Analysis
max time kernel: 137s
max time network: 120s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 22/01/2024, 08:27
Static task: static1
Behavioral task: behavioral1
  Sample: 6f313414261cfe97829e961f7c693735.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 6f313414261cfe97829e961f7c693735.exe
  Resource: win10v2004-20231215-en
General
Target: 6f313414261cfe97829e961f7c693735.exe
Size: 172KB
MD5: 6f313414261cfe97829e961f7c693735
SHA1: 6a5e54aeeb27f8c0ef960bb7975e4884c4853ab8
SHA256: b5912ec679e46ddcaf14b16e2e0dad68971d0413a9335014f015b61ce75c4538
SHA512: 5dcf17c7c98e497ba30f8093f5cd8be350a2cc465c8e83f46c5edd695d404e7861fa85f4e84244cb1836387e5fb166afdb0b778c206e8a7be9291e82bc975161
SSDEEP: 3072:BrkSCebEmjjuq6gCyDwSVSMSF61DW/TUdbiX5Bt7LxPmBqGwvwkjmarQ6nSMLBuR:1o6jjH3CyDw3MSF2uUa53JmBtwvwf09s
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Signatures
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Executes dropped EXE 64 IoCs
pid Process 2316 efpqsfyb.exe 2968 aghdwikk.exe 2592 obqtcmix.exe 2616 vnpyrgrj.exe 1648 dfoygmvx.exe 2916 nqlitqbz.exe 1700 uunokjmp.exe 1192 exlyymsj.exe 784 unwgevwf.exe 856 tfxqyigw.exe 1872 bntqtxhg.exe 2396 odntbgnn.exe 2108 sqhbupzw.exe 1140 ijeowdcn.exe 1032 prroqtlf.exe 908 xznglqnx.exe 1672 bmgowszx.exe 1756 esmrljbb.exe 1568 ldteidjo.exe 2792 wzmoqysl.exe 2780 ibsebkwv.exe 2932 llsutget.exe 1724 ssfmownl.exe 1704 xunpebtr.exe 2864 nnkcopwi.exe 2604 urupxiyy.exe 2468 htawimdh.exe 2180 rpbpyhlf.exe 268 brqzlksh.exe 2040 lcgkznyb.exe 2120 ypxzmrxo.exe 1992 aocxxqen.exe 2112 hzicmjna.exe 1964 uydfcksh.exe 720 ftepkete.exe 1612 ptiuudbe.exe 2980 zdxxqghg.exe 2264 mqpvvkol.exe 988 wptsgjnl.exe 2848 tqlfcuzu.exe 1728 dtbpxpno.exe 2772 qokfdtmb.exe 2332 aqiqqwsv.exe 2548 kqmnivav.exe 3024 uabxwygx.exe 2764 eznvgxow.exe 524 oyrsyvvw.exe 3048 bljiezub.exe 1636 okelnzai.exe 1496 ymtvadgk.exe 2144 lloyjlmr.exe 2896 volieosl.exe 1012 dsnvnzvb.exe 1408 nnogdtdg.exe 2248 xbpdtbjd.exe 2256 hbtadaqd.exe 2020 myyirbxo.exe 1796 wjntewei.exe 996 vfaqjvmt.exe 1868 lywltjxk.exe 2860 yprobrus.exe 2756 iodlmqcr.exe 2852 sjewtkcw.exe 848 critmjkw.exe -
Loads dropped DLL 64 IoCs
pid Process 2272 6f313414261cfe97829e961f7c693735.exe 2272 6f313414261cfe97829e961f7c693735.exe 2316 efpqsfyb.exe 2316 efpqsfyb.exe 2968 aghdwikk.exe 2968 aghdwikk.exe 2592 obqtcmix.exe 2592 obqtcmix.exe 2616 vnpyrgrj.exe 2616 vnpyrgrj.exe 1648 dfoygmvx.exe 1648 dfoygmvx.exe 2916 nqlitqbz.exe 2916 nqlitqbz.exe 1700 uunokjmp.exe 1700 uunokjmp.exe 1192 exlyymsj.exe 1192 exlyymsj.exe 784 unwgevwf.exe 784 unwgevwf.exe 856 tfxqyigw.exe 856 tfxqyigw.exe 1872 bntqtxhg.exe 1872 bntqtxhg.exe 2396 odntbgnn.exe 2396 odntbgnn.exe 2108 sqhbupzw.exe 2108 sqhbupzw.exe 1140 ijeowdcn.exe 1140 ijeowdcn.exe 1032 prroqtlf.exe 1032 prroqtlf.exe 908 xznglqnx.exe 908 xznglqnx.exe 1672 bmgowszx.exe 1672 bmgowszx.exe 1756 esmrljbb.exe 1756 esmrljbb.exe 1568 ldteidjo.exe 1568 ldteidjo.exe 2792 wzmoqysl.exe 2792 wzmoqysl.exe 2780 ibsebkwv.exe 2780 ibsebkwv.exe 2932 llsutget.exe 2932 llsutget.exe 1724 ssfmownl.exe 1724 ssfmownl.exe 1704 xunpebtr.exe 1704 xunpebtr.exe 2864 nnkcopwi.exe 2864 nnkcopwi.exe 2604 urupxiyy.exe 2604 urupxiyy.exe 2468 htawimdh.exe 2468 htawimdh.exe 2180 rpbpyhlf.exe 2180 rpbpyhlf.exe 268 brqzlksh.exe 268 brqzlksh.exe 2040 lcgkznyb.exe 2040 lcgkznyb.exe 2120 ypxzmrxo.exe 2120 ypxzmrxo.