Analysis
- max time kernel: 150s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
- submitted: 20-06-2024 04:55
Static task: static1
Behavioral task: behavioral1
- Sample: 02f901580374a04fefa85b250feb13b7_JaffaCakes118.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 02f901580374a04fefa85b250feb13b7_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 02f901580374a04fefa85b250feb13b7_JaffaCakes118.exe
- Size: 464KB
- MD5: 02f901580374a04fefa85b250feb13b7
- SHA1: fbbfc8b672593d04ce25f86a0f110516f08d14be
- SHA256: e17e7a3ae0a6d26cc711d90e5167f4e2248ae3f9f14bc1e9e57b6b0dff9c1059
- SHA512: 2f2a9522226b04448a4123013e7bc1b15a21fbbfbb06526679b5b21e9c68647fb9e46f7f09c06e9341078a741368c5a42791af9ffd6d7264e2955df9acaade13
- SSDEEP: 6144:vsTLko5jaT6bSW8sDlmSCF3CioBbrLyKNfrcj6qlpv7bLHdmps000bxIDsk:vsTLPgM75B2oBvLnc6qjbRKL00bxI
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\02f901580374a04fefa85b250feb13b7_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\02f901580374a04fefa85b250feb13b7_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\llgxico.exeC:\Windows\system32\llgxico.exe 620 "C:\Users\Admin\AppData\Local\Temp\02f901580374a04fefa85b250feb13b7_JaffaCakes118.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ormixbq.exeC:\Windows\system32\ormixbq.exe 700 "C:\Windows\SysWOW64\llgxico.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\slchwma.exeC:\Windows\system32\slchwma.exe 644 "C:\Windows\SysWOW64\ormixbq.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\xywppvn.exeC:\Windows\system32\xywppvn.exe 688 "C:\Windows\SysWOW64\slchwma.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\xjiidzr.exeC:\Windows\system32\xjiidzr.exe 624 "C:\Windows\SysWOW64\xywppvn.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\pxznobq.exeC:\Windows\system32\pxznobq.exe 716 "C:\Windows\SysWOW64\xjiidzr.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\xcjaxmb.exeC:\Windows\system32\xcjaxmb.exe 712 "C:\Windows\SysWOW64\pxznobq.exe"8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\hbvyila.exeC:\Windows\system32\hbvyila.exe 724 "C:\Windows\SysWOW64\xcjaxmb.exe"9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rpovgsn.exeC:\Windows\system32\rpovgsn.exe 728 "C:\Windows\SysWOW64\hbvyila.exe"10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\efryoat.exeC:\Windows\system32\efryoat.exe 732 "C:\Windows\SysWOW64\rpovgsn.exe"11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\oevvzza.exeC:\Windows\system32\oevvzza.exe 748 "C:\Windows\SysWOW64\efryoat.exe"12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\bdqyhzy.exeC:\Windows\system32\bdqyhzy.exe 736 "C:\Windows\SysWOW64\oevvzza.exe"13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\illqcxi.exeC:\Windows\system32\illqcxi.exe 740 "C:\Windows\SysWOW64\bdqyhzy.exe"14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vnrfnbu.exeC:\Windows\system32\vnrfnbu.exe 752 "C:\Windows\SysWOW64\illqcxi.exe"15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\fmvdyat.exeC:\Windows\system32\fmvdyat.exe 744 "C:\Windows\SysWOW64\vnrfnbu.exe"16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\scygoiz.exeC:\Windows\system32\scygoiz.exe 760 "C:\Windows\SysWOW64\fmvdyat.exe"17⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\cyzqwda.exeC:\Windows\system32\cyzqwda.exe 756 "C:\Windows\SysWOW64\scygoiz.exe"18⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\krolfqc.exeC:\Windows\system32\krolfqc.exe 720 "C:\Windows\SysWOW64\cyzqwda.exe"19⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\uclvtuq.exeC:\Windows\system32\uclvtuq.exe 772 "C:\Windows\SysWOW64\krolfqc.exe"20⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\gsgybco.exeC:\Windows\system32\gsgybco.exe 780 "C:\Windows\SysWOW64\uclvtuq.exe"21⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\oatqvrx.exeC:\Windows\system32\oatqvrx.exe 768 "C:\Windows\SysWOW64\gsgybco.exe"22⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\achghek.exeC:\Windows\system32\achghek.exe 784 "C:\Windows\SysWOW64\oatqvrx.exe"23⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\oprwnaj.exeC:\Windows\system32\oprwnaj.exe 