Analysis
- max time kernel: 150s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-12-2024 03:14
Static task: static1
Behavioral task: behavioral1
  Sample: e99f6ab90c467e6f67379912be367664_JaffaCakes118.exe
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: e99f6ab90c467e6f67379912be367664_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
- Target: e99f6ab90c467e6f67379912be367664_JaffaCakes118.exe
- Size: 693KB
- MD5: e99f6ab90c467e6f67379912be367664
- SHA1: a2236b36e18c46941051590ecbc2f9b81089e7bb
- SHA256: dd1b98a578d4c4dac4064b9849630878b95fe9e06a8eb141c8612e660caeacee
- SHA512: 9718c7d0eecf1f1cd843a59554193857fd9fe8edf23c77f046c9b6f1453ce570a76ebce715ca69ca4268c168d7f4771c97a6163cf07f2e1cc6f0f60217079a89
- SSDEEP: 12288:FayriPUR51b9eX7Gy569idYRYJW1VDjrmAkx:FayrisR51ReX7Go/Ed7jrmd
Malware Config
- Extracted: metasploit, encoder/fnstenv_mov
- Extracted: metasploit, encoder/call4_dword_xor
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Metasploit family
- Checks BIOS information in registry (2 TTPs, 64 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE (64 IoCs)
- Drops file in System32 directory (64 IoCs)
- System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Modifies registry class (64 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 1932 wrote to memory of 3104 1932 e99f6ab90c467e6f67379912be367664_JaffaCakes118.exe 83
PID 1932 wrote to memory of 3104 1932 e99f6ab90c467e6f67379912be367664_JaffaCakes118.exe 83
PID 1932 wrote to memory of 3104 1932 e99f6ab90c467e6f67379912be367664_JaffaCakes118.exe 83
PID 3104 wrote to memory of 2276 3104 nslbrpoebvh.exe 84
PID 3104 wrote to memory of 2276 3104 nslbrpoebvh.exe 84
PID 3104 wrote to memory of 2276 3104 nslbrpoebvh.exe 84
PID 2276 wrote to memory of 3504 2276 anbgqwiopmm.exe 85
PID 2276 wrote to memory of 3504 2276 anbgqwiopmm.exe 85
PID 2276 wrote to memory of 3504 2276 anbgqwiopmm.exe 85
PID 3504 wrote to memory of 1804 3504 fojbgtgcxaf.exe 86
PID 3504 wrote to memory of 1804 3504 fojbgtgcxaf.exe 86
PID 3504 wrote to memory of 1804 3504 fojbgtgcxaf.exe 86
PID 1804 wrote to memory of 3024 1804 fahfmzxohcv.exe 87
PID 1804 wrote to memory of 3024 1804 fahfmzxohcv.exe 87
PID 1804 wrote to memory of 3024 1804 fahfmzxohcv.exe 87
PID 3024 wrote to memory of 1444 3024 cqpdsssdrwm.exe 88
PID 3024 wrote to memory of 1444 3024 cqpdsssdrwm.exe 88
PID 3024 wrote to memory of 1444 3024 cqpdsssdrwm.exe 88
PID 1444 wrote to memory of 60 1444 fxenisthlqv.exe 89
PID 1444 wrote to memory of 60 1444 fxenisthlqv.exe 89
PID 1444 wrote to memory of 60 1444 fxenisthlqv.exe 89
PID 60 wrote to memory of 3664 60 psxypmbfzcz.exe 90
PID 60 wrote to memory of 3664 60 psxypmbfzcz.exe 90
PID 60 wrote to memory of 3664 60 psxypmbfzcz.exe 90
PID 3664 wrote to memory of 4548 3664 zoyifhckmfc.exe 91
PID 3664 wrote to memory of 4548 3664 zoyifhckmfc.exe 91
PID 3664 wrote to memory of 4548 3664 zoyifhckmfc.exe 91
PID 4548 wrote to memory of 2020 4548 fmcykabnhnv.exe 94
PID 4548 wrote to memory of 2020 4548 fmcykabnhnv.exe 94
PID 4548 wrote to memory of 2020 4548 fmcykabnhnv.exe 94