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\mhukoqdj.exe cweztmxh.exe File created C:\Windows\SysWOW64\junccpfm.exe wwszupaf.exe File created C:\Windows\SysWOW64\qsskwaye.exe dfamqers.exe File opened for modification C:\Windows\SysWOW64\bsmuiemb.exe rtixqfeb.exe File created C:\Windows\SysWOW64\opimhhqs.exe eftcueky.exe File opened for modification C:\Windows\SysWOW64\lkwgvfqr.exe bahvikjo.exe File opened for modification C:\Windows\SysWOW64\critmjkw.exe sjewtkcw.exe File created C:\Windows\SysWOW64\qxujeqtg.exe gqqlurmg.exe File opened for modification C:\Windows\SysWOW64\junccpfm.exe wwszupaf.exe File created C:\Windows\SysWOW64\igzzerpi.exe yhvutshj.exe File opened for modification C:\Windows\SysWOW64\bbuablfh.exe rbidqmxh.exe File opened for modification C:\Windows\SysWOW64\qfyikcgi.exe ixdqqnxp.exe File opened for modification C:\Windows\SysWOW64\pjsefxoq.exe cwjgzbqd.exe File created C:\Windows\SysWOW64\egjuuigy.exe rpormzar.exe File created C:\Windows\SysWOW64\zmzoxfvy.exe oqzeilma.exe File opened for modification C:\Windows\SysWOW64\nsxvqvrb.exe cklygwkb.exe File opened for modification C:\Windows\SysWOW64\hwjmdcdx.exe waibvhds.exe File opened for modification C:\Windows\SysWOW64\nymwibfh.exe atvbmkud.exe File created C:\Windows\SysWOW64\zwlalucf.exe soqaqfam.exe File opened for modification C:\Windows\SysWOW64\kvpyvtjw.exe zwlalucf.exe File opened for modification C:\Windows\SysWOW64\wvdvwlbw.exe mvqymmcx.exe File opened for modification C:\Windows\SysWOW64\ppvjlrdd.exe czsocjfo.exe File created C:\Windows\SysWOW64\yixbwxfm.exe lvnlqthz.exe File created C:\Windows\SysWOW64\osurskcv.exe btzokcxo.exe File created C:\Windows\SysWOW64\xznglqnx.exe prroqtlf.exe File created C:\Windows\SysWOW64\xbpdtbjd.exe nnogdtdg.exe File opened for modification C:\Windows\SysWOW64\lochyjtz.exe huuzzzju.exe File created C:\Windows\SysWOW64\mopeopyf.exe ybfoitza.exe File opened for modification C:\Windows\SysWOW64\gsopdlck.exe wensfeoo.exe File 
created C:\Windows\SysWOW64\suhpfjjn.exe fhyzagka.exe File opened for modification C:\Windows\SysWOW64\rigjlsrn.exe jeyopmut.exe File created C:\Windows\SysWOW64\fplrkbbt.exe vmnhxyvr.exe File opened for modification C:\Windows\SysWOW64\zmzoxfvy.exe oqzeilma.exe File opened for modification C:\Windows\SysWOW64\qdhudokk.exe dqqexslx.exe File opened for modification C:\Windows\SysWOW64\pvvpffhw.exe fwjrngze.exe File created C:\Windows\SysWOW64\qdhudokk.exe dqqexslx.exe File opened for modification C:\Windows\SysWOW64\fegaxyup.exe vtrpkvon.exe File created C:\Windows\SysWOW64\drshpgoz.exe qtxegyjr.exe File opened for modification C:\Windows\SysWOW64\xhencsxm.exe oxpchpqk.exe File created C:\Windows\SysWOW64\xqxfeaqd.exe kwrxsolu.exe File opened for modification C:\Windows\SysWOW64\npgnkdxr.exe acoyehze.exe File created C:\Windows\SysWOW64\xtdprfvg.exe nuzszgnh.exe File created C:\Windows\SysWOW64\cbzutzdu.exe rjjoojbr.exe File opened for modification C:\Windows\SysWOW64\uydfcksh.exe hzicmjna.exe File opened for modification C:\Windows\SysWOW64\qeuwscas.exe crcgmybg.exe File opened for modification C:\Windows\SysWOW64\rjjoojbr.exe hjfrwkus.exe File opened for modification C:\Windows\SysWOW64\uunokjmp.exe nqlitqbz.exe File created C:\Windows\SysWOW64\xbahpums.exe klfngmgl.exe File created C:\Windows\SysWOW64\tbhpyhca.exe jqjelewy.exe File opened for modification C:\Windows\SysWOW64\alsallza.exe wrkanspv.exe File created C:\Windows\SysWOW64\ynfifwph.exe ootlvxii.exe File created C:\Windows\SysWOW64\ygkfooho.exe nljmhtgr.exe File opened for modification C:\Windows\SysWOW64\nelemdco.exe bcfobqxe.exe File opened for modification C:\Windows\SysWOW64\mohtrqno.exe codvhsfo.exe File created C:\Windows\SysWOW64\iiwmykok.exe abbueues.exe File opened for modification C:\Windows\SysWOW64\cnzcyeag.exe vfdcdhzn.exe File created C:\Windows\SysWOW64\xcdngjkf.exe ndzinkcn.exe File opened for modification C:\Windows\SysWOW64\mvlehhaf.exe ctnumeld.exe File opened for modification 