788 "C:\Windows\SysWOW64\achghek.exe"24⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\arxlymn.exeC:\Windows\system32\arxlymn.exe 764 "C:\Windows\SysWOW64\oprwnaj.exe"25⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\kqjjqlu.exeC:\Windows\system32\kqjjqlu.exe 792 "C:\Windows\SysWOW64\arxlymn.exe"26⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\xhelzts.exeC:\Windows\system32\xhelzts.exe 800 "C:\Windows\SysWOW64\kqjjqlu.exe"27⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\hgijjka.exeC:\Windows\system32\hgijjka.exe 796 "C:\Windows\SysWOW64\xhelzts.exe"28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
-
C:\Windows\SysWOW64\rqftxno.exeC:\Windows\system32\rqftxno.exe 776 "C:\Windows\SysWOW64\hgijjka.exe"29⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\fdpjdrn.exeC:\Windows\system32\fdpjdrn.exe 808 "C:\Windows\SysWOW64\rqftxno.exe"30⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\ooetyut.exeC:\Windows\system32\ooetyut.exe 804 "C:\Windows\SysWOW64\fdpjdrn.exe"31⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\behwgcy.exeC:\Windows\system32\behwgcy.exe 816 "C:\Windows\SysWOW64\ooetyut.exe"32⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\ovczpcw.exeC:\Windows\system32\ovczpcw.exe 812 "C:\Windows\SysWOW64\behwgcy.exe"33⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\yfrjcfk.exeC:\Windows\system32\yfrjcfk.exe 828 "C:\Windows\SysWOW64\ovczpcw.exe"34⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\lhxrosp.exeC:\Windows\system32\lhxrosp.exe 820 "C:\Windows\SysWOW64\yfrjcfk.exe"35⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\yupgbwn.exeC:\Windows\system32\yupgbwn.exe 836 "C:\Windows\SysWOW64\lhxrosp.exe"36⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\ibpervb.exeC:\Windows\system32\ibpervb.exe 824 "C:\Windows\SysWOW64\yupgbwn.exe"37⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\vwztxzz.exeC:\Windows\system32\vwztxzz.exe 840 "C:\Windows\SysWOW64\ibpervb.exe"38⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\imcwghf.exeC:\Windows\system32\imcwghf.exe 832 "C:\Windows\SysWOW64\vwztxzz.exe"39⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\rauueos.exeC:\Windows\system32\rauueos.exe 848 "C:\Windows\SysWOW64\imcwghf.exe"40⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\erxwmpq.exeC:\Windows\system32\erxwmpq.exe 852 "C:\Windows\SysWOW64\rauueos.exe"41⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\rehmssw.exeC:\Windows\system32\rehmssw.exe 856 "C:\Windows\SysWOW64\erxwmpq.exe"42⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\bshjiab.exeC:\Windows\system32\bshjiab.exe 844 "C:\Windows\SysWOW64\rehmssw.exe"43⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\oqkmrah.exeC:\Windows\system32\oqkmrah.exe 876 "C:\Windows\SysWOW64\bshjiab.exe"44⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\bhfhzin.exeC:\Windows\system32\bhfhzin.exe 864 "C:\Windows\SysWOW64\oqkmrah.exe"45⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\oxajiqs.exeC:\Windows\system32\oxajiqs.exe 868 "C:\Windows\SysWOW64\bhfhzin.exe"46⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\bwdmzrq.exeC:\Windows\system32\bwdmzrq.exe 860 "C:\Windows\SysWOW64\oxajiqs.exe"47⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\lyswmue.exeC:\Windows\system32\lyswmue.exe 880 "C:\Windows\SysWOW64\bwdmzrq.exe"48⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\xaymxgi.exeC:\Windows\system32\xaymxgi.exe 872 "C:\Windows\SysWOW64\lyswmue.exe"49⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\krtpgoo.exeC:\Windows\system32\krtpgoo.exe 892 "C:\Windows\SysWOW64\xaymxgi.exe"50⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\uyfmqnn.exeC:\Windows\system32\uyfmqnn.exe 896 "C:\Windows\SysWOW64\krtpgoo.exe"51⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\eauxmic.exeC:\Windows\system32\eauxmic.exe 884 "C:\Windows\SysWOW64\uyfmqnn.exe"52⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\ufvsqvy.exeC:\Windows\system32\ufvsqvy.exe 904 "C:\Windows\SysWOW64\eauxmic.exe"53⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\bytxfph.exeC:\Windows\system32\bytxfph.exe 900 "C:\Windows\SysWOW64\ufvsqvy.exe"54⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\opwznxm.exeC:\Windows\system32\opwznxm.exe 888 "C:\Windows\SysWOW64\bytxfph.exe"55⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\yoaxgwu.exeC:\Windows\system32\yoaxgwu.exe 916 "C:\Windows\SysWOW64\opwznxm.exe"56⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\lqgmrby.exeC:\Windows\system32\lqgmrby.exe 912 "C:\Windows\SysWOW64\yoaxgwu.exe"57⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\ygjpaje.exeC:\Windows\system32\ygjpaje.exe 920 "C:\Windows\SysWOW64\lqgmrby.exe"58⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\lfesirb.exeC:\Windows\system32\lfesirb.exe 924 "C:\Windows\SysWOW64\ygjpaje.exe"59⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\veiptqj.exeC:\Windows\system32\veiptqj.exe 932 "C:\Windows\SysWOW64\lfesirb.exe"60⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\iclsjqo.exeC:\Windows\system32\iclsjqo.exe 908 "C:\Windows\SysWOW64\veiptqj.exe"61⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\sfacxtv.exeC:\Windows\system32\sfacxtv.exe 936 "C:\Windows\SysWOW64\iclsjqo.exe"62⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\ehgkifz.exeC:\Windows\system32\ehgkifz.exe 940 "C:\Windows\SysWOW64\sfacxtv.exe"63⤵
-
C:\Windows\SysWOW64\rxbnrgf.exeC:\Windows\system32\rxbnrgf.exe 948 "C:\Windows\SysWOW64\ehgkifz.exe"64⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\eoepzok.exeC:\Windows\system32\eoepzok.exe 952 "C:\Windows\SysWOW64\rxbnrgf.exe"65⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\oytaurq.exeC:\Windows\system32\oytaurq.exe 956 "C:\Windows\SysWOW64\eoepzok.exe"66⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\tldqavp.exeC:\Windows\system32\tldqavp.exe 944 "C:\Windows\SysWOW64\oytaurq.exe"67⤵
-
C:\Windows\SysWOW64\grusoea.exeC:\Windows\system32\grusoea.exe 964 "C:\Windows\SysWOW64\tldqavp.exe"68⤵
-
C:\Windows\SysWOW64\thpvxmg.exeC:\Windows\system32\thpvxmg.exe 960 "C:\Windows\SysWOW64\grusoea.exe"69⤵
-
C:\Windows\SysWOW64\ggsygud.exeC:\Windows\system32\ggsygud.exe 968 "C:\Windows\SysWOW64\thpvxmg.exe"70⤵
-
C:\Windows\SysWOW64\swnsouj.exeC:\Windows\system32\swnsouj.exe 976 "C:\Windows\SysWOW64\ggsygud.exe"71⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cknqmcw.exeC:\Windows\system32\cknqmcw.exe 972 "C:\Windows\SysWOW64\swnsouj.exe"72⤵
-
C:\Windows\SysWOW64\pbisvkc.exeC:\Windows\system32\pbisvkc.exe 980 "C:\Windows\SysWOW64\cknqmcw.exe"73⤵
-
C:\Windows\SysWOW64\czlvdkz.exeC:\Windows\system32\czlvdkz.exe 988 "C:\Windows\SysWOW64\pbisvkc.exe"74⤵
-
C:\Windows\SysWOW64\pbrlpwm.exeC:\Windows\system32\pbrlpwm.exe 928 "C:\Windows\SysWOW64\czlvdkz.exe"75⤵
-
C:\Windows\SysWOW64\cobavak.exeC:\Windows\system32\cobavak.exe 996 "C:\Windows\SysWOW64\pbrlpwm.exe"76⤵
-
C:\Windows\SysWOW64\lvbqlix.exeC:\Windows\system32\lvbqlix.exe 992 "C:\Windows\SysWOW64\cobavak.exe"77⤵
-
C:\Windows\SysWOW64\ytestiv.exeC:\Windows\system32\ytestiv.exe 1004 "C:\Windows\SysWOW64\lvbqlix.exe"78⤵
-
C:\Windows\SysWOW64\lkzvkqb.exeC:\Windows\system32\lkzvkqb.exe 1000 "C:\Windows\SysWOW64\ytestiv.exe"79⤵
-
C:\Windows\SysWOW64\yiuytyg.exeC:\Windows\system32\yiuytyg.exe 1012 "C:\Windows\SysWOW64\lkzvkqb.exe"80⤵
-
C:\Windows\SysWOW64\lzoabym.exeC:\Windows\system32\lzoabym.exe 1008 "C:\Windows\SysWOW64\yiuytyg.exe"81⤵
-
C:\Windows\SysWOW64\ybcqnlq.exeC:\Windows\system32\ybcqnlq.exe 1016 "C:\Windows\SysWOW64\lzoabym.exe"82⤵
-
C:\Windows\SysWOW64\lrxtvto.exeC:\Windows\system32\lrxtvto.exe 1020 "C:\Windows\SysWOW64\ybcqnlq.exe"83⤵
-
C:\Windows\SysWOW64\vcndioc.exeC:\Windows\system32\vcndioc.exe 1040 "C:\Windows\SysWOW64\lrxtvto.exe"84⤵
-
C:\Windows\SysWOW64\hshgzwz.exeC:\Windows\system32\hshgzwz.exe 1032 "C:\Windows\SysWOW64\vcndioc.exe"85⤵
-
C:\Windows\SysWOW64\ujkjief.exeC:\Windows\system32\ujkjief.exe 1028 "C:\Windows\SysWOW64\hshgzwz.exe"86⤵
-
C:\Windows\SysWOW64\exlyyms.exeC:\Windows\system32\exlyyms.exe 1036 "C:\Windows\SysWOW64\ujkjief.exe"87⤵
