Analysis
- Max time kernel: 150s
- Max time network: 118s
- Platform: windows7_x64
- Resource: win7-20240419-en
- Resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- Submitted: 20-06-2024 04:31
Static task: static1
Behavioral task: behavioral1
- Sample: 02d0963800aef7c6aa241fbf390b3c60_JaffaCakes118.exe
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: 02d0963800aef7c6aa241fbf390b3c60_JaffaCakes118.exe
- Resource: win10v2004-20240611-en
General
- Target: 02d0963800aef7c6aa241fbf390b3c60_JaffaCakes118.exe
- Size: 529KB
- MD5: 02d0963800aef7c6aa241fbf390b3c60
- SHA1: 28a38ca919b14bc6187f090573d60c6525f36026
- SHA256: dd1a2a64dd02561e2f15530287d58c76a439a8582b7cf72d0cae50be59f1c497
- SHA512: 27203987d2fa0c567e47cf994958cb64716b06519f67daa46bf172c5db5158f17b19068b4f9082b9c64048310a0c526a3bb0fe2526368980a2cde6327c6b7b2c
- SSDEEP: 12288:iYU+TrobcGdJUzmhcmk+1QPakD6Dx7snXtu:iYhTQdJ6J+C6DxAXY
Malware Config
Extracted
- Family: metasploit
- Encoder: encoder/call4_dword_xor
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Executes dropped EXE (64 IoCs)
- Identifies Wine through registry keys (2 TTPs, 64 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Loads dropped DLL (64 IoCs)
- Drops file in System32 directory (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Process tree (each entry is shown with its depth in the tree; each process spawns the one below it):
- Depth 1: C:\Users\Admin\AppData\Local\Temp\02d0963800aef7c6aa241fbf390b3c60_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\02d0963800aef7c6aa241fbf390b3c60_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- Depth 2: C:\Windows\SysWOW64\xyzbjir.exe
  Command line: C:\Windows\system32\xyzbjir.exe 636 "C:\Users\Admin\AppData\Local\Temp\02d0963800aef7c6aa241fbf390b3c60_JaffaCakes118.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- Depth 3: C:\Windows\SysWOW64\ypojjzo.exe
  Command line: C:\Windows\system32\ypojjzo.exe 612 "C:\Windows\SysWOW64\xyzbjir.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- Depth 4: C:\Windows\SysWOW64\avswyuf.exe
  Command line: C:\Windows\system32\avswyuf.exe 620 "C:\Windows\SysWOW64\ypojjzo.exe"
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- Depth 5: C:\Windows\SysWOW64\xtzerts.exe
  Command line: C:\Windows\system32\xtzerts.exe 616 "C:\Windows\SysWOW64\avswyuf.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- Depth 6: C:\Windows\SysWOW64\mbtxsxy.exe
  Command line: C:\Windows\system32\mbtxsxy.exe 628 "C:\Windows\SysWOW64\xtzerts.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- Depth 7: C:\Windows\SysWOW64\uxeckii.exe
  Command line: C:\Windows\system32\uxeckii.exe 624 "C:\Windows\SysWOW64\mbtxsxy.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- Depth 8: C:\Windows\SysWOW64\eeihuhq.exe
  Command line: C:\Windows\system32\eeihuhq.exe 728 "C:\Windows\SysWOW64\uxeckii.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- Depth 9: C:\Windows\SysWOW64\daufzyz.exe
  Command line: C:\Windows\system32\daufzyz.exe 656 "C:\Windows\SysWOW64\eeihuhq.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- Depth 10: C:\Windows\SysWOW64\owvpgsz.exe
  Command line: C:\Windows\system32\owvpgsz.exe 716 "C:\Windows\SysWOW64\daufzyz.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- Depth 11: C:\Windows\SysWOW64\npwhanj.exe
  Command line: C:\Windows\system32\npwhanj.exe 648 "C:\Windows\SysWOW64\owvpgsz.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- Depth 12: C:\Windows\SysWOW64\arcxmro.exe
  Command line: C:\Windows\system32\arcxmro.exe 732 "C:\Windows\SysWOW64\npwhanj.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- Depth 13: C:\Windows\SysWOW64\ehgkifz.exe
  Command line: C:\Windows\system32\ehgkifz.exe 632 "C:\Windows\SysWOW64\arcxmro.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- Depth 14: C:\Windows\SysWOW64\pchcqai.exe
  Command line: C:\Windows\system32\pchcqai.exe 736 "C:\Windows\SysWOW64\ehgkifz.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- Depth 15: C:\Windows\SysWOW64\woginuq.exe
  Command line: C:\Windows\system32\woginuq.exe 748 "C:\Windows\SysWOW64\pchcqai.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- Depth 16: C:\Windows\SysWOW64\yjhsuor.exe