PID 2020 wrote to memory of 5000 2020 nbqlwkzgvko.exe 95
PID 2020 wrote to memory of 5000 2020 nbqlwkzgvko.exe 95
PID 2020 wrote to memory of 5000 2020 nbqlwkzgvko.exe 95
PID 5000 wrote to memory of 4444 5000 soktpmloplz.exe 96
PID 5000 wrote to memory of 4444 5000 soktpmloplz.exe 96
PID 5000 wrote to memory of 4444 5000 soktpmloplz.exe 96
PID 4444 wrote to memory of 3528 4444 xxqwsmdzjxl.exe 97
PID 4444 wrote to memory of 3528 4444 xxqwsmdzjxl.exe 97
PID 4444 wrote to memory of 3528 4444 xxqwsmdzjxl.exe 97
PID 3528 wrote to memory of 556 3528 xqromgnqxrm.exe 99
PID 3528 wrote to memory of 556 3528 xqromgnqxrm.exe 99
PID 3528 wrote to memory of 556 3528 xqromgnqxrm.exe 99
PID 556 wrote to memory of 2388 556 sokzibnbsta.exe 101
PID 556 wrote to memory of 2388 556 sokzibnbsta.exe 101
PID 556 wrote to memory of 2388 556 sokzibnbsta.exe 101
PID 2388 wrote to memory of 3540 2388 nflcfywwtph.exe 102
PID 2388 wrote to memory of 3540 2388 nflcfywwtph.exe 102
PID 2388 wrote to memory of 3540 2388 nflcfywwtph.exe 102
PID 3540 wrote to memory of 3320 3540 unzurnyotzc.exe 103
PID 3540 wrote to memory of 3320 3540 unzurnyotzc.exe 103
PID 3540 wrote to memory of 3320 3540 unzurnyotzc.exe 103
PID 3320 wrote to memory of 3376 3320 ixfeumyzvlo.exe 105
PID 3320 wrote to memory of 3376 3320 ixfeumyzvlo.exe 105
PID 3320 wrote to memory of 3376 3320 ixfeumyzvlo.exe 105
PID 3376 wrote to memory of 2744 3376 unahdndgnyb.exe 106
PID 3376 wrote to memory of 2744 3376 unahdndgnyb.exe 106
PID 3376 wrote to memory of 2744 3376 unahdndgnyb.exe 106
PID 2744 wrote to memory of 2008 2744 slhheuinois.exe 107
PID 2744 wrote to memory of 2008 2744 slhheuinois.exe 107
PID 2744 wrote to memory of 2008 2744 slhheuinois.exe 107
PID 2008 wrote to memory of 2432 2008 aavuhwogcft.exe 108
PID 2008 wrote to memory of 2432 2008 aavuhwogcft.exe 108
PID 2008 wrote to memory of 2432 2008 aavuhwogcft.exe 108
PID 2432 wrote to memory of 4572 2432 zsdfkrpwqqm.exe 109
Processes
-
C:\Users\Admin\AppData\Local\Temp\e99f6ab90c467e6f67379912be367664_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e99f6ab90c467e6f67379912be367664_JaffaCakes118.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Windows\SysWOW64\nslbrpoebvh.exeC:\Windows\system32\nslbrpoebvh.exe 1312 "C:\Users\Admin\AppData\Local\Temp\e99f6ab90c467e6f67379912be367664_JaffaCakes118.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3104 -
C:\Windows\SysWOW64\anbgqwiopmm.exeC:\Windows\system32\anbgqwiopmm.exe 1324 "C:\Windows\SysWOW64\nslbrpoebvh.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\fojbgtgcxaf.exeC:\Windows\system32\fojbgtgcxaf.exe 1436 "C:\Windows\SysWOW64\anbgqwiopmm.exe"4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3504 -
C:\Windows\SysWOW64\fahfmzxohcv.exeC:\Windows\system32\fahfmzxohcv.exe 1300 "C:\Windows\SysWOW64\fojbgtgcxaf.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1804 -