-
C:\Windows\SysWOW64\rvgbgmy.exeC:\Windows\system32\rvgbgmy.exe 1044 "C:\Windows\SysWOW64\exlyyms.exe"88⤵
-
C:\Windows\SysWOW64\emadpuv.exeC:\Windows\system32\emadpuv.exe 1048 "C:\Windows\SysWOW64\rvgbgmy.exe"89⤵
-
C:\Windows\SysWOW64\rcdgxcb.exeC:\Windows\system32\rcdgxcb.exe 1056 "C:\Windows\SysWOW64\emadpuv.exe"90⤵
-
C:\Windows\SysWOW64\ebyjgcg.exeC:\Windows\system32\ebyjgcg.exe 1052 "C:\Windows\SysWOW64\rcdgxcb.exe"91⤵
-
C:\Windows\SysWOW64\npzgekt.exeC:\Windows\system32\npzgekt.exe 1060 "C:\Windows\SysWOW64\ebyjgcg.exe"92⤵
-
C:\Windows\SysWOW64\afubnsr.exeC:\Windows\system32\afubnsr.exe 1068 "C:\Windows\SysWOW64\npzgekt.exe"93⤵
-
C:\Windows\SysWOW64\nwodvsx.exeC:\Windows\system32\nwodvsx.exe 1064 "C:\Windows\SysWOW64\afubnsr.exe"94⤵
-
C:\Windows\SysWOW64\aurgeac.exeC:\Windows\system32\aurgeac.exe 1084 "C:\Windows\SysWOW64\nwodvsx.exe"95⤵
-
C:\Windows\SysWOW64\nlmjmji.exeC:\Windows\system32\nlmjmji.exe 1072 "C:\Windows\SysWOW64\aurgeac.exe"96⤵
-
C:\Windows\SysWOW64\xznglqn.exeC:\Windows\system32\xznglqn.exe 1076 "C:\Windows\SysWOW64\nlmjmji.exe"97⤵
-
C:\Windows\SysWOW64\kphjtqs.exeC:\Windows\system32\kphjtqs.exe 1080 "C:\Windows\SysWOW64\xznglqn.exe"98⤵
-
C:\Windows\SysWOW64\wrnzfdx.exeC:\Windows\system32\wrnzfdx.exe 1088 "C:\Windows\SysWOW64\kphjtqs.exe"99⤵
-
C:\Windows\SysWOW64\jiqtndc.exeC:\Windows\system32\jiqtndc.exe 1092 "C:\Windows\SysWOW64\wrnzfdx.exe"100⤵
-
C:\Windows\SysWOW64\wdarthb.exeC:\Windows\system32\wdarthb.exe 1096 "C:\Windows\SysWOW64\jiqtndc.exe"101⤵
-
C:\Windows\SysWOW64\jxgzetn.exeC:\Windows\system32\jxgzetn.exe 1104 "C:\Windows\SysWOW64\wdarthb.exe"102⤵
-
C:\Windows\SysWOW64\thvjawu.exeC:\Windows\system32\thvjawu.exe 1100 "C:\Windows\SysWOW64\jxgzetn.exe"103⤵
-
C:\Windows\SysWOW64\gyymiwz.exeC:\Windows\system32\gyymiwz.exe 1112 "C:\Windows\SysWOW64\thvjawu.exe"104⤵
-
C:\Windows\SysWOW64\saebujd.exeC:\Windows\system32\saebujd.exe 1124 "C:\Windows\SysWOW64\gyymiwz.exe"105⤵
-
C:\Windows\SysWOW64\gnorznc.exeC:\Windows\system32\gnorznc.exe 1108 "C:\Windows\SysWOW64\saebujd.exe"106⤵
-
C:\Windows\SysWOW64\pboopmp.exeC:\Windows\system32\pboopmp.exe 1116 "C:\Windows\SysWOW64\gnorznc.exe"107⤵
-
C:\Windows\SysWOW64\crrryun.exeC:\Windows\system32\crrryun.exe 1120 "C:\Windows\SysWOW64\pboopmp.exe"108⤵
-
C:\Windows\SysWOW64\pqmupcs.exeC:\Windows\system32\pqmupcs.exe 1128 "C:\Windows\SysWOW64\crrryun.exe"109⤵
-
C:\Windows\SysWOW64\cghpxdy.exeC:\Windows\system32\cghpxdy.exe 984 "C:\Windows\SysWOW64\pqmupcs.exe"110⤵
-
C:\Windows\SysWOW64\pxkrgle.exeC:\Windows\system32\pxkrgle.exe 1140 "C:\Windows\SysWOW64\cghpxdy.exe"111⤵
-
C:\Windows\SysWOW64\cveuotb.exeC:\Windows\system32\cveuotb.exe 1132 "C:\Windows\SysWOW64\pxkrgle.exe"112⤵
-
C:\Windows\SysWOW64\lkfrfao.exeC:\Windows\system32\lkfrfao.exe 1148 "C:\Windows\SysWOW64\cveuotb.exe"113⤵
-
C:\Windows\SysWOW64\yaaunbu.exeC:\Windows\system32\yaaunbu.exe 1144 "C:\Windows\SysWOW64\lkfrfao.exe"114⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\lrdxwjz.exeC:\Windows\system32\lrdxwjz.exe 1156 "C:\Windows\SysWOW64\yaaunbu.exe"115⤵
-
C:\Windows\SysWOW64\vbshrmg.exeC:\Windows\system32\vbshrmg.exe 1152 "C:\Windows\SysWOW64\lrdxwjz.exe"116⤵
-
C:\Windows\SysWOW64\asnkaul.exeC:\Windows\system32\asnkaul.exe 1164 "C:\Windows\SysWOW64\vbshrmg.exe"117⤵
-
C:\Windows\SysWOW64\nfezfqk.exeC:\Windows\system32\nfezfqk.exe 1168 "C:\Windows\SysWOW64\asnkaul.exe"118⤵
-
C:\Windows\SysWOW64\xtfpvxx.exeC:\Windows\system32\xtfpvxx.exe 1160 "C:\Windows\SysWOW64\nfezfqk.exe"119⤵
-
C:\Windows\SysWOW64\kgpnbbw.exeC:\Windows\system32\kgpnbbw.exe 1172 "C:\Windows\SysWOW64\xtfpvxx.exe"120⤵
-
C:\Windows\SysWOW64\uqexwec.exeC:\Windows\system32\uqexwec.exe 1184 "C:\Windows\SysWOW64\kgpnbbw.exe"121⤵
-
C:\Windows\SysWOW64\hhhsfei.exeC:\Windows\system32\hhhsfei.exe 1136 "C:\Windows\SysWOW64\uqexwec.exe"122⤵
-
C:\Windows\SysWOW64\ufcuonn.exeC:\Windows\system32\ufcuonn.exe 1180 "C:\Windows\SysWOW64\hhhsfei.exe"123⤵
-
C:\Windows\SysWOW64\hwwxwvl.exe (level 124)
Command line: C:\Windows\system32\hwwxwvl.exe 1188 "C:\Windows\SysWOW64\ufcuonn.exe"