  Command line: C:\Windows\system32\yjhsuor.exe 640 "C:\Windows\SysWOW64\woginuq.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- Depth 17: C:\Windows\SysWOW64\ozsabyu.exe
  Command line: C:\Windows\system32\ozsabyu.exe 756 "C:\Windows\SysWOW64\yjhsuor.exe"
  - Executes dropped EXE
  - Loads dropped DLL
- Depth 18: C:\Windows\SysWOW64\ixjvevc.exe
  Command line: C:\Windows\system32\ixjvevc.exe 652 "C:\Windows\SysWOW64\ozsabyu.exe"
  - Executes dropped EXE
  - Loads dropped DLL
- Depth 19: C:\Windows\SysWOW64\vdsxsmn.exe
  Command line: C:\Windows\system32\vdsxsmn.exe 752 "C:\Windows\SysWOW64\ixjvevc.exe"
  - Executes dropped EXE
  - Loads dropped DLL
- Depth 20: C:\Windows\SysWOW64\kwpkcap.exe
  Command line: C:\Windows\system32\kwpkcap.exe 760 "C:\Windows\SysWOW64\vdsxsmn.exe"
  - Executes dropped EXE
  - Loads dropped DLL
- Depth 21: C:\Windows\SysWOW64\xnrnkiv.exe
  Command line: C:\Windows\system32\xnrnkiv.exe 772 "C:\Windows\SysWOW64\kwpkcap.exe"
  - Executes dropped EXE
  - Loads dropped DLL
- Depth 22: C:\Windows\SysWOW64\klmqtia.exe
  Command line: C:\Windows\system32\klmqtia.exe 764 "C:\Windows\SysWOW64\xnrnkiv.exe"
  - Executes dropped EXE
  - Loads dropped DLL
- Depth 23: C:\Windows\SysWOW64\ukqndhi.exe
  Command line: C:\Windows\system32\ukqndhi.exe 768 "C:\Windows\SysWOW64\klmqtia.exe"
  - Executes dropped EXE
  - Loads dropped DLL
- Depth 24: C:\Windows\SysWOW64\enoyyko.exe
  Command line: C:\Windows\system32\enoyyko.exe 776 "C:\Windows\SysWOW64\ukqndhi.exe"
  - Executes dropped EXE
  - Loads dropped DLL
- Depth 25: C:\Windows\SysWOW64\rljahst.exe
  Command line: C:\Windows\system32\rljahst.exe 784 "C:\Windows\SysWOW64\enoyyko.exe"
  - Executes dropped EXE
  - Loads dropped DLL
- Depth 26: C:\Windows\SysWOW64\ecddqbr.exe
  Command line: C:\Windows\system32\ecddqbr.exe 788 "C:\Windows\SysWOW64\rljahst.exe"
  - Executes dropped EXE
  - Loads dropped DLL
- Depth 27: C:\Windows\SysWOW64\obpaazz.exe
  Command line: C:\Windows\system32\obpaazz.exe 780 "C:\Windows\SysWOW64\ecddqbr.exe"
  - Executes dropped EXE
  - Loads dropped DLL
- Depth 28: C:\Windows\SysWOW64\ymflvuf.exe
  Command line: C:\Windows\system32\ymflvuf.exe 796 "C:\Windows\SysWOW64\obpaazz.exe"
  - Executes dropped EXE
  - Loads dropped DLL
- Depth 29: C:\Windows\SysWOW64\ihgvdxo.exe
  Command line: C:\Windows\system32\ihgvdxo.exe 792 "C:\Windows\SysWOW64\ymflvuf.exe"
  - Executes dropped EXE
  - Loads dropped DLL
- Depth 30: C:\Windows\SysWOW64\vyaymxl.exe
  Command line: C:\Windows\system32\vyaymxl.exe 804 "C:\Windows\SysWOW64\ihgvdxo.exe"
  - Executes dropped EXE
  - Loads dropped DLL
- Depth 31: C:\Windows\SysWOW64\crzdjrc.exe
  Command line: C:\Windows\system32\crzdjrc.exe 812 "C:\Windows\SysWOW64\vyaymxl.exe"
  - Executes dropped EXE
  - Loads dropped DLL
- Depth 32: C:\Windows\SysWOW64\nqlitqb.exe
  Command line: C:\Windows\system32\nqlitqb.exe 808 "C:\Windows\SysWOW64\crzdjrc.exe"
  - Executes dropped EXE
  - Loads dropped DLL
- Depth 33: C:\Windows\SysWOW64\xppgdoj.exe
  Command line: C:\Windows\system32\xppgdoj.exe 820 "C:\Windows\SysWOW64\nqlitqb.exe"
  - Executes dropped EXE
- Depth 34: C:\Windows\SysWOW64\knkjuxo.exe
  Command line: C:\Windows\system32\knkjuxo.exe 800 "C:\Windows\SysWOW64\xppgdoj.exe"
  - Executes dropped EXE
- Depth 35: C:\Windows\SysWOW64\ujltcrp.exe
  Command line: C:\Windows\system32\ujltcrp.exe 824 "C:\Windows\SysWOW64\knkjuxo.exe"
  - Executes dropped EXE
- Depth 36: C:\Windows\SysWOW64\eixqmqw.exe
  Command line: C:\Windows\system32\eixqmqw.exe 816 "C:\Windows\SysWOW64\ujltcrp.exe"
  - Executes dropped EXE
- Depth 37: C:\Windows\SysWOW64\olnbhtd.exe
  Command line: C:\Windows\system32\olnbhtd.exe 828 "C:\Windows\SysWOW64\eixqmqw.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
- Depth 38: C:\Windows\SysWOW64\bjhdqbi.exe
  Command line: C:\Windows\system32\bjhdqbi.exe 832 "C:\Windows\SysWOW64\olnbhtd.exe"
  - Executes dropped EXE
- Depth 39: C:\Windows\SysWOW64\oacgybo.exe
  Command line: C:\Windows\system32\oacgybo.exe 836 "C:\Windows\SysWOW64\bjhdqbi.exe"
  - Executes dropped EXE