C:\Windows\SysWOW64\cqpdsssdrwm.exeC:\Windows\system32\cqpdsssdrwm.exe 1304 "C:\Windows\SysWOW64\fahfmzxohcv.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\fxenisthlqv.exeC:\Windows\system32\fxenisthlqv.exe 1308 "C:\Windows\SysWOW64\cqpdsssdrwm.exe"7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Windows\SysWOW64\psxypmbfzcz.exeC:\Windows\system32\psxypmbfzcz.exe 1456 "C:\Windows\SysWOW64\fxenisthlqv.exe"8⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:60 -
C:\Windows\SysWOW64\zoyifhckmfc.exeC:\Windows\system32\zoyifhckmfc.exe 1452 "C:\Windows\SysWOW64\psxypmbfzcz.exe"9⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3664 -
C:\Windows\SysWOW64\fmcykabnhnv.exeC:\Windows\system32\fmcykabnhnv.exe 1344 "C:\Windows\SysWOW64\zoyifhckmfc.exe"10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4548 -
C:\Windows\SysWOW64\nbqlwkzgvko.exeC:\Windows\system32\nbqlwkzgvko.exe 1236 "C:\Windows\SysWOW64\fmcykabnhnv.exe"11⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\SysWOW64\soktpmloplz.exeC:\Windows\system32\soktpmloplz.exe 1320 "C:\Windows\SysWOW64\nbqlwkzgvko.exe"12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5000 -
C:\Windows\SysWOW64\xxqwsmdzjxl.exeC:\Windows\system32\xxqwsmdzjxl.exe 1472 "C:\Windows\SysWOW64\soktpmloplz.exe"13⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4444 -
C:\Windows\SysWOW64\xqromgnqxrm.exeC:\Windows\system32\xqromgnqxrm.exe 1364 "C:\Windows\SysWOW64\xxqwsmdzjxl.exe"14⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3528 -
C:\Windows\SysWOW64\sokzibnbsta.exeC:\Windows\system32\sokzibnbsta.exe 1476 "C:\Windows\SysWOW64\xqromgnqxrm.exe"15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:556 -
C:\Windows\SysWOW64\nflcfywwtph.exeC:\Windows\system32\nflcfywwtph.exe 1328 "C:\Windows\SysWOW64\sokzibnbsta.exe"16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\unzurnyotzc.exeC:\Windows\system32\unzurnyotzc.exe 1356 "C:\Windows\SysWOW64\nflcfywwtph.exe"17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3540 -
C:\Windows\SysWOW64\ixfeumyzvlo.exeC:\Windows\system32\ixfeumyzvlo.exe 1492 "C:\Windows\SysWOW64\unzurnyotzc.exe"18⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3320 -
C:\Windows\SysWOW64\unahdndgnyb.exeC:\Windows\system32\unahdndgnyb.exe 1488 "C:\Windows\SysWOW64\ixfeumyzvlo.exe"19⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3376 -
C:\Windows\SysWOW64\slhheuinois.exeC:\Windows\system32\slhheuinois.exe 1512 "C:\Windows\SysWOW64\unahdndgnyb.exe"20⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\aavuhwogcft.exeC:\Windows\system32\aavuhwogcft.exe 1500 "C:\Windows\SysWOW64\slhheuinois.exe"21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\SysWOW64\zsdfkrpwqqm.exeC:\Windows\system32\zsdfkrpwqqm.exe 1348 "C:\Windows\SysWOW64\aavuhwogcft.exe"22⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\kowxrlyuecp.exeC:\Windows\system32\kowxrlyuecp.exe 1340 "C:\Windows\SysWOW64\zsdfkrpwqqm.exe"23⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4572 -
C:\Windows\SysWOW64\slskvovnsqr.exeC:\Windows\system32\slskvovnsqr.exe 1520 "C:\Windows\SysWOW64\kowxrlyuecp.exe"24⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1512 -