C:\Windows\SysWOW64\gchspkjw.exe wvdvwlbw.exe File opened for modification C:\Windows\SysWOW64\ucznjwwg.exe hmelbwqz.exe File opened for modification C:\Windows\SysWOW64\ldteidjo.exe esmrljbb.exe File opened for modification C:\Windows\SysWOW64\dtfwdegs.exe wigrgkqx.exe File opened for modification C:\Windows\SysWOW64\tetsevrs.exe lajevkoc.exe File opened for modification C:\Windows\SysWOW64\yroomftm.exe ifsbcjrv.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2272 wrote to memory of 2316 2272 6f313414261cfe97829e961f7c693735.exe 28 PID 2272 wrote to memory of 2316 2272 6f313414261cfe97829e961f7c693735.exe 28 PID 2272 wrote to memory of 2316 2272 6f313414261cfe97829e961f7c693735.exe 28 PID 2272 wrote to memory of 2316 2272 6f313414261cfe97829e961f7c693735.exe 28 PID 2316 wrote to memory of 2968 2316 efpqsfyb.exe 29 PID 2316 wrote to memory of 2968 2316 efpqsfyb.exe 29 PID 2316 wrote to memory of 2968 2316 efpqsfyb.exe 29 PID 2316 wrote to memory of 2968 2316 efpqsfyb.exe 29 PID 2968 wrote to memory of 2592 2968 aghdwikk.exe 30 PID 2968 wrote to memory of 2592 2968 aghdwikk.exe 30 PID 2968 wrote to memory of 2592 2968 aghdwikk.exe 30 PID 2968 wrote to memory of 2592 2968 aghdwikk.exe 30 PID 2592 wrote to memory of 2616 2592 obqtcmix.exe 31 PID 2592 wrote to memory of 2616 2592 obqtcmix.exe 31 PID 2592 wrote to memory of 2616 2592 obqtcmix.exe 31 PID 2592 wrote to memory of 2616 2592 obqtcmix.exe 31 PID 2616 wrote to memory of 1648 2616 vnpyrgrj.exe 32 PID 2616 wrote to memory of 1648 2616 vnpyrgrj.exe 32 PID 2616 wrote to memory of 1648 2616 vnpyrgrj.exe 32 PID 2616 wrote to memory of 1648 2616 vnpyrgrj.exe 32 PID 1648 wrote to memory of 2916 1648 dfoygmvx.exe 35 PID 1648 wrote to memory of 2916 1648 dfoygmvx.exe 35 PID 1648 wrote to memory of 2916 1648 dfoygmvx.exe 35 PID 1648 wrote to memory of 2916 1648 dfoygmvx.exe 35 PID 2916 wrote to memory of 1700 2916 nqlitqbz.exe 34 PID 2916 wrote to memory of 1700 2916 nqlitqbz.exe 34 PID 2916 wrote to memory of 1700 2916 nqlitqbz.exe 34 PID 2916 wrote to memory of 1700 2916 nqlitqbz.exe 34 PID 1700 wrote to memory of 1192 1700 uunokjmp.exe 33 PID 1700 wrote to memory of 1192 1700 uunokjmp.exe 33 PID 1700 wrote to memory of 1192 1700 uunokjmp.exe 33 PID 1700 wrote to memory of 1192 1700 uunokjmp.exe 33 PID 1192 wrote to memory of 784 1192 exlyymsj.exe 36 PID 1192 wrote to memory of 784 1192 exlyymsj.exe 36 PID 1192 wrote to memory of 784 
1192 exlyymsj.exe 36 PID 1192 wrote to memory of 784 1192 exlyymsj.exe 36 PID 784 wrote to memory of 856 784 unwgevwf.exe 52 PID 784 wrote to memory of 856 784 unwgevwf.exe 52 PID 784 wrote to memory of 856 784 unwgevwf.exe 52 PID 784 wrote to memory of 856 784 unwgevwf.exe 52 PID 856 wrote to memory of 1872 856 tfxqyigw.exe 50 PID 856 wrote to memory of 1872 856 tfxqyigw.exe 50 PID 856 wrote to memory of 1872 856 tfxqyigw.exe 50 PID 856 wrote to memory of 1872 856 tfxqyigw.exe 50 PID 1872 wrote to memory of 2396 1872 bntqtxhg.exe 48 PID 1872 wrote to memory of 2396 1872 bntqtxhg.exe 48 PID 1872 wrote to memory of 2396 1872 bntqtxhg.exe 48 PID 1872 wrote to memory of 2396 1872 bntqtxhg.exe 48 PID 2396 wrote to memory of 2108 2396 odntbgnn.exe 45 PID 2396 wrote to memory of 2108 2396 odntbgnn.exe 45 PID 2396 wrote to memory of 2108 2396 odntbgnn.exe 45 PID 2396 wrote to memory of 2108 2396 odntbgnn.exe 45 PID 2108 wrote to memory of 1140 2108 sqhbupzw.exe 43 PID 2108 wrote to memory of 1140 2108 sqhbupzw.exe 43 PID 2108 wrote to memory of 1140 2108 sqhbupzw.exe 43 PID 2108 wrote to memory of 1140 2108 sqhbupzw.exe 43 PID 1140 wrote to memory of 1032 1140 ijeowdcn.exe 42 PID 1140 wrote to memory of 1032 1140 ijeowdcn.exe 42 PID 1140 wrote to memory of 1032 1140 ijeowdcn.exe 42 PID 1140 wrote to memory of 1032 1140 ijeowdcn.exe 42 PID 1032 wrote to memory of 908 1032 prroqtlf.exe 37 PID 1032 wrote to memory of 908 1032 prroqtlf.exe 37 PID 1032 wrote to memory of 908 1032 prroqtlf.exe 37 PID 1032 wrote to memory of 908 1032 prroqtlf.exe 37
