe (PID 1752)
    Command line: C:\Windows\system32\yguenmkzfly.exe 1052 "C:\Windows\SysWOW64\ryhmtpaogbd.exe"
    - Modifies registry class
Level 77: C:\Windows\SysWOW64\liauzroitlm.exe (PID 2328)
    Command line: C:\Windows\system32\liauzroitlm.exe 1040 "C:\Windows\SysWOW64\yguenmkzfly.exe"
Level 78: C:\Windows\SysWOW64\smlhikryfig.exe (PID 2684)
    Command line: C:\Windows\system32\smlhikryfig.exe 1048 "C:\Windows\SysWOW64\liauzroitlm.exe"
Level 79: C:\Windows\SysWOW64\fdfczkwfgut.exe (PID 1684)
    Command line: C:\Windows\system32\fdfczkwfgut.exe 1044 "C:\Windows\SysWOW64\smlhikryfig.exe"
    - Drops file in System32 directory
    - Modifies registry class
Level 80: C:\Windows\SysWOW64\nkbclhgxgwo.exe (PID 908)
    Command line: C:\Windows\system32\nkbclhgxgwo.exe 1064 "C:\Windows\SysWOW64\fdfczkwfgut.exe"
    - System Location Discovery: System Language Discovery
Level 81: C:\Windows\SysWOW64\xrfzvgnxgus.exe (PID 752)
    Command line: C:\Windows\system32\xrfzvgnxgus.exe 1056 "C:\Windows\SysWOW64\nkbclhgxgwo.exe"
    - Drops file in System32 directory
Level 82: C:\Windows\SysWOW64\fopmnrqnbrm.exe (PID 1900)
    Command line: C:\Windows\system32\fopmnrqnbrm.exe 1072 "C:\Windows\SysWOW64\xrfzvgnxgus.exe"
    - Checks BIOS information in registry
Level 83: C:\Windows\SysWOW64\rqvuywuwoqa.exe (PID 2236)
    Command line: C:\Windows\system32\rqvuywuwoqa.exe 1060 "C:\Windows\SysWOW64\fopmnrqnbrm.exe"
Level 84: C:\Windows\SysWOW64\clwmgqvucbd.exe (PID 2624)
    Command line: C:\Windows\system32\clwmgqvucbd.exe 1068 "C:\Windows\SysWOW64\rqvuywuwoqa.exe"
    - System Location Discovery: System Language Discovery
Level 85: C:\Windows\SysWOW64\lzxceyiqbai.exe (PID 1296)
    Command line: C:\Windows\system32\lzxceyiqbai.exe 1076 "C:\Windows\SysWOW64\clwmgqvucbd.exe"
    - Checks BIOS information in registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
Level 86: C:\Windows\SysWOW64\wvqulsjnolm.exe (PID 1776)
    Command line: C:\Windows\system32\wvqulsjnolm.exe 1080 "C:\Windows\SysWOW64\lzxceyiqbai.exe"
    - Drops file in System32 directory
Level 87: C:\Windows\SysWOW64\gxnfhvxpbwq.exe (PID 1488)
    Command line: C:\Windows\system32\gxnfhvxpbwq.exe 1092 "C:\Windows\SysWOW64\wvqulsjnolm.exe"
Level 88: C:\Windows\SysWOW64\ifrcruxpbuc.exe (PID 3008)
    Command line: C:\Windows\system32\ifrcruxpbuc.exe 1084 "C:\Windows\SysWOW64\gxnfhvxpbwq.exe"
Level 89: C:\Windows\SysWOW64\xmdkymaevvq.exe (PID 1860)
    Command line: C:\Windows\system32\xmdkymaevvq.exe 1096 "C:\Windows\SysWOW64\ifrcruxpbuc.exe"
Level 90: C:\Windows\SysWOW64\fuyckbkwcfl.exe (PID 1972)
    Command line: C:\Windows\system32\fuyckbkwcfl.exe 1088 "C:\Windows\SysWOW64\xmdkymaevvq.exe"
    - System Location Discovery: System Language Discovery