C:\Windows\SysWOW64\aerlkcziaal.exeC:\Windows\system32\aerlkcziaal.exe 1516 "C:\Windows\SysWOW64\slskvovnsqr.exe"25⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:116 -
C:\Windows\SysWOW64\puctqmvxtbh.exeC:\Windows\system32\puctqmvxtbh.exe 1524 "C:\Windows\SysWOW64\aerlkcziaal.exe"26⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3680 -
C:\Windows\SysWOW64\seuijidvair.exeC:\Windows\system32\seuijidvair.exe 1560 "C:\Windows\SysWOW64\puctqmvxtbh.exe"27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4948 -
C:\Windows\SysWOW64\xrnqcspdvjc.exeC:\Windows\system32\xrnqcspdvjc.exe 1332 "C:\Windows\SysWOW64\seuijidvair.exe"28⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4568 -
C:\Windows\SysWOW64\zlqoofsfcrk.exeC:\Windows\system32\zlqoofsfcrk.exe 1528 "C:\Windows\SysWOW64\xrnqcspdvjc.exe"29⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1496 -
C:\Windows\SysWOW64\ktdlzerecpo.exeC:\Windows\system32\ktdlzerecpo.exe 1380 "C:\Windows\SysWOW64\zlqoofsfcrk.exe"30⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2652 -
C:\Windows\SysWOW64\xcbocdrpwba.exeC:\Windows\system32\xcbocdrpwba.exe 1536 "C:\Windows\SysWOW64\ktdlzerecpo.exe"31⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1036 -
C:\Windows\SysWOW64\hfzmbgdilke.exeC:\Windows\system32\hfzmbgdilke.exe 1544 "C:\Windows\SysWOW64\xcbocdrpwba.exe"32⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2840 -
C:\Windows\SysWOW64\cwthyvfdnhl.exeC:\Windows\system32\cwthyvfdnhl.exe 1376 "C:\Windows\SysWOW64\hfzmbgdilke.exe"33⤵
- Executes dropped EXE
- Modifies registry class
PID:5096 -
C:\Windows\SysWOW64\prleezdqbgx.exeC:\Windows\system32\prleezdqbgx.exe 1556 "C:\Windows\SysWOW64\cwthyvfdnhl.exe"34⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\clrmpdqzgfl.exeC:\Windows\system32\clrmpdqzgfl.exe 1548 "C:\Windows\SysWOW64\prleezdqbgx.exe"35⤵
- Checks BIOS information in registry
- Executes dropped EXE
PID:4632 -
C:\Windows\SysWOW64\mdgruukuhdo.exeC:\Windows\system32\mdgruukuhdo.exe 1568 "C:\Windows\SysWOW64\clrmpdqzgfl.exe"36⤵
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\pjnujttycqx.exeC:\Windows\system32\pjnujttycqx.exe 1396 "C:\Windows\SysWOW64\mdgruukuhdo.exe"37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4748 -
C:\Windows\SysWOW64\rtmsbhbxjpz.exeC:\Windows\system32\rtmsbhbxjpz.exe 1336 "C:\Windows\SysWOW64\pjnujttycqx.exe"38⤵
- Executes dropped EXE
- Modifies registry class
PID:3976 -
C:\Windows\SysWOW64\eshuspyejcm.exeC:\Windows\system32\eshuspyejcm.exe 1576 "C:\Windows\SysWOW64\rtmsbhbxjpz.exe"39⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\pnifakhbxnp.exeC:\Windows\system32\pnifakhbxnp.exe 1584 "C:\Windows\SysWOW64\eshuspyejcm.exe"40⤵
- Executes dropped EXE
PID:1360 -
C:\Windows\SysWOW64\aumxcwcklya.exeC:\Windows\system32\aumxcwcklya.exe 1360 "C:\Windows\SysWOW64\pnifakhbxnp.exe"41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3596 -
C:\Windows\SysWOW64\hywktpfzyvu.exeC:\Windows\system32\hywktpfzyvu.exe 1368 "C:\Windows\SysWOW64\aumxcwcklya.exe"42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4484 -
