Analysis
- max time kernel: 150s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 20-06-2024 10:41
- Static task: static1
- Behavioral task: behavioral1 (Sample: 053cecb41b7f26f18803ce2c4ccc31ae_JaffaCakes118.exe, Resource: win7-20240611-en)
- Behavioral task: behavioral2 (Sample: 053cecb41b7f26f18803ce2c4ccc31ae_JaffaCakes118.exe, Resource: win10v2004-20240611-en)
General
- Target: 053cecb41b7f26f18803ce2c4ccc31ae_JaffaCakes118.exe
- Size: 525KB
- MD5: 053cecb41b7f26f18803ce2c4ccc31ae
- SHA1: bb8d67a6011626bd89859fa4a1ea7f82ad8bc983
- SHA256: 3724498636d6faa08ce64a2e9e3cc91ffdc3fd3238715b6a95d2bd65d08e17d4
- SHA512: d4b3689ca0c23f4d8a66cc26c4f8eab53eb8f4d371574e4e22fb68e9c735addfcc161b79282311eb7df1e7421f74596411c7775e8ccb8ab23684fc5767c6a525
- SSDEEP: 12288:wfEjYwprWJQnrCJy98ZmVyB3/lshbE7ok0VaxXcQW81VQK6I9t:wfJEaSrCFcAZtiI0vYxXcNCQk
Malware Config
- Extracted: metasploit, encoder/call4_dword_xor
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Executes dropped EXE (64 IoCs)
- Identifies Wine through registry keys (2 TTPs, 64 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Loads dropped DLL (64 IoCs)
- Drops file in System32 directory (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes (the number in brackets is the depth in the process tree; each entry gives the image path, the command line, and the signatures that fired for that process)
- [1] C:\Users\Admin\AppData\Local\Temp\053cecb41b7f26f18803ce2c4ccc31ae_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\053cecb41b7f26f18803ce2c4ccc31ae_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [2] C:\Windows\SysWOW64\qmxks.exe
  Command line: C:\Windows\system32\qmxks.exe 644 "C:\Users\Admin\AppData\Local\Temp\053cecb41b7f26f18803ce2c4ccc31ae_JaffaCakes118.exe"
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- [3] C:\Windows\SysWOW64\uvdpi.exe
  Command line: C:\Windows\system32\uvdpi.exe 612 "C:\Windows\SysWOW64\qmxks.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [4] C:\Windows\SysWOW64\wjgsd.exe
  Command line: C:\Windows\system32\wjgsd.exe 620 "C:\Windows\SysWOW64\uvdpi.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [5] C:\Windows\SysWOW64\omudf.exe
  Command line: C:\Windows\system32\omudf.exe 624 "C:\Windows\SysWOW64\wjgsd.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- [6] C:\Windows\SysWOW64\lkbdg.exe
  Command line: C:\Windows\system32\lkbdg.exe 628 "C:\Windows\SysWOW64\omudf.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [7] C:\Windows\SysWOW64\yawfo.exe
  Command line: C:\Windows\system32\yawfo.exe 712 "C:\Windows\SysWOW64\lkbdg.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [8] C:\Windows\SysWOW64\lccva.exe
  Command line: C:\Windows\system32\lccva.exe 720 "C:\Windows\SysWOW64\yawfo.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [9] C:\Windows\SysWOW64\skpnm.exe
  Command line: C:\Windows\system32\skpnm.exe 724 "C:\Windows\SysWOW64\lccva.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [10] C:\Windows\SysWOW64\aozae.exe
  Command line: C:\Windows\system32\aozae.exe 708 "C:\Windows\SysWOW64\skpnm.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [11] C:\Windows\SysWOW64\krplr.exe
  Command line: C:\Windows\system32\krplr.exe 716 "C:\Windows\SysWOW64\aozae.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- [12] C:\Windows\SysWOW64\uybij.exe
  Command line: C:\Windows\system32\uybij.exe 732 "C:\Windows\SysWOW64\krplr.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [13] C:\Windows\SysWOW64\zlkyp.exe