- Depth 40: C:\Windows\SysWOW64\xodeojt.exe
  Command line: C:\Windows\system32\xodeojt.exe 840 "C:\Windows\SysWOW64\oacgybo.exe"
  - Executes dropped EXE
- Depth 41: C:\Windows\SysWOW64\lbutuna.exe
  Command line: C:\Windows\system32\lbutuna.exe 852 "C:\Windows\SysWOW64\xodeojt.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
- Depth 42: C:\Windows\SysWOW64\vlkepqg.exe
  Command line: C:\Windows\system32\vlkepqg.exe 844 "C:\Windows\SysWOW64\lbutuna.exe"
  - Executes dropped EXE
- Depth 43: C:\Windows\SysWOW64\iybtvlf.exe
  Command line: C:\Windows\system32\iybtvlf.exe 856 "C:\Windows\SysWOW64\vlkepqg.exe"
  - Executes dropped EXE
- Depth 44: C:\Windows\SysWOW64\syfrgkm.exe
  Command line: C:\Windows\system32\syfrgkm.exe 848 "C:\Windows\SysWOW64\iybtvlf.exe"
  - Executes dropped EXE
- Depth 45: C:\Windows\SysWOW64\bmgowsz.exe
  Command line: C:\Windows\system32\bmgowsz.exe 864 "C:\Windows\SysWOW64\syfrgkm.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
- Depth 46: C:\Windows\SysWOW64\mlkmoqh.exe
  Command line: C:\Windows\system32\mlkmoqh.exe 868 "C:\Windows\SysWOW64\bmgowsz.exe"
  - Executes dropped EXE
- Depth 47: C:\Windows\SysWOW64\wkwjzph.exe
  Command line: C:\Windows\system32\wkwjzph.exe 872 "C:\Windows\SysWOW64\mlkmoqh.exe"
  - Executes dropped EXE
- Depth 48: C:\Windows\SysWOW64\gjagjoo.exe
  Command line: C:\Windows\system32\gjagjoo.exe 880 "C:\Windows\SysWOW64\wkwjzph.exe"
  - Executes dropped EXE
- Depth 49: C:\Windows\SysWOW64\qfbzzjp.exe
  Command line: C:\Windows\system32\qfbzzjp.exe 892 "C:\Windows\SysWOW64\gjagjoo.exe"
  - Executes dropped EXE
- Depth 50: C:\Windows\SysWOW64\amfwjhw.exe
  Command line: C:\Windows\system32\amfwjhw.exe 860 "C:\Windows\SysWOW64\qfbzzjp.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
- Depth 51: C:\Windows\SysWOW64\llsutge.exe
  Command line: C:\Windows\system32\llsutge.exe 876 "C:\Windows\SysWOW64\amfwjhw.exe"
  - Executes dropped EXE
- Depth 52: C:\Windows\SysWOW64\ybmwkoj.exe
  Command line: C:\Windows\system32\ybmwkoj.exe 888 "C:\Windows\SysWOW64\llsutge.exe"
  - Executes dropped EXE
- Depth 53: C:\Windows\SysWOW64\hmchxjq.exe
  Command line: C:\Windows\system32\hmchxjq.exe 884 "C:\Windows\SysWOW64\ybmwkoj.exe"
  - Executes dropped EXE
- Depth 54: C:\Windows\SysWOW64\ucfjgsv.exe
  Command line: C:\Windows\system32\ucfjgsv.exe 904 "C:\Windows\SysWOW64\hmchxjq.exe"
  - Executes dropped EXE
- Depth 55: C:\Windows\SysWOW64\hbzmoat.exe
  Command line: C:\Windows\system32\hbzmoat.exe 908 "C:\Windows\SysWOW64\ucfjgsv.exe"
  - Executes dropped EXE
- Depth 56: C:\Windows\SysWOW64\swaxwuc.exe
  Command line: C:\Windows\system32\swaxwuc.exe 912 "C:\Windows\SysWOW64\hbzmoat.exe"
  - Executes dropped EXE
- Depth 57: C:\Windows\SysWOW64\hixrgie.exe
  Command line: C:\Windows\system32\hixrgie.exe 928 "C:\Windows\SysWOW64\swaxwuc.exe"
  - Executes dropped EXE
- Depth 58: C:\Windows\SysWOW64\rsmublk.exe
  Command line: C:\Windows\system32\rsmublk.exe 916 "C:\Windows\SysWOW64\hixrgie.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
- Depth 59: C:\Windows\SysWOW64\ejhxjtq.exe
  Command line: C:\Windows\system32\ejhxjtq.exe 896 "C:\Windows\SysWOW64\rsmublk.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
- Depth 60: C:\Windows\SysWOW64\rlnmvyu.exe
  Command line: C:\Windows\system32\rlnmvyu.exe 924 "C:\Windows\SysWOW64\ejhxjtq.exe"
  - Executes dropped EXE
  - Identifies Wine through registry keys
- Depth 61: C:\Windows\SysWOW64\dbipega.exe
  Command line: C:\Windows\system32\dbipega.exe 932 "C:\Windows\SysWOW64\rlnmvyu.exe"
  - Executes dropped EXE
  - Identifies Wine through registry keys
- Depth 62: C:\Windows\SysWOW64\ialsmox.exe
  Command line: C:\Windows\system32\ialsmox.exe 936 "C:\Windows\SysWOW64\dbipega.exe"
  - Executes dropped EXE
- Depth 63: C:\Windows\SysWOW64\qlkxjio.exe
  Command line: C:\Windows\system32\qlkxjio.exe 940 "C:\Windows\SysWOW64\ialsmox.exe"
  - Executes dropped EXE
- Depth 64: C:\Windows\SysWOW64\fbvfqrj.exe
  Command line: C:\Windows\system32\fbvfqrj.exe 952 "C:\Windows\SysWOW64\qlkxjio.exe"
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Drops file in System32 directory