C:\Windows\SysWOW64\qkxuucy.exe (level 125)
Command line: C:\Windows\system32\qkxuucy.exe 1192 "C:\Windows\SysWOW64\hwwxwvl.exe"

C:\Windows\SysWOW64\gofpqhv.exe (level 126)
Command line: C:\Windows\system32\gofpqhv.exe 1196 "C:\Windows\SysWOW64\qkxuucy.exe"
- Drops file in System32 directory

C:\Windows\SysWOW64\qcgnopi.exe (level 127)
Command line: C:\Windows\system32\qcgnopi.exe 1176 "C:\Windows\SysWOW64\gofpqhv.exe"

C:\Windows\SysWOW64\dppcuth.exe (level 128)
Command line: C:\Windows\system32\dppcuth.exe 1208 "C:\Windows\SysWOW64\qcgnopi.exe"

C:\Windows\SysWOW64\qokfdtm.exe (level 129)
Command line: C:\Windows\system32\qokfdtm.exe 1204 "C:\Windows\SysWOW64\dppcuth.exe"

C:\Windows\SysWOW64\diynofq.exe (level 130)
Command line: C:\Windows\system32\diynofq.exe 1216 "C:\Windows\SysWOW64\qokfdtm.exe"

C:\Windows\SysWOW64\qgtqxfw.exe (level 131)
Command line: C:\Windows\system32\qgtqxfw.exe 1220 "C:\Windows\SysWOW64\diynofq.exe"

C:\Windows\SysWOW64\zjiasjc.exe (level 132)
Command line: C:\Windows\system32\zjiasjc.exe 1212 "C:\Windows\SysWOW64\qgtqxfw.exe"

C:\Windows\SysWOW64\mlpqdvh.exe (level 133)
Command line: C:\Windows\system32\mlpqdvh.exe 1224 "C:\Windows\SysWOW64\zjiasjc.exe"

C:\Windows\SysWOW64\zbjsmdm.exe (level 134)
Command line: C:\Windows\system32\zbjsmdm.exe 1228 "C:\Windows\SysWOW64\mlpqdvh.exe"
- Drops file in System32 directory

C:\Windows\SysWOW64\mamvvds.exe (level 135)
Command line: C:\Windows\system32\mamvvds.exe 1232 "C:\Windows\SysWOW64\zbjsmdm.exe"

C:\Windows\SysWOW64\wdbfihy.exe (level 136)
Command line: C:\Windows\system32\wdbfihy.exe 1236 "C:\Windows\SysWOW64\mamvvds.exe"

C:\Windows\SysWOW64\jtwiqpe.exe (level 137)
Command line: C:\Windows\system32\jtwiqpe.exe 1240 "C:\Windows\SysWOW64\wdbfihy.exe"

C:\Windows\SysWOW64\wszlzxj.exe (level 138)
Command line: C:\Windows\system32\wszlzxj.exe 1248 "C:\Windows\SysWOW64\jtwiqpe.exe"

C:\Windows\SysWOW64\jiufqxh.exe (level 139)
Command line: C:\Windows\system32\jiufqxh.exe 1260 "C:\Windows\SysWOW64\wszlzxj.exe"

C:\Windows\SysWOW64\swvdgeu.exe (level 140)
Command line: C:\Windows\system32\swvdgeu.exe 1200 "C:\Windows\SysWOW64\jiufqxh.exe"

C:\Windows\SysWOW64\fnpfonz.exe (level 141)
Command line: C:\Windows\system32\fnpfonz.exe 1252 "C:\Windows\SysWOW64\swvdgeu.exe"

C:\Windows\SysWOW64\slkixnf.exe (level 142)
Command line: C:\Windows\system32\slkixnf.exe 1264 "C:\Windows\SysWOW64\fnpfonz.exe"

C:\Windows\SysWOW64\fcnlfvd.exe (level 143)
Command line: C:\Windows\system32\fcnlfvd.exe 1268 "C:\Windows\SysWOW64\slkixnf.exe"

C:\Windows\SysWOW64\saioodi.exe (level 144)
Command line: C:\Windows\system32\saioodi.exe 1256 "C:\Windows\SysWOW64\fcnlfvd.exe"

C:\Windows\SysWOW64\cgidmdv.exe (level 145)
Command line: C:\Windows\system32\cgidmdv.exe 1272 "C:\Windows\SysWOW64\saioodi.exe"

C:\Windows\SysWOW64\pbabsgu.exe (level 146)
Command line: C:\Windows\system32\pbabsgu.exe 1276 "C:\Windows\SysWOW64\cgidmdv.exe"

C:\Windows\SysWOW64\csvdapa.exe (level 147)
Command line: C:\Windows\system32\csvdapa.exe 1280 "C:\Windows\SysWOW64\pbabsgu.exe"

C:\Windows\SysWOW64\lgvtrwn.exe (level 148)
Command line: C:\Windows\system32\lgvtrwn.exe 1244 "C:\Windows\SysWOW64\csvdapa.exe"

C:\Windows\SysWOW64\ytfiwsl.exe (level 149)
Command line: C:\Windows\system32\ytfiwsl.exe 1288 "C:\Windows\SysWOW64\lgvtrwn.exe"

C:\Windows\SysWOW64\ljilnaj.exe (level 150)
Command line: C:\Windows\system32\ljilnaj.exe 1284 "C:\Windows\SysWOW64\ytfiwsl.exe"

C:\Windows\SysWOW64\vxiidhw.exe (level 151)
Command line: C:\Windows\system32\vxiidhw.exe 1296 "C:\Windows\SysWOW64\ljilnaj.exe"

C:\Windows\SysWOW64\iodlmqc.exe (level 152)
Command line: C:\Windows\system32\iodlmqc.exe 1300 "C:\Windows\SysWOW64\vxiidhw.exe"

C:\Windows\SysWOW64\vmyouqh.exe (level 153)
Command line: C:\Windows\system32\vmyouqh.exe 1304 "C:\Windows\SysWOW64\iodlmqc.exe"
- Drops file in System32 directory

C:\Windows\SysWOW64\idbrdyf.exe (level 154)
Command line: C:\Windows\system32\idbrdyf.exe 1308 "C:\Windows\SysWOW64\vmyouqh.exe"

C:\Windows\SysWOW64\ufhyokr.exe (level 155)
Command line: C:\Windows\system32\ufhyokr.exe 1312 "C:\Windows\SysWOW64\idbrdyf.exe"

C:\Windows\SysWOW64\ehwjjgx.exe (level 156)
Command line: C:\Windows\system32\ehwjjgx.exe 1316 "C:\Windows\SysWOW64\ufhyokr.exe"
- Drops file in System32 directory

C:\Windows\SysWOW64\rgrlsod.exe (level 157)
Command line: C:\Windows\system32\rgrlsod.exe 1320 "C:\Windows\SysWOW64\ehwjjgx.exe"