C:\Windows\SysWOW64\mlqsershsdf.exeC:\Windows\system32\mlqsershsdf.exe 1596 "C:\Windows\SysWOW64\hywktpfzyvu.exe"43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5088 -
C:\Windows\SysWOW64\sxknpnkrbrx.exeC:\Windows\system32\sxknpnkrbrx.exe 1404 "C:\Windows\SysWOW64\mlqsershsdf.exe"44⤵
- Executes dropped EXE
- Modifies registry class
PID:4000 -
C:\Windows\SysWOW64\utcgxitoocb.exeC:\Windows\system32\utcgxitoocb.exe 1604 "C:\Windows\SysWOW64\sxknpnkrbrx.exe"45⤵
- Executes dropped EXE
PID:4388 -
C:\Windows\SysWOW64\biyyrfugomw.exeC:\Windows\system32\biyyrfugomw.exe 1600 "C:\Windows\SysWOW64\utcgxitoocb.exe"46⤵
- Executes dropped EXE
PID:5032 -
C:\Windows\SysWOW64\kymlviazkbx.exeC:\Windows\system32\kymlviazkbx.exe 1316 "C:\Windows\SysWOW64\biyyrfugomw.exe"47⤵
- Executes dropped EXE
- Modifies registry class
PID:3960 -
C:\Windows\SysWOW64\rqkljowmklr.exeC:\Windows\system32\rqkljowmklr.exe 1612 "C:\Windows\SysWOW64\kymlviazkbx.exe"48⤵
- Executes dropped EXE
PID:4592 -
C:\Windows\SysWOW64\xatgaubashk.exeC:\Windows\system32\xatgaubashk.exe 1620 "C:\Windows\SysWOW64\rqkljowmklr.exe"49⤵
- Checks BIOS information in registry
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3184 -
C:\Windows\SysWOW64\mimogdfplhy.exeC:\Windows\system32\mimogdfplhy.exe 1624 "C:\Windows\SysWOW64\xatgaubashk.exe"50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1260 -
C:\Windows\SysWOW64\rrujpjlvtdq.exeC:\Windows\system32\rrujpjlvtdq.exe 1352 "C:\Windows\SysWOW64\mimogdfplhy.exe"51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:532 -
C:\Windows\SysWOW64\weorisqdnec.exeC:\Windows\system32\weorisqdnec.exe 1628 "C:\Windows\SysWOW64\rrujpjlvtdq.exe"52⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\cblzwuxoamu.exeC:\Windows\system32\cblzwuxoamu.exe 1616 "C:\Windows\SysWOW64\weorisqdnec.exe"53⤵
- Executes dropped EXE
PID:3892 -
C:\Windows\SysWOW64\bqjencadclu.exeC:\Windows\system32\bqjencadclu.exe 1636 "C:\Windows\SysWOW64\cblzwuxoamu.exe"54⤵
- Executes dropped EXE
PID:4888 -
C:\Windows\SysWOW64\kclmoaytdun.exeC:\Windows\system32\kclmoaytdun.exe 1372 "C:\Windows\SysWOW64\bqjencadclu.exe"55⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\eabhryftdjv.exeC:\Windows\system32\eabhryftdjv.exe 1420 "C:\Windows\SysWOW64\kclmoaytdun.exe"56⤵
- Executes dropped EXE
- Modifies registry class
PID:1796 -
C:\Windows\SysWOW64\owcsysoyruy.exeC:\Windows\system32\owcsysoyruy.exe 1384 "C:\Windows\SysWOW64\eabhryftdjv.exe"57⤵
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\miynxvmcfrp.exeC:\Windows\system32\miynxvmcfrp.exe 1652 "C:\Windows\SysWOW64\owcsysoyruy.exe"58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2604 -
C:\Windows\SysWOW64\zdqioyrhopb.exeC:\Windows\system32\zdqioyrhopb.exe 1648 "C:\Windows\SysWOW64\miynxvmcfrp.exe"59⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Drops file in System32 directory
PID:2480 -
C:\Windows\SysWOW64\xpmdebxlumr.exeC:\Windows\system32\xpmdebxlumr.exe 1660 "C:\Windows\SysWOW64\zdqioyrhopb.exe"60⤵
- Executes dropped EXE
PID:4464 -
C:\Windows\SysWOW64\rggybqhodig.exeC:\Windows\system32\rggybqhodig.exe 1668 "C:\Windows\SysWOW64\xpmdebxlumr.exe"61⤵