Level 91: C:\Windows\SysWOW64\ukkkrlolwfh.exe (PID 2968)
    Command line: C:\Windows\system32\ukkkrlolwfh.exe 1100 "C:\Windows\SysWOW64\fuyckbkwcfl.exe"
Level 92: C:\Windows\SysWOW64\cvipoewfqcc.exe (PID 2904)
    Command line: C:\Windows\system32\cvipoewfqcc.exe 1104 "C:\Windows\SysWOW64\ukkkrlolwfh.exe"
Level 93: C:\Windows\SysWOW64\rpfcyayowqz.exe (PID 2696)
    Command line: C:\Windows\system32\rpfcyayowqz.exe 1108 "C:\Windows\SysWOW64\cvipoewfqcc.exe"
Level 94: C:\Windows\SysWOW64\bkgvfvzujbd.exe (PID 2088)
    Command line: C:\Windows\system32\bkgvfvzujbd.exe 1112 "C:\Windows\SysWOW64\rpfcyayowqz.exe"
    - Checks BIOS information in registry
Level 95: C:\Windows\SysWOW64\obbxovebknq.exe (PID 1528)
    Command line: C:\Windows\system32\obbxovebknq.exe 1116 "C:\Windows\SysWOW64\bkgvfvzujbd.exe"
Level 96: C:\Windows\SysWOW64\wiwpisotkxk.exe (PID 1108)
    Command line: C:\Windows\system32\wiwpisotkxk.exe 1120 "C:\Windows\SysWOW64\obbxovebknq.exe"
    - Checks BIOS information in registry
Level 97: C:\Windows\SysWOW64\ikcftxsvxwy.exe (PID 2424)
    Command line: C:\Windows\system32\ikcftxsvxwy.exe 1124 "C:\Windows\SysWOW64\wiwpisotkxk.exe"
Level 98: C:\Windows\SysWOW64\vbxicfycyjl.exe (PID 1904)
    Command line: C:\Windows\system32\vbxicfycyjl.exe 1128 "C:\Windows\SysWOW64\ikcftxsvxwy.exe"
Level 99: C:\Windows\SysWOW64\iddpnjclliz.exe (PID 2492)
    Command line: C:\Windows\system32\iddpnjclliz.exe 1132 "C:\Windows\SysWOW64\vbxicfycyjl.exe"
    - Checks BIOS information in registry
Level 100: C:\Windows\SysWOW64\nmlkepirlwj.exe (PID 1964)
    Command line: C:\Windows\system32\nmlkepirlwj.exe 1136 "C:\Windows\SysWOW64\iddpnjclliz.exe"
Level 101: C:\Windows\SysWOW64\fevdrvovzfq.exe (PID 1608)
    Command line: C:\Windows\system32\fevdrvovzfq.exe 1152 "C:\Windows\SysWOW64\nmlkepirlwj.exe"
    - Drops file in System32 directory
Level 102: C:\Windows\SysWOW64\paovzppsmqu.exe (PID 1628)
    Command line: C:\Windows\system32\paovzppsmqu.exe 1140 "C:\Windows\SysWOW64\fevdrvovzfq.exe"
Level 103: C:\Windows\SysWOW64\zklxmsduzcy.exe (PID 2832)
    Command line: C:\Windows\system32\zklxmsduzcy.exe 1144 "C:\Windows\SysWOW64\paovzppsmqu.exe"
    - System Location Discovery: System Language Discovery
Level 104: C:\Windows\SysWOW64\mxvvswczfbl.exe (PID 1924)
    Command line: C:\Windows\system32\mxvvswczfbl.exe 1148 "C:\Windows\SysWOW64\zklxmsduzcy.exe"
Level 105: C:\Windows\SysWOW64\zoqyawiggny.exe (PID 1940)
    Command line: C:\Windows\system32\zoqyawiggny.exe 1156 "C:\Windows\SysWOW64\mxvvswczfbl.exe"
Level 106: C:\Windows\SysWOW64\gvlqvujyops.exe (PID 900)
    Command line: C:\Windows\system32\gvlqvujyops.exe 1160 "C:\Windows\SysWOW64\zoqyawiggny.exe"
Level 107: C:\Windows\SysWOW64\tbdljcucgkh.exe (PID 3068)