Processes
C:\Users\Admin\AppData\Local\Temp\6f313414261cfe97829e961f7c693735.exe"C:\Users\Admin\AppData\Local\Temp\6f313414261cfe97829e961f7c693735.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\efpqsfyb.exeC:\Windows\system32\efpqsfyb.exe 544 "C:\Users\Admin\AppData\Local\Temp\6f313414261cfe97829e961f7c693735.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\aghdwikk.exeC:\Windows\system32\aghdwikk.exe 472 "C:\Windows\SysWOW64\efpqsfyb.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\obqtcmix.exeC:\Windows\system32\obqtcmix.exe 564 "C:\Windows\SysWOW64\aghdwikk.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\vnpyrgrj.exeC:\Windows\system32\vnpyrgrj.exe 468 "C:\Windows\SysWOW64\obqtcmix.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\dfoygmvx.exeC:\Windows\system32\dfoygmvx.exe 556 "C:\Windows\SysWOW64\vnpyrgrj.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Windows\SysWOW64\nqlitqbz.exeC:\Windows\system32\nqlitqbz.exe 572 "C:\Windows\SysWOW64\dfoygmvx.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2916
C:\Windows\SysWOW64\exlyymsj.exeC:\Windows\system32\exlyymsj.exe 568 "C:\Windows\SysWOW64\uunokjmp.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1192 -
C:\Windows\SysWOW64\unwgevwf.exeC:\Windows\system32\unwgevwf.exe 560 "C:\Windows\SysWOW64\exlyymsj.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:784 -
C:\Windows\SysWOW64\tfxqyigw.exeC:\Windows\system32\tfxqyigw.exe 592 "C:\Windows\SysWOW64\unwgevwf.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:856
C:\Windows\SysWOW64\uunokjmp.exeC:\Windows\system32\uunokjmp.exe 580 "C:\Windows\SysWOW64\nqlitqbz.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1700
C:\Windows\SysWOW64\xznglqnx.exeC:\Windows\system32\xznglqnx.exe 512 "C:\Windows\SysWOW64\prroqtlf.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:908 -
C:\Windows\SysWOW64\bmgowszx.exeC:\Windows\system32\bmgowszx.exe 608 "C:\Windows\SysWOW64\xznglqnx.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1672 -
C:\Windows\SysWOW64\esmrljbb.exeC:\Windows\system32\esmrljbb.exe 628 "C:\Windows\SysWOW64\bmgowszx.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1756 -
C:\Windows\SysWOW64\ldteidjo.exeC:\Windows\system32\ldteidjo.exe 620 "C:\Windows\SysWOW64\esmrljbb.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1568 -
C:\Windows\SysWOW64\wzmoqysl.exeC:\Windows\system32\wzmoqysl.exe 624 "C:\Windows\SysWOW64\ldteidjo.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2792 -
C:\Windows\SysWOW64\ibsebkwv.exeC:\Windows\system32\ibsebkwv.exe 612 "C:\Windows\SysWOW64\wzmoqysl.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2780 -
C:\Windows\SysWOW64\llsutget.exeC:\Windows\system32\llsutget.exe 636 "C:\Windows\SysWOW64\ibsebkwv.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2932 -
C:\Windows\SysWOW64\ssfmownl.exeC:\Windows\system32\ssfmownl.exe 616 "C:\Windows\SysWOW64\llsutget.exe"8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1724 -
C:\Windows\SysWOW64\xunpebtr.exeC:\Windows\system32\xunpebtr.exe 644 "C:\Windows\SysWOW64\ssfmownl.exe"9⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1704 -