- Depth 65: C:\Windows\SysWOW64\pekpdvx.exe
  Command line: C:\Windows\system32\pekpdvx.exe 944 "C:\Windows\SysWOW64\fbvfqrj.exe"
  - Executes dropped EXE
- Depth 66: C:\Windows\SysWOW64\ccnsmdv.exe
  Command line: C:\Windows\system32\ccnsmdv.exe 948 "C:\Windows\SysWOW64\pekpdvx.exe"
- Depth 67: C:\Windows\SysWOW64\ptiuudb.exe
  Command line: C:\Windows\system32\ptiuudb.exe 956 "C:\Windows\SysWOW64\ccnsmdv.exe"
- Depth 68: C:\Windows\SysWOW64\cjdpdlg.exe
  Command line: C:\Windows\system32\cjdpdlg.exe 920 "C:\Windows\SysWOW64\ptiuudb.exe"
- Depth 69: C:\Windows\SysWOW64\lxdnbst.exe
  Command line: C:\Windows\system32\lxdnbst.exe 964 "C:\Windows\SysWOW64\cjdpdlg.exe"
  - Drops file in System32 directory
- Depth 70: C:\Windows\SysWOW64\ywgpkbr.exe
  Command line: C:\Windows\system32\ywgpkbr.exe 960 "C:\Windows\SysWOW64\lxdnbst.exe"
- Depth 71: C:\Windows\SysWOW64\lmbssbw.exe
  Command line: C:\Windows\system32\lmbssbw.exe 972 "C:\Windows\SysWOW64\ywgpkbr.exe"
  - Drops file in System32 directory
- Depth 72: C:\Windows\SysWOW64\ydwvbjc.exe
  Command line: C:\Windows\system32\ydwvbjc.exe 984 "C:\Windows\SysWOW64\lmbssbw.exe"
- Depth 73: C:\Windows\SysWOW64\ayzxwjj.exe
  Command line: C:\Windows\system32\ayzxwjj.exe 660 "C:\Windows\SysWOW64\ydwvbjc.exe"
- Depth 74: C:\Windows\SysWOW64\nafnhov.exe
  Command line: C:\Windows\system32\nafnhov.exe 976 "C:\Windows\SysWOW64\ayzxwjj.exe"
- Depth 75: C:\Windows\SysWOW64\vtenwdr.exe
  Command line: C:\Windows\system32\vtenwdr.exe 680 "C:\Windows\SysWOW64\nafnhov.exe"
- Depth 76: C:\Windows\SysWOW64\cmkslwh.exe
  Command line: C:\Windows\system32\cmkslwh.exe 676 "C:\Windows\SysWOW64\vtenwdr.exe"
- Depth 77: C:\Windows\SysWOW64\hntnbcn.exe
  Command line: C:\Windows\system32\hntnbcn.exe 668 "C:\Windows\SysWOW64\cmkslwh.exe"
- Depth 78: C:\Windows\SysWOW64\rmxkman.exe
  Command line: C:\Windows\system32\rmxkman.exe 996 "C:\Windows\SysWOW64\hntnbcn.exe"
  - Identifies Wine through registry keys
- Depth 79: C:\Windows\SysWOW64\jxkduyn.exe
  Command line: C:\Windows\system32\jxkduyn.exe 1000 "C:\Windows\SysWOW64\rmxkman.exe"
- Depth 80: C:\Windows\SysWOW64\zusdgqw.exe
  Command line: C:\Windows\system32\zusdgqw.exe 1004 "C:\Windows\SysWOW64\jxkduyn.exe"
- Depth 81: C:\Windows\SysWOW64\msnfpyc.exe
  Command line: C:\Windows\system32\msnfpyc.exe 1008 "C:\Windows\SysWOW64\zusdgqw.exe"
- Depth 82: C:\Windows\SysWOW64\yjiixyh.exe
  Command line: C:\Windows\system32\yjiixyh.exe 1012 "C:\Windows\SysWOW64\msnfpyc.exe"
- Depth 83: C:\Windows\SysWOW64\ixifvgm.exe
  Command line: C:\Windows\system32\ixifvgm.exe 1020 "C:\Windows\SysWOW64\yjiixyh.exe"
- Depth 84: C:\Windows\SysWOW64\volieos.exe
  Command line: C:\Windows\system32\volieos.exe 1016 "C:\Windows\SysWOW64\ixifvgm.exe"
- Depth 85: C:\Windows\SysWOW64\imglmox.exe
  Command line: C:\Windows\system32\imglmox.exe 1032 "C:\Windows\SysWOW64\volieos.exe"
- Depth 86: C:\Windows\SysWOW64\vdbnvwd.exe
  Command line: C:\Windows\system32\vdbnvwd.exe 1028 "C:\Windows\SysWOW64\imglmox.exe"
- Depth 87: C:\Windows\SysWOW64\iteqeeb.exe
  Command line: C:\Windows\system32\iteqeeb.exe 1036 "C:\Windows\SysWOW64\vdbnvwd.exe"
  - Identifies Wine through registry keys
- Depth 88: C:\Windows\SysWOW64\rhwfumo.exe
  Command line: C:\Windows\system32\rhwfumo.exe 1040 "C:\Windows\SysWOW64\iteqeeb.exe"
- Depth 89: C:\Windows\SysWOW64\egzikmt.exe
  Command line: C:\Windows\system32\egzikmt.exe 1044 "C:\Windows\SysWOW64\rhwfumo.exe"
- Depth 90: C:\Windows\SysWOW64\rwultur.exe
  Command line: C:\Windows\system32\rwultur.exe 1056 "C:\Windows\SysWOW64\egzikmt.exe"
- Drops file in System32 directory
-
C:\Windows\SysWOW64\enpobcw.exeC:\Windows\system32\enpobcw.exe 1060 "C:\Windows\SysWOW64\rwultur.exe"91⤵
-
C:\Windows\SysWOW64\rlsqkcc.exeC:\Windows\system32\rlsqkcc.exe 1052 "C:\Windows\SysWOW64\enpobcw.exe"92⤵
-
C:\Windows\SysWOW64\bzsoakp.exeC:\Windows\system32\bzsoakp.exe 1048 "C:\Windows\SysWOW64\rlsqkcc.exe"93⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\oqnqjsn.exeC:\Windows\system32\oqnqjsn.exe 1064 "C:\Windows\SysWOW64\bzsoakp.exe"94⤵
-
C:\Windows\SysWOW64\agitrss.exeC:\Windows\system32\agitrss.exe 1068 "C:\Windows\SysWOW64\oqnqjsn.exe"95⤵