C:\Windows\SysWOW64\ewmobwa.exe (level 158)
Command line: C:\Windows\system32\ewmobwa.exe 1324 "C:\Windows\SysWOW64\rgrlsod.exe"

C:\Windows\SysWOW64\rvprjwg.exe (level 159)
Command line: C:\Windows\system32\rvprjwg.exe 1292 "C:\Windows\SysWOW64\ewmobwa.exe"

C:\Windows\SysWOW64\eljtsem.exe (level 160)
Command line: C:\Windows\system32\eljtsem.exe 1332 "C:\Windows\SysWOW64\rvprjwg.exe"

C:\Windows\SysWOW64\oakrqmz.exe (level 161)
Command line: C:\Windows\system32\oakrqmz.exe 1328 "C:\Windows\SysWOW64\eljtsem.exe"

C:\Windows\SysWOW64\aqftyuw.exe (level 162)
Command line: C:\Windows\system32\aqftyuw.exe 1340 "C:\Windows\SysWOW64\oakrqmz.exe"

C:\Windows\SysWOW64\npiwhuc.exe (level 163)
Command line: C:\Windows\system32\npiwhuc.exe 1344 "C:\Windows\SysWOW64\aqftyuw.exe"

C:\Windows\SysWOW64\xrxyuxi.exe (level 164)
Command line: C:\Windows\system32\xrxyuxi.exe 1352 "C:\Windows\SysWOW64\npiwhuc.exe"

C:\Windows\SysWOW64\nextykn.exe (level 165)
Command line: C:\Windows\system32\nextykn.exe 1360 "C:\Windows\SysWOW64\xrxyuxi.exe"

C:\Windows\SysWOW64\pgnemft.exe (level 166)
Command line: C:\Windows\system32\pgnemft.exe 1348 "C:\Windows\SysWOW64\nextykn.exe"

C:\Windows\SysWOW64\cxqhuoz.exe (level 167)
Command line: C:\Windows\system32\cxqhuoz.exe 1356 "C:\Windows\SysWOW64\pgnemft.exe"

C:\Windows\SysWOW64\pvkjlww.exe (level 168)
Command line: C:\Windows\system32\pvkjlww.exe 1372 "C:\Windows\SysWOW64\cxqhuoz.exe"

C:\Windows\SysWOW64\zjlhbdj.exe (level 169)
Command line: C:\Windows\system32\zjlhbdj.exe 1368 "C:\Windows\SysWOW64\pvkjlww.exe"

C:\Windows\SysWOW64\mwdwhzi.exe (level 170)
Command line: C:\Windows\system32\mwdwhzi.exe 1364 "C:\Windows\SysWOW64\zjlhbdj.exe"
- Drops file in System32 directory

C:\Windows\SysWOW64\znxzpho.exe (level 171)
Command line: C:\Windows\system32\znxzpho.exe 1376 "C:\Windows\SysWOW64\mwdwhzi.exe"

C:\Windows\SysWOW64\ibywnpb.exe (level 172)
Command line: C:\Windows\system32\ibywnpb.exe 1388 "C:\Windows\SysWOW64\znxzpho.exe"

C:\Windows\SysWOW64\vrtzwxg.exe (level 173)
Command line: C:\Windows\system32\vrtzwxg.exe 1380 "C:\Windows\SysWOW64\ibywnpb.exe"

C:\Windows\SysWOW64\iqouexe.exe (level 174)
Command line: C:\Windows\system32\iqouexe.exe 1336 "C:\Windows\SysWOW64\vrtzwxg.exe"

C:\Windows\SysWOW64\vgqwnfk.exe (level 175)
Command line: C:\Windows\system32\vgqwnfk.exe 1384 "C:\Windows\SysWOW64\iqouexe.exe"

C:\Windows\SysWOW64\iflzwnp.exe (level 176)
Command line: C:\Windows\system32\iflzwnp.exe 1400 "C:\Windows\SysWOW64\vgqwnfk.exe"

C:\Windows\SysWOW64\vzrphst.exe (level 177)
Command line: C:\Windows\system32\vzrphst.exe 1396 "C:\Windows\SysWOW64\iflzwnp.exe"

C:\Windows\SysWOW64\ejhzuva.exe (level 178)
Command line: C:\Windows\system32\ejhzuva.exe 1404 "C:\Windows\SysWOW64\vzrphst.exe"
- Drops file in System32 directory

C:\Windows\SysWOW64\rajcldf.exe (level 179)
Command line: C:\Windows\system32\rajcldf.exe 1408 "C:\Windows\SysWOW64\ejhzuva.exe"

C:\Windows\SysWOW64\eyeftdl.exe (level 180)
Command line: C:\Windows\system32\eyeftdl.exe 1412 "C:\Windows\SysWOW64\rajcldf.exe"

C:\Windows\SysWOW64\rpzhcli.exe (level 181)
Command line: C:\Windows\system32\rpzhcli.exe 1420 "C:\Windows\SysWOW64\eyeftdl.exe"

C:\Windows\SysWOW64\bdaxstw.exe (level 182)
Command line: C:\Windows\system32\bdaxstw.exe 1416 "C:\Windows\SysWOW64\rpzhcli.exe"

C:\Windows\SysWOW64\otvzbtb.exe (level 183)
Command line: C:\Windows\system32\otvzbtb.exe 1424 "C:\Windows\SysWOW64\bdaxstw.exe"

C:\Windows\SysWOW64\bsxcjbh.exe (level 184)
Command line: C:\Windows\system32\bsxcjbh.exe 1432 "C:\Windows\SysWOW64\otvzbtb.exe"

C:\Windows\SysWOW64\lvnmfen.exe (level 185)
Command line: C:\Windows\system32\lvnmfen.exe 1428 "C:\Windows\SysWOW64\bsxcjbh.exe"

