Analysis
-
max time kernel
149s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
15-12-2024 10:49
General
-
Target
f3a6663b8cb810e905ff5c7bed9ef67e_JaffaCakes118.exe
-
Size
476KB
-
MD5
f3a6663b8cb810e905ff5c7bed9ef67e
-
SHA1
8e832fbcd04fad6c103bc8753ad87863454830ac
-
SHA256
58fa7103a6da18ad8039c901c10af971627efdfb77a27f55a950aa37f4d04dc8
-
SHA512
986064204320e6b1100e9c83e4691ee1d3aad06cdda575a723e6f49de9ed0ea0c5862b0d87e665167f9e74896dd0cdeaa12de6e1bb6753e68c56387154f98095
-
SSDEEP
6144:jFeLlS5FZCAv2wFR24biJjWti/9q7R/ck6pSDy4N5q39dVdnNn1u9/TPr5P6uzPh:JD6AvTFgJVWt49y5YeE8RhpQetCO
Score
10/10
Malware Config
Extracted
Family
metasploit
Version
encoder/call4_dword_xor
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Metasploit family
-
Executes dropped EXE 64 IoCs
-
Loads dropped DLL 64 IoCs
-
Drops file in System32 directory 64 IoCs
-
Suspicious use of SetThreadContext 64 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f3a6663b8cb810e905ff5c7bed9ef67e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f3a6663b8cb810e905ff5c7bed9ef67e_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f3a6663b8cb810e905ff5c7bed9ef67e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f3a6663b8cb810e905ff5c7bed9ef67e_JaffaCakes118.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\bljiez.exeC:\Windows\system32\bljiez.exe 476 "C:\Users\Admin\AppData\Local\Temp\f3a6663b8cb810e905ff5c7bed9ef67e_JaffaCakes118.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\bljiez.exeC:\Windows\system32\bljiez.exe 476 "C:\Users\Admin\AppData\Local\Temp\f3a6663b8cb810e905ff5c7bed9ef67e_JaffaCakes118.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\hufayr.exeC:\Windows\system32\hufayr.exe 452 "C:\Windows\SysWOW64\bljiez.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\hufayr.exeC:\Windows\system32\hufayr.exe 452 "C:\Windows\SysWOW64\bljiez.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tkggih.exeC:\Windows\system32\tkggih.exe 452 "C:\Windows\SysWOW64\hufayr.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tkggih.exeC:\Windows\system32\tkggih.exe 452 "C:\Windows\SysWOW64\hufayr.exe"8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mtydze.exeC:\Windows\system32\mtydze.exe 452 "C:\Windows\SysWOW64\tkggih.exe"9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mtydze.exeC:\Windows\system32\mtydze.exe 452 "C:\Windows\SysWOW64\tkggih.exe"10⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\ifstrx.exeC:\Windows\system32\ifstrx.exe 452 "C:\Windows\SysWOW64\mtydze.exe"11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\ifstrx.exeC:\Windows\system32\ifstrx.exe 452 "C:\Windows\SysWOW64\mtydze.exe"12⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\woiegd.exeC:\Windows\system32\woiegd.exe 452 "C:\Windows\SysWOW64\ifstrx.exe"13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\woiegd.exeC:\Windows\system32\woiegd.exe 452 "C:\Windows\SysWOW64\ifstrx.exe"14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
-
C:\Windows\SysWOW64\yfyrju.exeC:\Windows\system32\yfyrju.exe 452 "C:\Windows\SysWOW64\woiegd.exe"15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\yfyrju.exeC:\Windows\system32\yfyrju.exe 452 "C:\Windows\SysWOW64\woiegd.exe"16⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\wyfefw.exeC:\Windows\system32\wyfefw.exe 452 "C:\Windows\SysWOW64\yfyrju.exe"17⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\wyfefw.exeC:\Windows\system32\wyfefw.exe 452 "C:\Windows\SysWOW64\yfyrju.exe"18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
-
C:\Windows\SysWOW64\nmdsdo.exeC:\Windows\system32\nmdsdo.exe 452 "C:\Windows\SysWOW64\wyfefw.exe"19⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\nmdsdo.exeC:\Windows\system32\nmdsdo.exe 452 "C:\Windows\SysWOW64\wyfefw.exe"20⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\krjihq.exeC:\Windows\system32\krjihq.exe 452 "C:\Windows\SysWOW64\nmdsdo.exe"21⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\krjihq.exeC:\Windows\system32\krjihq.exe 452 "C:\Windows\SysWOW64\nmdsdo.exe"22⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\qnrxar.exeC:\Windows\system32\qnrxar.exe 452 "C:\Windows\SysWOW64\krjihq.exe"23⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\qnrxar.exeC:\Windows\system32\qnrxar.exe 452 "C:\Windows\SysWOW64\krjihq.exe"24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