C:\Windows\SysWOW64\nnkcopwi.exeC:\Windows\system32\nnkcopwi.exe 632 "C:\Windows\SysWOW64\xunpebtr.exe"10⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2864 -
C:\Windows\SysWOW64\urupxiyy.exeC:\Windows\system32\urupxiyy.exe 660 "C:\Windows\SysWOW64\nnkcopwi.exe"11⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2604 -
C:\Windows\SysWOW64\htawimdh.exeC:\Windows\system32\htawimdh.exe 640 "C:\Windows\SysWOW64\urupxiyy.exe"12⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2468 -
C:\Windows\SysWOW64\rpbpyhlf.exeC:\Windows\system32\rpbpyhlf.exe 652 "C:\Windows\SysWOW64\htawimdh.exe"13⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2180 -
C:\Windows\SysWOW64\brqzlksh.exeC:\Windows\system32\brqzlksh.exe 648 "C:\Windows\SysWOW64\rpbpyhlf.exe"14⤵
- Executes dropped EXE
- Loads dropped DLL
PID:268 -
C:\Windows\SysWOW64\lcgkznyb.exeC:\Windows\system32\lcgkznyb.exe 668 "C:\Windows\SysWOW64\brqzlksh.exe"15⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2040 -
C:\Windows\SysWOW64\ypxzmrxo.exeC:\Windows\system32\ypxzmrxo.exe 656 "C:\Windows\SysWOW64\lcgkznyb.exe"16⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2120 -
C:\Windows\SysWOW64\aocxxqen.exeC:\Windows\system32\aocxxqen.exe 676 "C:\Windows\SysWOW64\ypxzmrxo.exe"17⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\hzicmjna.exeC:\Windows\system32\hzicmjna.exe 680 "C:\Windows\SysWOW64\aocxxqen.exe"18⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2112 -
C:\Windows\SysWOW64\uydfcksh.exeC:\Windows\system32\uydfcksh.exe 664 "C:\Windows\SysWOW64\hzicmjna.exe"19⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\ftepkete.exeC:\Windows\system32\ftepkete.exe 552 "C:\Windows\SysWOW64\uydfcksh.exe"20⤵
- Executes dropped EXE
PID:720 -
C:\Windows\SysWOW64\ptiuudbe.exeC:\Windows\system32\ptiuudbe.exe 692 "C:\Windows\SysWOW64\ftepkete.exe"21⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\zdxxqghg.exeC:\Windows\system32\zdxxqghg.exe 684 "C:\Windows\SysWOW64\ptiuudbe.exe"22⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\mqpvvkol.exeC:\Windows\system32\mqpvvkol.exe 708 "C:\Windows\SysWOW64\zdxxqghg.exe"23⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\wptsgjnl.exeC:\Windows\system32\wptsgjnl.exe 700 "C:\Windows\SysWOW64\mqpvvkol.exe"24⤵
- Executes dropped EXE
PID:988 -
C:\Windows\SysWOW64\tqlfcuzu.exeC:\Windows\system32\tqlfcuzu.exe 704 "C:\Windows\SysWOW64\wptsgjnl.exe"25⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\dtbpxpno.exeC:\Windows\system32\dtbpxpno.exe 712 "C:\Windows\SysWOW64\tqlfcuzu.exe"26⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\qokfdtmb.exeC:\Windows\system32\qokfdtmb.exe 688 "C:\Windows\SysWOW64\dtbpxpno.exe"27⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\aqiqqwsv.exeC:\Windows\system32\aqiqqwsv.exe 696 "C:\Windows\SysWOW64\qokfdtmb.exe"28⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\kqmnivav.exeC:\Windows\system32\kqmnivav.exe 732 "C:\Windows\SysWOW64\aqiqqwsv.exe"29⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\uabxwygx.exeC:\Windows\system32\uabxwygx.exe 716 "C:\Windows\SysWOW64\kqmnivav.exe"30⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\eznvgxow.exeC:\Windows\system32\eznvgxow.exe 720 "C:\Windows\SysWOW64\uabxwygx.exe"31⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\oyrsyvvw.exeC:\Windows\system32\oyrsyvvw.exe 724 "C:\Windows\SysWOW64\eznvgxow.exe"32⤵
- Executes dropped EXE
PID:524 -