  Command line: C:\Windows\system32\zlkyp.exe 736 "C:\Windows\SysWOW64\uybij.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [14] C:\Windows\SysWOW64\bjynn.exe
  Command line: C:\Windows\system32\bjynn.exe 664 "C:\Windows\SysWOW64\zlkyp.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [15] C:\Windows\SysWOW64\jgjbw.exe
  Command line: C:\Windows\system32\jgjbw.exe 616 "C:\Windows\SysWOW64\bjynn.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [16] C:\Windows\SysWOW64\veddf.exe
  Command line: C:\Windows\system32\veddf.exe 632 "C:\Windows\SysWOW64\jgjbw.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [17] C:\Windows\SysWOW64\gdqbx.exe
  Command line: C:\Windows\system32\gdqbx.exe 748 "C:\Windows\SysWOW64\veddf.exe"
  - Executes dropped EXE
  - Loads dropped DLL
- [18] C:\Windows\SysWOW64\poflk.exe
  Command line: C:\Windows\system32\poflk.exe 760 "C:\Windows\SysWOW64\gdqbx.exe"
  - Executes dropped EXE
  - Loads dropped DLL
- [19] C:\Windows\SysWOW64\fwqlr.exe
  Command line: C:\Windows\system32\fwqlr.exe 752 "C:\Windows\SysWOW64\poflk.exe"
  - Executes dropped EXE
  - Loads dropped DLL
- [20] C:\Windows\SysWOW64\sywbd.exe
  Command line: C:\Windows\system32\sywbd.exe 764 "C:\Windows\SysWOW64\fwqlr.exe"
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
- [21] C:\Windows\SysWOW64\fordl.exe
  Command line: C:\Windows\system32\fordl.exe 768 "C:\Windows\SysWOW64\sywbd.exe"
  - Executes dropped EXE
  - Loads dropped DLL
- [22] C:\Windows\SysWOW64\snugu.exe
  Command line: C:\Windows\system32\snugu.exe 772 "C:\Windows\SysWOW64\fordl.exe"
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
- [23] C:\Windows\SysWOW64\fdpjd.exe
  Command line: C:\Windows\system32\fdpjd.exe 756 "C:\Windows\SysWOW64\snugu.exe"
  - Executes dropped EXE
  - Loads dropped DLL
- [24] C:\Windows\SysWOW64\ooety.exe
  Command line: C:\Windows\system32\ooety.exe 780 "C:\Windows\SysWOW64\fdpjd.exe"
  - Executes dropped EXE
  - Loads dropped DLL
- [25] C:\Windows\SysWOW64\bikjj.exe
  Command line: C:\Windows\system32\bikjj.exe 776 "C:\Windows\SysWOW64\ooety.exe"
  - Executes dropped EXE
  - Loads dropped DLL
- [26] C:\Windows\SysWOW64\ovczp.exe
  Command line: C:\Windows\system32\ovczp.exe 792 "C:\Windows\SysWOW64\bikjj.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
- [27] C:\Windows\SysWOW64\bxiga.exe
  Command line: C:\Windows\system32\bxiga.exe 788 "C:\Windows\SysWOW64\ovczp.exe"
  - Executes dropped EXE
  - Loads dropped DLL
- [28] C:\Windows\SysWOW64\lwmml.exe
  Command line: C:\Windows\system32\lwmml.exe 800 "C:\Windows\SysWOW64\bxiga.exe"
  - Executes dropped EXE
  - Loads dropped DLL
- [29] C:\Windows\SysWOW64\yupgb.exe
  Command line: C:\Windows\system32\yupgb.exe 784 "C:\Windows\SysWOW64\lwmml.exe"
  - Executes dropped EXE
  - Loads dropped DLL
- [30] C:\Windows\SysWOW64\ibper.exe
  Command line: C:\Windows\system32\ibper.exe 808 "C:\Windows\SysWOW64\yupgb.exe"
  - Executes dropped EXE
  - Loads dropped DLL
- [31] C:\Windows\SysWOW64\ynqzv.exe
  Command line: C:\Windows\system32\ynqzv.exe 804 "C:\Windows\SysWOW64\ibper.exe"
  - Executes dropped EXE
  - Loads dropped DLL
- [32] C:\Windows\SysWOW64\imcwg.exe
  Command line: C:\Windows\system32\imcwg.exe 816 "C:\Windows\SysWOW64\ynqzv.exe"
  - Executes dropped EXE
  - Loads dropped DLL
- [33] C:\Windows\SysWOW64\uoimr.exe
  Command line: C:\Windows\system32\uoimr.exe 796 "C:\Windows\SysWOW64\imcwg.exe"
  - Executes dropped EXE
- [34] C:\Windows\SysWOW64\erxwm.exe