-
C:\Windows\SysWOW64\fomivh.exeC:\Windows\system32\fomivh.exe 452 "C:\Windows\SysWOW64\qnrxar.exe"25⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\fomivh.exeC:\Windows\system32\fomivh.exe 452 "C:\Windows\SysWOW64\qnrxar.exe"26⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\jmitcq.exeC:\Windows\system32\jmitcq.exe 452 "C:\Windows\SysWOW64\fomivh.exe"27⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\jmitcq.exeC:\Windows\system32\jmitcq.exe 452 "C:\Windows\SysWOW64\fomivh.exe"28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\khjlqm.exeC:\Windows\system32\khjlqm.exe 452 "C:\Windows\SysWOW64\jmitcq.exe"29⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\khjlqm.exeC:\Windows\system32\khjlqm.exe 452 "C:\Windows\SysWOW64\jmitcq.exe"30⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\jlrbcn.exeC:\Windows\system32\jlrbcn.exe 452 "C:\Windows\SysWOW64\khjlqm.exe"31⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\jlrbcn.exeC:\Windows\system32\jlrbcn.exe 452 "C:\Windows\SysWOW64\khjlqm.exe"32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
-
C:\Windows\SysWOW64\vjttvq.exeC:\Windows\system32\vjttvq.exe 452 "C:\Windows\SysWOW64\jlrbcn.exe"33⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\vjttvq.exeC:\Windows\system32\vjttvq.exe 452 "C:\Windows\SysWOW64\jlrbcn.exe"34⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\tbsgrt.exeC:\Windows\system32\tbsgrt.exe 452 "C:\Windows\SysWOW64\vjttvq.exe"35⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\tbsgrt.exeC:\Windows\system32\tbsgrt.exe 452 "C:\Windows\SysWOW64\vjttvq.exe"36⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\derosq.exeC:\Windows\system32\derosq.exe 452 "C:\Windows\SysWOW64\tbsgrt.exe"37⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\derosq.exeC:\Windows\system32\derosq.exe 452 "C:\Windows\SysWOW64\tbsgrt.exe"38⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\hggmcd.exeC:\Windows\system32\hggmcd.exe 452 "C:\Windows\SysWOW64\derosq.exe"39⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\hggmcd.exeC:\Windows\system32\hggmcd.exe 452 "C:\Windows\SysWOW64\derosq.exe"40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\qqumib.exeC:\Windows\system32\qqumib.exe 452 "C:\Windows\SysWOW64\hggmcd.exe"41⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\qqumib.exeC:\Windows\system32\qqumib.exe 452 "C:\Windows\SysWOW64\hggmcd.exe"42⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\zlthse.exeC:\Windows\system32\zlthse.exe 452 "C:\Windows\SysWOW64\qqumib.exe"43⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\zlthse.exeC:\Windows\system32\zlthse.exe 452 "C:\Windows\SysWOW64\qqumib.exe"44⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\lnxnot.exeC:\Windows\system32\lnxnot.exe 452 "C:\Windows\SysWOW64\zlthse.exe"45⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\lnxnot.exeC:\Windows\system32\lnxnot.exe 452 "C:\Windows\SysWOW64\zlthse.exe"46⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\xanfwf.exeC:\Windows\system32\xanfwf.exe 452 "C:\Windows\SysWOW64\lnxnot.exe"47⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\xanfwf.exeC:\Windows\system32\xanfwf.exe 452 "C:\Windows\SysWOW64\lnxnot.exe"48⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\hgqszz.exeC:\Windows\system32\hgqszz.exe 452 "C:\Windows\SysWOW64\xanfwf.exe"49⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\hgqszz.exeC:\Windows\system32\hgqszz.exe 452 "C:\Windows\SysWOW64\xanfwf.exe"50⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\qcnvvd.exeC:\Windows\system32\qcnvvd.exe 452 "C:\Windows\SysWOW64\hgqszz.exe"51⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\qcnvvd.exeC:\Windows\system32\qcnvvd.exe 452 "C:\Windows\SysWOW64\hgqszz.exe"52⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\ekxywd.exeC:\Windows\system32\ekxywd.exe 452 "C:\Windows\SysWOW64\qcnvvd.exe"53⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\ekxywd.exeC:\Windows\system32\ekxywd.exe 452 "C:\Windows\SysWOW64\qcnvvd.exe"54⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\wciopv.exeC:\Windows\system32\wciopv.exe 452 "C:\Windows\SysWOW64\ekxywd.exe"55⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\wciopv.exeC:\Windows\system32\wciopv.exe 