C:\Windows\SysWOW64\bljiezub.exeC:\Windows\system32\bljiezub.exe 740 "C:\Windows\SysWOW64\oyrsyvvw.exe"33⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\okelnzai.exeC:\Windows\system32\okelnzai.exe 728 "C:\Windows\SysWOW64\bljiezub.exe"34⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\ymtvadgk.exeC:\Windows\system32\ymtvadgk.exe 748 "C:\Windows\SysWOW64\okelnzai.exe"35⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\lloyjlmr.exeC:\Windows\system32\lloyjlmr.exe 736 "C:\Windows\SysWOW64\ymtvadgk.exe"36⤵
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\volieosl.exeC:\Windows\system32\volieosl.exe 756 "C:\Windows\SysWOW64\lloyjlmr.exe"37⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\dsnvnzvb.exeC:\Windows\system32\dsnvnzvb.exe 744 "C:\Windows\SysWOW64\volieosl.exe"38⤵
- Executes dropped EXE
PID:1012 -
C:\Windows\SysWOW64\nnogdtdg.exeC:\Windows\system32\nnogdtdg.exe 768 "C:\Windows\SysWOW64\dsnvnzvb.exe"39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1408 -
C:\Windows\SysWOW64\xbpdtbjd.exeC:\Windows\system32\xbpdtbjd.exe 752 "C:\Windows\SysWOW64\nnogdtdg.exe"40⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\hbtadaqd.exeC:\Windows\system32\hbtadaqd.exe 532 "C:\Windows\SysWOW64\xbpdtbjd.exe"41⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\myyirbxo.exeC:\Windows\system32\myyirbxo.exe 764 "C:\Windows\SysWOW64\hbtadaqd.exe"42⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\wjntewei.exeC:\Windows\system32\wjntewei.exe 516 "C:\Windows\SysWOW64\myyirbxo.exe"43⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\vfaqjvmt.exeC:\Windows\system32\vfaqjvmt.exe 776 "C:\Windows\SysWOW64\wjntewei.exe"44⤵
- Executes dropped EXE
PID:996 -
C:\Windows\SysWOW64\lywltjxk.exeC:\Windows\system32\lywltjxk.exe 780 "C:\Windows\SysWOW64\vfaqjvmt.exe"45⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\yprobrus.exeC:\Windows\system32\yprobrus.exe 784 "C:\Windows\SysWOW64\lywltjxk.exe"46⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\iodlmqcr.exeC:\Windows\system32\iodlmqcr.exe 788 "C:\Windows\SysWOW64\yprobrus.exe"47⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\sjewtkcw.exeC:\Windows\system32\sjewtkcw.exe 804 "C:\Windows\SysWOW64\iodlmqcr.exe"48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2852 -
C:\Windows\SysWOW64\critmjkw.exeC:\Windows\system32\critmjkw.exe 800 "C:\Windows\SysWOW64\sjewtkcw.exe"49⤵
- Executes dropped EXE
PID:848 -
C:\Windows\SysWOW64\hvcbflpw.exeC:\Windows\system32\hvcbflpw.exe 540 "C:\Windows\SysWOW64\critmjkw.exe"50⤵PID:2836
C:\Windows\SysWOW64\wskjjdyq.exeC:\Windows\system32\wskjjdyq.exe 796 "C:\Windows\SysWOW64\hvcbflpw.exe"51⤵PID:2596
C:\Windows\SysWOW64\rysemanp.exeC:\Windows\system32\rysemanp.exe 528 "C:\Windows\SysWOW64\wskjjdyq.exe"52⤵PID:1876
C:\Windows\SysWOW64\jnrjxcmq.exeC:\Windows\system32\jnrjxcmq.exe 508 "C:\Windows\SysWOW64\rysemanp.exe"53⤵PID:2232
C:\Windows\SysWOW64\tfgobsol.exeC:\Windows\system32\tfgobsol.exe 816 "C:\Windows\SysWOW64\jnrjxcmq.exe"54⤵PID:1536
C:\Windows\SysWOW64\aqftyuwg.exeC:\Windows\system32\aqftyuwg.exe 500 "C:\Windows\SysWOW64\tfgobsol.exe"55⤵PID:1268
C:\Windows\SysWOW64\afdzqchu.exeC:\Windows\system32\afdzqchu.exe 836 "C:\Windows\SysWOW64\aqftyuwg.exe"56⤵PID:1348
C:\Windows\SysWOW64\ajneznkk.exeC:\Windows\system32\ajneznkk.exe 828 "C:\Windows\SysWOW64\afdzqchu.exe"57⤵PID:2252
C:\Windows\SysWOW64\woiegddo.exeC:\Windows\system32\woiegddo.exe 476 "C:\Windows\SysWOW64\ajneznkk.exe"58⤵PID:2400
C:\Windows\SysWOW64\zuwhvver.exeC:\Windows\system32\zuwhvver.exe 832 "C:\Windows\SysWOW64\woiegddo.exe"59⤵PID:2964
C:\Windows\SysWOW64\rboeajvb.exeC:\Windows\system32\rboeajvb.exe 480 "C:\Windows\SysWOW64\zuwhvver.exe"60⤵PID:952
C:\Windows\SysWOW64\gywembwv.exeC:\Windows\system32\gywembwv.exe 484 "C:\Windows\SysWOW64\rboeajvb.exe"61⤵PID:2132