  Command line: C:\Windows\system32\erxwm.exe 820 "C:\Windows\SysWOW64\uoimr.exe"
  - Executes dropped EXE
- [35] C:\Windows\SysWOW64\rtdey.exe
  Command line: C:\Windows\system32\rtdey.exe 812 "C:\Windows\SysWOW64\erxwm.exe"
  - Executes dropped EXE
- [36] C:\Windows\SysWOW64\boewf.exe
  Command line: C:\Windows\system32\boewf.exe 828 "C:\Windows\SysWOW64\rtdey.exe"
  - Executes dropped EXE
- [37] C:\Windows\SysWOW64\oqkmr.exe
  Command line: C:\Windows\system32\oqkmr.exe 832 "C:\Windows\SysWOW64\boewf.exe"
  - Executes dropped EXE
- [38] C:\Windows\SysWOW64\ymdwg.exe
  Command line: C:\Windows\system32\ymdwg.exe 836 "C:\Windows\SysWOW64\oqkmr.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
- [39] C:\Windows\SysWOW64\lgjms.exe
  Command line: C:\Windows\system32\lgjms.exe 840 "C:\Windows\SysWOW64\ymdwg.exe"
  - Executes dropped EXE
- [40] C:\Windows\SysWOW64\vfvkc.exe
  Command line: C:\Windows\system32\vfvkc.exe 844 "C:\Windows\SysWOW64\lgjms.exe"
  - Executes dropped EXE
- [41] C:\Windows\SysWOW64\fpluq.exe
  Command line: C:\Windows\system32\fpluq.exe 848 "C:\Windows\SysWOW64\vfvkc.exe"
  - Executes dropped EXE
- [42] C:\Windows\SysWOW64\plmef.exe
  Command line: C:\Windows\system32\plmef.exe 864 "C:\Windows\SysWOW64\fpluq.exe"
  - Executes dropped EXE
- [43] C:\Windows\SysWOW64\cnsur.exe
  Command line: C:\Windows\system32\cnsur.exe 852 "C:\Windows\SysWOW64\plmef.exe"
  - Executes dropped EXE
- [44] C:\Windows\SysWOW64\pabkw.exe
  Command line: C:\Windows\system32\pabkw.exe 860 "C:\Windows\SysWOW64\cnsur.exe"
  - Executes dropped EXE
  - Identifies Wine through registry keys
- [45] C:\Windows\SysWOW64\cuhzi.exe
  Command line: C:\Windows\system32\cuhzi.exe 868 "C:\Windows\SysWOW64\pabkw.exe"
  - Executes dropped EXE
- [46] C:\Windows\SysWOW64\mffkv.exe
  Command line: C:\Windows\system32\mffkv.exe 872 "C:\Windows\SysWOW64\cuhzi.exe"
  - Executes dropped EXE
- [47] C:\Windows\SysWOW64\zhlro.exe
  Command line: C:\Windows\system32\zhlro.exe 824 "C:\Windows\SysWOW64\mffkv.exe"
  - Executes dropped EXE
- [48] C:\Windows\SysWOW64\muuhu.exe
  Command line: C:\Windows\system32\muuhu.exe 856 "C:\Windows\SysWOW64\zhlro.exe"
  - Executes dropped EXE
- [49] C:\Windows\SysWOW64\zkxkd.exe
  Command line: C:\Windows\system32\zkxkd.exe 880 "C:\Windows\SysWOW64\muuhu.exe"
  - Executes dropped EXE
- [50] C:\Windows\SysWOW64\jvmuq.exe
  Command line: C:\Windows\system32\jvmuq.exe 888 "C:\Windows\SysWOW64\zkxkd.exe"
  - Executes dropped EXE
- [51] C:\Windows\SysWOW64\sxcfd.exe
  Command line: C:\Windows\system32\sxcfd.exe 884 "C:\Windows\SysWOW64\jvmuq.exe"
  - Executes dropped EXE
- [52] C:\Windows\SysWOW64\fwxhu.exe
  Command line: C:\Windows\system32\fwxhu.exe 892 "C:\Windows\SysWOW64\sxcfd.exe"
  - Executes dropped EXE
- [53] C:\Windows\SysWOW64\sqdxf.exe
  Command line: C:\Windows\system32\sqdxf.exe 876 "C:\Windows\SysWOW64\fwxhu.exe"
  - Executes dropped EXE
- [54] C:\Windows\SysWOW64\fdunl.exe
  Command line: C:\Windows\system32\fdunl.exe 912 "C:\Windows\SysWOW64\sqdxf.exe"
  - Executes dropped EXE
- [55] C:\Windows\SysWOW64\sbppu.exe
  Command line: C:\Windows\system32\sbppu.exe 900 "C:\Windows\SysWOW64\fdunl.exe"
  - Executes dropped EXE
- [56] C:\Windows\SysWOW64\cabne.exe
  Command line: C:\Windows\system32\cabne.exe 904 "C:\Windows\SysWOW64\sbppu.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
- [57] C:\Windows\SysWOW64\pchcq.exe
  Command line: C:\Windows\system32\pchcq.exe 908 "C:\Windows\SysWOW64\cabne.exe"