452 "C:\Windows\SysWOW64\ekxywd.exe"56⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\khpduq.exeC:\Windows\system32\khpduq.exe 452 "C:\Windows\SysWOW64\wciopv.exe"57⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\khpduq.exeC:\Windows\system32\khpduq.exe 452 "C:\Windows\SysWOW64\wciopv.exe"58⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\ckegqv.exeC:\Windows\system32\ckegqv.exe 452 "C:\Windows\SysWOW64\khpduq.exe"59⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\ckegqv.exeC:\Windows\system32\ckegqv.exe 452 "C:\Windows\SysWOW64\khpduq.exe"60⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\qwhwur.exeC:\Windows\system32\qwhwur.exe 452 "C:\Windows\SysWOW64\ckegqv.exe"61⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\qwhwur.exeC:\Windows\system32\qwhwur.exe 452 "C:\Windows\SysWOW64\ckegqv.exe"62⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\flruud.exeC:\Windows\system32\flruud.exe 480 "C:\Windows\SysWOW64\qwhwur.exe"63⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\flruud.exeC:\Windows\system32\flruud.exe 480 "C:\Windows\SysWOW64\qwhwur.exe"64⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\ryhmtp.exeC:\Windows\system32\ryhmtp.exe 452 "C:\Windows\SysWOW64\flruud.exe"65⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\ryhmtp.exeC:\Windows\system32\ryhmtp.exe 452 "C:\Windows\SysWOW64\flruud.exe"66⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\ifhusy.exeC:\Windows\system32\ifhusy.exe 452 "C:\Windows\SysWOW64\ryhmtp.exe"67⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\ifhusy.exeC:\Windows\system32\ifhusy.exe 452 "C:\Windows\SysWOW64\ryhmtp.exe"68⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\xydfvp.exeC:\Windows\system32\xydfvp.exe 452 "C:\Windows\SysWOW64\ifhusy.exe"69⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\xydfvp.exeC:\Windows\system32\xydfvp.exe 452 "C:\Windows\SysWOW64\ifhusy.exe"70⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\lsyuys.exeC:\Windows\system32\lsyuys.exe 496 "C:\Windows\SysWOW64\xydfvp.exe"71⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\lsyuys.exeC:\Windows\system32\lsyuys.exe 496 "C:\Windows\SysWOW64\xydfvp.exe"72⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\sttftb.exeC:\Windows\system32\sttftb.exe 452 "C:\Windows\SysWOW64\lsyuys.exe"73⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\sttftb.exeC:\Windows\system32\sttftb.exe 452 "C:\Windows\SysWOW64\lsyuys.exe"74⤵
-
C:\Windows\SysWOW64\gxzdyw.exeC:\Windows\system32\gxzdyw.exe 452 "C:\Windows\SysWOW64\sttftb.exe"75⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\gxzdyw.exeC:\Windows\system32\gxzdyw.exe 452 "C:\Windows\SysWOW64\sttftb.exe"76⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\scpnyi.exeC:\Windows\system32\scpnyi.exe 452 "C:\Windows\SysWOW64\gxzdyw.exe"77⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\scpnyi.exeC:\Windows\system32\scpnyi.exe 452 "C:\Windows\SysWOW64\gxzdyw.exe"78⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\jgeqcn.exeC:\Windows\system32\jgeqcn.exe 452 "C:\Windows\SysWOW64\scpnyi.exe"79⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\jgeqcn.exeC:\Windows\system32\jgeqcn.exe 452 "C:\Windows\SysWOW64\scpnyi.exe"80⤵
-
C:\Windows\SysWOW64\yowscm.exeC:\Windows\system32\yowscm.exe 452 "C:\Windows\SysWOW64\jgeqcn.exe"81⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\yowscm.exeC:\Windows\system32\yowscm.exe 452 "C:\Windows\SysWOW64\jgeqcn.exe"82⤵
-
C:\Windows\SysWOW64\pjlvyj.exeC:\Windows\system32\pjlvyj.exe 452 "C:\Windows\SysWOW64\yowscm.exe"83⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\pjlvyj.exeC:\Windows\system32\pjlvyj.exe 452 "C:\Windows\SysWOW64\yowscm.exe"84⤵
-
