Analysis
- max time kernel: 150s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-20250217-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/03/2025, 09:55
Behavioral task behavioral1
- Sample: JaffaCakes118_55e87d644c383ee9fa9caf50cd9b738b.exe
- Resource: win7-20240903-en
Behavioral task behavioral2
- Sample: JaffaCakes118_55e87d644c383ee9fa9caf50cd9b738b.exe
- Resource: win10v2004-20250217-en
General
- Target: JaffaCakes118_55e87d644c383ee9fa9caf50cd9b738b.exe
- Size: 149KB
- MD5: 55e87d644c383ee9fa9caf50cd9b738b
- SHA1: c6dac2322699a6bbd28fdaf4272535a49939b9d9
- SHA256: 10ef7e6d32e8398b2613989f9e5c978acb60161b1816e2630f5dd3469a9cf2e1
- SHA512: df709e1b5281d3375f8310fe370869a4153f43a3a2041d2f46cb5c8452bbec1a4ffa9048d4dbc859831c982b5e2bb1e67878d9a30d27130611c73f3290bb1e7b
- SSDEEP: 3072:P2T7uCWOhANdpgMxsdSyg4TvtcMk8Lyzb8ckivlu5KgiCbmN:PW7uCWOh4pl2GkGMkSgb8Svlu5KgON
Malware Config
Signatures
Gh0st RAT payload 32 IoCs
resource | yara_rule
behavioral2/files/0x005a000000023c4e-6.dat | family_gh0strat
behavioral2/files/0x0007000000023d44-13.dat | family_gh0strat
behavioral2/files/0x0007000000023d46-16.dat | family_gh0strat
behavioral2/files/0x0007000000023d48-29.dat | family_gh0strat
behavioral2/files/0x0007000000023d4a-38.dat | family_gh0strat
behavioral2/files/0x0007000000023d4c-43.dat | family_gh0strat
behavioral2/files/0x0007000000023d4e-52.dat | family_gh0strat
behavioral2/files/0x0007000000023d50-61.dat | family_gh0strat
behavioral2/files/0x0007000000023d52-69.dat | family_gh0strat
behavioral2/files/0x0007000000023d56-83.dat | family_gh0strat
behavioral2/files/0x0007000000023d58-94.dat | family_gh0strat
behavioral2/files/0x0007000000023d5c-108.dat | family_gh0strat
behavioral2/files/0x0007000000023d60-123.dat | family_gh0strat
behavioral2/files/0x0007000000023d62-134.dat | family_gh0strat
behavioral2/files/0x0007000000023d66-147.dat | family_gh0strat
behavioral2/files/0x0007000000023d69-167.dat | family_gh0strat
behavioral2/files/0x0007000000023d6d-183.dat | family_gh0strat
behavioral2/files/0x0007000000023d70-191.dat | family_gh0strat
behavioral2/files/0x0007000000023d74-204.dat | family_gh0strat
behavioral2/files/0x0007000000023d76-215.dat | family_gh0strat
behavioral2/files/0x0007000000023d7e-247.dat | family_gh0strat
behavioral2/files/0x0007000000023d80-255.dat | family_gh0strat
behavioral2/files/0x0007000000023d7c-239.dat | family_gh0strat
behavioral2/files/0x0007000000023d7a-230.dat | family_gh0strat
behavioral2/files/0x0007000000023d78-223.dat | family_gh0strat
behavioral2/files/0x0007000000023d72-198.dat | family_gh0strat
behavioral2/files/0x0007000000023d6b-175.dat | family_gh0strat
behavioral2/files/0x0008000000023d40-159.dat | family_gh0strat
behavioral2/files/0x0007000000023d64-142.dat | family_gh0strat
behavioral2/files/0x0007000000023d5e-118.dat | family_gh0strat
behavioral2/files/0x0007000000023d5a-102.dat | family_gh0strat
behavioral2/files/0x0007000000023d54-77.dat | family_gh0strat

Gh0strat family
Boot or Logon Autostart Execution: Active Setup 2 TTPs 64 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Every key in this table lives under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\ ; the ioc column gives the component subkey (and, where a value was written, the value name and data) relative to that path. The default-value data "ϵͳÉèÖÃ" is the GBK-encoded string 系统设置 ("System Settings") rendered through the wrong code page; the rows keep the report's rendering so that the value can be matched as recorded.
description | ioc | Process
Key created | {yyoo7aub-d7dk-6r2v-63aa-dgle230y66t0} | Process not Found
Key created | {dgyylamx-fdkp-epdy-naam-einuseawatge} | Process not Found
Set value (str) | {rotsjsxx-dxtv-keqm-kxpk-lvaxprsjmtwb}\stubpath = "C:\\Windows\\System32\\inebnmlco.exe" | Process not Found
Set value (str) | {utvhqvzj-cihj-iptc-dvct-tkbwazwazdvg}\stubpath = "C:\\Windows\\System32\\inortslka.exe" | inhwnltjf.exe
Set value (str) | {habpdjoj-nkmk-fxww-iqnz-ppuavrgajokh}\ = "ϵͳÉèÖÃ" | inpyudmwu.exe
Set value (str) | {6wojqz00-3f40-3b0e-j2j2-u5ao8pe1g91k}\stubpath = "C:\\Windows\\System32\\inoxamzxs.exe" | Process not Found
Set value (str) | {2x13g4uh-65id-l47a-t8o1-0y581f2ufqpg}\stubpath = "C:\\Windows\\System32\\inusvszqz.exe" | Process not Found
Key created | {ilosomvi-ufsq-audw-bewj-jkvldbinpycn} | Process not Found
Key created | {hnjhlivn-ryag-iwgf-zgpa-zkkcjdovpfpv} | Process not Found
Set value (str) | {qsfyxvfc-kuhm-lclz-qhpb-zqymodwjzeft}\stubpath = "C:\\Windows\\System32\\injpfdazr.exe" | Process not Found
Key created | {sqosqsmr-rvna-azsh-nysz-pybqglxfqumq} | insnxovkm.exe
Set value (str) | {gxbzfzst-cips-hxxa-frnc-hqimmcnzjugv}\ = "ϵͳÉèÖÃ" | inpkuzhdr.exe
Key created | {50tm010e-r3fw-m5ea-05bi-4p0tt4a1yq61} | Process not Found
Set value (str) | {7ws6jhpq-stmt-ngzr-esdn-dst8uirgrcou}\ = "ϵͳÉèÖÃ" | Process not Found
Set value (str) | {38oamrt3-j13w-2ft1-v4s1-k1pni8o02p37}\ = "ϵͳÉèÖÃ" | Process not Found
Set value (str) | {9icb60lr-i12l-99d2-moy5-3gs7ee5qeojc}\ = "ϵͳÉèÖÃ" | inqbcmcsv.exe
Set value (str) | {lvrzvrlx-ijpl-bzci-ailv-rcjqmmebqxrh}\ = "ϵͳÉèÖÃ" | Process not Found
Key created | {a4z378ss-3z35-311i-01v3-q8u28gx73yf4} | Process not Found
Set value (str) | {k50yndmj-td9e-rmfn-ia1o-xawj56zy32zk}\ = "ϵͳÉèÖÃ" | Process not Found
Set value (str) | {cfjfyhcl-nas2-9535-pta2-80s342tjsa3k}\ = "ϵͳÉèÖÃ" | Process not Found
Key created | {pdvxfkti-xpnl-nnpj-losy-xqlbpevkvpwq} | incwvxbyn.exe
Key created | {lpvhyuni-myxs-xsmt-jska-xryiuykowgkv} | inhfnbzwf.exe
Key created | {xc8y4033-77bt-56j6-lj6z-d5c15pn049ye} | inyofxrod.exe
Set value (str) | {tt03noaz-6woj-z00v-f40n-b0eij2j28u5a}\ = "ϵͳÉèÖÃ" | Process not Found
Set value (str) | {6aef044q-eg82-64la-c583-zcsg3kg2w5zs}\ = "ϵͳÉèÖÃ" | Process not Found
Set value (str) | {cvigaqbz-vloi-bzcu-oggd-opkrnyrqmjkb}\stubpath = "C:\\Windows\\System32\\inugccoyy.exe" | Process not Found
Key created | {hgkauhqb-plld-apwq-qwpj-nfyyqbbcfpxa} | Process not Found
Key created | {gdikvirt-mstm-nhdd-zivb-aexubkvnculf} | Process not Found
Set value (str) | {m73omci1-0uw6-z0oi-1dx0-j3rg8s0aqi90}\ = "ϵͳÉèÖÃ" | inmawkptn.exe
Key created | {mzndrgxm-rydo-apfk-czpt-pkfbknnflaoh} | inicbilrv.exe
Key created | {sqkrxbnr-hph7-pdeb-dxso-p1ywypvdo1cg} | innvcvbrm.exe
Set value (str) | {vlb5hj1f-jxqx-mmbx-s2fp-e8unjcizr9mh}\stubpath = "C:\\Windows\\System32\\inrfvkmdx.exe" | iniqjgqjr.exe
Set value (str) | {rkatiafp-lexd-uzqy-uqkt-wmthiokmoasz}\stubpath = "C:\\Windows\\System32\\inavgkgkt.exe" | invnvfler.exe
Key created | {z2lmnoho-vbvu-m86x-llno-p2dmbmyjwpsu} | Process not Found
Set value (str) | {eroyuizo-qlgq-wtaq-cffa-lbnjfckxfrss}\ = "ϵͳÉèÖÃ" | Process not Found
Key created | {z5167qie-qded-ux6o-bmkl-ueqroy5edg1u} | Process not Found
Set value (str) | {507t9icb-0lr9-12la-9d2l-oy583gs7ee5q}\ = "ϵͳÉèÖÃ" | inilftocs.exe
Set value (str) | {tfqdbluq-nqgj-mvpp-bbgl-jkfmytmllhew}\stubpath = "C:\\Windows\\System32\\inrrxpbjt.exe" | Process not Found
Key created | {yzpkvcdv-wfxe-smlq-vspn-oyaypfxnrhye} | Process not Found
Key created | {yzofdzrq-fyxv-czku-mrlc-ztqhpbxzqymo} | Process not Found
Key created | {hqn44p13-415a-550d-5ixk-zz2oe0yd2g0q} | Process not Found
Set value (str) | {fotxhwag-hjgn-ambt-rqry-uyyxuxbtebgk}\stubpath = "C:\\Windows\\System32\\insrzztuj.exe" | inzkcszdo.exe
Set value (str) | {osykxqlb-evkv-wqcm-ndiu-lxnrzjnyzdil}\stubpath = "C:\\Windows\\System32\\innnpmjol.exe" | intglbjrf.exe
Key created | {4jj1napr-yzlp-zuli-5hvn-fylamdhdbptk} | Process not Found
Set value (str) | {iskazfys-gwhb-jzlu-jsos-hgcqtrczhwug}\stubpath = "C:\\Windows\\System32\\inoeomhqc.exe" | Process not Found
Set value (str) | {144rotu0-203m-r05s-a7gc-v3xuk52328bn}\ = "ϵͳÉèÖÃ" | Process not Found
Key created | {auhqbipl-dkap-qgqw-jdnf-yqbbcfpxajgl} | Process not Found
Set value (str) | {rjjujpxd-2yxb-d1tb-qn73-xjk1irll2fsq}\stubpath = "C:\\Windows\\System32\\inpdhdshz.exe" | Process not Found
Set value (str) | {gdikvirt-mstm-nhdd-zivb-aexubkvnculf}\stubpath = "C:\\Windows\\System32\\inxeqlcel.exe" | Process not Found
Set value (str) | {zjnyzdil-dnjy-zmfc-qfyd-qqcypkvbvopm}\stubpath = "C:\\Windows\\System32\\inxcfnkrc.exe" | inkdpokcq.exe
Set value (str) | {gpcl09dw-lv12-uwme-apma-q0c20wktighv}\ = "ϵͳÉèÖÃ" | Process not Found
Set value (str) | {eqhuhdcf-3fzk-b5e6-sdrt-34bwi5roulpl}\ = "ϵͳÉèÖÃ" | Process not Found
Set value (str) | {hmrlclzt-hpbx-qymo-wjze-tjtdqyxjseyh}\stubpath = "C:\\Windows\\System32\\inhczkkui.exe" | Process not Found
Key created | {hp9883qh-6jm6-73f7-9g0t-uwqa36vh4k2w} | Process not Found
Key created | {rsew5snu-44a9-2j8r-f4ad-8mn3ya3nmcoe} | Process not Found
Set value (str) | {q4iz90h6-dsxc-h239-n7id-z5d26m5ku84b}\ = "ϵͳÉèÖÃ" | Process not Found
Key created | {lgqrwtaq-cffa-lbnj-ckxf-ssmjdgoixcsp} | Process not Found
Set value (str) | {dlszfnpr-gkzp-ytvd-ukim-bvrdxyojubcu}\stubpath = "C:\\Windows\\System32\\inyvjvvjf.exe" | Process not Found
Set value (str) | {ghmbxvkw-alsh-garc-mlii-wgoaldynvcns}\stubpath = "C:\\Windows\\System32\\injxwexji.exe" | Process not Found
Key created | {kjfabfkz-bjtf-dblu-gnqg-dmvppjbbgllj} | Process not Found
Set value (str) | {m86x3lln-3p2d-bmyj-psuk-soxt8sgab76p}\ = "ϵͳÉèÖÃ" | Process not Found
Set value (str) | {xim0jvoy-7kr6-7x6p-4i0j-0jzxqy71fp6s}\stubpath = "C:\\Windows\\System32\\inoirmiun.exe" | Process not Found
Set value (str) | {nwssitpe-hmyf-bbsc-ruxa-gohjjfmikasb}\stubpath = "C:\\Windows\\System32\\indtnbimn.exe" | Process not Found
Key created | {x8917yoe-f8pp-7p2a-n33k-f7k2f2rx7f50} | Process not Found
Executes dropped EXE 64 IoCs
pid | Process
4760 | insohtodl.exe
412 | inruwvobn.exe
3892 | inatwyxqd.exe
740 | inetlfmxc.exe
4648 | indwztgsi.exe
3220 | inhwoipfi.exe
212 | inbfyviuk.exe
2640 | injyqkarh.exe
1984 | inpleqlxa.exe
2184 | inmtnbdcu.exe
4632 | inogwahsa.exe
4836 | inoavpdfe.exe
1916 | inuqbjvqf.exe
3340 | inrdysgih.exe
2416 | inwsdlxsh.exe
4048 | intfuikjc.exe
1052 | inzvgovkd.exe
4636 | inwixlnmf.exe
4452 | inxiaqxbm.exe
1160 | inykznpoh.exe
4912 | inldtepix.exe
4432 | innqsrkjz.exe
376 | innfvgrkz.exe
2228 | inwmpgfnn.exe
4076 | inbqiycju.exe
1652 | insvxwpco.exe
4520 | invrckwrg.exe
4124 | inbuxzyre.exe
4424 | inyufnzuj.exe
4308 | invhwkmle.exe
4652 | inaexuhtj.exe
412 | inixpjqgj.exe
2000 | incgzwjvl.exe
1060 | inlsmacbt.exe
4180 | inmprqjiy.exe
4172 | inmeufqjy.exe
2616 | inpsutmlb.exe
4476 | injwnoaqy.exe
1984 | inqcxrfhg.exe
876 | indxawycz.exe
4904 | incrjzdkv.exe
1656 | insezthji.exe
4060 | inxtemyti.exe
5096 | infumgnyd.exe
3468 | infhthtec.exe
3556 | inwhpwale.exe
2700 | inxjymong.exe
1396 | inaikwkwh.exe
1804 | inyjbrycn.exe
628 | inkzrlbas.exe
2996 | inigtklnv.exe
3768 | inhwnltjf.exe
4328 | inortslka.exe
728 | ingtvpopk.exe
4524 | inpbwqegf.exe
2376 | inocokdvj.exe
3544 | innlypqcs.exe
4624 | inazpsjiq.exe
1520 | inpfzcyeq.exe
4616 | infdqdofu.exe
4744 | inugvjlkd.exe
4688 | insbquvhx.exe
3076 | ingtgabri.exe
3508 | ineuxonvv.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\inpzchsnz.exe | inmbydanh.exe
File created | C:\Windows\SysWOW64\insulijat.exe | Process not Found
File created | C:\Windows\SysWOW64\inwlfbmdc.exe_lang.ini | Process not Found
File opened for modification | C:\Windows\SysWOW64\inbszhgzv.exe_lang.ini | Process not Found
File created | C:\Windows\SysWOW64\inriowmxh.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\ingdvwqdf.exe_lang.ini | Process not Found
File opened for modification | C:\Windows\SysWOW64\inxcfnkrc.exe_lang.ini | inkdpokcq.exe
File created | C:\Windows\SysWOW64\iniicbjvf.exe_lang.ini | Process not Found
File opened for modification | C:\Windows\SysWOW64\inwbuyfkz.exe_lang.ini | Process not Found
File created | C:\Windows\SysWOW64\inxzaacwh.exe | Process not Found
File created | C:\Windows\SysWOW64\inshagtul.exe_lang.ini | Process not Found
File created | C:\Windows\SysWOW64\inawmdgvh.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\inwrldfbs.exe_lang.ini | Process not Found
File created | C:\Windows\SysWOW64\ineyyaxuz.exe_lang.ini | inkihxsdk.exe
File opened for modification | C:\Windows\SysWOW64\indhodkji.exe_lang.ini | inkptwycw.exe
File opened for modification | C:\Windows\SysWOW64\incvzyajn.exe_lang.ini | Process not Found
File created | C:\Windows\SysWOW64\inyzokcmk.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\inntdsamx.exe_lang.ini | Process not Found
File created | C:\Windows\SysWOW64\inxwfeaor.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\inczldgdn.exe_lang.ini | Process not Found
File created | C:\Windows\SysWOW64\indvjzcoq.exe_lang.ini | inftrnfcc.exe
File created | C:\Windows\SysWOW64\inikshbcv.exe | inupeyqpk.exe
File created | C:\Windows\SysWOW64\innvcvbrm.exe_lang.ini | inodazcuq.exe
File created | C:\Windows\SysWOW64\inyetbegv.exe_lang.ini | inwrucabh.exe
File created | C:\Windows\SysWOW64\inribhzbr.exe | Process not Found
File created | C:\Windows\SysWOW64\incsxvszz.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\inhwvhgrq.exe_lang.ini | Process not Found
File created | C:\Windows\SysWOW64\inutvwllh.exe | inumafjdj.exe
File created | C:\Windows\SysWOW64\indremhvm.exe_lang.ini | inaqxeylh.exe
File created | C:\Windows\SysWOW64\inouyugyj.exe_lang.ini | Process not Found
File created | C:\Windows\SysWOW64\inryxksnp.exe | Process not Found
File created | C:\Windows\SysWOW64\inhswkhhs.exe | Process not Found
File created | C:\Windows\SysWOW64\iniuqnvtl.exe | Process not Found
File created | C:\Windows\SysWOW64\inkldbtjw.exe_lang.ini | Process not Found
File opened for modification | C:\Windows\SysWOW64\inbqhxdxk.exe_lang.ini | Process not Found
File created | C:\Windows\SysWOW64\inpvfzxlr.exe_lang.ini | Process not Found
File created | C:\Windows\SysWOW64\inykcncum.exe_lang.ini | Process not Found
File created | C:\Windows\SysWOW64\inebdvara.exe_lang.ini | indwezqep.exe
File created | C:\Windows\SysWOW64\inncqcfob.exe_lang.ini | Process not Found
File opened for modification | C:\Windows\SysWOW64\infycqpdr.exe_lang.ini | Process not Found
File created | C:\Windows\SysWOW64\innwfcplb.exe_lang.ini | incibocxs.exe
File created | C:\Windows\SysWOW64\inonaijhp.exe | Process not Found
File created | C:\Windows\SysWOW64\inouakffm.exe | Process not Found
File created | C:\Windows\SysWOW64\inqskfeci.exe_lang.ini | Process not Found
File created | C:\Windows\SysWOW64\insgywmcd.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\inwfmjhbr.exe_lang.ini | Process not Found
File opened for modification | C:\Windows\SysWOW64\innjrlbrs.exe_lang.ini | inbsbjtei.exe
File created | C:\Windows\SysWOW64\inqjvuqid.exe_lang.ini | innvrumqh.exe
File created | C:\Windows\SysWOW64\inmdzgilx.exe | Process not Found
File created | C:\Windows\SysWOW64\inetkcgnz.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\inzwrgbpl.exe_lang.ini | Process not Found
File created | C:\Windows\SysWOW64\intsvzgpj.exe | Process not Found
File created | C:\Windows\SysWOW64\inrgmuxay.exe_lang.ini | Process not Found
File created | C:\Windows\SysWOW64\ingjtvrnk.exe_lang.ini | Process not Found
File created | C:\Windows\SysWOW64\inyorihpp.exe | infvqbbup.exe
File created | C:\Windows\SysWOW64\inzjrnqyi.exe | inbqzdbaf.exe
File created | C:\Windows\SysWOW64\injavkrnv.exe | insyvvnkf.exe
File created | C:\Windows\SysWOW64\inucqrdpv.exe_lang.ini | Process not Found
File opened for modification | C:\Windows\SysWOW64\inqhlijas.exe_lang.ini | Process not Found
File created | C:\Windows\SysWOW64\inaqwbzhv.exe_lang.ini | Process not Found
File created | C:\Windows\SysWOW64\injujuigy.exe_lang.ini | Process not Found
File opened for modification | C:\Windows\SysWOW64\infrkxeug.exe_lang.ini | Process not Found
File created | C:\Windows\SysWOW64\iniqzgcyz.exe | inlvjosms.exe
File created | C:\Windows\SysWOW64\insnyjjgx.exe_lang.ini | inhxamofz.exe
YARA rule matches: upx 64 IoCs
resource | yara_rule
behavioral2/memory/2936-0-0x0000000000400000-0x0000000000416000-memory.dmp | upx
behavioral2/files/0x005a000000023c4e-6.dat | upx
behavioral2/memory/2936-8-0x0000000000400000-0x0000000000416000-memory.dmp | upx
behavioral2/files/0x0007000000023d44-13.dat | upx
behavioral2/memory/4760-14-0x0000000000400000-0x0000000000416000-memory.dmp | upx
behavioral2/files/0x0007000000023d46-16.dat | upx
behavioral2/memory/412-22-0x0000000000400000-0x0000000000416000-memory.dmp | upx
behavioral2/memory/3892-30-0x0000000000400000-0x0000000000416000-memory.dmp | upx
behavioral2/files/0x0007000000023d48-29.dat | upx
behavioral2/files/0x0007000000023d4a-38.dat | upx
behavioral2/memory/740-37-0x0000000000400000-0x0000000000416000-memory.dmp | upx
behavioral2/memory/4648-45-0x0000000000400000-0x0000000000416000-memory.dmp | upx
behavioral2/files/0x0007000000023d4c-43.dat | upx
behavioral2/memory/3220-54-0x0000000000400000-0x0000000000416000-memory.dmp | upx
behavioral2/files/0x0007000000023d4e-52.dat | upx
behavioral2/memory/212-62-0x0000000000400000-0x0000000000416000-memory.dmp | upx
behavioral2/files/0x0007000000023d50-61.dat | upx
behavioral2/files/0x0007000000023d52-69.dat | upx
behavioral2/memory/2640-70-0x0000000000400000-0x0000000000416000-memory.dmp | upx
behavioral2/memory/1984-78-0x0000000000400000-0x0000000000416000-memory.dmp | upx
behavioral2/files/0x0007000000023d56-83.dat | upx
behavioral2/memory/2184-85-0x0000000000400000-0x0000000000416000-memory.dmp | upx
behavioral2/files/0x0007000000023d58-94.dat | upx
behavioral2/memory/4632-93-0x0000000000400000-0x0000000000416000-memory.dmp | upx
behavioral2/memory/1916-110-0x0000000000400000-0x0000000000416000-memory.dmp | upx
behavioral2/files/0x0007000000023d5c-108.dat | upx
behavioral2/files/0x0007000000023d60-123.dat | upx
behavioral2/files/0x0007000000023d62-134.dat | upx
behavioral2/memory/4048-133-0x0000000000400000-0x0000000000416000-memory.dmp | upx
behavioral2/files/0x0007000000023d66-147.dat | upx
behavioral2/memory/4452-158-0x0000000000400000-0x0000000000416000-memory.dmp | upx
behavioral2/files/0x0007000000023d69-167.dat | upx
behavioral2/memory/1160-166-0x0000000000400000-0x0000000000416000-memory.dmp | upx
behavioral2/memory/4432-182-0x0000000000400000-0x0000000000416000-memory.dmp | upx
behavioral2/files/0x0007000000023d6d-183.dat | upx
behavioral2/files/0x0007000000023d70-191.dat | upx
behavioral2/files/0x0007000000023d74-204.dat | upx
behavioral2/files/0x0007000000023d76-215.dat | upx
behavioral2/memory/1652-214-0x0000000000400000-0x0000000000416000-memory.dmp | upx
behavioral2/memory/4124-231-0x0000000000400000-0x0000000000416000-memory.dmp | upx
behavioral2/memory/4308-246-0x0000000000400000-0x0000000000416000-memory.dmp | upx
behavioral2/files/0x0007000000023d7e-247.dat | upx
behavioral2/memory/412-260-0x0000000000400000-0x0000000000416000-memory.dmp | upx
behavioral2/memory/4172-285-0x0000000000400000-0x0000000000416000-memory.dmp | upx
behavioral2/memory/4476-296-0x0000000000400000-0x0000000000416000-memory.dmp | upx
behavioral2/memory/1984-302-0x0000000000400000-0x0000000000416000-memory.dmp | upx
behavioral2/memory/4904-314-0x0000000000400000-0x0000000000416000-memory.dmp | upx
behavioral2/memory/4060-326-0x0000000000400000-0x0000000000416000-memory.dmp | upx
behavioral2/memory/2700-349-0x0000000000400000-0x0000000000416000-memory.dmp | upx
behavioral2/memory/1804-360-0x0000000000400000-0x0000000000416000-memory.dmp | upx
behavioral2/memory/2996-371-0x0000000000400000-0x0000000000416000-memory.dmp | upx
behavioral2/memory/4328-383-0x0000000000400000-0x0000000000416000-memory.dmp | upx
behavioral2/memory/4616-423-0x0000000000400000-0x0000000000416000-memory.dmp | upx
behavioral2/memory/4688-435-0x0000000000400000-0x0000000000416000-memory.dmp | upx
behavioral2/memory/3076-441-0x0000000000400000-0x0000000000416000-memory.dmp | upx
behavioral2/memory/3584-475-0x0000000000400000-0x0000000000416000-memory.dmp | upx
behavioral2/memory/1968-487-0x0000000000400000-0x0000000000416000-memory.dmp | upx
behavioral2/memory/4832-481-0x0000000000400000-0x0000000000416000-memory.dmp | upx
behavioral2/memory/2952-493-0x0000000000400000-0x0000000000416000-memory.dmp | upx
behavioral2/memory/4512-513-0x0000000000400000-0x0000000000416000-memory.dmp | upx
behavioral2/memory/3068-525-0x0000000000400000-0x0000000000416000-memory.dmp | upx
behavioral2/memory/1916-531-0x0000000000400000-0x0000000000416000-memory.dmp | upx
behavioral2/memory/4044-537-0x0000000000400000-0x0000000000416000-memory.dmp | upx
behavioral2/memory/4596-519-0x0000000000400000-0x0000000000416000-memory.dmp | upx
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
All 64 rows record the same operation: Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language. The process column names a dropped executable in 17 rows, in this order: inorbpnrr.exe, inqdhyock.exe, inpdraxym.exe, inzbfsfjq.exe, inovtknpq.exe, iniszaxor.exe, inertnmni.exe, innxkgbub.exe, inpfvwyie.exe, inzrqlnxa.exe, inxmeiauv.exe, innwfcplb.exe, ingvigfak.exe, inaulrodd.exe, inbrumuek.exe, insnyjjgx.exe, infacmfam.exe. The remaining 47 rows are attributed to "Process not Found".
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process (each pid/process pair appears twice in the original table, 64 rows in total)
2936 | JaffaCakes118_55e87d644c383ee9fa9caf50cd9b738b.exe
4760 | insohtodl.exe
412 | inruwvobn.exe
3892 | inatwyxqd.exe
740 | inetlfmxc.exe
4648 | indwztgsi.exe
3220 | inhwoipfi.exe
212 | inbfyviuk.exe
2640 | injyqkarh.exe
1984 | inpleqlxa.exe
2184 | inmtnbdcu.exe
4632 | inogwahsa.exe
4836 | inoavpdfe.exe
1916 | inuqbjvqf.exe
3340 | inrdysgih.exe
2416 | inwsdlxsh.exe
4048 | intfuikjc.exe
1052 | inzvgovkd.exe
4636 | inwixlnmf.exe
4452 | inxiaqxbm.exe
1160 | inykznpoh.exe
4912 | inldtepix.exe
4432 | innqsrkjz.exe
376 | innfvgrkz.exe
2228 | inwmpgfnn.exe
4076 | inbqiycju.exe
1652 | insvxwpco.exe
4520 | invrckwrg.exe
4124 | inbuxzyre.exe
4424 | inyufnzuj.exe
4308 | invhwkmle.exe
4652 | inaexuhtj.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2936 | JaffaCakes118_55e87d644c383ee9fa9caf50cd9b738b.exe
Token: SeDebugPrivilege | 4760 | insohtodl.exe
Token: SeDebugPrivilege | 412 | inruwvobn.exe
Token: SeDebugPrivilege | 3892 | inatwyxqd.exe
Token: SeDebugPrivilege | 740 | inetlfmxc.exe
Token: SeDebugPrivilege | 4648 | indwztgsi.exe
Token: SeDebugPrivilege | 3220 | inhwoipfi.exe
Token: SeDebugPrivilege | 212 | inbfyviuk.exe
Token: SeDebugPrivilege | 2640 | injyqkarh.exe
Token: SeDebugPrivilege | 1984 | inpleqlxa.exe
Token: SeDebugPrivilege | 2184 | inmtnbdcu.exe
Token: SeDebugPrivilege | 4632 | inogwahsa.exe
Token: SeDebugPrivilege | 4836 | inoavpdfe.exe
Token: SeDebugPrivilege | 1916 | inuqbjvqf.exe
Token: SeDebugPrivilege | 3340 | inrdysgih.exe
Token: SeDebugPrivilege | 2416 | inwsdlxsh.exe
Token: SeDebugPrivilege | 4048 | intfuikjc.exe
Token: SeDebugPrivilege | 1052 | inzvgovkd.exe
Token: SeDebugPrivilege | 4636 | inwixlnmf.exe
Token: SeDebugPrivilege | 4452 | inxiaqxbm.exe
Token: SeDebugPrivilege | 1160 | inykznpoh.exe
Token: SeDebugPrivilege | 4912 | inldtepix.exe
Token: SeDebugPrivilege | 4432 | innqsrkjz.exe
Token: SeDebugPrivilege | 376 | innfvgrkz.exe
Token: SeDebugPrivilege | 2228 | inwmpgfnn.exe
Token: SeDebugPrivilege | 4076 | inbqiycju.exe
Token: SeDebugPrivilege | 1652 | insvxwpco.exe
Token: SeDebugPrivilege | 4520 | invrckwrg.exe
Token: SeDebugPrivilege | 4124 | inbuxzyre.exe
Token: SeDebugPrivilege | 4424 | inyufnzuj.exe
Token: SeDebugPrivilege | 4308 | invhwkmle.exe
Token: SeDebugPrivilege | 4652 | inaexuhtj.exe
Token: SeDebugPrivilege | 412 | inixpjqgj.exe
Token: SeDebugPrivilege | 2000 | incgzwjvl.exe
Token: SeDebugPrivilege | 1060 | inlsmacbt.exe
Token: SeDebugPrivilege | 4180 | inmprqjiy.exe
Token: SeDebugPrivilege | 4172 | inmeufqjy.exe
Token: SeDebugPrivilege | 2616 | inpsutmlb.exe
Token: SeDebugPrivilege | 4476 | injwnoaqy.exe
Token: SeDebugPrivilege | 1984 | inqcxrfhg.exe
Token: SeDebugPrivilege | 876 | indxawycz.exe
Token: SeDebugPrivilege | 4904 | incrjzdkv.exe
Token: SeDebugPrivilege | 1656 | insezthji.exe
Token: SeDebugPrivilege | 4060 | inxtemyti.exe
Token: SeDebugPrivilege | 5096 | infumgnyd.exe
Token: SeDebugPrivilege | 3468 | infhthtec.exe
Token: SeDebugPrivilege | 3556 | inwhpwale.exe
Token: SeDebugPrivilege | 2700 | inxjymong.exe
Token: SeDebugPrivilege | 1396 | inaikwkwh.exe
Token: SeDebugPrivilege | 1804 | inyjbrycn.exe
Token: SeDebugPrivilege | 628 | inkzrlbas.exe
Token: SeDebugPrivilege | 2996 | inigtklnv.exe
Token: SeDebugPrivilege | 3768 | inhwnltjf.exe
Token: SeDebugPrivilege | 4328 | inortslka.exe
Token: SeDebugPrivilege | 728 | ingtvpopk.exe
Token: SeDebugPrivilege | 4524 | inpbwqegf.exe
Token: SeDebugPrivilege | 2376 | inocokdvj.exe
Token: SeDebugPrivilege | 3544 | innlypqcs.exe
Token: SeDebugPrivilege | 4624 | inazpsjiq.exe
Token: SeDebugPrivilege | 1520 | inpfzcyeq.exe
Token: SeDebugPrivilege | 4616 | infdqdofu.exe
Token: SeDebugPrivilege | 4744 | inugvjlkd.exe
Token: SeDebugPrivilege | 4688 | insbquvhx.exe
Token: SeDebugPrivilege | 3076 | ingtgabri.exe
Suspicious use of WriteProcessMemory 64 IoCs
Each row is one parent-to-child hop; the events column gives how many WriteProcessMemory calls the report lists for that hop. Total: 64 events (the table is capped at 64 entries, so the last hop is shown with a single write).

pid   wrote to memory of   Process                                              procid_target   events
2936  4760                 JaffaCakes118_55e87d644c383ee9fa9caf50cd9b738b.exe  84              3
4760  412                  insohtodl.exe                                        118             3
412   3892                 inruwvobn.exe                                        86              3
3892  740                  inatwyxqd.exe                                        87              3
740   4648                 inetlfmxc.exe                                        88              3
4648  3220                 indwztgsi.exe                                        89              3
3220  212                  inhwoipfi.exe                                        90              3
212   2640                 inbfyviuk.exe                                        91              3
2640  1984                 injyqkarh.exe                                        125             3
1984  2184                 inpleqlxa.exe                                        94              3
2184  4632                 inmtnbdcu.exe                                        95              3
4632  4836                 inogwahsa.exe                                        96              3
4836  1916                 inoavpdfe.exe                                        97              3
1916  3340                 inuqbjvqf.exe                                        99              3
3340  2416                 inrdysgih.exe                                        100             3
2416  4048                 inwsdlxsh.exe                                        101             3
4048  1052                 intfuikjc.exe                                        103             3
1052  4636                 inzvgovkd.exe                                        104             3
4636  4452                 inwixlnmf.exe                                        105             3
4452  1160                 inxiaqxbm.exe                                        106             3
1160  4912                 inykznpoh.exe                                        107             3
4912  4432                 inldtepix.exe                                        108             1
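The two IoC lists above are what a responder actually gets from a report like this: one run-on line of "PID X wrote to memory of Y ..." records and one of "Token: SeDebugPrivilege ..." records. The Python below is an added example, not part of the sandbox report or of any tool it names. It parses that text shape, follows the parent-to-child edges from the initial PID to rebuild the chain, counts writes per hop, and checks two things this report makes visible: every stage in the chain also appears in the SeDebugPrivilege list, and every dropped stage name follows the same scheme. The record grammar and the `in[a-z]{7}\.exe` name pattern are inferred from the report text and are assumptions; the inputs are constructed excerpts copied from the first four hops. The cycle guard matters because the full tree reuses PIDs (412, 1984 and 3556 each appear more than once), so following edges naively could loop.

```python
"""Reconstruct the injection chain from a flattened sandbox IoC dump.

Added example, not part of the sandbox report. The record grammar
("PID <src> wrote to memory of <dst> <src> <image> <target>" and
"Token: <privilege> <pid> <image>") is inferred from how the report prints
its IoC tables and is an assumption; the inputs are constructed excerpts.
"""
import re
from collections import Counter, defaultdict

# Constructed excerpt of the report's WriteProcessMemory list: the first four
# hops, each event repeated once per WriteProcessMemory call, as the page prints it.
WPM_TEXT = (
    "PID 2936 wrote to memory of 4760 2936 JaffaCakes118_55e87d644c383ee9fa9caf50cd9b738b.exe 84 "
    "PID 2936 wrote to memory of 4760 2936 JaffaCakes118_55e87d644c383ee9fa9caf50cd9b738b.exe 84 "
    "PID 2936 wrote to memory of 4760 2936 JaffaCakes118_55e87d644c383ee9fa9caf50cd9b738b.exe 84 "
    "PID 4760 wrote to memory of 412 4760 insohtodl.exe 118 "
    "PID 4760 wrote to memory of 412 4760 insohtodl.exe 118 "
    "PID 4760 wrote to memory of 412 4760 insohtodl.exe 118 "
    "PID 412 wrote to memory of 3892 412 inruwvobn.exe 86 "
    "PID 412 wrote to memory of 3892 412 inruwvobn.exe 86 "
    "PID 412 wrote to memory of 3892 412 inruwvobn.exe 86 "
    "PID 3892 wrote to memory of 740 3892 inatwyxqd.exe 87 "
    "PID 3892 wrote to memory of 740 3892 inatwyxqd.exe 87 "
    "PID 3892 wrote to memory of 740 3892 inatwyxqd.exe 87"
)

# Constructed excerpt of the report's AdjustPrivilegeToken list for the same PIDs.
TOKEN_TEXT = (
    "Token: SeDebugPrivilege 2936 JaffaCakes118_55e87d644c383ee9fa9caf50cd9b738b.exe "
    "Token: SeDebugPrivilege 4760 insohtodl.exe Token: SeDebugPrivilege 412 inruwvobn.exe "
    "Token: SeDebugPrivilege 3892 inatwyxqd.exe Token: SeDebugPrivilege 740 inetlfmxc.exe"
)

# The source PID is printed twice per record; the back-reference enforces that.
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")
TOKEN_RE = re.compile(r"Token: (Se\w+Privilege) (\d+) (\S+)")
# Naming scheme of the dropped stages in this report (assumption drawn from the tree).
DROPPED_NAME_RE = re.compile(r"^in[a-z]{7}\.exe$")


def parse_wpm(text):
    """Return (src_pid, dst_pid, src_image, procid_target) tuples, one per event."""
    return [(int(s), int(d), img, int(t)) for s, d, img, t in WPM_RE.findall(text)]


def parse_tokens(text):
    """Return {pid: (privilege, image)} for every AdjustPrivilegeToken record."""
    return {int(pid): (priv, img) for priv, pid, img in TOKEN_RE.findall(text)}


def build_chain(events, root):
    """Follow src -> dst edges from root; stop at a leaf, a fork or a repeated PID."""
    children = defaultdict(set)
    for src, dst, _, _ in events:
        children[src].add(dst)
    chain, seen = [root], {root}
    while len(children[chain[-1]]) == 1:
        nxt = next(iter(children[chain[-1]]))
        if nxt in seen:  # PID reuse would otherwise turn the walk into a loop
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def write_counts(events):
    """Number of WriteProcessMemory calls per (parent, child) pair."""
    return Counter((s, d) for s, d, _, _ in events)


def summarize(wpm_text, token_text, root):
    """Chain, hop count, distinct writes-per-hop, naming check and privilege overlap."""
    events = parse_wpm(wpm_text)
    tokens = parse_tokens(token_text)
    chain = build_chain(events, root)
    images = {pid: img for pid, (_, img) in tokens.items()}
    images.update({src: img for src, _, img, _ in events})
    return {
        "chain": chain,
        "hops": len(chain) - 1,
        "writes_per_hop": sorted(set(write_counts(events).values())),
        "stages_match_scheme": all(DROPPED_NAME_RE.match(images.get(p, "")) for p in chain[1:]),
        "debug_priv_in_chain": [p for p in chain if tokens.get(p, ("", ""))[0] == "SeDebugPrivilege"],
    }


if __name__ == "__main__":
    for key, value in summarize(WPM_TEXT, TOKEN_TEXT, 2936).items():
        print(f"{key}: {value}")
```

Run against the full report text the same way: paste each IoC block into the two strings, pass the initial PID (2936 here) as the root, and read the chain and the `debug_priv_in_chain` overlap; a stage missing from the overlap, or a hop with a different write count, is the one to look at first.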
Processes
-
Each entry gives the chain depth, the image path the sandbox recorded, the command line as executed and the PID, followed by the signatures that fired for that process. The tree is a single linear chain: every stage launches the next. Image paths are under C:\Windows\SysWOW64 although the command lines name C:\Windows\System32: the dropped stages are 32-bit binaries, so WOW64 file system redirection maps their System32 references to SysWOW64.

1  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55e87d644c383ee9fa9caf50cd9b738b.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55e87d644c383ee9fa9caf50cd9b738b.exe")  PID 2936
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
2  C:\Windows\SysWOW64\insohtodl.exe  (cmdline: C:\Windows\System32\insohtodl.exe)  PID 4760
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
3  C:\Windows\SysWOW64\inruwvobn.exe  (cmdline: C:\Windows\System32\inruwvobn.exe)  PID 412
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
4  C:\Windows\SysWOW64\inatwyxqd.exe  (cmdline: C:\Windows\System32\inatwyxqd.exe)  PID 3892
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
5  C:\Windows\SysWOW64\inetlfmxc.exe  (cmdline: C:\Windows\System32\inetlfmxc.exe)  PID 740
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
6  C:\Windows\SysWOW64\indwztgsi.exe  (cmdline: C:\Windows\System32\indwztgsi.exe)  PID 4648
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
7  C:\Windows\SysWOW64\inhwoipfi.exe  (cmdline: C:\Windows\System32\inhwoipfi.exe)  PID 3220
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
8  C:\Windows\SysWOW64\inbfyviuk.exe  (cmdline: C:\Windows\System32\inbfyviuk.exe)  PID 212
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
9  C:\Windows\SysWOW64\injyqkarh.exe  (cmdline: C:\Windows\System32\injyqkarh.exe)  PID 2640
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
10  C:\Windows\SysWOW64\inpleqlxa.exe  (cmdline: C:\Windows\System32\inpleqlxa.exe)  PID 1984
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
11  C:\Windows\SysWOW64\inmtnbdcu.exe  (cmdline: C:\Windows\System32\inmtnbdcu.exe)  PID 2184
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
12  C:\Windows\SysWOW64\inogwahsa.exe  (cmdline: C:\Windows\System32\inogwahsa.exe)  PID 4632
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
13  C:\Windows\SysWOW64\inoavpdfe.exe  (cmdline: C:\Windows\System32\inoavpdfe.exe)  PID 4836
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
14  C:\Windows\SysWOW64\inuqbjvqf.exe  (cmdline: C:\Windows\System32\inuqbjvqf.exe)  PID 1916
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
15  C:\Windows\SysWOW64\inrdysgih.exe  (cmdline: C:\Windows\System32\inrdysgih.exe)  PID 3340
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
16  C:\Windows\SysWOW64\inwsdlxsh.exe  (cmdline: C:\Windows\System32\inwsdlxsh.exe)  PID 2416
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
17  C:\Windows\SysWOW64\intfuikjc.exe  (cmdline: C:\Windows\System32\intfuikjc.exe)  PID 4048
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
18  C:\Windows\SysWOW64\inzvgovkd.exe  (cmdline: C:\Windows\System32\inzvgovkd.exe)  PID 1052
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
19  C:\Windows\SysWOW64\inwixlnmf.exe  (cmdline: C:\Windows\System32\inwixlnmf.exe)  PID 4636
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
20  C:\Windows\SysWOW64\inxiaqxbm.exe  (cmdline: C:\Windows\System32\inxiaqxbm.exe)  PID 4452
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
21  C:\Windows\SysWOW64\inykznpoh.exe  (cmdline: C:\Windows\System32\inykznpoh.exe)  PID 1160
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
22  C:\Windows\SysWOW64\inldtepix.exe  (cmdline: C:\Windows\System32\inldtepix.exe)  PID 4912
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
23  C:\Windows\SysWOW64\innqsrkjz.exe  (cmdline: C:\Windows\System32\innqsrkjz.exe)  PID 4432
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
24  C:\Windows\SysWOW64\innfvgrkz.exe  (cmdline: C:\Windows\System32\innfvgrkz.exe)  PID 376
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
25  C:\Windows\SysWOW64\inwmpgfnn.exe  (cmdline: C:\Windows\System32\inwmpgfnn.exe)  PID 2228
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
26  C:\Windows\SysWOW64\inbqiycju.exe  (cmdline: C:\Windows\System32\inbqiycju.exe)  PID 4076
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
27  C:\Windows\SysWOW64\insvxwpco.exe  (cmdline: C:\Windows\System32\insvxwpco.exe)  PID 1652
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
28  C:\Windows\SysWOW64\invrckwrg.exe  (cmdline: C:\Windows\System32\invrckwrg.exe)  PID 4520
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
29  C:\Windows\SysWOW64\inbuxzyre.exe  (cmdline: C:\Windows\System32\inbuxzyre.exe)  PID 4124
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
30  C:\Windows\SysWOW64\inyufnzuj.exe  (cmdline: C:\Windows\System32\inyufnzuj.exe)  PID 4424
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
31  C:\Windows\SysWOW64\invhwkmle.exe  (cmdline: C:\Windows\System32\invhwkmle.exe)  PID 4308
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
32  C:\Windows\SysWOW64\inaexuhtj.exe  (cmdline: C:\Windows\System32\inaexuhtj.exe)  PID 4652
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
33  C:\Windows\SysWOW64\inixpjqgj.exe  (cmdline: C:\Windows\System32\inixpjqgj.exe)  PID 412
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
34  C:\Windows\SysWOW64\incgzwjvl.exe  (cmdline: C:\Windows\System32\incgzwjvl.exe)  PID 2000
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
35  C:\Windows\SysWOW64\inlsmacbt.exe  (cmdline: C:\Windows\System32\inlsmacbt.exe)  PID 1060
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
36  C:\Windows\SysWOW64\inmprqjiy.exe  (cmdline: C:\Windows\System32\inmprqjiy.exe)  PID 4180
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
37  C:\Windows\SysWOW64\inmeufqjy.exe  (cmdline: C:\Windows\System32\inmeufqjy.exe)  PID 4172
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
38  C:\Windows\SysWOW64\inpsutmlb.exe  (cmdline: C:\Windows\System32\inpsutmlb.exe)  PID 2616
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
39  C:\Windows\SysWOW64\injwnoaqy.exe  (cmdline: C:\Windows\System32\injwnoaqy.exe)  PID 4476
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
40  C:\Windows\SysWOW64\inqcxrfhg.exe  (cmdline: C:\Windows\System32\inqcxrfhg.exe)  PID 1984
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
41  C:\Windows\SysWOW64\indxawycz.exe  (cmdline: C:\Windows\System32\indxawycz.exe)  PID 876
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
42  C:\Windows\SysWOW64\incrjzdkv.exe  (cmdline: C:\Windows\System32\incrjzdkv.exe)  PID 4904
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
43  C:\Windows\SysWOW64\insezthji.exe  (cmdline: C:\Windows\System32\insezthji.exe)  PID 1656
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
44  C:\Windows\SysWOW64\inxtemyti.exe  (cmdline: C:\Windows\System32\inxtemyti.exe)  PID 4060
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
45  C:\Windows\SysWOW64\infumgnyd.exe  (cmdline: C:\Windows\System32\infumgnyd.exe)  PID 5096
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
46  C:\Windows\SysWOW64\infhthtec.exe  (cmdline: C:\Windows\System32\infhthtec.exe)  PID 3468
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
47  C:\Windows\SysWOW64\inwhpwale.exe  (cmdline: C:\Windows\System32\inwhpwale.exe)  PID 3556
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
48  C:\Windows\SysWOW64\inxjymong.exe  (cmdline: C:\Windows\System32\inxjymong.exe)  PID 2700
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
49  C:\Windows\SysWOW64\inaikwkwh.exe  (cmdline: C:\Windows\System32\inaikwkwh.exe)  PID 1396
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
50  C:\Windows\SysWOW64\inyjbrycn.exe  (cmdline: C:\Windows\System32\inyjbrycn.exe)  PID 1804
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
51  C:\Windows\SysWOW64\inkzrlbas.exe  (cmdline: C:\Windows\System32\inkzrlbas.exe)  PID 628
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
52  C:\Windows\SysWOW64\inigtklnv.exe  (cmdline: C:\Windows\System32\inigtklnv.exe)  PID 2996
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
53  C:\Windows\SysWOW64\inhwnltjf.exe  (cmdline: C:\Windows\System32\inhwnltjf.exe)  PID 3768
   - Boot or Logon Autostart Execution: Active Setup
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
54  C:\Windows\SysWOW64\inortslka.exe  (cmdline: C:\Windows\System32\inortslka.exe)  PID 4328
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
55  C:\Windows\SysWOW64\ingtvpopk.exe  (cmdline: C:\Windows\System32\ingtvpopk.exe)  PID 728
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
56  C:\Windows\SysWOW64\inpbwqegf.exe  (cmdline: C:\Windows\System32\inpbwqegf.exe)  PID 4524
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
57  C:\Windows\SysWOW64\inocokdvj.exe  (cmdline: C:\Windows\System32\inocokdvj.exe)  PID 2376
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
58  C:\Windows\SysWOW64\innlypqcs.exe  (cmdline: C:\Windows\System32\innlypqcs.exe)  PID 3544
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
59  C:\Windows\SysWOW64\inazpsjiq.exe  (cmdline: C:\Windows\System32\inazpsjiq.exe)  PID 4624
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
60  C:\Windows\SysWOW64\inpfzcyeq.exe  (cmdline: C:\Windows\System32\inpfzcyeq.exe)  PID 1520
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
61  C:\Windows\SysWOW64\infdqdofu.exe  (cmdline: C:\Windows\System32\infdqdofu.exe)  PID 4616
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
62  C:\Windows\SysWOW64\inugvjlkd.exe  (cmdline: C:\Windows\System32\inugvjlkd.exe)  PID 4744
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
63  C:\Windows\SysWOW64\insbquvhx.exe  (cmdline: C:\Windows\System32\insbquvhx.exe)  PID 4688
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
64  C:\Windows\SysWOW64\ingtgabri.exe  (cmdline: C:\Windows\System32\ingtgabri.exe)  PID 3076
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
65  C:\Windows\SysWOW64\ineuxonvv.exe  (cmdline: C:\Windows\System32\ineuxonvv.exe)  PID 3508
   - Executes dropped EXE
66  C:\Windows\SysWOW64\ingvetxyk.exe  (cmdline: C:\Windows\System32\ingvetxyk.exe)  PID 1056
67  C:\Windows\SysWOW64\inkbaivic.exe  (cmdline: C:\Windows\System32\inkbaivic.exe)  PID 3928
68  C:\Windows\SysWOW64\inzloqpih.exe  (cmdline: C:\Windows\System32\inzloqpih.exe)  PID 1304
69  C:\Windows\SysWOW64\ingvzmksi.exe  (cmdline: C:\Windows\System32\ingvzmksi.exe)  PID 3412
70  C:\Windows\SysWOW64\inknedlyl.exe  (cmdline: C:\Windows\System32\inknedlyl.exe)  PID 3584
71  C:\Windows\SysWOW64\intsuvkkg.exe  (cmdline: C:\Windows\System32\intsuvkkg.exe)  PID 4832
72  C:\Windows\SysWOW64\inrngsnzc.exe  (cmdline: C:\Windows\System32\inrngsnzc.exe)  PID 1968
73  C:\Windows\SysWOW64\inhiypoew.exe  (cmdline: C:\Windows\System32\inhiypoew.exe)  PID 2952
74  C:\Windows\SysWOW64\inqtvunam.exe  (cmdline: C:\Windows\System32\inqtvunam.exe)  PID 4880
75  C:\Windows\SysWOW64\inaivxrqr.exe  (cmdline: C:\Windows\System32\inaivxrqr.exe)  PID 4508
76  C:\Windows\SysWOW64\incanalcr.exe  (cmdline: C:\Windows\System32\incanalcr.exe)  PID 4512
77  C:\Windows\SysWOW64\inqklaasr.exe  (cmdline: C:\Windows\System32\inqklaasr.exe)  PID 4596
78  C:\Windows\SysWOW64\inapnrseu.exe  (cmdline: C:\Windows\System32\inapnrseu.exe)  PID 3068
79  C:\Windows\SysWOW64\infnwdvwr.exe  (cmdline: C:\Windows\System32\infnwdvwr.exe)  PID 1916
80  C:\Windows\SysWOW64\ingvnhoze.exe  (cmdline: C:\Windows\System32\ingvnhoze.exe)  PID 4044
81  C:\Windows\SysWOW64\inpqffxwb.exe  (cmdline: C:\Windows\System32\inpqffxwb.exe)  PID 2172
82  C:\Windows\SysWOW64\infudswxj.exe  (cmdline: C:\Windows\System32\infudswxj.exe)  PID 3556
83  C:\Windows\SysWOW64\ingwzqpxx.exe  (cmdline: C:\Windows\System32\ingwzqpxx.exe)  PID 744
84  C:\Windows\SysWOW64\inewrcnnk.exe  (cmdline: C:\Windows\System32\inewrcnnk.exe)  PID 4948
85  C:\Windows\SysWOW64\inrfpuysy.exe  (cmdline: C:\Windows\System32\inrfpuysy.exe)  PID 1912
86  C:\Windows\SysWOW64\inixomukg.exe  (cmdline: C:\Windows\System32\inixomukg.exe)  PID 3416
87  C:\Windows\SysWOW64\invuwaxma.exe  (cmdline: C:\Windows\System32\invuwaxma.exe)  PID 2440
88  C:\Windows\SysWOW64\inbpxnjbw.exe  (cmdline: C:\Windows\System32\inbpxnjbw.exe)  PID 3024
89  C:\Windows\SysWOW64\ineybxzdp.exe  (cmdline: C:\Windows\System32\ineybxzdp.exe)  PID 3404
90  C:\Windows\SysWOW64\indskelwb.exe  (cmdline: C:\Windows\System32\indskelwb.exe)  PID 376
91  C:\Windows\SysWOW64\inbrulkss.exe  (cmdline: C:\Windows\System32\inbrulkss.exe)  PID 756
92  C:\Windows\SysWOW64\incraptug.exe  (cmdline: C:\Windows\System32\incraptug.exe)  PID 4176
93  C:\Windows\SysWOW64\inhfsfaqh.exe  (cmdline: C:\Windows\System32\inhfsfaqh.exe)  PID 4624
94  C:\Windows\SysWOW64\intcrvwiy.exe  (cmdline: C:\Windows\System32\intcrvwiy.exe)  PID 4400
95  C:\Windows\SysWOW64\inrshhzyd.exe  (cmdline: C:\Windows\System32\inrshhzyd.exe)  PID 3096
96  C:\Windows\SysWOW64\inzkcszdo.exe  (cmdline: C:\Windows\System32\inzkcszdo.exe)  PID 3700
   - Boot or Logon Autostart Execution: Active Setup
97  C:\Windows\SysWOW64\insrzztuj.exe  (cmdline: C:\Windows\System32\insrzztuj.exe)  PID 4064
98  C:\Windows\SysWOW64\inxsdoolp.exe  (cmdline: C:\Windows\System32\inxsdoolp.exe)  PID 1628
99  C:\Windows\SysWOW64\inmibthrw.exe  (cmdline: C:\Windows\System32\inmibthrw.exe)  PID 2756
100  C:\Windows\SysWOW64\infvqbbup.exe  (cmdline: C:\Windows\System32\infvqbbup.exe)  PID 456
   - Drops file in System32 directory
101  C:\Windows\SysWOW64\inyorihpp.exe  (cmdline: C:\Windows\System32\inyorihpp.exe)  PID 3472
102  C:\Windows\SysWOW64\inomzqrdt.exe  (cmdline: C:\Windows\System32\inomzqrdt.exe)  PID 4648
103  C:\Windows\SysWOW64\inbaqtkjr.exe  (cmdline: C:\Windows\System32\inbaqtkjr.exe)  PID 372
104  C:\Windows\SysWOW64\inbqostfv.exe  (cmdline: C:\Windows\System32\inbqostfv.exe)  PID 4952
105  C:\Windows\SysWOW64\indtwnmuu.exe  (cmdline: C:\Windows\System32\indtwnmuu.exe)  PID 4172
106  C:\Windows\SysWOW64\inpiofygs.exe  (cmdline: C:\Windows\System32\inpiofygs.exe)  PID 2356
107  C:\Windows\SysWOW64\inxhvtpha.exe  (cmdline: C:\Windows\System32\inxhvtpha.exe)  PID 4980
108  C:\Windows\SysWOW64\infslrijv.exe  (cmdline: C:\Windows\System32\infslrijv.exe)  PID 760
109  C:\Windows\SysWOW64\indqsmlmh.exe  (cmdline: C:\Windows\System32\indqsmlmh.exe)  PID 2476
110  C:\Windows\SysWOW64\inyegrpfl.exe  (cmdline: C:\Windows\System32\inyegrpfl.exe)  PID 2784
111  C:\Windows\SysWOW64\inljyapnv.exe  (cmdline: C:\Windows\System32\inljyapnv.exe)  PID 1476
112  C:\Windows\SysWOW64\inmhxsddw.exe  (cmdline: C:\Windows\System32\inmhxsddw.exe)  PID 4300
113  C:\Windows\SysWOW64\ineqbmfxl.exe  (cmdline: C:\Windows\System32\ineqbmfxl.exe)  PID 1180
114  C:\Windows\SysWOW64\inesqmezb.exe  (cmdline: C:\Windows\System32\inesqmezb.exe)  PID 4044
115  C:\Windows\SysWOW64\ingrakqpr.exe  (cmdline: C:\Windows\System32\ingrakqpr.exe)  PID 1980
116  C:\Windows\SysWOW64\inhjvjvge.exe  (cmdline: C:\Windows\System32\inhjvjvge.exe)  PID 3556
117  C:\Windows\SysWOW64\indtkzjxv.exe  (cmdline: C:\Windows\System32\indtkzjxv.exe)  PID 3240
118  C:\Windows\SysWOW64\incsnrmiw.exe  (cmdline: C:\Windows\System32\incsnrmiw.exe)  PID 4056
119  C:\Windows\SysWOW64\injyixbhg.exe  (cmdline: C:\Windows\System32\injyixbhg.exe)  PID 3548
120  C:\Windows\SysWOW64\inkivmnpx.exe  (cmdline: C:\Windows\System32\inkivmnpx.exe)  PID 4780
121  C:\Windows\SysWOW64\inochlfll.exe  (cmdline: C:\Windows\System32\inochlfll.exe)  PID 1844
122  C:\Windows\SysWOW64\inarenvge.exe  (cmdline: C:\Windows\System32\inarenvge.exe)  PID 3024