  - Executes dropped EXE
- [58] C:\Windows\SysWOW64\wkvvk.exe
  Command line: C:\Windows\system32\wkvvk.exe 920 "C:\Windows\SysWOW64\pchcq.exe"
  - Executes dropped EXE
- [59] C:\Windows\SysWOW64\jebkv.exe
  Command line: C:\Windows\system32\jebkv.exe 916 "C:\Windows\SysWOW64\wkvvk.exe"
  - Executes dropped EXE
- [60] C:\Windows\SysWOW64\llnig.exe
  Command line: C:\Windows\system32\llnig.exe 928 "C:\Windows\SysWOW64\jebkv.exe"
  - Executes dropped EXE
- [61] C:\Windows\SysWOW64\yftxz.exe
  Command line: C:\Windows\system32\yftxz.exe 924 "C:\Windows\SysWOW64\llnig.exe"
  - Executes dropped EXE
- [62] C:\Windows\SysWOW64\imxvj.exe
  Command line: C:\Windows\system32\imxvj.exe 936 "C:\Windows\SysWOW64\yftxz.exe"
  - Executes dropped EXE
  - Identifies Wine through registry keys
- [63] C:\Windows\SysWOW64\yrfqn.exe
  Command line: C:\Windows\system32\yrfqn.exe 896 "C:\Windows\SysWOW64\imxvj.exe"
  - Executes dropped EXE
- [64] C:\Windows\SysWOW64\itvab.exe
  Command line: C:\Windows\system32\itvab.exe 944 "C:\Windows\SysWOW64\yrfqn.exe"
  - Executes dropped EXE
- [65] C:\Windows\SysWOW64\uvbim.exe
  Command line: C:\Windows\system32\uvbim.exe 932 "C:\Windows\SysWOW64\itvab.exe"
  - Executes dropped EXE
- [66] C:\Windows\SysWOW64\iikys.exe
  Command line: C:\Windows\system32\iikys.exe 960 "C:\Windows\SysWOW64\uvbim.exe"
- [67] C:\Windows\SysWOW64\ukqnd.exe
  Command line: C:\Windows\system32\ukqnd.exe 948 "C:\Windows\SysWOW64\iikys.exe"
- [68] C:\Windows\SysWOW64\enoyy.exe
  Command line: C:\Windows\system32\enoyy.exe 952 "C:\Windows\SysWOW64\ukqnd.exe"
- [69] C:\Windows\SysWOW64\rpunk.exe
  Command line: C:\Windows\system32\rpunk.exe 956 "C:\Windows\SysWOW64\enoyy.exe"
- [70] C:\Windows\SysWOW64\efpqs.exe
  Command line: C:\Windows\system32\efpqs.exe 968 "C:\Windows\SysWOW64\rpunk.exe"
- [71] C:\Windows\SysWOW64\rejtb.exe
  Command line: C:\Windows\system32\rejtb.exe 964 "C:\Windows\SysWOW64\efpqs.exe"
- [72] C:\Windows\SysWOW64\dumvk.exe
  Command line: C:\Windows\system32\dumvk.exe 976 "C:\Windows\SysWOW64\rejtb.exe"
  - Identifies Wine through registry keys
  - Drops file in System32 directory
- [73] C:\Windows\SysWOW64\qthqs.exe
  Command line: C:\Windows\system32\qthqs.exe 972 "C:\Windows\SysWOW64\dumvk.exe"
- [74] C:\Windows\SysWOW64\avwao.exe
  Command line: C:\Windows\system32\avwao.exe 988 "C:\Windows\SysWOW64\qthqs.exe"
- [75] C:\Windows\SysWOW64\nxcqz.exe
  Command line: C:\Windows\system32\nxcqz.exe 980 "C:\Windows\SysWOW64\avwao.exe"
  - Drops file in System32 directory
- [76] C:\Windows\SysWOW64\aofti.exe
  Command line: C:\Windows\system32\aofti.exe 992 "C:\Windows\SysWOW64\nxcqz.exe"
- [77] C:\Windows\SysWOW64\nmavq.exe
  Command line: C:\Windows\system32\nmavq.exe 984 "C:\Windows\SysWOW64\aofti.exe"
- [78] C:\Windows\SysWOW64\advyz.exe
  Command line: C:\Windows\system32\advyz.exe 1008 "C:\Windows\SysWOW64\nmavq.exe"
- [79] C:\Windows\SysWOW64\jrvox.exe
  Command line: C:\Windows\system32\jrvox.exe 996 "C:\Windows\SysWOW64\advyz.exe"
  - Drops file in System32 directory
- [80] C:\Windows\SysWOW64\whqqf.exe
  Command line: C:\Windows\system32\whqqf.exe 1000 "C:\Windows\SysWOW64\jrvox.exe"
- [81] C:\Windows\SysWOW64\jgtto.exe
  Command line: C:\Windows\system32\jgtto.exe 1004 "C:\Windows\SysWOW64\whqqf.exe"
- [82] C:\Windows\SysWOW64\wwowx.exe
  Command line: C:\Windows\system32\wwowx.exe 1016 "C:\Windows\SysWOW64\jgtto.exe"
- [83] C:\Windows\SysWOW64\ghdgk.exe
  Command line: C:\Windows\system32\ghdgk.exe 1012 "C:\Windows\SysWOW64\wwowx.exe"