- Executes dropped EXE
PID:996 -
C:\Windows\SysWOW64\rvddtgkcxhg.exeC:\Windows\system32\rvddtgkcxhg.exe 1432 "C:\Windows\SysWOW64\rggybqhodig.exe"62⤵
- Executes dropped EXE
PID:4416 -
C:\Windows\SysWOW64\cntjfwmfyfj.exeC:\Windows\system32\cntjfwmfyfj.exe 1664 "C:\Windows\SysWOW64\rvddtgkcxhg.exe"63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4064 -
C:\Windows\SysWOW64\jsdophovlcd.exeC:\Windows\system32\jsdophovlcd.exe 1428 "C:\Windows\SysWOW64\cntjfwmfyfj.exe"64⤵
- Checks BIOS information in registry
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\wmjeauteybr.exeC:\Windows\system32\wmjeauteybr.exe 1672 "C:\Windows\SysWOW64\jsdophovlcd.exe"65⤵
- Checks BIOS information in registry
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\jvqodltpand.exeC:\Windows\system32\jvqodltpand.exe 1684 "C:\Windows\SysWOW64\wmjeauteybr.exe"66⤵
- Checks BIOS information in registry
PID:1992 -
C:\Windows\SysWOW64\joqzfgdggze.exeC:\Windows\system32\joqzfgdggze.exe 1388 "C:\Windows\SysWOW64\jvqodltpand.exe"67⤵PID:1852
-
C:\Windows\SysWOW64\pikciddppun.exeC:\Windows\system32\pikciddppun.exe 1400 "C:\Windows\SysWOW64\joqzfgdggze.exe"68⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5024 -
C:\Windows\SysWOW64\oalmcpngvgo.exeC:\Windows\system32\oalmcpngvgo.exe 1700 "C:\Windows\SysWOW64\pikciddppun.exe"69⤵PID:1176
-
C:\Windows\SysWOW64\uvfpnmfpdbg.exeC:\Windows\system32\uvfpnmfpdbg.exe 1572 "C:\Windows\SysWOW64\oalmcpngvgo.exe"70⤵
- System Location Discovery: System Language Discovery
PID:3672 -
C:\Windows\SysWOW64\ukcuevqdxag.exeC:\Windows\system32\ukcuevqdxag.exe 1416 "C:\Windows\SysWOW64\uvfpnmfpdbg.exe"71⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3476 -
C:\Windows\SysWOW64\ejgswtydxyk.exeC:\Windows\system32\ejgswtydxyk.exe 1708 "C:\Windows\SysWOW64\ukcuevqdxag.exe"72⤵PID:816
-
C:\Windows\SysWOW64\gpvcmlzzsll.exeC:\Windows\system32\gpvcmlzzsll.exe 1704 "C:\Windows\SysWOW64\ejgswtydxyk.exe"73⤵
- System Location Discovery: System Language Discovery
PID:3432 -
C:\Windows\SysWOW64\hbxdnrxxbum.exeC:\Windows\system32\hbxdnrxxbum.exe 1480 "C:\Windows\SysWOW64\gpvcmlzzsll.exe"74⤵PID:1540
-
C:\Windows\SysWOW64\gbgvhehohgm.exeC:\Windows\system32\gbgvhehohgm.exe 1424 "C:\Windows\SysWOW64\hbxdnrxxbum.exe"75⤵PID:2140
-
C:\Windows\SysWOW64\oufvvllbhqg.exeC:\Windows\system32\oufvvllbhqg.exe 1444 "C:\Windows\SysWOW64\gbgvhehohgm.exe"76⤵PID:1564
-
C:\Windows\SysWOW64\zmvtabfeioj.exeC:\Windows\system32\zmvtabfeioj.exe 1392 "C:\Windows\SysWOW64\oufvvllbhqg.exe"77⤵PID:1468
-
C:\Windows\SysWOW64\ezoatksmdpu.exeC:\Windows\system32\ezoatksmdpu.exe 1460 "C:\Windows\SysWOW64\zmvtabfeioj.exe"78⤵
- Checks BIOS information in registry
PID:3228 -
C:\Windows\SysWOW64\jxlqhmryyxn.exeC:\Windows\system32\jxlqhmryyxn.exe 1736 "C:\Windows\SysWOW64\ezoatksmdpu.exe"79⤵
- Checks BIOS information in registry
PID:3332 -
C:\Windows\SysWOW64\rpkjosvlyzh.exeC:\Windows\system32\rpkjosvlyzh.exe 1412 "C:\Windows\SysWOW64\jxlqhmryyxn.exe"80⤵
- Modifies registry class
PID:4996 -