C:\Windows\SysWOW64\ylipnms.exe (level 186)
Command line: C:\Windows\system32\ylipnms.exe 1440 "C:\Windows\SysWOW64\lvnmfen.exe"

C:\Windows\SysWOW64\kkkswnq.exe (level 187)
Command line: C:\Windows\system32\kkkswnq.exe 1436 "C:\Windows\SysWOW64\ylipnms.exe"

C:\Windows\SysWOW64\xafuevw.exe (level 188)
Command line: C:\Windows\system32\xafuevw.exe 1444 "C:\Windows\SysWOW64\kkkswnq.exe"

C:\Windows\SysWOW64\hlufsyc.exe (level 189)
Command line: C:\Windows\system32\hlufsyc.exe 1448 "C:\Windows\SysWOW64\xafuevw.exe"

C:\Windows\SysWOW64\ubpiigh.exe (level 190)
Command line: C:\Windows\system32\ubpiigh.exe 1452 "C:\Windows\SysWOW64\hlufsyc.exe"

C:\Windows\SysWOW64\haskrgn.exe (level 191)
Command line: C:\Windows\system32\haskrgn.exe 1456 "C:\Windows\SysWOW64\ubpiigh.exe"

C:\Windows\SysWOW64\uqnnzot.exe (level 192)
Command line: C:\Windows\system32\uqnnzot.exe 1464 "C:\Windows\SysWOW64\haskrgn.exe"
- Drops file in System32 directory

C:\Windows\SysWOW64\hstvlbx.exe (level 193)
Command line: C:\Windows\system32\hstvlbx.exe 1460 "C:\Windows\SysWOW64\uqnnzot.exe"

C:\Windows\SysWOW64\rvifywd.exe (level 194)
Command line: C:\Windows\system32\rvifywd.exe 1472 "C:\Windows\SysWOW64\hstvlbx.exe"

C:\Windows\SysWOW64\dtlihej.exe (level 195)
Command line: C:\Windows\system32\dtlihej.exe 1480 "C:\Windows\SysWOW64\rvifywd.exe"

C:\Windows\SysWOW64\qkgkpmg.exe (level 196)
Command line: C:\Windows\system32\qkgkpmg.exe 1468 "C:\Windows\SysWOW64\dtlihej.exe"
- Drops file in System32 directory

C:\Windows\SysWOW64\dabngmm.exe (level 197)
Command line: C:\Windows\system32\dabngmm.exe 1476 "C:\Windows\SysWOW64\qkgkpmg.exe"

C:\Windows\SysWOW64\nobkwuz.exe (level 198)
Command line: C:\Windows\system32\nobkwuz.exe 1392 "C:\Windows\SysWOW64\dabngmm.exe"

C:\Windows\SysWOW64\dtkfahw.exe (level 199)
Command line: C:\Windows\system32\dtkfahw.exe 1492 "C:\Windows\SysWOW64\nobkwuz.exe"
- Drops file in System32 directory

C:\Windows\SysWOW64\ndzinkc.exe (level 200)
Command line: C:\Windows\system32\ndzinkc.exe 1496 "C:\Windows\SysWOW64\dtkfahw.exe"

C:\Windows\SysWOW64\zffxzpo.exe (level 201)
Command line: C:\Windows\system32\zffxzpo.exe 1488 "C:\Windows\SysWOW64\ndzinkc.exe"

C:\Windows\SysWOW64\mwaahxm.exe (level 202)
Command line: C:\Windows\system32\mwaahxm.exe 1512 "C:\Windows\SysWOW64\zffxzpo.exe"

C:\Windows\SysWOW64\wyplcaa.exe (level 203)
Command line: C:\Windows\system32\wyplcaa.exe 1484 "C:\Windows\SysWOW64\mwaahxm.exe"

C:\Windows\SysWOW64\jxsnlay.exe (level 204)
Command line: C:\Windows\system32\jxsnlay.exe 1504 "C:\Windows\SysWOW64\wyplcaa.exe"

C:\Windows\SysWOW64\wnnquid.exe (level 205)
Command line: C:\Windows\system32\wnnquid.exe 1508 "C:\Windows\SysWOW64\jxsnlay.exe"

C:\Windows\SysWOW64\jmitcqj.exe (level 206)
Command line: C:\Windows\system32\jmitcqj.exe 1520 "C:\Windows\SysWOW64\wnnquid.exe"

C:\Windows\SysWOW64\wclvlrp.exe (level 207)
Command line: C:\Windows\system32\wclvlrp.exe 1516 "C:\Windows\SysWOW64\jmitcqj.exe"

C:\Windows\SysWOW64\gqlljyu.exe (level 208)
Command line: C:\Windows\system32\gqlljyu.exe 1524 "C:\Windows\SysWOW64\wclvlrp.exe"
- Drops file in System32 directory

C:\Windows\SysWOW64\shgnrgz.exe (level 209)
Command line: C:\Windows\system32\shgnrgz.exe 1528 "C:\Windows\SysWOW64\gqlljyu.exe"

C:\Windows\SysWOW64\guxdxky.exe (level 210)
Command line: C:\Windows\system32\guxdxky.exe 1532 "C:\Windows\SysWOW64\shgnrgz.exe"

C:\Windows\SysWOW64\piqanjl.exe (level 211)
Command line: C:\Windows\system32\piqanjl.exe 1536 "C:\Windows\SysWOW64\guxdxky.exe"

C:\Windows\SysWOW64\cgtdwsr.exe (level 212)
Command line: C:\Windows\system32\cgtdwsr.exe 1540 "C:\Windows\SysWOW64\piqanjl.exe"

C:\Windows\SysWOW64\pxogeaw.exe (level 213)
Command line: C:\Windows\system32\pxogeaw.exe 1500 "C:\Windows\SysWOW64\cgtdwsr.exe"