- [84] C:\Windows\SysWOW64\tygjs.exe
  Command line: C:\Windows\system32\tygjs.exe 1020 "C:\Windows\SysWOW64\ghdgk.exe"
- [85] C:\Windows\SysWOW64\goblb.exe
  Command line: C:\Windows\system32\goblb.exe 1028 "C:\Windows\SysWOW64\tygjs.exe"
  - Drops file in System32 directory
- [86] C:\Windows\SysWOW64\qvfjt.exe
  Command line: C:\Windows\system32\qvfjt.exe 1032 "C:\Windows\SysWOW64\goblb.exe"
- [87] C:\Windows\SysWOW64\dmilc.exe
  Command line: C:\Windows\system32\dmilc.exe 1036 "C:\Windows\SysWOW64\qvfjt.exe"
- [88] C:\Windows\SysWOW64\nwxwp.exe
  Command line: C:\Windows\system32\nwxwp.exe 1052 "C:\Windows\SysWOW64\dmilc.exe"
- [89] C:\Windows\SysWOW64\anszy.exe
  Command line: C:\Windows\system32\anszy.exe 940 "C:\Windows\SysWOW64\nwxwp.exe"
- [90] C:\Windows\SysWOW64\mpyor.exe
  Command line: C:\Windows\system32\mpyor.exe 1060 "C:\Windows\SysWOW64\anszy.exe"
- [91] C:\Windows\SysWOW64\wokmc.exe
  Command line: C:\Windows\system32\wokmc.exe 1044 "C:\Windows\SysWOW64\mpyor.exe"
  - Drops file in System32 directory
- [92] C:\Windows\SysWOW64\jefok.exe
  Command line: C:\Windows\system32\jefok.exe 1056 "C:\Windows\SysWOW64\wokmc.exe"
- [93] C:\Windows\SysWOW64\wdart.exe
  Command line: C:\Windows\system32\wdart.exe 1048 "C:\Windows\SysWOW64\jefok.exe"
  - Identifies Wine through registry keys
  - Drops file in System32 directory
- [94] C:\Windows\SysWOW64\gjagj.exe
  Command line: C:\Windows\system32\gjagj.exe 1068 "C:\Windows\SysWOW64\wdart.exe"
- [95] C:\Windows\SysWOW64\thvja.exe
  Command line: C:\Windows\system32\thvja.exe 1064 "C:\Windows\SysWOW64\gjagj.exe"
- [96] C:\Windows\SysWOW64\gyymi.exe
  Command line: C:\Windows\system32\gyymi.exe 1076 "C:\Windows\SysWOW64\thvja.exe"
- [97] C:\Windows\SysWOW64\twtor.exe
  Command line: C:\Windows\system32\twtor.exe 1080 "C:\Windows\SysWOW64\gyymi.exe"
- [98] C:\Windows\SysWOW64\gnorz.exe
  Command line: C:\Windows\system32\gnorz.exe 1072 "C:\Windows\SysWOW64\twtor.exe"
- [99] C:\Windows\SysWOW64\pboop.exe
  Command line: C:\Windows\system32\pboop.exe 1084 "C:\Windows\SysWOW64\gnorz.exe"
- [100] C:\Windows\SysWOW64\crrry.exe
  Command line: C:\Windows\system32\crrry.exe 1088 "C:\Windows\SysWOW64\pboop.exe"
- [101] C:\Windows\SysWOW64\pqmup.exe
  Command line: C:\Windows\system32\pqmup.exe 1092 "C:\Windows\SysWOW64\crrry.exe"
- [102] C:\Windows\SysWOW64\cddku.exe
  Command line: C:\Windows\system32\cddku.exe 1096 "C:\Windows\SysWOW64\pqmup.exe"
  - Identifies Wine through registry keys
- [103] C:\Windows\SysWOW64\pxkrg.exe
  Command line: C:\Windows\system32\pxkrg.exe 1100 "C:\Windows\SysWOW64\cddku.exe"
  - Identifies Wine through registry keys
- [104] C:\Windows\SysWOW64\cveuo.exe
  Command line: C:\Windows\system32\cveuo.exe 1104 "C:\Windows\SysWOW64\pxkrg.exe"
- [105] C:\Windows\SysWOW64\lkfrf.exe
  Command line: C:\Windows\system32\lkfrf.exe 1108 "C:\Windows\SysWOW64\cveuo.exe"
- Identifies Wine through registry keys
- Drops file in System32 directory
-
C:\Windows\SysWOW64\yaaun.exeC:\Windows\system32\yaaun.exe 1112 "C:\Windows\SysWOW64\lkfrf.exe"106⤵
-
C:\Windows\SysWOW64\lrdxw.exeC:\Windows\system32\lrdxw.exe 1116 "C:\Windows\SysWOW64\yaaun.exe"107⤵
-
C:\Windows\SysWOW64\ypxzm.exeC:\Windows\system32\ypxzm.exe 1120 "C:\Windows\SysWOW64\lrdxw.exe"108⤵
-
C:\Windows\SysWOW64\dgscv.exeC:\Windows\system32\dgscv.exe 1124 "C:\Windows\SysWOW64\ypxzm.exe"109⤵
-
