Analysis

max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 20-06-2024 06:47

Static task: static1
Behavioral task: behavioral1
  Sample: 03c35e1ee1b0bf6340cdb45773c9fd3e_JaffaCakes118.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 03c35e1ee1b0bf6340cdb45773c9fd3e_JaffaCakes118.exe
  Resource: win10v2004-20240611-en

General

Target: 03c35e1ee1b0bf6340cdb45773c9fd3e_JaffaCakes118.exe
Size: 524KB
MD5: 03c35e1ee1b0bf6340cdb45773c9fd3e
SHA1: 1338fb2e480eb7a42cc6e299948583012c48cad5
SHA256: 67e07368739819c893c0752d8dc1bc0c1f87764a711f18ceb9507162644a9393
SHA512: 36ed40208275a2e13704cd73ab61a58f1f5deb02d80e91c3840a8836b6070228ebdf0c017955a84912aaa64a14511f3032468e3c648b64f9db13af79d77fcad4
SSDEEP: 12288:JI0As/dcwf0e/GQAPCqtKbFeEFk88ho1RFR25Au14qsYBKBgMVkJoQg:W0F1cwfR/4tYk8HxR25+TYki1JoQg
Malware Config

Extracted: metasploit
  encoder/call4_dword_xor
Signatures

MetaSploit
Detected a malicious payload that is part of the Metasploit Framework, likely generated with msfvenom or a similar tool. The extracted configuration names only the encoder, call4_dword_xor, a Metasploit x86 shellcode encoder whose decoder stub is a fixed byte sequence apart from the 4-byte key and the loop counter, which is what makes it recognisable statically. The report does not identify the payload that the stub decodes.
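Because the encoder is identified by its decoder stub, the practical next step is to locate that stub in the binary, pull the XOR key out of it, and decode what follows. The script below is an added example and is neither the sandbox's detection logic nor Metasploit's code. The stub layout it matches is this example's own description of the x86/call4_dword_xor decoder (written from memory of the module and stated as an assumption in the comments); the sample buffer, key and "payload" are constructed for the demonstration and were not carved from the analysed file.

```python
"""Locate and strip the Metasploit x86/call4_dword_xor decoder stub.

The stub layout below is this example's own description of the msf encoder
(from memory of the module, not taken from the report); the sample blob at
the bottom is constructed, not carved from the analysed sample.
"""
from __future__ import annotations

import re
import struct

# Decoder stub of x86/call4_dword_xor as assumed here:
#   31 c9                   xor  ecx, ecx
#   <set ecx, n>            loop counter; its encoding varies, so it is not matched
#   e8 ff ff ff ff          call $+4 ; control lands on the final ff byte ...
#   c1                      ... so "ff c1" executes as inc ecx (the call4 trick)
#   5e                      pop  esi ; esi = address right after the call
#   81 76 0e KK KK KK KK    xor  dword [esi+0x0e], KEY
#   83 ee fc                sub  esi, -4
#   e2 f4                   loop back to the xor
#   <encoded payload>       begins at esi+0x0e, i.e. right after "e2 f4"
STUB_PREFIX = b"\xe8\xff\xff\xff\xff\xc1\x5e\x81\x76\x0e"
STUB_SUFFIX = b"\x83\xee\xfc\xe2\xf4"
STUB_RE = re.compile(re.escape(STUB_PREFIX) + b"(.{4})" + re.escape(STUB_SUFFIX), re.DOTALL)


def find_call4_stubs(buf: bytes) -> list[tuple[int, bytes, int]]:
    """Return (stub_offset, key, payload_offset) for every stub match in buf."""
    return [(m.start(), m.group(1), m.end()) for m in STUB_RE.finditer(buf)]


def xor_dwords(data: bytes, key: bytes) -> bytes:
    """XOR data with the 4-byte key repeated.

    The stub XORs one little-endian dword at a time with a little-endian
    immediate, so byte j of every dword meets key byte j: a byte-wise XOR in
    file order is exactly equivalent and also copes with a trailing partial dword.
    """
    if len(key) != 4:
        raise ValueError("call4_dword_xor keys are 4 bytes")
    return bytes(b ^ key[i % 4] for i, b in enumerate(data))


def decode_call4_payload(buf: bytes, length: int | None = None) -> bytes | None:
    """Decode the payload behind the first stub in buf; None if no stub is present.

    length bounds the decode. The real stub is bounded by its ecx counter, whose
    variable encoding this example does not parse, so the default is end-of-buffer.
    """
    hits = find_call4_stubs(buf)
    if not hits:
        return None
    _, key, payload_off = hits[0]
    end = len(buf) if length is None else payload_off + length
    return xor_dwords(buf[payload_off:end], key)


def build_call4_sample(payload: bytes, key: bytes) -> bytes:
    """Construct an msf-style blob for testing: counter, stub, encoded payload.

    The counter is emitted as `mov ecx, imm32` (b9); the real encoder chooses
    among several encodings to avoid bad characters, which is why the scanner
    anchors on the bytes after the counter instead.
    """
    dwords = (len(payload) + 3) // 4
    counter = b"\x31\xc9" + b"\xb9" + struct.pack("<I", dwords)
    return counter + STUB_PREFIX + key + STUB_SUFFIX + xor_dwords(payload, key)


# Constructed stand-in for shellcode: not real shellcode and not from the sample.
SAMPLE_PAYLOAD = b"\x90\x90\x90\x90" + b"constructed test payload" + b"\xcc"
SAMPLE_KEY = b"\x41\x42\x43\x44"
SAMPLE_BLOB = build_call4_sample(SAMPLE_PAYLOAD, SAMPLE_KEY)

if __name__ == "__main__":
    for off, key, payload_off in find_call4_stubs(SAMPLE_BLOB):
        print(f"stub at {off:#x}, key {key.hex()}, payload at {payload_off:#x}")
    print(decode_call4_payload(SAMPLE_BLOB))
```

Run against a real file, `find_call4_stubs(open(path, "rb").read())` gives every stub offset and key; the decoded bytes are then what the stub would leave in memory and can be disassembled directly. Matching on the bytes after the counter keeps the signature stable across the counter encodings the encoder picks, at the cost of not knowing the exact payload length without reading the counter by hand.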
-
Executes dropped EXE (64 IoCs)

pid and process, in execution order:
2696 lvdfhdt.exe, 2596 vjfiqkd.exe, 1664 skpnmwp.exe, 2292 kkallbb.exe
2280 wxfguhn.exe, 960 lqcbdvq.exe, 1376 tjbbkct.exe, 2920 achghek.exe
2924 nscjpeh.exe, 2560 vaqbktr.exe, 2644 fzcyusy.exe, 2876 pggwerg.exe
1444 ctxtkvf.exe, 2072 pksotdk.exe, 1992 cpjrpmn.exe, 680 moooakv.exe
1924 wkoyhfw.exe, 2360 ddnmezm.exe, 2636 txkyovo.exe, 2572 gnnbwvu.exe
2384 tawrczt.exe, 2956 dlmbpcz.exe, 2424 mnjmlff.exe, 112 zmeotnl.exe
1396 khfzbhm.exe, 1392 xyzbjir.exe, 3060 ejyhgjz.exe, 2316 rwqemfg.exe
2024 bducxeg.exe, 2580 ljurvlt.exe, 2568 yempbps.exe, 2276 idqmloz.exe
2516 scckvnh.exe, 2960 ccghomo.exe, 1320 pabkwmm.exe, 2464 zznhhlt.exe
2724 kyrfzjb.exe, 2784 tmscpro.exe, 772 eitmxlp.exe, 2728 ryopftu.exe
2012 ajdzbwb.exe, 1136 nagcjxg.exe, 1812 yhkauvo.exe, 1536 kbqpfis.exe
1548 xzlsoqq.exe, 2380 hcicjle.exe, 2804 rxbnrgf.exe, 2768 ezhccsj.exe
2984 ovinsns.exe, 2704 tldqavp.exe, 1804 axkvppg.exe, 1808 ostsvse.exe
1208 yrfqnrm.exe, 1492 itvabms.exe, 2300 seklopy.exe, 1092 euffeye.exe
2028 rtiingk.exe, 2032 csmnxej.exe, 1916 mrqlidr.exe, 1980 zqtnqdw.exe
1348 jpxljce.exe, 1820 trmvwfk.exe, 560 dnngeal.exe, 1424 qliiuiq.exe
Identifies Wine through registry keys (2 TTPs, 64 IoCs)

Wine is a compatibility layer that runs Windows applications on other operating systems; because it is used to build sandboxing environments, malware probes for it and changes behaviour when it is found. All 64 IoCs are the same registry key being opened:

  Key opened: \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Wine

by each of these processes:
kkbrdkc.exe, kyrfzjb.exe, tbsmyrf.exe, czyafji.exe, vmbkhsq.exe, uxzgixm.exe, kxhxpvg.exe, vluibzc.exe
wrdxawv.exe, whqqfjs.exe, vbshrmg.exe, tlnejpo.exe, xubajhv.exe, gxzdywm.exe, tnufhfr.exe, piterwl.exe
txnzmmh.exe, lqcbdvq.exe, mrqlidr.exe, zqdmbrl.exe, myuecwp.exe, wszlzxj.exe, fyfesqs.exe, ylkceah.exe
dorzvni.exe, ajdzbwb.exe, axkvppg.exe, jefokgd.exe, xejpsjb.exe, essjxof.exe, dtytjhm.exe, ffvkkyv.exe
qwwschy.exe, dgejugv.exe, ncvculf.exe, sxzqlyd.exe, knqkpel.exe, sdxpkrm.exe, jsroprt.exe, armwxll.exe
qvofpqf.exe, zymifgv.exe, xphgcsr.exe, tyxaqwg.exe, rzghmyk.exe, svqelsn.exe, gqdqwqv.exe, ssjypdz.exe
jpxljce.exe, ikenpsn.exe, usevgyn.exe, ehadqco.exe, nmavqlc.exe, neecxav.exe, ciyxgqb.exe, rmntzew.exe
dxlwaga.exe, moeozyz.exe, rxbnrgf.exe, wglwwli.exe, zncowwg.exe, nknadju.exe, iynqbpl.exe, crizqcy.exe

Only the process names are recorded here; the report does not show what each process does after the check, and most of these names do not appear in the (truncated) process tree below.
Loads dropped DLL (64 IoCs)

pid and process; each pid appears twice in the report's list (32 processes, 64 IoCs):
2124 03c35e1ee1b0bf6340cdb45773c9fd3e_JaffaCakes118.exe
2696 lvdfhdt.exe, 2596 vjfiqkd.exe, 1664 skpnmwp.exe, 2292 kkallbb.exe
2280 wxfguhn.exe, 960 lqcbdvq.exe, 1376 tjbbkct.exe, 2920 achghek.exe
2924 nscjpeh.exe, 2560 vaqbktr.exe, 2644 fzcyusy.exe, 2876 pggwerg.exe
1444 ctxtkvf.exe, 2072 pksotdk.exe, 1992 cpjrpmn.exe, 680 moooakv.exe
1924 wkoyhfw.exe, 2360 ddnmezm.exe, 2636 txkyovo.exe, 2572 gnnbwvu.exe
2384 tawrczt.exe, 2956 dlmbpcz.exe, 2424 mnjmlff.exe, 112 zmeotnl.exe
1396 khfzbhm.exe, 1392 xyzbjir.exe, 3060 ejyhgjz.exe, 2316 rwqemfg.exe
2024 bducxeg.exe, 2580 ljurvlt.exe, 2568 yempbps.exe
Drops file in System32 directory (64 IoCs)

description, ioc, process. Every file is written to C:\Windows\SysWOW64 (the 32-bit system directory on this x64 image), and every writer is itself one of the seven-letter dropped binaries; several files appear once as "created" and again as "opened for modification" by the same process.

File opened for modification  C:\Windows\SysWOW64\kdgxbyq.exe  xflusyk.exe
File created                  C:\Windows\SysWOW64\xclvkdw.exe  klisbvq.exe
File opened for modification  C:\Windows\SysWOW64\qduxtpj.exe  dnrukpd.exe
File created                  C:\Windows\SysWOW64\akajaog.exe  qwzlcob.exe
File created                  C:\Windows\SysWOW64\lyseywi.exe  yhxchoc.exe
File created                  C:\Windows\SysWOW64\rulspja.exe  eeipgju.exe
File created                  C:\Windows\SysWOW64\ntchojy.exe  adhffia.exe
File opened for modification  C:\Windows\SysWOW64\dcsvneg.exe  qmxsewi.exe
File opened for modification  C:\Windows\SysWOW64\hatyysr.exe  ukyvpkm.exe
File created                  C:\Windows\SysWOW64\emrsfhx.exe  rwxpwzz.exe
File created                  C:\Windows\SysWOW64\kagysmt.exe  xclvkdw.exe
File created                  C:\Windows\SysWOW64\ciyxgqb.exe  qgsiudx.exe
File opened for modification  C:\Windows\SysWOW64\vmywgsl.exe  indtykg.exe
File created                  C:\Windows\SysWOW64\vjmsmtq.exe  jljpdlk.exe
File created                  C:\Windows\SysWOW64\plzfwmp.exe  cmxdodr.exe
File created                  C:\Windows\SysWOW64\gdbqdfo.exe  tngnuwq.exe
File created                  C:\Windows\SysWOW64\dcsvneg.exe  qmxsewi.exe
File opened for modification  C:\Windows\SysWOW64\txnzmmh.exe  ggswddb.exe
File created                  C:\Windows\SysWOW64\ovinsns.exe  ezhccsj.exe
File opened for modification  C:\Windows\SysWOW64\axkvppg.exe  tldqavp.exe
File created                  C:\Windows\SysWOW64\zgglcyh.exe  nmavqlc.exe
File opened for modification  C:\Windows\SysWOW64\ctlquug.exe  pytaoqh.exe
File created                  C:\Windows\SysWOW64\jqxcuzp.exe  wruzmrs.exe
File opened for modification  C:\Windows\SysWOW64\zmddyfs.exe  mwaahxm.exe
File opened for modification  C:\Windows\SysWOW64\mlyggfx.exe  zmddyfs.exe
File opened for modification  C:\Windows\SysWOW64\zbhwyol.exe  ndmtqgf.exe
File opened for modification  C:\Windows\SysWOW64\ggswddb.exe  tiquude.exe
File opened for modification  C:\Windows\SysWOW64\tcrvwlv.exe  jzbkahp.exe
File created                  C:\Windows\SysWOW64\sjsryap.exe  flxxhss.exe
File opened for modification  C:\Windows\SysWOW64\sjsryap.exe  flxxhss.exe
File opened for modification  C:\Windows\SysWOW64\qnmbevn.exe  dorzvni.exe
File created                  C:\Windows\SysWOW64\moeozyz.exe  dadrjzm.exe
File opened for modification  C:\Windows\SysWOW64\brbywdp.exe  sdajywc.exe
File opened for modification  C:\Windows\SysWOW64\bvojeuw.exe  oxtgwuy.exe
File opened for modification  C:\Windows\SysWOW64\xhhrfxx.exe  ntgtpqk.exe
File created                  C:\Windows\SysWOW64\hrlkoue.exe  xdlmynr.exe
File opened for modification  C:\Windows\SysWOW64\jupzvyk.exe  wwuwnqn.exe
File opened for modification  C:\Windows\SysWOW64\jemzvsw.exe  wgrwmsr.exe
File opened for modification  C:\Windows\SysWOW64\myuecwp.exe  zizctok.exe
File opened for modification  C:\Windows\SysWOW64\scgqcuz.exe  jsroprt.exe
File created                  C:\Windows\SysWOW64\nbvljwl.exe  akajaog.exe
File created                  C:\Windows\SysWOW64\tcrvwlv.exe  jzbkahp.exe
File opened for modification  C:\Windows\SysWOW64\ndmtqgf.exe  dxlwaga.exe
File opened for modification  C:\Windows\SysWOW64\gojmjrr.exe  xdubool.exe
File created                  C:\Windows\SysWOW64\moywvuu.exe  amsgkpq.exe
File created                  C:\Windows\SysWOW64\aoftilx.exe  qliiuiq.exe
File opened for modification  C:\Windows\SysWOW64\crrryun.exe  spchlrh.exe
File created                  C:\Windows\SysWOW64\rzghmyk.exe  famedqn.exe
File created                  C:\Windows\SysWOW64\iuiwwin.exe  veftnah.exe
File opened for modification  C:\Windows\SysWOW64\wdnthzy.exe  knsqyzs.exe
File opened for modification  C:\Windows\SysWOW64\zgqaebn.exe  mpvxvti.exe
File opened for modification  C:\Windows\SysWOW64\adhffia.exe  neecxav.exe
File created                  C:\Windows\SysWOW64\rtllqfj.exe  fdiiifd.exe
File opened for modification  C:\Windows\SysWOW64\yhxchoc.exe  otxmrhp.exe
File opened for modification  C:\Windows\SysWOW64\wrdxawv.exe  jemzvsw.exe
File opened for modification  C:\Windows\SysWOW64\cyohhwr.exe  piterwl.exe
File opened for modification  C:\Windows\SysWOW64\lliilsw.exe  yvnfdkq.exe
File created                  C:\Windows\SysWOW64\gutcbhi.exe  wgsedav.exe
File created                  C:\Windows\SysWOW64\gamxelb.exe  tcrvwlv.exe
File opened for modification  C:\Windows\SysWOW64\jirrcqf.exe  wjoothi.exe
File created                  C:\Windows\SysWOW64\mzlkftm.exe  zijiwlo.exe
File created                  C:\Windows\SysWOW64\rywqnhz.exe  hnhfses.exe
File opened for modification  C:\Windows\SysWOW64\ienvxiq.exe  vnsbozl.exe
File opened for modification  C:\Windows\SysWOW64\yvnfdkq.exe  metdmjl.exe
Suspicious use of WriteProcessMemory (64 IoCs)

Sixteen parent-to-child pairs, each recorded four times (64 IoCs). Every write goes from a process to the child it has just launched, matching the process tree below; no write into an unrelated process is recorded. That pattern is consistent with the writes a parent makes while setting up a new child rather than with injection into a foreign process, although the report does not show the call sites.

PID 2124 03c35e1ee1b0bf6340cdb45773c9fd3e_JaffaCakes118.exe wrote to memory of PID 2696 lvdfhdt.exe
PID 2696 lvdfhdt.exe wrote to memory of PID 2596 vjfiqkd.exe
PID 2596 vjfiqkd.exe wrote to memory of PID 1664 skpnmwp.exe
PID 1664 skpnmwp.exe wrote to memory of PID 2292 kkallbb.exe
PID 2292 kkallbb.exe wrote to memory of PID 2280 wxfguhn.exe
PID 2280 wxfguhn.exe wrote to memory of PID 960 lqcbdvq.exe
PID 960 lqcbdvq.exe wrote to memory of PID 1376 tjbbkct.exe
PID 1376 tjbbkct.exe wrote to memory of PID 2920 achghek.exe
PID 2920 achghek.exe wrote to memory of PID 2924 nscjpeh.exe
PID 2924 nscjpeh.exe wrote to memory of PID 2560 vaqbktr.exe
PID 2560 vaqbktr.exe wrote to memory of PID 2644 fzcyusy.exe
PID 2644 fzcyusy.exe wrote to memory of PID 2876 pggwerg.exe
PID 2876 pggwerg.exe wrote to memory of PID 1444 ctxtkvf.exe
PID 1444 ctxtkvf.exe wrote to memory of PID 2072 pksotdk.exe
PID 2072 pksotdk.exe wrote to memory of PID 1992 cpjrpmn.exe
PID 1992 cpjrpmn.exe wrote to memory of PID 680 moooakv.exe
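The parent-to-child pairs above and the process tree that follows describe one behaviour: each process drops a seven-letter binary into SysWOW64 and starts it with an integer and its own image path as arguments, and that child repeats the step. The script below is an added example, not the sandbox's logic, that rebuilds such a chain from process records of the kind shown in this report and reports its length, the dropped names and the integer arguments. The records are constructed to match the first five processes in the tree (pids and command lines as listed above); the parent pid 1000 of the first process and the notepad.exe record are made up, the first as a root outside the record set and the second as a benign control whose seven-letter name would fool a name-only rule.

```python
"""Rebuild a drop-and-relaunch process chain from sandbox-style process records.

Added example, not the sandbox's code. Records are constructed from the report:
pids and command lines follow the first five processes of the tree; the root's
parent pid (1000) and the notepad.exe record are invented for the demonstration.
"""
from __future__ import annotations

import re
from typing import NamedTuple


class Proc(NamedTuple):
    pid: int
    ppid: int
    image: str
    cmdline: str


# Seven lowercase letters + .exe: the naming pattern of every dropped binary in
# the report. On its own it also matches notepad.exe, so the link rule below,
# not the name, carries the detection.
RANDOM_NAME = re.compile(r"^[a-z]{7}\.exe$")
SYSTEM_DIRS = ("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")
TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted or bare for quoted, bare in TOKEN.findall(cmdline)]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def in_system_dir(image: str) -> bool:
    return image.lower().startswith(SYSTEM_DIRS)


def is_relaunch_link(parent: Proc, child: Proc) -> bool:
    """One hop of the chain seen in the report: a randomly named binary in a
    system directory, invoked with exactly two arguments, an integer and the
    path of the parent's own image."""
    if not (in_system_dir(child.image) and RANDOM_NAME.match(basename(child.image))):
        return False
    tokens = tokenize(child.cmdline)
    if len(tokens) != 3 or not tokens[1].isdigit():
        return False
    return (basename(tokens[0]).lower() == basename(child.image).lower()
            and tokens[2].lower() == parent.image.lower())


def longest_relaunch_chain(procs: list[Proc]) -> list[Proc]:
    """Follow relaunch links from each root (a process whose parent is not in
    the record set) and return the longest chain found, root first."""
    by_pid = {p.pid: p for p in procs}
    best: list[Proc] = []

    def walk(node: Proc, path: list[Proc]) -> None:
        nonlocal best
        path = path + [node]
        if len(path) > len(best):
            best = path
        for child in procs:
            if child.ppid == node.pid and is_relaunch_link(node, child):
                walk(child, path)

    for root in (p for p in procs if p.ppid not in by_pid):
        walk(root, [])
    return best


def summarize(procs: list[Proc]) -> dict:
    """Chain pids, dropped binary names and the integer each child was given."""
    chain = longest_relaunch_chain(procs)
    return {
        "chain_pids": [p.pid for p in chain],
        "chain_length": len(chain),
        "dropped_binaries": [basename(p.image) for p in chain[1:]],
        "integer_args": [int(tokenize(p.cmdline)[1]) for p in chain[1:]],
    }


SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\03c35e1ee1b0bf6340cdb45773c9fd3e_JaffaCakes118.exe"
SAMPLE_PROCS = [
    Proc(2124, 1000, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    Proc(2696, 2124, r"C:\Windows\SysWOW64\lvdfhdt.exe",
         f'C:\\Windows\\system32\\lvdfhdt.exe 636 "{SAMPLE_EXE}"'),
    Proc(2596, 2696, r"C:\Windows\SysWOW64\vjfiqkd.exe",
         r'C:\Windows\system32\vjfiqkd.exe 620 "C:\Windows\SysWOW64\lvdfhdt.exe"'),
    Proc(1664, 2596, r"C:\Windows\SysWOW64\skpnmwp.exe",
         r'C:\Windows\system32\skpnmwp.exe 616 "C:\Windows\SysWOW64\vjfiqkd.exe"'),
    Proc(2292, 1664, r"C:\Windows\SysWOW64\kkallbb.exe",
         r'C:\Windows\system32\kkallbb.exe 624 "C:\Windows\SysWOW64\skpnmwp.exe"'),
    # Constructed benign control: seven-letter name in System32, but no relaunch link.
    Proc(3212, 2124, r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\Users\Admin\notes.txt"),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_PROCS))
```

Fed the full tree from a report, the same walk yields the 89-deep chain seen below; on an endpoint the records would come from process-creation telemetry (image, parent, command line) rather than from the sandbox. The link rule deliberately needs all three signals together (system directory, random name, parent path passed as an argument), which is what keeps notepad.exe out of the chain despite its seven-letter name.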
Processes

Each entry gives the image path, the recorded command line and the signatures attributed to that process. The tree is a single chain: every process is the child of the one listed before it (the original's depth markers run from 1 to 89). Each dropped binary lives in C:\Windows\SysWOW64 and is started with two arguments: a small integer whose meaning the report does not establish, and the path of its parent's image. From entry 66 onward most entries carry no signatures; since each signature's IoC list above is capped at 64 entries (the Executes dropped EXE list ends at qliiuiq.exe, entry 65), a missing signature on a later entry does not by itself mean that process behaved differently. The page ends at entry 89.

[1] C:\Users\Admin\AppData\Local\Temp\03c35e1ee1b0bf6340cdb45773c9fd3e_JaffaCakes118.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\03c35e1ee1b0bf6340cdb45773c9fd3e_JaffaCakes118.exe"
    signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
[2] C:\Windows\SysWOW64\lvdfhdt.exe
    cmdline: C:\Windows\system32\lvdfhdt.exe 636 "C:\Users\Admin\AppData\Local\Temp\03c35e1ee1b0bf6340cdb45773c9fd3e_JaffaCakes118.exe"
    signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
[3] C:\Windows\SysWOW64\vjfiqkd.exe
    cmdline: C:\Windows\system32\vjfiqkd.exe 620 "C:\Windows\SysWOW64\lvdfhdt.exe"
    signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
[4] C:\Windows\SysWOW64\skpnmwp.exe
    cmdline: C:\Windows\system32\skpnmwp.exe 616 "C:\Windows\SysWOW64\vjfiqkd.exe"
    signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
[5] C:\Windows\SysWOW64\kkallbb.exe
    cmdline: C:\Windows\system32\kkallbb.exe 624 "C:\Windows\SysWOW64\skpnmwp.exe"
    signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
[6] C:\Windows\SysWOW64\wxfguhn.exe
    cmdline: C:\Windows\system32\wxfguhn.exe 612 "C:\Windows\SysWOW64\kkallbb.exe"
    signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
[7] C:\Windows\SysWOW64\lqcbdvq.exe
    cmdline: C:\Windows\system32\lqcbdvq.exe 712 "C:\Windows\SysWOW64\wxfguhn.exe"
    signatures: Executes dropped EXE; Identifies Wine through registry keys; Loads dropped DLL; Suspicious use of WriteProcessMemory
[8] C:\Windows\SysWOW64\tjbbkct.exe
    cmdline: C:\Windows\system32\tjbbkct.exe 640 "C:\Windows\SysWOW64\lqcbdvq.exe"
    signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
[9] C:\Windows\SysWOW64\achghek.exe
    cmdline: C:\Windows\system32\achghek.exe 720 "C:\Windows\SysWOW64\tjbbkct.exe"
    signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
[10] C:\Windows\SysWOW64\nscjpeh.exe
    cmdline: C:\Windows\system32\nscjpeh.exe 628 "C:\Windows\SysWOW64\achghek.exe"
    signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
[11] C:\Windows\SysWOW64\vaqbktr.exe
    cmdline: C:\Windows\system32\vaqbktr.exe 728 "C:\Windows\SysWOW64\nscjpeh.exe"
    signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
[12] C:\Windows\SysWOW64\fzcyusy.exe
    cmdline: C:\Windows\system32\fzcyusy.exe 652 "C:\Windows\SysWOW64\vaqbktr.exe"
    signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
[13] C:\Windows\SysWOW64\pggwerg.exe
    cmdline: C:\Windows\system32\pggwerg.exe 736 "C:\Windows\SysWOW64\fzcyusy.exe"
    signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
[14] C:\Windows\SysWOW64\ctxtkvf.exe
    cmdline: C:\Windows\system32\ctxtkvf.exe 632 "C:\Windows\SysWOW64\pggwerg.exe"
    signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
[15] C:\Windows\SysWOW64\pksotdk.exe
    cmdline: C:\Windows\system32\pksotdk.exe 744 "C:\Windows\SysWOW64\ctxtkvf.exe"
    signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
[16] C:\Windows\SysWOW64\cpjrpmn.exe
    cmdline: C:\Windows\system32\cpjrpmn.exe 760 "C:\Windows\SysWOW64\pksotdk.exe"
    signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
[17] C:\Windows\SysWOW64\moooakv.exe
    cmdline: C:\Windows\system32\moooakv.exe 740 "C:\Windows\SysWOW64\cpjrpmn.exe"
    signatures: Executes dropped EXE; Loads dropped DLL
[18] C:\Windows\SysWOW64\wkoyhfw.exe
    cmdline: C:\Windows\system32\wkoyhfw.exe 764 "C:\Windows\SysWOW64\moooakv.exe"
    signatures: Executes dropped EXE; Loads dropped DLL
[19] C:\Windows\SysWOW64\ddnmezm.exe
    cmdline: C:\Windows\system32\ddnmezm.exe 752 "C:\Windows\SysWOW64\wkoyhfw.exe"
    signatures: Executes dropped EXE; Loads dropped DLL
[20] C:\Windows\SysWOW64\txkyovo.exe
    cmdline: C:\Windows\system32\txkyovo.exe 768 "C:\Windows\SysWOW64\ddnmezm.exe"
    signatures: Executes dropped EXE; Loads dropped DLL
[21] C:\Windows\SysWOW64\gnnbwvu.exe
    cmdline: C:\Windows\system32\gnnbwvu.exe 756 "C:\Windows\SysWOW64\txkyovo.exe"
    signatures: Executes dropped EXE; Loads dropped DLL
[22] C:\Windows\SysWOW64\tawrczt.exe
    cmdline: C:\Windows\system32\tawrczt.exe 784 "C:\Windows\SysWOW64\gnnbwvu.exe"
    signatures: Executes dropped EXE; Loads dropped DLL
[23] C:\Windows\SysWOW64\dlmbpcz.exe
    cmdline: C:\Windows\system32\dlmbpcz.exe 772 "C:\Windows\SysWOW64\tawrczt.exe"
    signatures: Executes dropped EXE; Loads dropped DLL
[24] C:\Windows\SysWOW64\mnjmlff.exe
    cmdline: C:\Windows\system32\mnjmlff.exe 776 "C:\Windows\SysWOW64\dlmbpcz.exe"
    signatures: Executes dropped EXE; Loads dropped DLL
[25] C:\Windows\SysWOW64\zmeotnl.exe
    cmdline: C:\Windows\system32\zmeotnl.exe 780 "C:\Windows\SysWOW64\mnjmlff.exe"
    signatures: Executes dropped EXE; Loads dropped DLL
[26] C:\Windows\SysWOW64\khfzbhm.exe
    cmdline: C:\Windows\system32\khfzbhm.exe 792 "C:\Windows\SysWOW64\zmeotnl.exe"
    signatures: Executes dropped EXE; Loads dropped DLL
[27] C:\Windows\SysWOW64\xyzbjir.exe
    cmdline: C:\Windows\system32\xyzbjir.exe 796 "C:\Windows\SysWOW64\khfzbhm.exe"
    signatures: Executes dropped EXE; Loads dropped DLL
[28] C:\Windows\SysWOW64\ejyhgjz.exe
    cmdline: C:\Windows\system32\ejyhgjz.exe 788 "C:\Windows\SysWOW64\xyzbjir.exe"
    signatures: Executes dropped EXE; Loads dropped DLL
[29] C:\Windows\SysWOW64\rwqemfg.exe
    cmdline: C:\Windows\system32\rwqemfg.exe 800 "C:\Windows\SysWOW64\ejyhgjz.exe"
    signatures: Executes dropped EXE; Loads dropped DLL
[30] C:\Windows\SysWOW64\bducxeg.exe
    cmdline: C:\Windows\system32\bducxeg.exe 804 "C:\Windows\SysWOW64\rwqemfg.exe"
    signatures: Executes dropped EXE; Loads dropped DLL
[31] C:\Windows\SysWOW64\ljurvlt.exe
    cmdline: C:\Windows\system32\ljurvlt.exe 812 "C:\Windows\SysWOW64\bducxeg.exe"
    signatures: Executes dropped EXE; Loads dropped DLL
[32] C:\Windows\SysWOW64\yempbps.exe
    cmdline: C:\Windows\system32\yempbps.exe 816 "C:\Windows\SysWOW64\ljurvlt.exe"
    signatures: Executes dropped EXE; Loads dropped DLL
[33] C:\Windows\SysWOW64\idqmloz.exe
    cmdline: C:\Windows\system32\idqmloz.exe 808 "C:\Windows\SysWOW64\yempbps.exe"
    signatures: Executes dropped EXE
[34] C:\Windows\SysWOW64\scckvnh.exe
    cmdline: C:\Windows\system32\scckvnh.exe 820 "C:\Windows\SysWOW64\idqmloz.exe"
    signatures: Executes dropped EXE
[35] C:\Windows\SysWOW64\ccghomo.exe
    cmdline: C:\Windows\system32\ccghomo.exe 824 "C:\Windows\SysWOW64\scckvnh.exe"
    signatures: Executes dropped EXE
[36] C:\Windows\SysWOW64\pabkwmm.exe
    cmdline: C:\Windows\system32\pabkwmm.exe 828 "C:\Windows\SysWOW64\ccghomo.exe"
    signatures: Executes dropped EXE
[37] C:\Windows\SysWOW64\zznhhlt.exe
    cmdline: C:\Windows\system32\zznhhlt.exe 832 "C:\Windows\SysWOW64\pabkwmm.exe"
    signatures: Executes dropped EXE
[38] C:\Windows\SysWOW64\kyrfzjb.exe
    cmdline: C:\Windows\system32\kyrfzjb.exe 836 "C:\Windows\SysWOW64\zznhhlt.exe"
    signatures: Executes dropped EXE; Identifies Wine through registry keys
[39] C:\Windows\SysWOW64\tmscpro.exe
    cmdline: C:\Windows\system32\tmscpro.exe 840 "C:\Windows\SysWOW64\kyrfzjb.exe"
    signatures: Executes dropped EXE
[40] C:\Windows\SysWOW64\eitmxlp.exe
    cmdline: C:\Windows\system32\eitmxlp.exe 848 "C:\Windows\SysWOW64\tmscpro.exe"
    signatures: Executes dropped EXE
[41] C:\Windows\SysWOW64\ryopftu.exe
    cmdline: C:\Windows\system32\ryopftu.exe 844 "C:\Windows\SysWOW64\eitmxlp.exe"
    signatures: Executes dropped EXE
[42] C:\Windows\SysWOW64\ajdzbwb.exe
    cmdline: C:\Windows\system32\ajdzbwb.exe 852 "C:\Windows\SysWOW64\ryopftu.exe"
    signatures: Executes dropped EXE; Identifies Wine through registry keys
[43] C:\Windows\SysWOW64\nagcjxg.exe
    cmdline: C:\Windows\system32\nagcjxg.exe 748 "C:\Windows\SysWOW64\ajdzbwb.exe"
    signatures: Executes dropped EXE
[44] C:\Windows\SysWOW64\yhkauvo.exe
    cmdline: C:\Windows\system32\yhkauvo.exe 860 "C:\Windows\SysWOW64\nagcjxg.exe"
    signatures: Executes dropped EXE
[45] C:\Windows\SysWOW64\kbqpfis.exe
    cmdline: C:\Windows\system32\kbqpfis.exe 864 "C:\Windows\SysWOW64\yhkauvo.exe"
    signatures: Executes dropped EXE
[46] C:\Windows\SysWOW64\xzlsoqq.exe
    cmdline: C:\Windows\system32\xzlsoqq.exe 868 "C:\Windows\SysWOW64\kbqpfis.exe"
    signatures: Executes dropped EXE
[47] C:\Windows\SysWOW64\hcicjle.exe
    cmdline: C:\Windows\system32\hcicjle.exe 880 "C:\Windows\SysWOW64\xzlsoqq.exe"
    signatures: Executes dropped EXE
[48] C:\Windows\SysWOW64\rxbnrgf.exe
    cmdline: C:\Windows\system32\rxbnrgf.exe 872 "C:\Windows\SysWOW64\hcicjle.exe"
    signatures: Executes dropped EXE; Identifies Wine through registry keys
[49] C:\Windows\SysWOW64\ezhccsj.exe
    cmdline: C:\Windows\system32\ezhccsj.exe 876 "C:\Windows\SysWOW64\rxbnrgf.exe"
    signatures: Executes dropped EXE; Drops file in System32 directory
[50] C:\Windows\SysWOW64\ovinsns.exe
    cmdline: C:\Windows\system32\ovinsns.exe 888 "C:\Windows\SysWOW64\ezhccsj.exe"
    signatures: Executes dropped EXE
[51] C:\Windows\SysWOW64\tldqavp.exe
    cmdline: C:\Windows\system32\tldqavp.exe 856 "C:\Windows\SysWOW64\ovinsns.exe"
    signatures: Executes dropped EXE; Drops file in System32 directory
[52] C:\Windows\SysWOW64\axkvppg.exe
    cmdline: C:\Windows\system32\axkvppg.exe 892 "C:\Windows\SysWOW64\tldqavp.exe"
    signatures: Executes dropped EXE; Identifies Wine through registry keys
[53] C:\Windows\SysWOW64\ostsvse.exe
    cmdline: C:\Windows\system32\ostsvse.exe 896 "C:\Windows\SysWOW64\axkvppg.exe"
    signatures: Executes dropped EXE
[54] C:\Windows\SysWOW64\yrfqnrm.exe
    cmdline: C:\Windows\system32\yrfqnrm.exe 904 "C:\Windows\SysWOW64\ostsvse.exe"
    signatures: Executes dropped EXE
[55] C:\Windows\SysWOW64\itvabms.exe
    cmdline: C:\Windows\system32\itvabms.exe 884 "C:\Windows\SysWOW64\yrfqnrm.exe"
    signatures: Executes dropped EXE
[56] C:\Windows\SysWOW64\seklopy.exe
    cmdline: C:\Windows\system32\seklopy.exe 908 "C:\Windows\SysWOW64\itvabms.exe"
    signatures: Executes dropped EXE
[57] C:\Windows\SysWOW64\euffeye.exe
    cmdline: C:\Windows\system32\euffeye.exe 916 "C:\Windows\SysWOW64\seklopy.exe"
    signatures: Executes dropped EXE
[58] C:\Windows\SysWOW64\rtiingk.exe
    cmdline: C:\Windows\system32\rtiingk.exe 932 "C:\Windows\SysWOW64\euffeye.exe"
    signatures: Executes dropped EXE
[59] C:\Windows\SysWOW64\csmnxej.exe
    cmdline: C:\Windows\system32\csmnxej.exe 912 "C:\Windows\SysWOW64\rtiingk.exe"
    signatures: Executes dropped EXE
[60] C:\Windows\SysWOW64\mrqlidr.exe
    cmdline: C:\Windows\system32\mrqlidr.exe 920 "C:\Windows\SysWOW64\csmnxej.exe"
    signatures: Executes dropped EXE; Identifies Wine through registry keys
[61] C:\Windows\SysWOW64\zqtnqdw.exe
    cmdline: C:\Windows\system32\zqtnqdw.exe 924 "C:\Windows\SysWOW64\mrqlidr.exe"
    signatures: Executes dropped EXE
[62] C:\Windows\SysWOW64\jpxljce.exe
    cmdline: C:\Windows\system32\jpxljce.exe 936 "C:\Windows\SysWOW64\zqtnqdw.exe"
    signatures: Executes dropped EXE; Identifies Wine through registry keys
[63] C:\Windows\SysWOW64\trmvwfk.exe
    cmdline: C:\Windows\system32\trmvwfk.exe 928 "C:\Windows\SysWOW64\jpxljce.exe"
    signatures: Executes dropped EXE
[64] C:\Windows\SysWOW64\dnngeal.exe
    cmdline: C:\Windows\system32\dnngeal.exe 940 "C:\Windows\SysWOW64\trmvwfk.exe"
    signatures: Executes dropped EXE
[65] C:\Windows\SysWOW64\qliiuiq.exe
    cmdline: C:\Windows\system32\qliiuiq.exe 944 "C:\Windows\SysWOW64\dnngeal.exe"
    signatures: Executes dropped EXE; Drops file in System32 directory
[66] C:\Windows\SysWOW64\aoftilx.exe
    cmdline: C:\Windows\system32\aoftilx.exe 948 "C:\Windows\SysWOW64\qliiuiq.exe"
    signatures: (none attributed)
[67] C:\Windows\SysWOW64\nmavqlc.exe
    cmdline: C:\Windows\system32\nmavqlc.exe 900 "C:\Windows\SysWOW64\aoftilx.exe"
    signatures: Identifies Wine through registry keys; Drops file in System32 directory
[68] C:\Windows\SysWOW64\zgglcyh.exe
    cmdline: C:\Windows\system32\zgglcyh.exe 960 "C:\Windows\SysWOW64\nmavqlc.exe"
    signatures: (none attributed)
[69] C:\Windows\SysWOW64\mfbgkgm.exe
    cmdline: C:\Windows\system32\mfbgkgm.exe 956 "C:\Windows\SysWOW64\zgglcyh.exe"
    signatures: (none attributed)
[70] C:\Windows\SysWOW64\whqqfjs.exe
    cmdline: C:\Windows\system32\whqqfjs.exe 964 "C:\Windows\SysWOW64\mfbgkgm.exe"
    signatures: Identifies Wine through registry keys
[71] C:\Windows\SysWOW64\juiolfr.exe
    cmdline: C:\Windows\system32\juiolfr.exe 968 "C:\Windows\SysWOW64\whqqfjs.exe"
    signatures: (none attributed)
[72] C:\Windows\SysWOW64\tjidbme.exe
    cmdline: C:\Windows\system32\tjidbme.exe 988 "C:\Windows\SysWOW64\juiolfr.exe"
    signatures: (none attributed)
[73] C:\Windows\SysWOW64\gwathqd.exe
    cmdline: C:\Windows\system32\gwathqd.exe 972 "C:\Windows\SysWOW64\tjidbme.exe"
    signatures: (none attributed)
[74] C:\Windows\SysWOW64\tuvwqyj.exe
    cmdline: C:\Windows\system32\tuvwqyj.exe 976 "C:\Windows\SysWOW64\gwathqd.exe"
    signatures: (none attributed)
[75] C:\Windows\SysWOW64\davtoyw.exe
    cmdline: C:\Windows\system32\davtoyw.exe 980 "C:\Windows\SysWOW64\tuvwqyj.exe"
    signatures: (none attributed)
[76] C:\Windows\SysWOW64\qzqwwgb.exe
    cmdline: C:\Windows\system32\qzqwwgb.exe 984 "C:\Windows\SysWOW64\davtoyw.exe"
    signatures: (none attributed)
[77] C:\Windows\SysWOW64\dplyfoz.exe
    cmdline: C:\Windows\system32\dplyfoz.exe 992 "C:\Windows\SysWOW64\qzqwwgb.exe"
    signatures: (none attributed)
[78] C:\Windows\SysWOW64\qoobnoe.exe
    cmdline: C:\Windows\system32\qoobnoe.exe 996 "C:\Windows\SysWOW64\dplyfoz.exe"
    signatures: (none attributed)
[79] C:\Windows\SysWOW64\zqdmbrl.exe
    cmdline: C:\Windows\system32\zqdmbrl.exe 1000 "C:\Windows\SysWOW64\qoobnoe.exe"
    signatures: Identifies Wine through registry keys
[80] C:\Windows\SysWOW64\mpyoraq.exe
    cmdline: C:\Windows\system32\mpyoraq.exe 1004 "C:\Windows\SysWOW64\zqdmbrl.exe"
    signatures: (none attributed)
[81] C:\Windows\SysWOW64\wrnzfdx.exe
    cmdline: C:\Windows\system32\wrnzfdx.exe 1008 "C:\Windows\SysWOW64\mpyoraq.exe"
    signatures: (none attributed)
[82] C:\Windows\SysWOW64\jefokgd.exe
    cmdline: C:\Windows\system32\jefokgd.exe 1012 "C:\Windows\SysWOW64\wrnzfdx.exe"
    signatures: Identifies Wine through registry keys
[83] C:\Windows\SysWOW64\wglwwli.exe
    cmdline: C:\Windows\system32\wglwwli.exe 1016 "C:\Windows\SysWOW64\jefokgd.exe"
    signatures: Identifies Wine through registry keys
[84] C:\Windows\SysWOW64\gjagjoo.exe
    cmdline: C:\Windows\system32\gjagjoo.exe 1032 "C:\Windows\SysWOW64\wglwwli.exe"
    signatures: (none attributed)
[85] C:\Windows\SysWOW64\wvjbntl.exe
    cmdline: C:\Windows\system32\wvjbntl.exe 1020 "C:\Windows\SysWOW64\gjagjoo.exe"
    signatures: (none attributed)
[86] C:\Windows\SysWOW64\gbjzlby.exe
    cmdline: C:\Windows\system32\gbjzlby.exe 1028 "C:\Windows\SysWOW64\wvjbntl.exe"
    signatures: (none attributed)
[87] C:\Windows\SysWOW64\saebujd.exe
    cmdline: C:\Windows\system32\saebujd.exe 1036 "C:\Windows\SysWOW64\gbjzlby.exe"
    signatures: (none attributed)
[88] C:\Windows\SysWOW64\fqzecrb.exe
    cmdline: C:\Windows\system32\fqzecrb.exe 1040 "C:\Windows\SysWOW64\saebujd.exe"
    signatures: (none attributed)
[89] C:\Windows\SysWOW64\spchlrh.exe
    cmdline: C:\Windows\system32\spchlrh.exe 1044 "C:\Windows\SysWOW64\fqzecrb.exe"
    (the page is truncated here)
- Drops file in System32 directory
-
C:\Windows\SysWOW64\crrryun.exeC:\Windows\system32\crrryun.exe 1052 "C:\Windows\SysWOW64\spchlrh.exe"90⤵
-
C:\Windows\SysWOW64\pqmupcs.exeC:\Windows\system32\pqmupcs.exe 1048 "C:\Windows\SysWOW64\crrryun.exe"91⤵
-
C:\Windows\SysWOW64\cghpxdy.exeC:\Windows\system32\cghpxdy.exe 1060 "C:\Windows\SysWOW64\pqmupcs.exe"92⤵
-
C:\Windows\SysWOW64\mrwzkge.exeC:\Windows\system32\mrwzkge.exe 1056 "C:\Windows\SysWOW64\cghpxdy.exe"93⤵
-
C:\Windows\SysWOW64\zizctok.exeC:\Windows\system32\zizctok.exe 1076 "C:\Windows\SysWOW64\mrwzkge.exe"94⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\myuecwp.exeC:\Windows\system32\myuecwp.exe 1064 "C:\Windows\SysWOW64\zizctok.exe"95⤵
- Identifies Wine through registry keys
-
C:\Windows\SysWOW64\wjjpxzw.exeC:\Windows\system32\wjjpxzw.exe 952 "C:\Windows\SysWOW64\myuecwp.exe"96⤵
-
C:\Windows\SysWOW64\mnrktet.exeC:\Windows\system32\mnrktet.exe 1072 "C:\Windows\SysWOW64\wjjpxzw.exe"97⤵
-
C:\Windows\SysWOW64\vbshrmg.exeC:\Windows\system32\vbshrmg.exe 1080 "C:\Windows\SysWOW64\mnrktet.exe"98⤵
- Identifies Wine through registry keys
-
C:\Windows\SysWOW64\asnkaul.exeC:\Windows\system32\asnkaul.exe 1084 "C:\Windows\SysWOW64\vbshrmg.exe"99⤵
-
C:\Windows\SysWOW64\nfezfqk.exeC:\Windows\system32\nfezfqk.exe 1088 "C:\Windows\SysWOW64\asnkaul.exe"100⤵
-
C:\Windows\SysWOW64\xpukttq.exeC:\Windows\system32\xpukttq.exe 1096 "C:\Windows\SysWOW64\nfezfqk.exe"101⤵
-
C:\Windows\SysWOW64\kgpnbbw.exeC:\Windows\system32\kgpnbbw.exe 1092 "C:\Windows\SysWOW64\xpukttq.exe"102⤵
-
C:\Windows\SysWOW64\xejpsjb.exeC:\Windows\system32\xejpsjb.exe 1100 "C:\Windows\SysWOW64\kgpnbbw.exe"103⤵
- Identifies Wine through registry keys
-
C:\Windows\SysWOW64\hskfijh.exeC:\Windows\system32\hskfijh.exe 1108 "C:\Windows\SysWOW64\xejpsjb.exe"104⤵
-
C:\Windows\SysWOW64\ujnhqrm.exeC:\Windows\system32\ujnhqrm.exe 1104 "C:\Windows\SysWOW64\hskfijh.exe"105⤵
-
C:\Windows\SysWOW64\gzikzzs.exeC:\Windows\system32\gzikzzs.exe 1112 "C:\Windows\SysWOW64\ujnhqrm.exe"106⤵
-
C:\Windows\SysWOW64\tycnizx.exeC:\Windows\system32\tycnizx.exe 1116 "C:\Windows\SysWOW64\gzikzzs.exe"107⤵
-
C:\Windows\SysWOW64\dasxdcd.exeC:\Windows\system32\dasxdcd.exe 1120 "C:\Windows\SysWOW64\tycnizx.exe"108⤵
-
C:\Windows\SysWOW64\qzvallj.exeC:\Windows\system32\qzvallj.exe 1124 "C:\Windows\SysWOW64\dasxdcd.exe"109⤵
-
C:\Windows\SysWOW64\dppcuth.exeC:\Windows\system32\dppcuth.exe 1128 "C:\Windows\SysWOW64\qzvallj.exe"110⤵
-
C:\Windows\SysWOW64\qokfdtm.exeC:\Windows\system32\qokfdtm.exe 1132 "C:\Windows\SysWOW64\dppcuth.exe"111⤵
-
C:\Windows\SysWOW64\aulvtaz.exeC:\Windows\system32\aulvtaz.exe 1140 "C:\Windows\SysWOW64\qokfdtm.exe"112⤵
-
C:\Windows\SysWOW64\nsoxbix.exeC:\Windows\system32\nsoxbix.exe 1144 "C:\Windows\SysWOW64\aulvtaz.exe"113⤵
-
C:\Windows\SysWOW64\zjiasjc.exeC:\Windows\system32\zjiasjc.exe 1136 "C:\Windows\SysWOW64\nsoxbix.exe"114⤵
-
C:\Windows\SysWOW64\mhddbri.exeC:\Windows\system32\mhddbri.exe 1148 "C:\Windows\SysWOW64\zjiasjc.exe"115⤵
-
C:\Windows\SysWOW64\wktnouo.exeC:\Windows\system32\wktnouo.exe 1152 "C:\Windows\SysWOW64\mhddbri.exe"116⤵
-
C:\Windows\SysWOW64\jmhdzgt.exeC:\Windows\system32\jmhdzgt.exe 1156 "C:\Windows\SysWOW64\wktnouo.exe"117⤵
-
C:\Windows\SysWOW64\wdbfihy.exeC:\Windows\system32\wdbfihy.exe 1068 "C:\Windows\SysWOW64\jmhdzgt.exe"118⤵
-
C:\Windows\SysWOW64\jtwiqpe.exeC:\Windows\system32\jtwiqpe.exe 1160 "C:\Windows\SysWOW64\wdbfihy.exe"119⤵
-
C:\Windows\SysWOW64\wszlzxj.exeC:\Windows\system32\wszlzxj.exe 1168 "C:\Windows\SysWOW64\jtwiqpe.exe"120⤵
- Identifies Wine through registry keys
-
C:\Windows\SysWOW64\jiufqxh.exeC:\Windows\system32\jiufqxh.exe 1172 "C:\Windows\SysWOW64\wszlzxj.exe"121⤵
-
C:\Windows\SysWOW64\swvdgeu.exeC:\Windows\system32\swvdgeu.exe 1176 "C:\Windows\SysWOW64\jiufqxh.exe"122⤵
-
C:\Windows\SysWOW64\fjeslit.exeC:\Windows\system32\fjeslit.exe 1180 "C:\Windows\SysWOW64\swvdgeu.exe"123⤵
-
C:\Windows\SysWOW64\putdzlh.exeC:\Windows\system32\putdzlh.exe 1184 "C:\Windows\SysWOW64\fjeslit.exe"124⤵
-
C:\Windows\SysWOW64\ckwgpmf.exeC:\Windows\system32\ckwgpmf.exe 1188 "C:\Windows\SysWOW64\putdzlh.exe"125⤵
-
C:\Windows\SysWOW64\pjriyuk.exeC:\Windows\system32\pjriyuk.exe 1192 "C:\Windows\SysWOW64\ckwgpmf.exe"126⤵
-
C:\Windows\SysWOW64\czmlgcq.exeC:\Windows\system32\czmlgcq.exe 1196 "C:\Windows\SysWOW64\pjriyuk.exe"127⤵
-
C:\Windows\SysWOW64\mnnixbd.exeC:\Windows\system32\mnnixbd.exe 1204 "C:\Windows\SysWOW64\czmlgcq.exe"128⤵
-
C:\Windows\SysWOW64\zeplfka.exeC:\Windows\system32\zeplfka.exe 1200 "C:\Windows\SysWOW64\mnnixbd.exe"129⤵
-
C:\Windows\SysWOW64\mrzblnh.exeC:\Windows\system32\mrzblnh.exe 1212 "C:\Windows\SysWOW64\zeplfka.exe"130⤵
-
C:\Windows\SysWOW64\wbolgqn.exeC:\Windows\system32\wbolgqn.exe 1208 "C:\Windows\SysWOW64\mrzblnh.exe"131⤵
-
C:\Windows\SysWOW64\jsroprt.exeC:\Windows\system32\jsroprt.exe 1216 "C:\Windows\SysWOW64\wbolgqn.exe"132⤵
- Identifies Wine through registry keys
- Drops file in System32 directory
-
C:\Windows\SysWOW64\scgqcuz.exeC:\Windows\system32\scgqcuz.exe 1220 "C:\Windows\SysWOW64\jsroprt.exe"133⤵
-
C:\Windows\SysWOW64\ftbtlcf.exeC:\Windows\system32\ftbtlcf.exe 1228 "C:\Windows\SysWOW64\scgqcuz.exe"134⤵
-
C:\Windows\SysWOW64\sjewtkc.exeC:\Windows\system32\sjewtkc.exe 1224 "C:\Windows\SysWOW64\ftbtlcf.exe"135⤵
-
C:\Windows\SysWOW64\critmjk.exeC:\Windows\system32\critmjk.exe 1248 "C:\Windows\SysWOW64\sjewtkc.exe"136⤵
-
C:\Windows\SysWOW64\nqmywir.exeC:\Windows\system32\nqmywir.exe 1232 "C:\Windows\SysWOW64\critmjk.exe"137⤵
-
C:\Windows\SysWOW64\zgpbfix.exeC:\Windows\system32\zgpbfix.exe 1240 "C:\Windows\SysWOW64\nqmywir.exe"138⤵
-
C:\Windows\SysWOW64\jrfdald.exeC:\Windows\system32\jrfdald.exe 1164 "C:\Windows\SysWOW64\zgpbfix.exe"139⤵
-
C:\Windows\SysWOW64\whzgitj.exeC:\Windows\system32\whzgitj.exe 1260 "C:\Windows\SysWOW64\jrfdald.exe"140⤵
-
C:\Windows\SysWOW64\jgcjrtg.exeC:\Windows\system32\jgcjrtg.exe 1244 "C:\Windows\SysWOW64\whzgitj.exe"141⤵
-
C:\Windows\SysWOW64\tmvghbu.exeC:\Windows\system32\tmvghbu.exe 1256 "C:\Windows\SysWOW64\jgcjrtg.exe"142⤵
-
C:\Windows\SysWOW64\gkyjqjz.exeC:\Windows\system32\gkyjqjz.exe 1252 "C:\Windows\SysWOW64\tmvghbu.exe"143⤵
-
C:\Windows\SysWOW64\tbsmyrf.exeC:\Windows\system32\tbsmyrf.exe 1268 "C:\Windows\SysWOW64\gkyjqjz.exe"144⤵
- Identifies Wine through registry keys
-
C:\Windows\SysWOW64\gznohrc.exeC:\Windows\system32\gznohrc.exe 1264 "C:\Windows\SysWOW64\tbsmyrf.exe"145⤵
-
C:\Windows\SysWOW64\sqqrxzi.exeC:\Windows\system32\sqqrxzi.exe 1272 "C:\Windows\SysWOW64\gznohrc.exe"146⤵
-
C:\Windows\SysWOW64\uergohv.exeC:\Windows\system32\uergohv.exe 1284 "C:\Windows\SysWOW64\sqqrxzi.exe"147⤵
-
C:\Windows\SysWOW64\huljwhs.exeC:\Windows\system32\huljwhs.exe 1292 "C:\Windows\SysWOW64\uergohv.exe"148⤵
-
C:\Windows\SysWOW64\uhdzclz.exeC:\Windows\system32\uhdzclz.exe 1276 "C:\Windows\SysWOW64\huljwhs.exe"149⤵
-
C:\Windows\SysWOW64\essjxof.exeC:\Windows\system32\essjxof.exe 1300 "C:\Windows\SysWOW64\uhdzclz.exe"150⤵
- Identifies Wine through registry keys
-
C:\Windows\SysWOW64\rinmgwl.exeC:\Windows\system32\rinmgwl.exe 1304 "C:\Windows\SysWOW64\essjxof.exe"151⤵
-
C:\Windows\SysWOW64\btdwtzr.exeC:\Windows\system32\btdwtzr.exe 1280 "C:\Windows\SysWOW64\rinmgwl.exe"152⤵
-
C:\Windows\SysWOW64\okfzczx.exeC:\Windows\system32\okfzczx.exe 1308 "C:\Windows\SysWOW64\btdwtzr.exe"153⤵
-
C:\Windows\SysWOW64\biackhu.exeC:\Windows\system32\biackhu.exe 1296 "C:\Windows\SysWOW64\okfzczx.exe"154⤵
-
C:\Windows\SysWOW64\llqmflj.exeC:\Windows\system32\llqmflj.exe 1288 "C:\Windows\SysWOW64\biackhu.exe"155⤵
-
C:\Windows\SysWOW64\yjkpolg.exeC:\Windows\system32\yjkpolg.exe 1316 "C:\Windows\SysWOW64\llqmflj.exe"156⤵
-
C:\Windows\SysWOW64\kanrxtm.exeC:\Windows\system32\kanrxtm.exe 1312 "C:\Windows\SysWOW64\yjkpolg.exe"157⤵
-
C:\Windows\SysWOW64\xqiufbr.exeC:\Windows\system32\xqiufbr.exe 1324 "C:\Windows\SysWOW64\kanrxtm.exe"158⤵
-
C:\Windows\SysWOW64\hejjvjf.exeC:\Windows\system32\hejjvjf.exe 1320 "C:\Windows\SysWOW64\xqiufbr.exe"159⤵
-
C:\Windows\SysWOW64\uddmejc.exeC:\Windows\system32\uddmejc.exe 1328 "C:\Windows\SysWOW64\hejjvjf.exe"160⤵
-
C:\Windows\SysWOW64\htgpmri.exeC:\Windows\system32\htgpmri.exe 1336 "C:\Windows\SysWOW64\uddmejc.exe"161⤵
-
C:\Windows\SysWOW64\rwwziuo.exeC:\Windows\system32\rwwziuo.exe 1332 "C:\Windows\SysWOW64\htgpmri.exe"162⤵
-
C:\Windows\SysWOW64\hiwumzt.exeC:\Windows\system32\hiwumzt.exe 1340 "C:\Windows\SysWOW64\rwwziuo.exe"163⤵
-
C:\Windows\SysWOW64\qwwschy.exeC:\Windows\system32\qwwschy.exe 1344 "C:\Windows\SysWOW64\hiwumzt.exe"164⤵
- Identifies Wine through registry keys
-
C:\Windows\SysWOW64\dnrukpd.exeC:\Windows\system32\dnrukpd.exe 1348 "C:\Windows\SysWOW64\qwwschy.exe"165⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\qduxtpj.exeC:\Windows\system32\qduxtpj.exe 1356 "C:\Windows\SysWOW64\dnrukpd.exe"166⤵
-
C:\Windows\SysWOW64\aojhosp.exeC:\Windows\system32\aojhosp.exe 1352 "C:\Windows\SysWOW64\qduxtpj.exe"167⤵
-
C:\Windows\SysWOW64\neecxav.exeC:\Windows\system32\neecxav.exe 1360 "C:\Windows\SysWOW64\aojhosp.exe"168⤵
- Identifies Wine through registry keys
- Drops file in System32 directory
-
C:\Windows\SysWOW64\adhffia.exeC:\Windows\system32\adhffia.exe 1364 "C:\Windows\SysWOW64\neecxav.exe"169⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\ntchojy.exeC:\Windows\system32\ntchojy.exe 1372 "C:\Windows\SysWOW64\adhffia.exe"170⤵
-
C:\Windows\SysWOW64\akxkxre.exeC:\Windows\system32\akxkxre.exe 1236 "C:\Windows\SysWOW64\ntchojy.exe"171⤵
-
C:\Windows\SysWOW64\jyxhvyr.exeC:\Windows\system32\jyxhvyr.exe 1376 "C:\Windows\SysWOW64\akxkxre.exe"172⤵
-
C:\Windows\SysWOW64\wwskdgo.exeC:\Windows\system32\wwskdgo.exe 1380 "C:\Windows\SysWOW64\jyxhvyr.exe"173⤵
-
C:\Windows\SysWOW64\jnvnmgu.exeC:\Windows\system32\jnvnmgu.exe 1388 "C:\Windows\SysWOW64\wwskdgo.exe"174⤵
-
C:\Windows\SysWOW64\wdqqupz.exeC:\Windows\system32\wdqqupz.exe 1384 "C:\Windows\SysWOW64\jnvnmgu.exe"175⤵
-
C:\Windows\SysWOW64\gofaisg.exeC:\Windows\system32\gofaisg.exe 1396 "C:\Windows\SysWOW64\wdqqupz.exe"176⤵
-
C:\Windows\SysWOW64\tfidqsl.exeC:\Windows\system32\tfidqsl.exe 1392 "C:\Windows\SysWOW64\gofaisg.exe"177⤵
-
C:\Windows\SysWOW64\gddxzar.exeC:\Windows\system32\gddxzar.exe 1404 "C:\Windows\SysWOW64\tfidqsl.exe"178⤵
-
C:\Windows\SysWOW64\qgsiudx.exeC:\Windows\system32\qgsiudx.exe 1400 "C:\Windows\SysWOW64\gddxzar.exe"179⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\ciyxgqb.exeC:\Windows\system32\ciyxgqb.exe 1412 "C:\Windows\SysWOW64\qgsiudx.exe"180⤵
- Identifies Wine through registry keys
-
C:\Windows\SysWOW64\pytaoqh.exeC:\Windows\system32\pytaoqh.exe 1368 "C:\Windows\SysWOW64\ciyxgqb.exe"181⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\ctlquug.exeC:\Windows\system32\ctlquug.exe 1416 "C:\Windows\SysWOW64\pytaoqh.exe"182⤵
-
C:\Windows\SysWOW64\mwaahxm.exeC:\Windows\system32\mwaahxm.exe 1420 "C:\Windows\SysWOW64\ctlquug.exe"183⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\zmddyfs.exeC:\Windows\system32\zmddyfs.exe 1424 "C:\Windows\SysWOW64\mwaahxm.exe"184⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\mlyggfx.exeC:\Windows\system32\mlyggfx.exe 1428 "C:\Windows\SysWOW64\zmddyfs.exe"185⤵
-
C:\Windows\SysWOW64\wnnquid.exeC:\Windows\system32\wnnquid.exe 1432 "C:\Windows\SysWOW64\mlyggfx.exe"186⤵
-
C:\Windows\SysWOW64\jmitcqj.exeC:\Windows\system32\jmitcqj.exe 1436 "C:\Windows\SysWOW64\wnnquid.exe"187⤵
-
C:\Windows\SysWOW64\tluqnpr.exeC:\Windows\system32\tluqnpr.exe 1440 "C:\Windows\SysWOW64\jmitcqj.exe"188⤵
-
C:\Windows\SysWOW64\gnagguv.exeC:\Windows\system32\gnagguv.exe 1444 "C:\Windows\SysWOW64\tluqnpr.exe"189⤵
-
C:\Windows\SysWOW64\tdvipca.exeC:\Windows\system32\tdvipca.exe 1448 "C:\Windows\SysWOW64\gnagguv.exe"190⤵
-
C:\Windows\SysWOW64\guxdxky.exeC:\Windows\system32\guxdxky.exe 1452 "C:\Windows\SysWOW64\tdvipca.exe"191⤵
-
C:\Windows\SysWOW64\piqanjl.exeC:\Windows\system32\piqanjl.exe 1468 "C:\Windows\SysWOW64\guxdxky.exe"192⤵
-
C:\Windows\SysWOW64\cgtdwsr.exeC:\Windows\system32\cgtdwsr.exe 1456 "C:\Windows\SysWOW64\piqanjl.exe"193⤵
-
C:\Windows\SysWOW64\pxogeaw.exeC:\Windows\system32\pxogeaw.exe 1464 "C:\Windows\SysWOW64\cgtdwsr.exe"194⤵
-
C:\Windows\SysWOW64\cnjjvau.exeC:\Windows\system32\cnjjvau.exe 1408 "C:\Windows\SysWOW64\pxogeaw.exe"195⤵
-
C:\Windows\SysWOW64\hmlleiz.exeC:\Windows\system32\hmlleiz.exe 1480 "C:\Windows\SysWOW64\cnjjvau.exe"196⤵
-
C:\Windows\SysWOW64\rpbwrlg.exeC:\Windows\system32\rpbwrlg.exe 1472 "C:\Windows\SysWOW64\hmlleiz.exe"197⤵
-
C:\Windows\SysWOW64\drhdcys.exeC:\Windows\system32\drhdcys.exe 1476 "C:\Windows\SysWOW64\rpbwrlg.exe"198⤵
-
C:\Windows\SysWOW64\qhcglyp.exeC:\Windows\system32\qhcglyp.exe 1484 "C:\Windows\SysWOW64\drhdcys.exe"199⤵
-
C:\Windows\SysWOW64\dgejugv.exeC:\Windows\system32\dgejugv.exe 1492 "C:\Windows\SysWOW64\qhcglyp.exe"200⤵
- Identifies Wine through registry keys
-
C:\Windows\SysWOW64\qwzlcob.exeC:\Windows\system32\qwzlcob.exe 1488 "C:\Windows\SysWOW64\dgejugv.exe"201⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\akajaog.exeC:\Windows\system32\akajaog.exe 1496 "C:\Windows\SysWOW64\qwzlcob.exe"202⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\nbvljwl.exeC:\Windows\system32\nbvljwl.exe 1500 "C:\Windows\SysWOW64\akajaog.exe"203⤵
-
C:\Windows\SysWOW64\awmbpak.exeC:\Windows\system32\awmbpak.exe 1504 "C:\Windows\SysWOW64\nbvljwl.exe"204⤵
-
C:\Windows\SysWOW64\kcnyfhx.exeC:\Windows\system32\kcnyfhx.exe 1508 "C:\Windows\SysWOW64\awmbpak.exe"205⤵
-
C:\Windows\SysWOW64\ujrwxgf.exeC:\Windows\system32\ujrwxgf.exe 1512 "C:\Windows\SysWOW64\kcnyfhx.exe"206⤵
-
C:\Windows\SysWOW64\hwjmdcd.exeC:\Windows\system32\hwjmdcd.exe 1460 "C:\Windows\SysWOW64\ujrwxgf.exe"207⤵
-
C:\Windows\SysWOW64\umdolkj.exeC:\Windows\system32\umdolkj.exe 1520 "C:\Windows\SysWOW64\hwjmdcd.exe"208⤵
-
C:\Windows\SysWOW64\daembrw.exeC:\Windows\system32\daembrw.exe 1524 "C:\Windows\SysWOW64\umdolkj.exe"209⤵
-
C:\Windows\SysWOW64\rnobhvv.exeC:\Windows\system32\rnobhvv.exe 1528 "C:\Windows\SysWOW64\daembrw.exe"210⤵
-
C:\Windows\SysWOW64\deqeyva.exeC:\Windows\system32\deqeyva.exe 1532 "C:\Windows\SysWOW64\rnobhvv.exe"211⤵
-
C:\Windows\SysWOW64\npgolyh.exeC:\Windows\system32\npgolyh.exe 1536 "C:\Windows\SysWOW64\deqeyva.exe"212⤵
-
C:\Windows\SysWOW64\armwxll.exeC:\Windows\system32\armwxll.exe 1540 "C:\Windows\SysWOW64\npgolyh.exe"213⤵
- Identifies Wine through registry keys
-
C:\Windows\SysWOW64\nhhzflr.exeC:\Windows\system32\nhhzflr.exe 1544 "C:\Windows\SysWOW64\armwxll.exe"214⤵
-
C:\Windows\SysWOW64\axjcotw.exeC:\Windows\system32\axjcotw.exe 1548 "C:\Windows\SysWOW64\nhhzflr.exe"215⤵
-
C:\Windows\SysWOW64\nweewbu.exeC:\Windows\system32\nweewbu.exe 1552 "C:\Windows\SysWOW64\axjcotw.exe"216⤵
-
C:\Windows\SysWOW64\wkfcujh.exeC:\Windows\system32\wkfcujh.exe 1560 "C:\Windows\SysWOW64\nweewbu.exe"217⤵
-
C:\Windows\SysWOW64\jbaedjm.exeC:\Windows\system32\jbaedjm.exe 1556 "C:\Windows\SysWOW64\wkfcujh.exe"218⤵
-
C:\Windows\SysWOW64\wruzmrs.exeC:\Windows\system32\wruzmrs.exe 1564 "C:\Windows\SysWOW64\jbaedjm.exe"219⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\jqxcuzp.exeC:\Windows\system32\jqxcuzp.exe 1568 "C:\Windows\SysWOW64\wruzmrs.exe"220⤵
-
C:\Windows\SysWOW64\wgsedav.exeC:\Windows\system32\wgsedav.exe 1572 "C:\Windows\SysWOW64\jqxcuzp.exe"221⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\gutcbhi.exeC:\Windows\system32\gutcbhi.exe 1576 "C:\Windows\SysWOW64\wgsedav.exe"222⤵
-
C:\Windows\SysWOW64\tlnejpo.exeC:\Windows\system32\tlnejpo.exe 1580 "C:\Windows\SysWOW64\gutcbhi.exe"223⤵
- Identifies Wine through registry keys
-
C:\Windows\SysWOW64\gjqhspl.exeC:\Windows\system32\gjqhspl.exe 1584 "C:\Windows\SysWOW64\tlnejpo.exe"224⤵
-
C:\Windows\SysWOW64\salkbxr.exeC:\Windows\system32\salkbxr.exe 1588 "C:\Windows\SysWOW64\gjqhspl.exe"225⤵
-
C:\Windows\SysWOW64\fygmjgw.exeC:\Windows\system32\fygmjgw.exe 1592 "C:\Windows\SysWOW64\salkbxr.exe"226⤵
-
C:\Windows\SysWOW64\pehcznj.exeC:\Windows\system32\pehcznj.exe 1596 "C:\Windows\SysWOW64\fygmjgw.exe"227⤵
-
C:\Windows\SysWOW64\czyafji.exeC:\Windows\system32\czyafji.exe 1600 "C:\Windows\SysWOW64\pehcznj.exe"228⤵
- Identifies Wine through registry keys
-
C:\Windows\SysWOW64\pqtuwrg.exeC:\Windows\system32\pqtuwrg.exe 1604 "C:\Windows\SysWOW64\czyafji.exe"229⤵
-
C:\Windows\SysWOW64\zeusmyt.exeC:\Windows\system32\zeusmyt.exe 1612 "C:\Windows\SysWOW64\pqtuwrg.exe"230⤵
-
C:\Windows\SysWOW64\mrlhsus.exeC:\Windows\system32\mrlhsus.exe 1516 "C:\Windows\SysWOW64\zeusmyt.exe"231⤵
-
C:\Windows\SysWOW64\zhgkacx.exeC:\Windows\system32\zhgkacx.exe 1620 "C:\Windows\SysWOW64\mrlhsus.exe"232⤵
-
C:\Windows\SysWOW64\ivhhykk.exeC:\Windows\system32\ivhhykk.exe 1616 "C:\Windows\SysWOW64\zhgkacx.exe"233⤵
-
C:\Windows\SysWOW64\vmbkhsq.exeC:\Windows\system32\vmbkhsq.exe 1624 "C:\Windows\SysWOW64\ivhhykk.exe"234⤵
- Identifies Wine through registry keys
-
C:\Windows\SysWOW64\ikenpsn.exeC:\Windows\system32\ikenpsn.exe 1628 "C:\Windows\SysWOW64\vmbkhsq.exe"235⤵
- Identifies Wine through registry keys
-
C:\Windows\SysWOW64\vbzpyat.exeC:\Windows\system32\vbzpyat.exe 1636 "C:\Windows\SysWOW64\ikenpsn.exe"236⤵
-
C:\Windows\SysWOW64\izushjz.exeC:\Windows\system32\izushjz.exe 1632 "C:\Windows\SysWOW64\vbzpyat.exe"237⤵
-
C:\Windows\SysWOW64\sfuixim.exeC:\Windows\system32\sfuixim.exe 1644 "C:\Windows\SysWOW64\izushjz.exe"238⤵
-
C:\Windows\SysWOW64\fepkfqj.exeC:\Windows\system32\fepkfqj.exe 1640 "C:\Windows\SysWOW64\sfuixim.exe"239⤵
-
C:\Windows\SysWOW64\susnwyp.exeC:\Windows\system32\susnwyp.exe 1652 "C:\Windows\SysWOW64\fepkfqj.exe"240⤵
-
C:\Windows\SysWOW64\ftnqezu.exeC:\Windows\system32\ftnqezu.exe 1648 "C:\Windows\SysWOW64\susnwyp.exe"241⤵