- Identifies Wine through registry keys
-
C:\Windows\SysWOW64\nfloiay.exeC:\Windows\system32\nfloiay.exe 1072 "C:\Windows\SysWOW64\agitrss.exe"96⤵
-
C:\Windows\SysWOW64\avfqrjd.exeC:\Windows\system32\avfqrjd.exe 1080 "C:\Windows\SysWOW64\nfloiay.exe"97⤵
-
C:\Windows\SysWOW64\kjgohqi.exeC:\Windows\system32\kjgohqi.exe 1076 "C:\Windows\SysWOW64\avfqrjd.exe"98⤵
-
C:\Windows\SysWOW64\xabqpqo.exeC:\Windows\system32\xabqpqo.exe 992 "C:\Windows\SysWOW64\kjgohqi.exe"99⤵
-
C:\Windows\SysWOW64\kvsgvun.exeC:\Windows\system32\kvsgvun.exe 1088 "C:\Windows\SysWOW64\xabqpqo.exe"100⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\ubtetba.exeC:\Windows\system32\ubtetba.exe 1092 "C:\Windows\SysWOW64\kvsgvun.exe"101⤵
-
C:\Windows\SysWOW64\hzogccf.exeC:\Windows\system32\hzogccf.exe 1096 "C:\Windows\SysWOW64\ubtetba.exe"102⤵
-
C:\Windows\SysWOW64\uqjjkkl.exeC:\Windows\system32\uqjjkkl.exe 1100 "C:\Windows\SysWOW64\hzogccf.exe"103⤵
-
C:\Windows\SysWOW64\golmtsi.exeC:\Windows\system32\golmtsi.exe 1104 "C:\Windows\SysWOW64\uqjjkkl.exe"104⤵
-
C:\Windows\SysWOW64\tfgobso.exeC:\Windows\system32\tfgobso.exe 1108 "C:\Windows\SysWOW64\golmtsi.exe"105⤵
-
C:\Windows\SysWOW64\dtherzb.exeC:\Windows\system32\dtherzb.exe 1112 "C:\Windows\SysWOW64\tfgobso.exe"106⤵
-
C:\Windows\SysWOW64\qjcgiih.exeC:\Windows\system32\qjcgiih.exe 1120 "C:\Windows\SysWOW64\dtherzb.exe"107⤵
-
C:\Windows\SysWOW64\diejrqe.exeC:\Windows\system32\diejrqe.exe 1116 "C:\Windows\SysWOW64\qjcgiih.exe"108⤵
-
C:\Windows\SysWOW64\qyzmzqk.exeC:\Windows\system32\qyzmzqk.exe 1128 "C:\Windows\SysWOW64\diejrqe.exe"109⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\vpuoiyp.exeC:\Windows\system32\vpuoiyp.exe 1124 "C:\Windows\SysWOW64\qyzmzqk.exe"110⤵
-
C:\Windows\SysWOW64\edvmygc.exeC:\Windows\system32\edvmygc.exe 1132 "C:\Windows\SysWOW64\vpuoiyp.exe"111⤵
- Identifies Wine through registry keys
-
C:\Windows\SysWOW64\ruqghga.exeC:\Windows\system32\ruqghga.exe 1084 "C:\Windows\SysWOW64\edvmygc.exe"112⤵
-
C:\Windows\SysWOW64\essjxof.exeC:\Windows\system32\essjxof.exe 1140 "C:\Windows\SysWOW64\ruqghga.exe"113⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\rinmgwl.exeC:\Windows\system32\rinmgwl.exe 1144 "C:\Windows\SysWOW64\essjxof.exe"114⤵
-
C:\Windows\SysWOW64\ehipowj.exeC:\Windows\system32\ehipowj.exe 1148 "C:\Windows\SysWOW64\rinmgwl.exe"115⤵
-
C:\Windows\SysWOW64\onjmeew.exeC:\Windows\system32\onjmeew.exe 1152 "C:\Windows\SysWOW64\ehipowj.exe"116⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\amlpnmb.exeC:\Windows\system32\amlpnmb.exe 1156 "C:\Windows\SysWOW64\onjmeew.exe"117⤵
-
C:\Windows\SysWOW64\ncgrwuh.exeC:\Windows\system32\ncgrwuh.exe 1160 "C:\Windows\SysWOW64\amlpnmb.exe"118⤵
-
C:\Windows\SysWOW64\abbueue.exeC:\Windows\system32\abbueue.exe 1164 "C:\Windows\SysWOW64\ncgrwuh.exe"119⤵
- Identifies Wine through registry keys
-
C:\Windows\SysWOW64\nrexvck.exeC:\Windows\system32\nrexvck.exe 1168 "C:\Windows\SysWOW64\abbueue.exe"120⤵
-
C:\Windows\SysWOW64\xfwmlkx.exeC:\Windows\system32\xfwmlkx.exe 1172 "C:\Windows\SysWOW64\nrexvck.exe"121⤵
-
C:\Windows\SysWOW64\kwzptkd.exeC:\Windows\system32\kwzptkd.exe 1176 "C:\Windows\SysWOW64\xfwmlkx.exe"122⤵
-
C:\Windows\SysWOW64\xuurcsa.exeC:\Windows\system32\xuurcsa.exe 1192 "C:\Windows\SysWOW64\kwzptkd.exe"123⤵
-
C:\Windows\SysWOW64\klpulag.exeC:\Windows\system32\klpulag.exe 1180 "C:\Windows\SysWOW64\xuurcsa.exe"124⤵
-
C:\Windows\SysWOW64\xjsxtal.exeC:\Windows\system32\xjsxtal.exe 1184 "C:\Windows\SysWOW64\klpulag.exe"125⤵
-
C:\Windows\SysWOW64\gpsuriy.exeC:\Windows\system32\gpsuriy.exe 1188 "C:\Windows\SysWOW64\xjsxtal.exe"126⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\tonxaqw.exeC:\Windows\system32\tonxaqw.exe 1196 "C:\Windows\SysWOW64\gpsuriy.exe"127⤵
-
C:\Windows\SysWOW64\geisjyb.exeC:\Windows\system32\geisjyb.exe 1200 "C:\Windows\SysWOW64\tonxaqw.exe"128⤵
-
C:\Windows\SysWOW64\tdluryh.exeC:\Windows\system32\tdluryh.exe 1204 "C:\Windows\SysWOW64\geisjyb.exe"129⤵
-
C:\Windows\SysWOW64\gtgxagf.exeC:\Windows\system32\gtgxagf.exe 1208 "C:\Windows\SysWOW64\tdluryh.exe"130⤵
-
C:\Windows\SysWOW64\phguyos.exeC:\Windows\system32\phguyos.exe 1212 "C:\Windows\SysWOW64\gtgxagf.exe"131⤵