C:\Windows\SysWOW64\nfezf.exeC:\Windows\system32\nfezf.exe 1128 "C:\Windows\SysWOW64\dgscv.exe"110⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\xtfpv.exeC:\Windows\system32\xtfpv.exe 1132 "C:\Windows\SysWOW64\nfezf.exe"111⤵
-
C:\Windows\SysWOW64\hsjuo.exeC:\Windows\system32\hsjuo.exe 1140 "C:\Windows\SysWOW64\xtfpv.exe"112⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\unbku.exeC:\Windows\system32\unbku.exe 1136 "C:\Windows\SysWOW64\hsjuo.exe"113⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\hdvnc.exeC:\Windows\system32\hdvnc.exe 1148 "C:\Windows\SysWOW64\unbku.exe"114⤵
-
C:\Windows\SysWOW64\rolxp.exeC:\Windows\system32\rolxp.exe 1156 "C:\Windows\SysWOW64\hdvnc.exe"115⤵
-
C:\Windows\SysWOW64\brahl.exeC:\Windows\system32\brahl.exe 1152 "C:\Windows\SysWOW64\rolxp.exe"116⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\ohdct.exeC:\Windows\system32\ohdct.exe 1144 "C:\Windows\SysWOW64\brahl.exe"117⤵
-
C:\Windows\SysWOW64\yohie.exeC:\Windows\system32\yohie.exe 1164 "C:\Windows\SysWOW64\ohdct.exe"118⤵
-
C:\Windows\SysWOW64\linpp.exeC:\Windows\system32\linpp.exe 1160 "C:\Windows\SysWOW64\yohie.exe"119⤵
-
C:\Windows\SysWOW64\yhisy.exeC:\Windows\system32\yhisy.exe 1172 "C:\Windows\SysWOW64\linpp.exe"120⤵
-
C:\Windows\SysWOW64\kxlvg.exeC:\Windows\system32\kxlvg.exe 1176 "C:\Windows\SysWOW64\yhisy.exe"121⤵
-
C:\Windows\SysWOW64\xwgxx.exeC:\Windows\system32\xwgxx.exe 1168 "C:\Windows\SysWOW64\kxlvg.exe"122⤵
-
C:\Windows\SysWOW64\kmaag.exeC:\Windows\system32\kmaag.exe 1180 "C:\Windows\SysWOW64\xwgxx.exe"123⤵
-
C:\Windows\SysWOW64\uabxw.exeC:\Windows\system32\uabxw.exe 1040 "C:\Windows\SysWOW64\kmaag.exe"124⤵
-
C:\Windows\SysWOW64\hreae.exeC:\Windows\system32\hreae.exe 1188 "C:\Windows\SysWOW64\uabxw.exe"125⤵
-
C:\Windows\SysWOW64\upzdn.exeC:\Windows\system32\upzdn.exe 1196 "C:\Windows\SysWOW64\hreae.exe"126⤵
-
C:\Windows\SysWOW64\hgtxv.exeC:\Windows\system32\hgtxv.exe 1192 "C:\Windows\SysWOW64\upzdn.exe"127⤵
-
C:\Windows\SysWOW64\rijir.exeC:\Windows\system32\rijir.exe 1200 "C:\Windows\SysWOW64\hgtxv.exe"128⤵
-
C:\Windows\SysWOW64\dkpxc.exeC:\Windows\system32\dkpxc.exe 1204 "C:\Windows\SysWOW64\rijir.exe"129⤵
-
C:\Windows\SysWOW64\njbvm.exeC:\Windows\system32\njbvm.exe 1212 "C:\Windows\SysWOW64\dkpxc.exe"130⤵
-
C:\Windows\SysWOW64\dwbqq.exeC:\Windows\system32\dwbqq.exe 1208 "C:\Windows\SysWOW64\njbvm.exe"131⤵
-
C:\Windows\SysWOW64\nyrae.exeC:\Windows\system32\nyrae.exe 1224 "C:\Windows\SysWOW64\dwbqq.exe"132⤵
- Identifies Wine through registry keys
-
C:\Windows\SysWOW64\xjolz.exeC:\Windows\system32\xjolz.exe 1184 "C:\Windows\SysWOW64\nyrae.exe"133⤵
-
C:\Windows\SysWOW64\kzjnh.exeC:\Windows\system32\kzjnh.exe 1220 "C:\Windows\SysWOW64\xjolz.exe"134⤵
-
C:\Windows\SysWOW64\xyeqq.exeC:\Windows\system32\xyeqq.exe 1228 "C:\Windows\SysWOW64\kzjnh.exe"135⤵
-
C:\Windows\SysWOW64\hbtad.exeC:\Windows\system32\hbtad.exe 1236 "C:\Windows\SysWOW64\xyeqq.exe"136⤵
-
C:\Windows\SysWOW64\urwdm.exeC:\Windows\system32\urwdm.exe 1232 "C:\Windows\SysWOW64\hbtad.exe"137⤵
-
C:\Windows\SysWOW64\hmfta.exeC:\Windows\system32\hmfta.exe 1252 "C:\Windows\SysWOW64\urwdm.exe"138⤵
-
C:\Windows\SysWOW64\rsgqq.exeC:\Windows\system32\rsgqq.exe 1240 "C:\Windows\SysWOW64\hmfta.exe"139⤵
-
C:\Windows\SysWOW64\drjly.exeC:\Windows\system32\drjly.exe 1244 "C:\Windows\SysWOW64\rsgqq.exe"140⤵
-
C:\Windows\SysWOW64\resje.exeC:\Windows\system32\resje.exe 1248 "C:\Windows\SysWOW64\drjly.exe"141⤵
-
C:\Windows\SysWOW64\agitr.exeC:\Windows\system32\agitr.exe 1256 "C:\Windows\SysWOW64\resje.exe"142⤵
-
C:\Windows\SysWOW64\nfloi.exeC:\Windows\system32\nfloi.exe 1264 "C:\Windows\SysWOW64\agitr.exe"143⤵