C:\Windows\SysWOW64\mhmllhwozvw.exeC:\Windows\system32\mhmllhwozvw.exe 1732 "C:\Windows\SysWOW64\rpkjosvlyzh.exe"81⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2644 -
C:\Windows\SysWOW64\uhlmrwabhfp.exeC:\Windows\system32\uhlmrwabhfp.exe 1748 "C:\Windows\SysWOW64\mhmllhwozvw.exe"82⤵PID:4800
-
C:\Windows\SysWOW64\egpjkvibhdt.exeC:\Windows\system32\egpjkvibhdt.exe 1752 "C:\Windows\SysWOW64\uhlmrwabhfp.exe"83⤵
- Checks BIOS information in registry
PID:2080 -
C:\Windows\SysWOW64\ofbguupaicx.exeC:\Windows\system32\ofbguupaicx.exe 1756 "C:\Windows\SysWOW64\egpjkvibhdt.exe"84⤵PID:5080
-
C:\Windows\SysWOW64\ybuzcoqyvnb.exeC:\Windows\system32\ybuzcoqyvnb.exe 1280 "C:\Windows\SysWOW64\ofbguupaicx.exe"85⤵
- Checks BIOS information in registry
PID:736 -
C:\Windows\SysWOW64\lwlpikplbmn.exeC:\Windows\system32\lwlpikplbmn.exe 1764 "C:\Windows\SysWOW64\ybuzcoqyvnb.exe"86⤵PID:4456
-
C:\Windows\SysWOW64\mayhwwtfrxn.exeC:\Windows\system32\mayhwwtfrxn.exe 1468 "C:\Windows\SysWOW64\lwlpikplbmn.exe"87⤵PID:4804
-
C:\Windows\SysWOW64\rbgcmbzkqtg.exeC:\Windows\system32\rbgcmbzkqtg.exe 1532 "C:\Windows\SysWOW64\mayhwwtfrxn.exe"88⤵
- Drops file in System32 directory
PID:3968 -
C:\Windows\SysWOW64\jbjzlhdxztd.exeC:\Windows\system32\jbjzlhdxztd.exe 1508 "C:\Windows\SysWOW64\rbgcmbzkqtg.exe"89⤵PID:4480
-
C:\Windows\SysWOW64\upvsntggneg.exeC:\Windows\system32\upvsntggneg.exe 1780 "C:\Windows\SysWOW64\jbjzlhdxztd.exe"90⤵
- Modifies registry class
PID:1884 -
C:\Windows\SysWOW64\wwcddkhchrp.exeC:\Windows\system32\wwcddkhchrp.exe 1440 "C:\Windows\SysWOW64\upvsntggneg.exe"91⤵PID:3428
-
C:\Windows\SysWOW64\jqisoxllvyd.exeC:\Windows\system32\jqisoxllvyd.exe 1792 "C:\Windows\SysWOW64\wwcddkhchrp.exe"92⤵PID:4796
-
C:\Windows\SysWOW64\wzovrwlwpkp.exeC:\Windows\system32\wzovrwlwpkp.exe 1784 "C:\Windows\SysWOW64\jqisoxllvyd.exe"93⤵
- System Location Discovery: System Language Discovery
PID:3388 -
C:\Windows\SysWOW64\ggaskvtvpit.exeC:\Windows\system32\ggaskvtvpit.exe 1796 "C:\Windows\SysWOW64\wzovrwlwpkp.exe"94⤵PID:3972
-
C:\Windows\SysWOW64\occgtgwlkxn.exeC:\Windows\system32\occgtgwlkxn.exe 1448 "C:\Windows\SysWOW64\ggaskvtvpit.exe"95⤵PID:3792
-
C:\Windows\SysWOW64\okllfgtdevm.exeC:\Windows\system32\okllfgtdevm.exe 1484 "C:\Windows\SysWOW64\occgtgwlkxn.exe"96⤵
- Drops file in System32 directory
PID:836 -
C:\Windows\SysWOW64\jfqbfzbasfu.exeC:\Windows\system32\jfqbfzbasfu.exe 1812 "C:\Windows\SysWOW64\okllfgtdevm.exe"97⤵PID:1196
-
C:\Windows\SysWOW64\juggwqnotdu.exeC:\Windows\system32\juggwqnotdu.exe 1564 "C:\Windows\SysWOW64\jfqbfzbasfu.exe"98⤵PID:3548
-
C:\Windows\SysWOW64\mxjwjdpqblc.exeC:\Windows\system32\mxjwjdpqblc.exe 1808 "C:\Windows\SysWOW64\juggwqnotdu.exe"99⤵PID:1808
-
C:\Windows\SysWOW64\ohjubzxoikm.exeC:\Windows\system32\ohjubzxoikm.exe 1820 "C:\Windows\SysWOW64\mxjwjdpqblc.exe"100⤵PID:2904
-
C:\Windows\SysWOW64\okvmpdbipwe.exeC:\Windows\system32\okvmpdbipwe.exe 1540 "C:\Windows\SysWOW64\ohjubzxoikm.exe"101⤵PID:3220
-
C:\Windows\SysWOW64\eaiziucwlcz.exeC:\Windows\system32\eaiziucwlcz.exe 1836 "C:\Windows\SysWOW64\okvmpdbipwe.exe"102⤵PID:8
-