C:\Windows\SysWOW64\qficxaeu.exeC:\Windows\system32\qficxaeu.exe 848 "C:\Windows\SysWOW64\gywembwv.exe"62⤵PID:1504
C:\Windows\SysWOW64\abbueues.exeC:\Windows\system32\abbueues.exe 852 "C:\Windows\SysWOW64\qficxaeu.exe"63⤵
- Drops file in System32 directory
PID:1752
C:\Windows\SysWOW64\iiwmykok.exeC:\Windows\system32\iiwmykok.exe 856 "C:\Windows\SysWOW64\abbueues.exe"64⤵PID:2220
C:\Windows\SysWOW64\vzrphstr.exeC:\Windows\system32\vzrphstr.exe 672 "C:\Windows\SysWOW64\iiwmykok.exe"65⤵PID:2984
C:\Windows\SysWOW64\ejhzuval.exeC:\Windows\system32\ejhzuval.exe 864 "C:\Windows\SysWOW64\vzrphstr.exe"66⤵PID:2028
C:\Windows\SysWOW64\mormmgkb.exeC:\Windows\system32\mormmgkb.exe 876 "C:\Windows\SysWOW64\ejhzuval.exe"67⤵PID:2448
C:\Windows\SysWOW64\rskmfqpj.exeC:\Windows\system32\rskmfqpj.exe 868 "C:\Windows\SysWOW64\mormmgkb.exe"68⤵PID:2676
C:\Windows\SysWOW64\bdaxstwl.exeC:\Windows\system32\bdaxstwl.exe 872 "C:\Windows\SysWOW64\rskmfqpj.exe"69⤵PID:2612
C:\Windows\SysWOW64\jwzxhazz.exeC:\Windows\system32\jwzxhazz.exe 880 "C:\Windows\SysWOW64\bdaxstwl.exe"70⤵PID:2812
C:\Windows\SysWOW64\qduxtpjr.exeC:\Windows\system32\qduxtpjr.exe 892 "C:\Windows\SysWOW64\jwzxhazz.exe"71⤵PID:2904
C:\Windows\SysWOW64\dfafebna.exeC:\Windows\system32\dfafebna.exe 884 "C:\Windows\SysWOW64\qduxtpjr.exe"72⤵PID:2900
C:\Windows\SysWOW64\isunylsb.exeC:\Windows\system32\isunylsb.exe 888 "C:\Windows\SysWOW64\dfafebna.exe"73⤵PID:1624
C:\Windows\SysWOW64\vfdcdhzn.exeC:\Windows\system32\vfdcdhzn.exe 896 "C:\Windows\SysWOW64\isunylsb.exe"74⤵
- Drops file in System32 directory
PID:2920
C:\Windows\SysWOW64\cnzcyeag.exeC:\Windows\system32\cnzcyeag.exe 900 "C:\Windows\SysWOW64\vfdcdhzn.exe"75⤵PID:2116
C:\Windows\SysWOW64\cjlauvrr.exeC:\Windows\system32\cjlauvrr.exe 904 "C:\Windows\SysWOW64\cnzcyeag.exe"76⤵PID:2428
C:\Windows\SysWOW64\rchvejti.exeC:\Windows\system32\rchvejti.exe 916 "C:\Windows\SysWOW64\cjlauvrr.exe"77⤵PID:1316
C:\Windows\SysWOW64\zdgntyxd.exeC:\Windows\system32\zdgntyxd.exe 908 "C:\Windows\SysWOW64\rchvejti.exe"78⤵PID:1988
C:\Windows\SysWOW64\gofaisgq.exeC:\Windows\system32\gofaisgq.exe 932 "C:\Windows\SysWOW64\zdgntyxd.exe"79⤵PID:2804
C:\Windows\SysWOW64\tbxqnoev.exeC:\Windows\system32\tbxqnoev.exe 924 "C:\Windows\SysWOW64\gofaisgq.exe"80⤵PID:1036
C:\Windows\SysWOW64\xvfpmgxa.exeC:\Windows\system32\xvfpmgxa.exe 536 "C:\Windows\SysWOW64\tbxqnoev.exe"81⤵PID:2296
C:\Windows\SysWOW64\fzpderzp.exeC:\Windows\system32\fzpderzp.exe 920 "C:\Windows\SysWOW64\xvfpmgxa.exe"82⤵PID:2300
C:\Windows\SysWOW64\ndzinkcn.exeC:\Windows\system32\ndzinkcn.exe 548 "C:\Windows\SysWOW64\fzpderzp.exe"83⤵
- Drops file in System32 directory
PID:884
C:\Windows\SysWOW64\xcdngjkf.exeC:\Windows\system32\xcdngjkf.exe 940 "C:\Windows\SysWOW64\ndzinkcn.exe"84⤵PID:2052
C:\Windows\SysWOW64\wvmyawuw.exeC:\Windows\system32\wvmyawuw.exe 960 "C:\Windows\SysWOW64\xcdngjkf.exe"85⤵PID:1640
C:\Windows\SysWOW64\jptyfviw.exeC:\Windows\system32\jptyfviw.exe 492 "C:\Windows\SysWOW64\wvmyawuw.exe"86⤵PID:1652
C:\Windows\SysWOW64\wclvlrpb.exeC:\Windows\system32\wclvlrpb.exe 760 "C:\Windows\SysWOW64\jptyfviw.exe"87⤵PID:3068
C:\Windows\SysWOW64\gbptdpoa.exeC:\Windows\system32\gbptdpoa.exe 948 "C:\Windows\SysWOW64\wclvlrpb.exe"88⤵PID:2564
C:\Windows\SysWOW64\qmedqscd.exeC:\Windows\system32\qmedqscd.exe 952 "C:\Windows\SysWOW64\gbptdpoa.exe"89⤵PID:2384
C:\Windows\SysWOW64\swetjpkb.exeC:\Windows\system32\swetjpkb.exe 956 "C:\Windows\SysWOW64\qmedqscd.exe"90⤵PID:2716
C:\Windows\SysWOW64\cviqtnkb.exeC:\Windows\system32\cviqtnkb.exe 964 "C:\Windows\SysWOW64\swetjpkb.exe"91⤵PID:2516
C:\Windows\SysWOW64\mgxboqyv.exeC:\Windows\system32\mgxboqyv.exe 968 "C:\Windows\SysWOW64\cviqtnkb.exe"92⤵PID:1096