-
C:\Windows\SysWOW64\avfqr.exeC:\Windows\system32\avfqr.exe 1260 "C:\Windows\SysWOW64\nfloi.exe"144⤵
-
C:\Windows\SysWOW64\kjgoh.exeC:\Windows\system32\kjgoh.exe 1268 "C:\Windows\SysWOW64\avfqr.exe"145⤵
-
C:\Windows\SysWOW64\xabqp.exeC:\Windows\system32\xabqp.exe 1272 "C:\Windows\SysWOW64\kjgoh.exe"146⤵
-
C:\Windows\SysWOW64\kyety.exeC:\Windows\system32\kyety.exe 1276 "C:\Windows\SysWOW64\xabqp.exe"147⤵
-
C:\Windows\SysWOW64\xpywg.exeC:\Windows\system32\xpywg.exe 1280 "C:\Windows\SysWOW64\kyety.exe"148⤵
-
C:\Windows\SysWOW64\kntzx.exeC:\Windows\system32\kntzx.exe 1284 "C:\Windows\SysWOW64\xpywg.exe"149⤵
-
C:\Windows\SysWOW64\ttuon.exeC:\Windows\system32\ttuon.exe 1288 "C:\Windows\SysWOW64\kntzx.exe"150⤵
-
C:\Windows\SysWOW64\golmt.exeC:\Windows\system32\golmt.exe 1292 "C:\Windows\SysWOW64\ttuon.exe"151⤵
-
C:\Windows\SysWOW64\tfgob.exeC:\Windows\system32\tfgob.exe 744 "C:\Windows\SysWOW64\golmt.exe"152⤵
-
C:\Windows\SysWOW64\dther.exeC:\Windows\system32\dther.exe 1300 "C:\Windows\SysWOW64\tfgob.exe"153⤵
-
C:\Windows\SysWOW64\qgqtf.exeC:\Windows\system32\qgqtf.exe 1308 "C:\Windows\SysWOW64\dther.exe"154⤵
-
C:\Windows\SysWOW64\diejr.exeC:\Windows\system32\diejr.exe 1296 "C:\Windows\SysWOW64\qgqtf.exe"155⤵
- Identifies Wine through registry keys
-
C:\Windows\SysWOW64\qyzmz.exeC:\Windows\system32\qyzmz.exe 1324 "C:\Windows\SysWOW64\diejr.exe"156⤵
-
C:\Windows\SysWOW64\vpuoi.exeC:\Windows\system32\vpuoi.exe 1312 "C:\Windows\SysWOW64\qyzmz.exe"157⤵
-
C:\Windows\SysWOW64\edvmy.exeC:\Windows\system32\edvmy.exe 1320 "C:\Windows\SysWOW64\vpuoi.exe"158⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\ruqgh.exeC:\Windows\system32\ruqgh.exe 1316 "C:\Windows\SysWOW64\edvmy.exe"159⤵
-
C:\Windows\SysWOW64\ephem.exeC:\Windows\system32\ephem.exe 1328 "C:\Windows\SysWOW64\ruqgh.exe"160⤵
-
C:\Windows\SysWOW64\oviuk.exeC:\Windows\system32\oviuk.exe 1332 "C:\Windows\SysWOW64\ephem.exe"161⤵
-
C:\Windows\SysWOW64\bqzjq.exeC:\Windows\system32\bqzjq.exe 1304 "C:\Windows\SysWOW64\oviuk.exe"162⤵
-
C:\Windows\SysWOW64\okfzc.exeC:\Windows\system32\okfzc.exe 1340 "C:\Windows\SysWOW64\bqzjq.exe"163⤵
- Identifies Wine through registry keys
-
C:\Windows\SysWOW64\yjjwm.exeC:\Windows\system32\yjjwm.exe 1348 "C:\Windows\SysWOW64\okfzc.exe"164⤵
-
C:\Windows\SysWOW64\lhezd.exeC:\Windows\system32\lhezd.exe 1344 "C:\Windows\SysWOW64\yjjwm.exe"165⤵
-
C:\Windows\SysWOW64\yyhcl.exeC:\Windows\system32\yyhcl.exe 1352 "C:\Windows\SysWOW64\lhezd.exe"166⤵
-
C:\Windows\SysWOW64\hmizb.exeC:\Windows\system32\hmizb.exe 1356 "C:\Windows\SysWOW64\yyhcl.exe"167⤵
-
C:\Windows\SysWOW64\ucdck.exeC:\Windows\system32\ucdck.exe 1360 "C:\Windows\SysWOW64\hmizb.exe"168⤵
-
C:\Windows\SysWOW64\hbxes.exeC:\Windows\system32\hbxes.exe 1336 "C:\Windows\SysWOW64\ucdck.exe"169⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\urahb.exeC:\Windows\system32\urahb.exe 1368 "C:\Windows\SysWOW64\hbxes.exe"170⤵
- Identifies Wine through registry keys
-
C:\Windows\SysWOW64\hqvkk.exeC:\Windows\system32\hqvkk.exe 1364 "C:\Windows\SysWOW64\urahb.exe"171⤵
-
C:\Windows\SysWOW64\rwwzi.exeC:\Windows\system32\rwwzi.exe 1380 "C:\Windows\SysWOW64\hqvkk.exe"172⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\euqcq.exeC:\Windows\system32\euqcq.exe 1376 "C:\Windows\SysWOW64\rwwzi.exe"173⤵
-
C:\Windows\SysWOW64\rllfz.exeC:\Windows\system32\rllfz.exe 1384 "C:\Windows\SysWOW64\euqcq.exe"174⤵
- Identifies Wine through registry keys
-