C:\Windows\SysWOW64\ohmxatcwlbd.exeC:\Windows\system32\ohmxatcwlbd.exe 1828 "C:\Windows\SysWOW64\eaiziucwlcz.exe"103⤵PID:4616
-
C:\Windows\SysWOW64\ljcsiyiclow.exeC:\Windows\system32\ljcsiyiclow.exe 1676 "C:\Windows\SysWOW64\ohmxatcwlbd.exe"104⤵PID:3060
-
C:\Windows\SysWOW64\bncnmeewacr.exeC:\Windows\system32\bncnmeewacr.exe 1832 "C:\Windows\SysWOW64\ljcsiyiclow.exe"105⤵PID:4336
-
C:\Windows\SysWOW64\youaqpqxozb.exeC:\Windows\system32\youaqpqxozb.exe 1608 "C:\Windows\SysWOW64\bncnmeewacr.exe"106⤵
- Checks BIOS information in registry
PID:3564 -
C:\Windows\SysWOW64\gaxarnpwpjc.exeC:\Windows\system32\gaxarnpwpjc.exe 1852 "C:\Windows\SysWOW64\youaqpqxozb.exe"107⤵
- Checks BIOS information in registry
- System Location Discovery: System Language Discovery
PID:4848 -
C:\Windows\SysWOW64\oehnjgrmcgw.exeC:\Windows\system32\oehnjgrmcgw.exe 1856 "C:\Windows\SysWOW64\gaxarnpwpjc.exe"108⤵PID:1892
-
C:\Windows\SysWOW64\qoydbczkjfg.exeC:\Windows\system32\qoydbczkjfg.exe 1552 "C:\Windows\SysWOW64\oehnjgrmcgw.exe"109⤵
- System Location Discovery: System Language Discovery
PID:1660 -
C:\Windows\SysWOW64\tunnqujgdap.exeC:\Windows\system32\tunnqujgdap.exe 1860 "C:\Windows\SysWOW64\qoydbczkjfg.exe"110⤵
- Checks BIOS information in registry
- System Location Discovery: System Language Discovery
PID:1896 -
C:\Windows\SysWOW64\qlxvesiqfkf.exeC:\Windows\system32\qlxvesiqfkf.exe 1592 "C:\Windows\SysWOW64\tunnqujgdap.exe"111⤵
- Checks BIOS information in registry
PID:4876 -
C:\Windows\SysWOW64\oxtjunodtiv.exeC:\Windows\system32\oxtjunodtiv.exe 1680 "C:\Windows\SysWOW64\qlxvesiqfkf.exe"112⤵PID:4984
-
C:\Windows\SysWOW64\gtttqwtvhvt.exeC:\Windows\system32\gtttqwtvhvt.exe 1632 "C:\Windows\SysWOW64\oxtjunodtiv.exe"113⤵
- Drops file in System32 directory
PID:988 -
C:\Windows\SysWOW64\gaqzheekjtt.exeC:\Windows\system32\gaqzheekjtt.exe 1644 "C:\Windows\SysWOW64\gtttqwtvhvt.exe"114⤵
- Drops file in System32 directory
PID:3120 -
C:\Windows\SysWOW64\tkxjkewucnf.exeC:\Windows\system32\tkxjkewucnf.exe 1848 "C:\Windows\SysWOW64\gaqzheekjtt.exe"115⤵PID:1648
-
C:\Windows\SysWOW64\wcozcaesjno.exeC:\Windows\system32\wcozcaesjno.exe 1892 "C:\Windows\SysWOW64\tkxjkewucnf.exe"116⤵PID:1944
-
C:\Windows\SysWOW64\ahihwkrbdoa.exeC:\Windows\system32\ahihwkrbdoa.exe 1496 "C:\Windows\SysWOW64\wcozcaesjno.exe"117⤵PID:3668
-
C:\Windows\SysWOW64\qticapovkjv.exeC:\Windows\system32\qticapovkjv.exe 1692 "C:\Windows\SysWOW64\ahihwkrbdoa.exe"118⤵PID:4988
-
C:\Windows\SysWOW64\bhjmhjosyuz.exeC:\Windows\system32\bhjmhjosyuz.exe 1888 "C:\Windows\SysWOW64\qticapovkjv.exe"119⤵
- System Location Discovery: System Language Discovery
PID:4972 -
C:\Windows\SysWOW64\gqrhypuygis.exeC:\Windows\system32\gqrhypuygis.exe 1696 "C:\Windows\SysWOW64\bhjmhjosyuz.exe"120⤵PID:4580
-
C:\Windows\SysWOW64\wuzccursnvf.exeC:\Windows\system32\wuzccursnvf.exe 1504 "C:\Windows\SysWOW64\gqrhypuygis.exe"121⤵
- Checks BIOS information in registry
- Modifies registry class
PID:4936 -
C:\Windows\SysWOW64\gtdamtzsntj.exeC:\Windows\system32\gtdamtzsntj.exe 1916 "C:\Windows\SysWOW64\wuzccursnvf.exe"122⤵PID:3316
-