-
C:\Windows\SysWOW64\cybxgox.exeC:\Windows\system32\cybxgox.exe 1216 "C:\Windows\SysWOW64\phguyos.exe"132⤵
-
C:\Windows\SysWOW64\poeapwd.exeC:\Windows\system32\poeapwd.exe 1220 "C:\Windows\SysWOW64\cybxgox.exe"133⤵
-
C:\Windows\SysWOW64\cnzcyea.exeC:\Windows\system32\cnzcyea.exe 1224 "C:\Windows\SysWOW64\poeapwd.exe"134⤵
-
C:\Windows\SysWOW64\pdtfgfg.exeC:\Windows\system32\pdtfgfg.exe 1228 "C:\Windows\SysWOW64\cnzcyea.exe"135⤵
-
C:\Windows\SysWOW64\zruuwmt.exeC:\Windows\system32\zruuwmt.exe 1232 "C:\Windows\SysWOW64\pdtfgfg.exe"136⤵
-
C:\Windows\SysWOW64\mipxnuz.exeC:\Windows\system32\mipxnuz.exe 1240 "C:\Windows\SysWOW64\zruuwmt.exe"137⤵
-
C:\Windows\SysWOW64\zgsavuw.exeC:\Windows\system32\zgsavuw.exe 1236 "C:\Windows\SysWOW64\mipxnuz.exe"138⤵
-
C:\Windows\SysWOW64\mxmcedc.exeC:\Windows\system32\mxmcedc.exe 1244 "C:\Windows\SysWOW64\zgsavuw.exe"139⤵
-
C:\Windows\SysWOW64\yvhfnlh.exeC:\Windows\system32\yvhfnlh.exe 1248 "C:\Windows\SysWOW64\mxmcedc.exe"140⤵
-
C:\Windows\SysWOW64\ibiddsu.exeC:\Windows\system32\ibiddsu.exe 1252 "C:\Windows\SysWOW64\yvhfnlh.exe"141⤵
-
C:\Windows\SysWOW64\valflss.exeC:\Windows\system32\valflss.exe 1256 "C:\Windows\SysWOW64\ibiddsu.exe"142⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\iqgiuax.exeC:\Windows\system32\iqgiuax.exe 1264 "C:\Windows\SysWOW64\valflss.exe"143⤵
-
C:\Windows\SysWOW64\vpadljd.exeC:\Windows\system32\vpadljd.exe 1136 "C:\Windows\SysWOW64\iqgiuax.exe"144⤵
-
C:\Windows\SysWOW64\ifdftjj.exeC:\Windows\system32\ifdftjj.exe 1272 "C:\Windows\SysWOW64\vpadljd.exe"145⤵
-
C:\Windows\SysWOW64\ruwdjqo.exeC:\Windows\system32\ruwdjqo.exe 1268 "C:\Windows\SysWOW64\ifdftjj.exe"146⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\ekzfsyt.exeC:\Windows\system32\ekzfsyt.exe 1276 "C:\Windows\SysWOW64\ruwdjqo.exe"147⤵
-
C:\Windows\SysWOW64\rjtiazz.exeC:\Windows\system32\rjtiazz.exe 1280 "C:\Windows\SysWOW64\ekzfsyt.exe"148⤵
-
C:\Windows\SysWOW64\ezoljhw.exeC:\Windows\system32\ezoljhw.exe 1296 "C:\Windows\SysWOW64\rjtiazz.exe"149⤵
-
C:\Windows\SysWOW64\rqrnspc.exeC:\Windows\system32\rqrnspc.exe 1284 "C:\Windows\SysWOW64\ezoljhw.exe"150⤵
-
C:\Windows\SysWOW64\besdqwp.exeC:\Windows\system32\besdqwp.exe 1288 "C:\Windows\SysWOW64\rqrnspc.exe"151⤵
-
C:\Windows\SysWOW64\ocmfywu.exeC:\Windows\system32\ocmfywu.exe 1292 "C:\Windows\SysWOW64\besdqwp.exe"152⤵
-
C:\Windows\SysWOW64\athihfs.exeC:\Windows\system32\athihfs.exe 1300 "C:\Windows\SysWOW64\ocmfywu.exe"153⤵
-
C:\Windows\SysWOW64\njklpny.exeC:\Windows\system32\njklpny.exe 1304 "C:\Windows\SysWOW64\athihfs.exe"154⤵
-
C:\Windows\SysWOW64\aifoynd.exeC:\Windows\system32\aifoynd.exe 1308 "C:\Windows\SysWOW64\njklpny.exe"155⤵
- Identifies Wine through registry keys
-
C:\Windows\SysWOW64\kwglwuq.exeC:\Windows\system32\kwglwuq.exe 1312 "C:\Windows\SysWOW64\aifoynd.exe"156⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\xjpbcyp.exeC:\Windows\system32\xjpbcyp.exe 1316 "C:\Windows\SysWOW64\kwglwuq.exe"157⤵
-
C:\Windows\SysWOW64\kzsdkgv.exeC:\Windows\system32\kzsdkgv.exe 1320 "C:\Windows\SysWOW64\xjpbcyp.exe"158⤵
-
C:\Windows\SysWOW64\mkhoycb.exeC:\Windows\system32\mkhoycb.exe 1260 "C:\Windows\SysWOW64\kzsdkgv.exe"159⤵
-
C:\Windows\SysWOW64\wmxytfh.exeC:\Windows\system32\wmxytfh.exe 1328 "C:\Windows\SysWOW64\mkhoycb.exe"160⤵
-
C:\Windows\SysWOW64\mzftpse.exeC:\Windows\system32\mzftpse.exe 1332 "C:\Windows\SysWOW64\wmxytfh.exe"161⤵
-
C:\Windows\SysWOW64\vfxinzr.exeC:\Windows\system32\vfxinzr.exe 1336 "C:\Windows\SysWOW64\mzftpse.exe"162⤵
-
C:\Windows\SysWOW64\idalwzx.exeC:\Windows\system32\idalwzx.exe 1356 "C:\Windows\SysWOW64\vfxinzr.exe"163⤵
-
C:\Windows\SysWOW64\vuvoeic.exeC:\Windows\system32\vuvoeic.exe 1340 "C:\Windows\SysWOW64\idalwzx.exe"164⤵
-
C:\Windows\SysWOW64\ikqrnqa.exeC:\Windows\system32\ikqrnqa.exe 1348 "C:\Windows\SysWOW64\vuvoeic.exe"165⤵
-
C:\Windows\SysWOW64\vjttvqf.exeC:\Windows\system32\vjttvqf.exe 1344 "C:\Windows\SysWOW64\ikqrnqa.exe"166⤵
-
C:\Windows\SysWOW64\fxtrtxs.exeC:\Windows\system32\fxtrtxs.exe 1352 "C:\Windows\SysWOW64\vjttvqf.exe"167⤵
-
C:\Windows\SysWOW64\snotcgy.exeC:\Windows\system32\snotcgy.exe 1360 "C:\Windows\SysWOW64\fxtrtxs.exe"168⤵