    Command line: C:\Windows\system32\tbdljcucgkh.exe 1164 "C:\Windows\SysWOW64\gvlqvujyops.exe"
Level 108: C:\Windows\SysWOW64\etsqotwfhaj.exe (PID 2820)
    Command line: C:\Windows\system32\etsqotwfhaj.exe 808 "C:\Windows\SysWOW64\tbdljcucgkh.exe"
Level 109: C:\Windows\SysWOW64\qyjlkjhjguy.exe (PID 1580)
    Command line: C:\Windows\system32\qyjlkjhjguy.exe 1180 "C:\Windows\SysWOW64\etsqotwfhaj.exe"
    - Checks BIOS information in registry
Level 110: C:\Windows\SysWOW64\dltiqfgwvtk.exe (PID 2484)
    Command line: C:\Windows\system32\dltiqfgwvtk.exe 1172 "C:\Windows\SysWOW64\qyjlkjhjguy.exe"
    - Modifies registry class
Level 111: C:\Windows\SysWOW64\ktobcdqguvf.exe (PID 1352)
    Command line: C:\Windows\system32\ktobcdqguvf.exe 1176 "C:\Windows\SysWOW64\dltiqfgwvtk.exe"
Level 112: C:\Windows\SysWOW64\sbctwszycfa.exe (PID 2132)
    Command line: C:\Windows\system32\sbctwszycfa.exe 1184 "C:\Windows\SysWOW64\ktobcdqguvf.exe"
    - Modifies registry class
Level 113: C:\Windows\SysWOW64\huzoggbpitw.exe (PID 1984)
    Command line: C:\Windows\system32\huzoggbpitw.exe 1188 "C:\Windows\SysWOW64\sbctwszycfa.exe"
Level 114: C:\Windows\SysWOW64\mkdicunaopi.exe (PID 1344)
    Command line: C:\Windows\system32\mkdicunaopi.exe 1200 "C:\Windows\SysWOW64\huzoggbpitw.exe"
    - Modifies registry class
Level 115: C:\Windows\SysWOW64\esgozngwjdn.exe (PID 2136)
    Command line: C:\Windows\system32\esgozngwjdn.exe 1192 "C:\Windows\SysWOW64\mkdicunaopi.exe"
Level 116: C:\Windows\SysWOW64\orklrmowjbr.exe (PID 2240)
    Command line: C:\Windows\system32\orklrmowjbr.exe 1196 "C:\Windows\SysWOW64\esgozngwjdn.exe"
    - Drops file in System32 directory
Level 117: C:\Windows\SysWOW64\bhmoauudkne.exe (PID 2848)
    Command line: C:\Windows\system32\bhmoauudkne.exe 1204 "C:\Windows\SysWOW64\orklrmowjbr.exe"
Level 118: C:\Windows\SysWOW64\mgrlklbdkmi.exe (PID 2508)
    Command line: C:\Windows\system32\mgrlklbdkmi.exe 1208 "C:\Windows\SysWOW64\bhmoauudkne.exe"
    - System Location Discovery: System Language Discovery
Level 119: C:\Windows\SysWOW64\vvrjasgzjkn.exe (PID 1804)
    Command line: C:\Windows\system32\vvrjasgzjkn.exe 1212 "C:\Windows\SysWOW64\mgrlklbdkmi.exe"
    - Drops file in System32 directory
Level 120: C:\Windows\SysWOW64\itmljamgkwa.exe (PID 864)
    Command line: C:\Windows\system32\itmljamgkwa.exe 1216 "C:\Windows\SysWOW64\vvrjasgzjkn.exe"
Level 121: C:\Windows\SysWOW64\vkpozirndin.exe (PID 1672)
    Command line: C:\Windows\system32\vkpozirndin.exe 1220 "C:\Windows\SysWOW64\itmljamgkwa.exe"
    - Drops file in System32 directory
Level 122: C:\Windows\SysWOW64\fjtlkhznlhr.exe (PID 2560)
    Command line: C:\Windows\system32\fjtlkhznlhr.exe 1224 "C:\Windows\SysWOW64\vkpozirndin.exe"
    - System Location Discovery: System Language Discovery