C:\Windows\SysWOW64\gjudxs.exeC:\Windows\system32\gjudxs.exe 452 "C:\Windows\SysWOW64\pjlvyj.exe"85⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\gjudxs.exeC:\Windows\system32\gjudxs.exe 452 "C:\Windows\SysWOW64\pjlvyj.exe"86⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\yejyso.exeC:\Windows\system32\yejyso.exe 452 "C:\Windows\SysWOW64\gjudxs.exe"87⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\yejyso.exeC:\Windows\system32\yejyso.exe 452 "C:\Windows\SysWOW64\gjudxs.exe"88⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\pxvomo.exeC:\Windows\system32\pxvomo.exe 452 "C:\Windows\SysWOW64\yejyso.exe"89⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\pxvomo.exeC:\Windows\system32\pxvomo.exe 452 "C:\Windows\SysWOW64\yejyso.exe"90⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\dqqexs.exeC:\Windows\system32\dqqexs.exe 452 "C:\Windows\SysWOW64\pxvomo.exe"91⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\dqqexs.exeC:\Windows\system32\dqqexs.exe 452 "C:\Windows\SysWOW64\pxvomo.exe"92⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\yasrou.exeC:\Windows\system32\yasrou.exe 452 "C:\Windows\SysWOW64\dqqexs.exe"93⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\yasrou.exeC:\Windows\system32\yasrou.exe 452 "C:\Windows\SysWOW64\dqqexs.exe"94⤵
-
C:\Windows\SysWOW64\bqtwqk.exeC:\Windows\system32\bqtwqk.exe 452 "C:\Windows\SysWOW64\yasrou.exe"95⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\bqtwqk.exeC:\Windows\system32\bqtwqk.exe 452 "C:\Windows\SysWOW64\yasrou.exe"96⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\naycvr.exeC:\Windows\system32\naycvr.exe 452 "C:\Windows\SysWOW64\bqtwqk.exe"97⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\naycvr.exeC:\Windows\system32\naycvr.exe 452 "C:\Windows\SysWOW64\bqtwqk.exe"98⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cttmqi.exeC:\Windows\system32\cttmqi.exe 476 "C:\Windows\SysWOW64\naycvr.exe"99⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cttmqi.exeC:\Windows\system32\cttmqi.exe 476 "C:\Windows\SysWOW64\naycvr.exe"100⤵
-
C:\Windows\SysWOW64\ogjfxu.exeC:\Windows\system32\ogjfxu.exe 452 "C:\Windows\SysWOW64\cttmqi.exe"101⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\ogjfxu.exeC:\Windows\system32\ogjfxu.exe 452 "C:\Windows\SysWOW64\cttmqi.exe"102⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\zwckik.exeC:\Windows\system32\zwckik.exe 452 "C:\Windows\SysWOW64\ogjfxu.exe"103⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\zwckik.exeC:\Windows\system32\zwckik.exe 452 "C:\Windows\SysWOW64\ogjfxu.exe"104⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\lghqes.exeC:\Windows\system32\lghqes.exe 452 "C:\Windows\SysWOW64\zwckik.exe"105⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\lghqes.exeC:\Windows\system32\lghqes.exe 452 "C:\Windows\SysWOW64\zwckik.exe"106⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\aknfkn.exeC:\Windows\system32\aknfkn.exe 452 "C:\Windows\SysWOW64\lghqes.exe"107⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\aknfkn.exeC:\Windows\system32\aknfkn.exe 452 "C:\Windows\SysWOW64\lghqes.exe"108⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\poudhi.exeC:\Windows\system32\poudhi.exe 452 "C:\Windows\SysWOW64\aknfkn.exe"109⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\poudhi.exeC:\Windows\system32\poudhi.exe 452 "C:\Windows\SysWOW64\aknfkn.exe"110⤵
-
C:\Windows\SysWOW64\dtsbfd.exeC:\Windows\system32\dtsbfd.exe 452 "C:\Windows\SysWOW64\poudhi.exe"111⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\dtsbfd.exeC:\Windows\system32\dtsbfd.exe 452 "C:\Windows\SysWOW64\poudhi.exe"112⤵
-
C:\Windows\SysWOW64\sxzqly.exeC:\Windows\system32\sxzqly.exe 452 "C:\Windows\SysWOW64\dtsbfd.exe"113⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sxzqly.exeC:\Windows\system32\sxzqly.exe 452 "C:\Windows\SysWOW64\dtsbfd.exe"114⤵
-
C:\Windows\SysWOW64\zqubgp.exeC:\Windows\system32\zqubgp.exe 452 "C:\Windows\SysWOW64\sxzqly.exe"115⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\zqubgp.exeC:\Windows\system32\zqubgp.exe 452 "C:\Windows\SysWOW64\sxzqly.exe"116⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\qxujeq.exeC:\Windows\system32\qxujeq.exe 452 "C:\Windows\SysWOW64\zqubgp.exe"117⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\qxujeq.exeC:\Windows\system32\qxujeq.exe 452 "C:\Windows\SysWOW64\zqubgp.exe"118⤵
-
C:\Windows\SysWOW64\hxdzdz.exeC:\Windows\system32\hxdzdz.exe 452 "C:\Windows\SysWOW64\qxujeq.exe"119⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\hxdzdz.exeC:\Windows\system32\hxdzdz.exe 452 "C:\Windows\SysWOW64\qxujeq.exe"120⤵
-
C:\Windows\SysWOW64\ypphwr.exeC:\Windows\system32\ypphwr.exe 452 "C:\Windows\SysWOW64\hxdzdz.exe"121⤵
- Suspicious use of SetThreadContext
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-