-
C:\Windows\SysWOW64\fejwlgw.exeC:\Windows\system32\fejwlgw.exe 1364 "C:\Windows\SysWOW64\snotcgy.exe"169⤵
-
C:\Windows\SysWOW64\rcmrtob.exeC:\Windows\system32\rcmrtob.exe 1368 "C:\Windows\SysWOW64\fejwlgw.exe"170⤵
-
C:\Windows\SysWOW64\ethtcwh.exeC:\Windows\system32\ethtcwh.exe 1372 "C:\Windows\SysWOW64\rcmrtob.exe"171⤵
-
C:\Windows\SysWOW64\ohhrsdu.exeC:\Windows\system32\ohhrsdu.exe 1380 "C:\Windows\SysWOW64\ethtcwh.exe"172⤵
-
C:\Windows\SysWOW64\burggzt.exeC:\Windows\system32\burggzt.exe 1376 "C:\Windows\SysWOW64\ohhrsdu.exe"173⤵
-
C:\Windows\SysWOW64\otujohq.exeC:\Windows\system32\otujohq.exe 1384 "C:\Windows\SysWOW64\burggzt.exe"174⤵
-
C:\Windows\SysWOW64\yzuhepd.exeC:\Windows\system32\yzuhepd.exe 1392 "C:\Windows\SysWOW64\otujohq.exe"175⤵
-
C:\Windows\SysWOW64\lxpjnpj.exeC:\Windows\system32\lxpjnpj.exe 1388 "C:\Windows\SysWOW64\yzuhepd.exe"176⤵
-
C:\Windows\SysWOW64\ykhztth.exeC:\Windows\system32\ykhztth.exe 1396 "C:\Windows\SysWOW64\lxpjnpj.exe"177⤵
-
C:\Windows\SysWOW64\hyzwrav.exeC:\Windows\system32\hyzwrav.exe 1400 "C:\Windows\SysWOW64\ykhztth.exe"178⤵
-
C:\Windows\SysWOW64\upczzja.exeC:\Windows\system32\upczzja.exe 1404 "C:\Windows\SysWOW64\hyzwrav.exe"179⤵
-
C:\Windows\SysWOW64\icmpfez.exeC:\Windows\system32\icmpfez.exe 1408 "C:\Windows\SysWOW64\upczzja.exe"180⤵
-
C:\Windows\SysWOW64\rqmevmm.exeC:\Windows\system32\rqmevmm.exe 1412 "C:\Windows\SysWOW64\icmpfez.exe"181⤵
-
C:\Windows\SysWOW64\egpheuk.exeC:\Windows\system32\egpheuk.exe 1324 "C:\Windows\SysWOW64\rqmevmm.exe"182⤵
-
C:\Windows\SysWOW64\rfkjmcp.exeC:\Windows\system32\rfkjmcp.exe 1424 "C:\Windows\SysWOW64\egpheuk.exe"183⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\evfmdcv.exeC:\Windows\system32\evfmdcv.exe 1420 "C:\Windows\SysWOW64\rfkjmcp.exe"184⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\ruhpmka.exeC:\Windows\system32\ruhpmka.exe 1440 "C:\Windows\SysWOW64\evfmdcv.exe"185⤵
-
C:\Windows\SysWOW64\aaimcsf.exeC:\Windows\system32\aaimcsf.exe 1416 "C:\Windows\SysWOW64\ruhpmka.exe"186⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\nydpksl.exeC:\Windows\system32\nydpksl.exe 1444 "C:\Windows\SysWOW64\aaimcsf.exe"187⤵
-
C:\Windows\SysWOW64\apystaq.exeC:\Windows\system32\apystaq.exe 1432 "C:\Windows\SysWOW64\nydpksl.exe"188⤵
-
C:\Windows\SysWOW64\nnsubiw.exeC:\Windows\system32\nnsubiw.exe 1456 "C:\Windows\SysWOW64\apystaq.exe"189⤵
-
C:\Windows\SysWOW64\xqqxxlc.exeC:\Windows\system32\xqqxxlc.exe 1436 "C:\Windows\SysWOW64\nnsubiw.exe"190⤵
-
C:\Windows\SysWOW64\kswmiqh.exeC:\Windows\system32\kswmiqh.exe 1448 "C:\Windows\SysWOW64\xqqxxlc.exe"191⤵
-
C:\Windows\SysWOW64\xirprym.exeC:\Windows\system32\xirprym.exe 1452 "C:\Windows\SysWOW64\kswmiqh.exe"192⤵
-
C:\Windows\SysWOW64\khmszgs.exeC:\Windows\system32\khmszgs.exe 1464 "C:\Windows\SysWOW64\xirprym.exe"193⤵
-
C:\Windows\SysWOW64\wxouigp.exeC:\Windows\system32\wxouigp.exe 1460 "C:\Windows\SysWOW64\khmszgs.exe"194⤵
-
C:\Windows\SysWOW64\jojxrpv.exeC:\Windows\system32\jojxrpv.exe 1468 "C:\Windows\SysWOW64\wxouigp.exe"195⤵
-
C:\Windows\SysWOW64\tckmpwi.exeC:\Windows\system32\tckmpwi.exe 1476 "C:\Windows\SysWOW64\jojxrpv.exe"196⤵
-
C:\Windows\SysWOW64\gbfpxwg.exeC:\Windows\system32\gbfpxwg.exe 1472 "C:\Windows\SysWOW64\tckmpwi.exe"197⤵
-
C:\Windows\SysWOW64\trhsgel.exeC:\Windows\system32\trhsgel.exe 1480 "C:\Windows\SysWOW64\gbfpxwg.exe"198⤵
-
C:\Windows\SysWOW64\gicuonr.exeC:\Windows\system32\gicuonr.exe 1484 "C:\Windows\SysWOW64\trhsgel.exe"199⤵
-
C:\Windows\SysWOW64\tgxxxnw.exeC:\Windows\system32\tgxxxnw.exe 1488 "C:\Windows\SysWOW64\gicuonr.exe"200⤵
-
C:\Windows\SysWOW64\djmikqc.exeC:\Windows\system32\djmikqc.exe 1496 "C:\Windows\SysWOW64\tgxxxnw.exe"201⤵
-
C:\Windows\SysWOW64\plsxech.exeC:\Windows\system32\plsxech.exe 1492 "C:\Windows\SysWOW64\djmikqc.exe"202⤵
-
C:\Windows\SysWOW64\cyknjgg.exeC:\Windows\system32\cyknjgg.exe 1500 "C:\Windows\SysWOW64\plsxech.exe"203⤵
-
C:\Windows\SysWOW64\mmlkzgt.exeC:\Windows\system32\mmlkzgt.exe 1504 "C:\Windows\SysWOW64\cyknjgg.exe"204⤵
-
C:\Windows\SysWOW64\zcfnioy.exeC:\Windows\system32\zcfnioy.exe 1512 "C:\Windows\SysWOW64\mmlkzgt.exe"205⤵
-