C:\Windows\SysWOW64\zidqadc.exe (level 214)
Command line: C:\Windows\system32\zidqadc.exe 1548 "C:\Windows\SysWOW64\pxogeaw.exe"

C:\Windows\SysWOW64\eygtidi.exe (level 215)
Command line: C:\Windows\system32\eygtidi.exe 1552 "C:\Windows\SysWOW64\zidqadc.exe"

C:\Windows\SysWOW64\rpbwrlg.exe (level 216)
Command line: C:\Windows\system32\rpbwrlg.exe 1556 "C:\Windows\SysWOW64\eygtidi.exe"

C:\Windows\SysWOW64\enwyatl.exe (level 217)
Command line: C:\Windows\system32\enwyatl.exe 1564 "C:\Windows\SysWOW64\rpbwrlg.exe"

C:\Windows\SysWOW64\reybiur.exe (level 218)
Command line: C:\Windows\system32\reybiur.exe 1560 "C:\Windows\SysWOW64\enwyatl.exe"

C:\Windows\SysWOW64\asrqgbe.exe (level 219)
Command line: C:\Windows\system32\asrqgbe.exe 1568 "C:\Windows\SysWOW64\reybiur.exe"

C:\Windows\SysWOW64\niutpjb.exe (level 220)
Command line: C:\Windows\system32\niutpjb.exe 1576 "C:\Windows\SysWOW64\asrqgbe.exe"

C:\Windows\SysWOW64\ahpwxrh.exe (level 221)
Command line: C:\Windows\system32\ahpwxrh.exe 1572 "C:\Windows\SysWOW64\niutpjb.exe"

C:\Windows\SysWOW64\kjeglmn.exe (level 222)
Command line: C:\Windows\system32\kjeglmn.exe 1584 "C:\Windows\SysWOW64\ahpwxrh.exe"
- Drops file in System32 directory

C:\Windows\SysWOW64\xihjtvt.exe (level 223)
Command line: C:\Windows\system32\xihjtvt.exe 1544 "C:\Windows\SysWOW64\kjeglmn.exe"

C:\Windows\SysWOW64\kycmcdy.exe (level 224)
Command line: C:\Windows\system32\kycmcdy.exe 1592 "C:\Windows\SysWOW64\xihjtvt.exe"

C:\Windows\SysWOW64\xpwosdw.exe (level 225)
Command line: C:\Windows\system32\xpwosdw.exe 1588 "C:\Windows\SysWOW64\kycmcdy.exe"

C:\Windows\SysWOW64\hzmzggk.exe (level 226)
Command line: C:\Windows\system32\hzmzggk.exe 1596 "C:\Windows\SysWOW64\xpwosdw.exe"

C:\Windows\SysWOW64\uqpbooi.exe (level 227)
Command line: C:\Windows\system32\uqpbooi.exe 1604 "C:\Windows\SysWOW64\hzmzggk.exe"

C:\Windows\SysWOW64\gojexwn.exe (level 228)
Command line: C:\Windows\system32\gojexwn.exe 1600 "C:\Windows\SysWOW64\uqpbooi.exe"

C:\Windows\SysWOW64\tfezfxt.exe (level 229)
Command line: C:\Windows\system32\tfezfxt.exe 1608 "C:\Windows\SysWOW64\gojexwn.exe"

C:\Windows\SysWOW64\dtfwdeg.exe (level 230)
Command line: C:\Windows\system32\dtfwdeg.exe 1612 "C:\Windows\SysWOW64\tfezfxt.exe"
- Drops file in System32 directory

C:\Windows\SysWOW64\qjizmme.exe (level 231)
Command line: C:\Windows\system32\qjizmme.exe 1616 "C:\Windows\SysWOW64\dtfwdeg.exe"

C:\Windows\SysWOW64\derosqk.exe (level 232)
Command line: C:\Windows\system32\derosqk.exe 1580 "C:\Windows\SysWOW64\qjizmme.exe"

C:\Windows\SysWOW64\nksmipp.exe (level 233)
Command line: C:\Windows\system32\nksmipp.exe 1620 "C:\Windows\SysWOW64\derosqk.exe"

C:\Windows\SysWOW64\axjcotw.exe (level 234)
Command line: C:\Windows\system32\axjcotw.exe 1632 "C:\Windows\SysWOW64\nksmipp.exe"
- Drops file in System32 directory

C:\Windows\SysWOW64\nweewbu.exe (level 235)
Command line: C:\Windows\system32\nweewbu.exe 1636 "C:\Windows\SysWOW64\axjcotw.exe"

C:\Windows\SysWOW64\xzupsfi.exe (level 236)
Command line: C:\Windows\system32\xzupsfi.exe 1640 "C:\Windows\SysWOW64\nweewbu.exe"

C:\Windows\SysWOW64\kxorafg.exe (level 237)
Command line: C:\Windows\system32\kxorafg.exe 1648 "C:\Windows\SysWOW64\xzupsfi.exe"

C:\Windows\SysWOW64\xorujnl.exe (level 238)
Command line: C:\Windows\system32\xorujnl.exe 1624 "C:\Windows\SysWOW64\kxorafg.exe"

C:\Windows\SysWOW64\gyhewqr.exe (level 239)
Command line: C:\Windows\system32\gyhewqr.exe 1644 "C:\Windows\SysWOW64\xorujnl.exe"

C:\Windows\SysWOW64\tpbhfyx.exe (level 240)
Command line: C:\Windows\system32\tpbhfyx.exe 1652 "C:\Windows\SysWOW64\gyhewqr.exe"

C:\Windows\SysWOW64\gfekvyd.exe (level 241)
Command line: C:\Windows\system32\gfekvyd.exe 1656 "C:\Windows\SysWOW64\tpbhfyx.exe"