C:\Windows\SysWOW64\jsriaadd.exeC:\Windows\system32\jsriaadd.exe 972 "C:\Windows\SysWOW64\mgxboqyv.exe"93⤵PID:2244
C:\Windows\SysWOW64\trvgszkd.exeC:\Windows\system32\trvgszkd.exe 976 "C:\Windows\SysWOW64\jsriaadd.exe"94⤵PID:1920
C:\Windows\SysWOW64\enwyatla.exeC:\Windows\system32\enwyatla.exe 980 "C:\Windows\SysWOW64\trvgszkd.exe"95⤵PID:1564
C:\Windows\SysWOW64\lvrqujvs.exeC:\Windows\system32\lvrqujvs.exe 984 "C:\Windows\SysWOW64\enwyatla.exe"96⤵PID:2284
C:\Windows\SysWOW64\tzbeduxi.exeC:\Windows\system32\tzbeduxi.exe 988 "C:\Windows\SysWOW64\lvrqujvs.exe"97⤵PID:564
C:\Windows\SysWOW64\dcroyxek.exeC:\Windows\system32\dcroyxek.exe 992 "C:\Windows\SysWOW64\tzbeduxi.exe"98⤵PID:2140
C:\Windows\SysWOW64\kgttiioa.exeC:\Windows\system32\kgttiioa.exe 936 "C:\Windows\SysWOW64\dcroyxek.exe"99⤵PID:1816
C:\Windows\SysWOW64\pwxoewac.exeC:\Windows\system32\pwxoewac.exe 1000 "C:\Windows\SysWOW64\kgttiioa.exe"100⤵PID:1516
C:\Windows\SysWOW64\waibvhds.exeC:\Windows\system32\waibvhds.exe 1004 "C:\Windows\SysWOW64\pwxoewac.exe"101⤵
- Drops file in System32 directory
PID:832
C:\Windows\SysWOW64\hwjmdcdx.exeC:\Windows\system32\hwjmdcdx.exe 1008 "C:\Windows\SysWOW64\waibvhds.exe"102⤵PID:2344
C:\Windows\SysWOW64\rvnjnblp.exeC:\Windows\system32\rvnjnblp.exe 1012 "C:\Windows\SysWOW64\hwjmdcdx.exe"103⤵PID:2776
C:\Windows\SysWOW64\wigrgkqx.exeC:\Windows\system32\wigrgkqx.exe 1016 "C:\Windows\SysWOW64\rvnjnblp.exe"104⤵
- Drops file in System32 directory
PID:2372
C:\Windows\SysWOW64\dtfwdegs.exeC:\Windows\system32\dtfwdegs.exe 1020 "C:\Windows\SysWOW64\wigrgkqx.exe"105⤵PID:1656
C:\Windows\SysWOW64\lxpjnpjh.exeC:\Windows\system32\lxpjnpjh.exe 1028 "C:\Windows\SysWOW64\dtfwdegs.exe"106⤵PID:2320
C:\Windows\SysWOW64\yokmwxop.exeC:\Windows\system32\yokmwxop.exe 1032 "C:\Windows\SysWOW64\lxpjnpjh.exe"107⤵PID:2744
C:\Windows\SysWOW64\fvfeqnyh.exeC:\Windows\system32\fvfeqnyh.exe 1036 "C:\Windows\SysWOW64\yokmwxop.exe"108⤵PID:300
C:\Windows\SysWOW64\prgoxhze.exeC:\Windows\system32\prgoxhze.exe 1040 "C:\Windows\SysWOW64\fvfeqnyh.exe"109⤵PID:1108
C:\Windows\SysWOW64\zqkuigge.exeC:\Windows\system32\zqkuigge.exe 1044 "C:\Windows\SysWOW64\prgoxhze.exe"110⤵PID:1740
C:\Windows\SysWOW64\huuzzzju.exeC:\Windows\system32\huuzzzju.exe 1048 "C:\Windows\SysWOW64\zqkuigge.exe"111⤵
- Drops file in System32 directory
PID:2000
C:\Windows\SysWOW64\lochyjtz.exeC:\Windows\system32\lochyjtz.exe 1052 "C:\Windows\SysWOW64\huuzzzju.exe"112⤵PID:2128
C:\Windows\SysWOW64\tpbhfyxm.exeC:\Windows\system32\tpbhfyxm.exe 1056 "C:\Windows\SysWOW64\lochyjtz.exe"113⤵PID:1900
C:\Windows\SysWOW64\bwxzzohe.exeC:\Windows\system32\bwxzzohe.exe 1060 "C:\Windows\SysWOW64\tpbhfyxm.exe"114⤵PID:1912
C:\Windows\SysWOW64\ibhmqzju.exeC:\Windows\system32\ibhmqzju.exe 1064 "C:\Windows\SysWOW64\bwxzzohe.exe"115⤵PID:1808
C:\Windows\SysWOW64\salkbxrt.exeC:\Windows\system32\salkbxrt.exe 1068 "C:\Windows\SysWOW64\ibhmqzju.exe"116⤵PID:2196
C:\Windows\SysWOW64\aevpkjuj.exeC:\Windows\system32\aevpkjuj.exe 1072 "C:\Windows\SysWOW64\salkbxrt.exe"117⤵PID:2096
C:\Windows\SysWOW64\hmjpegdb.exeC:\Windows\system32\hmjpegdb.exe 1076 "C:\Windows\SysWOW64\aevpkjuj.exe"118⤵PID:2348
C:\Windows\SysWOW64\wbshllwe.exeC:\Windows\system32\wbshllwe.exe 1080 "C:\Windows\SysWOW64\hmjpegdb.exe"119⤵PID:1748
C:\Windows\SysWOW64\hxsssfxj.exeC:\Windows\system32\hxsssfxj.exe 1084 "C:\Windows\SysWOW64\wbshllwe.exe"120⤵PID:2648
C:\Windows\SysWOW64\tzzhmsbl.exeC:\Windows\system32\tzzhmsbl.exe 1100 "C:\Windows\SysWOW64\hxsssfxj.exe"121⤵PID:1600
C:\Windows\SysWOW64\bguayhld.exeC:\Windows\system32\bguayhld.exe 1092 "C:\Windows\SysWOW64\tzzhmsbl.exe"122⤵PID:2580