C:\Windows\SysWOW64\mbiirwe.exeC:\Windows\system32\mbiirwe.exe 1508 "C:\Windows\SysWOW64\zcfnioy.exe"206⤵
-
C:\Windows\SysWOW64\zrdkzwb.exeC:\Windows\system32\zrdkzwb.exe 1516 "C:\Windows\SysWOW64\mbiirwe.exe"207⤵
-
C:\Windows\SysWOW64\eqynieh.exeC:\Windows\system32\eqynieh.exe 1428 "C:\Windows\SysWOW64\zrdkzwb.exe"208⤵
-
C:\Windows\SysWOW64\rgbqymm.exeC:\Windows\system32\rgbqymm.exe 1536 "C:\Windows\SysWOW64\eqynieh.exe"209⤵
-
C:\Windows\SysWOW64\autnpua.exeC:\Windows\system32\autnpua.exe 1520 "C:\Windows\SysWOW64\rgbqymm.exe"210⤵
-
C:\Windows\SysWOW64\nlwqxux.exeC:\Windows\system32\nlwqxux.exe 1528 "C:\Windows\SysWOW64\autnpua.exe"211⤵
-
C:\Windows\SysWOW64\ajrtgcd.exeC:\Windows\system32\ajrtgcd.exe 1524 "C:\Windows\SysWOW64\nlwqxux.exe"212⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\namvoki.exeC:\Windows\system32\namvoki.exe 1540 "C:\Windows\SysWOW64\ajrtgcd.exe"213⤵
-
C:\Windows\SysWOW64\aqpyxlg.exeC:\Windows\system32\aqpyxlg.exe 1544 "C:\Windows\SysWOW64\namvoki.exe"214⤵
-
C:\Windows\SysWOW64\kepnvst.exeC:\Windows\system32\kepnvst.exe 1560 "C:\Windows\SysWOW64\aqpyxlg.exe"215⤵
-
C:\Windows\SysWOW64\wvkqeay.exeC:\Windows\system32\wvkqeay.exe 1548 "C:\Windows\SysWOW64\kepnvst.exe"216⤵
-
C:\Windows\SysWOW64\jtftmae.exeC:\Windows\system32\jtftmae.exe 1556 "C:\Windows\SysWOW64\wvkqeay.exe"217⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\wkivvic.exeC:\Windows\system32\wkivvic.exe 1552 "C:\Windows\SysWOW64\jtftmae.exe"218⤵
-
C:\Windows\SysWOW64\jicydrh.exeC:\Windows\system32\jicydrh.exe 1568 "C:\Windows\SysWOW64\wkivvic.exe"219⤵
-
C:\Windows\SysWOW64\todvbyu.exeC:\Windows\system32\todvbyu.exe 1564 "C:\Windows\SysWOW64\jicydrh.exe"220⤵
-
C:\Windows\SysWOW64\gnyykya.exeC:\Windows\system32\gnyykya.exe 1532 "C:\Windows\SysWOW64\todvbyu.exe"221⤵
-
C:\Windows\SysWOW64\tdtttgx.exeC:\Windows\system32\tdtttgx.exe 1576 "C:\Windows\SysWOW64\gnyykya.exe"222⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\gcvvbpd.exeC:\Windows\system32\gcvvbpd.exe 1572 "C:\Windows\SysWOW64\tdtttgx.exe"223⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\tsqykpi.exeC:\Windows\system32\tsqykpi.exe 1584 "C:\Windows\SysWOW64\gcvvbpd.exe"224⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cgrwaww.exeC:\Windows\system32\cgrwaww.exe 1588 "C:\Windows\SysWOW64\tsqykpi.exe"225⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\pxmyqet.exeC:\Windows\system32\pxmyqet.exe 1592 "C:\Windows\SysWOW64\cgrwaww.exe"226⤵
-
C:\Windows\SysWOW64\zeywbdb.exeC:\Windows\system32\zeywbdb.exe 1596 "C:\Windows\SysWOW64\pxmyqet.exe"227⤵
-
C:\Windows\SysWOW64\mvtykdg.exeC:\Windows\system32\mvtykdg.exe 1580 "C:\Windows\SysWOW64\zeywbdb.exe"228⤵
-
C:\Windows\SysWOW64\zlnbslm.exeC:\Windows\system32\zlnbslm.exe 1616 "C:\Windows\SysWOW64\mvtykdg.exe"229⤵
-
C:\Windows\SysWOW64\mkqebuj.exeC:\Windows\system32\mkqebuj.exe 1604 "C:\Windows\SysWOW64\zlnbslm.exe"230⤵
-
C:\Windows\SysWOW64\wmgowxy.exeC:\Windows\system32\wmgowxy.exe 1624 "C:\Windows\SysWOW64\mkqebuj.exe"231⤵
- Identifies Wine through registry keys
-
C:\Windows\SysWOW64\jlarfxv.exeC:\Windows\system32\jlarfxv.exe 1608 "C:\Windows\SysWOW64\wmgowxy.exe"232⤵
-
C:\Windows\SysWOW64\tnqbsaj.exeC:\Windows\system32\tnqbsaj.exe 1620 "C:\Windows\SysWOW64\jlarfxv.exe"233⤵
-
C:\Windows\SysWOW64\gmteaih.exeC:\Windows\system32\gmteaih.exe 1612 "C:\Windows\SysWOW64\tnqbsaj.exe"234⤵
-
C:\Windows\SysWOW64\scnzjin.exeC:\Windows\system32\scnzjin.exe 1632 "C:\Windows\SysWOW64\gmteaih.exe"235⤵
-
C:\Windows\SysWOW64\ftibsqs.exeC:\Windows\system32\ftibsqs.exe 1628 "C:\Windows\SysWOW64\scnzjin.exe"236⤵
-
C:\Windows\SysWOW64\phjzqyf.exeC:\Windows\system32\phjzqyf.exe 1636 "C:\Windows\SysWOW64\ftibsqs.exe"237⤵
-
C:\Windows\SysWOW64\cfmbygd.exeC:\Windows\system32\cfmbygd.exe 1640 "C:\Windows\SysWOW64\phjzqyf.exe"238⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\pwgehgi.exeC:\Windows\system32\pwgehgi.exe 1648 "C:\Windows\SysWOW64\cfmbygd.exe"239⤵
-
C:\Windows\SysWOW64\cmbhpoo.exeC:\Windows\system32\cmbhpoo.exe 1644 "C:\Windows\SysWOW64\pwgehgi.exe"240⤵
-
C:\Windows\SysWOW64\mxrrdru.exeC:\Windows\system32\mxrrdru.exe 1652 "C:\Windows\SysWOW64\cmbhpoo.exe"241⤵
- Drops file in System32 directory