C:\Windows\SysWOW64\avjpm.exeC:\Windows\system32\avjpm.exe 1392 "C:\Windows\SysWOW64\rllfz.exe"175⤵
-
C:\Windows\SysWOW64\nmdsd.exeC:\Windows\system32\nmdsd.exe 1388 "C:\Windows\SysWOW64\avjpm.exe"176⤵
-
C:\Windows\SysWOW64\ylipn.exeC:\Windows\system32\ylipn.exe 1396 "C:\Windows\SysWOW64\nmdsd.exe"177⤵
-
C:\Windows\SysWOW64\lgzft.exeC:\Windows\system32\lgzft.exe 1400 "C:\Windows\SysWOW64\ylipn.exe"178⤵
-
C:\Windows\SysWOW64\umacj.exeC:\Windows\system32\umacj.exe 1404 "C:\Windows\SysWOW64\lgzft.exe"179⤵
-
C:\Windows\SysWOW64\hlufs.exeC:\Windows\system32\hlufs.exe 1412 "C:\Windows\SysWOW64\umacj.exe"180⤵
-
C:\Windows\SysWOW64\uymvf.exeC:\Windows\system32\uymvf.exe 1408 "C:\Windows\SysWOW64\hlufs.exe"181⤵
-
C:\Windows\SysWOW64\eabft.exeC:\Windows\system32\eabft.exe 1420 "C:\Windows\SysWOW64\uymvf.exe"182⤵
-
C:\Windows\SysWOW64\rzwib.exeC:\Windows\system32\rzwib.exe 1416 "C:\Windows\SysWOW64\eabft.exe"183⤵
-
C:\Windows\SysWOW64\byifm.exeC:\Windows\system32\byifm.exe 1436 "C:\Windows\SysWOW64\rzwib.exe"184⤵
-
C:\Windows\SysWOW64\oaovx.exeC:\Windows\system32\oaovx.exe 1372 "C:\Windows\SysWOW64\byifm.exe"185⤵
-
C:\Windows\SysWOW64\bqjxo.exeC:\Windows\system32\bqjxo.exe 1428 "C:\Windows\SysWOW64\oaovx.exe"186⤵
-
C:\Windows\SysWOW64\lbzab.exeC:\Windows\system32\lbzab.exe 1432 "C:\Windows\SysWOW64\bqjxo.exe"187⤵
-
C:\Windows\SysWOW64\yrtdj.exeC:\Windows\system32\yrtdj.exe 1440 "C:\Windows\SysWOW64\lbzab.exe"188⤵
-
C:\Windows\SysWOW64\liwfs.exeC:\Windows\system32\liwfs.exe 1444 "C:\Windows\SysWOW64\yrtdj.exe"189⤵
-
C:\Windows\SysWOW64\ygrib.exeC:\Windows\system32\ygrib.exe 1448 "C:\Windows\SysWOW64\liwfs.exe"190⤵
- Identifies Wine through registry keys
-
C:\Windows\SysWOW64\hjgsw.exeC:\Windows\system32\hjgsw.exe 1452 "C:\Windows\SysWOW64\ygrib.exe"191⤵
-
C:\Windows\SysWOW64\uhjvf.exeC:\Windows\system32\uhjvf.exe 1456 "C:\Windows\SysWOW64\hjgsw.exe"192⤵
-
C:\Windows\SysWOW64\hbplq.exeC:\Windows\system32\hbplq.exe 1460 "C:\Windows\SysWOW64\uhjvf.exe"193⤵
- Identifies Wine through registry keys
-
C:\Windows\SysWOW64\uaknz.exeC:\Windows\system32\uaknz.exe 1472 "C:\Windows\SysWOW64\hbplq.exe"194⤵
-
C:\Windows\SysWOW64\hqfqh.exeC:\Windows\system32\hqfqh.exe 1464 "C:\Windows\SysWOW64\uaknz.exe"195⤵
- Identifies Wine through registry keys
-
C:\Windows\SysWOW64\rfgff.exeC:\Windows\system32\rfgff.exe 1476 "C:\Windows\SysWOW64\hqfqh.exe"196⤵
- Identifies Wine through registry keys
-
C:\Windows\SysWOW64\dviio.exeC:\Windows\system32\dviio.exe 1468 "C:\Windows\SysWOW64\rfgff.exe"197⤵
-
C:\Windows\SysWOW64\qudlw.exeC:\Windows\system32\qudlw.exe 1484 "C:\Windows\SysWOW64\dviio.exe"198⤵
-
C:\Windows\SysWOW64\dkynf.exeC:\Windows\system32\dkynf.exe 1480 "C:\Windows\SysWOW64\qudlw.exe"199⤵
-
C:\Windows\SysWOW64\qjbqo.exeC:\Windows\system32\qjbqo.exe 1488 "C:\Windows\SysWOW64\dkynf.exe"200⤵
- Identifies Wine through registry keys
-
C:\Windows\SysWOW64\aptoe.exeC:\Windows\system32\aptoe.exe 1504 "C:\Windows\SysWOW64\qjbqo.exe"201⤵
-
C:\Windows\SysWOW64\nnwqm.exeC:\Windows\system32\nnwqm.exe 1492 "C:\Windows\SysWOW64\aptoe.exe"202⤵
-
C:\Windows\SysWOW64\aertd.exeC:\Windows\system32\aertd.exe 1496 "C:\Windows\SysWOW64\nnwqm.exe"203⤵
-
C:\Windows\SysWOW64\ncmol.exeC:\Windows\system32\ncmol.exe 1508 "C:\Windows\SysWOW64\aertd.exe"204⤵
-
C:\Windows\SysWOW64\ztpqu.exeC:\Windows\system32\ztpqu.exe 1500 "C:\Windows\SysWOW64\ncmol.exe"205⤵
-
C:\Windows\SysWOW64\bhpok.exeC:\Windows\system32\bhpok.exe 1512 "C:\Windows\SysWOW64\ztpqu.exe"206⤵
-
C:\Windows\SysWOW64\oxkqt.exeC:\Windows\system32\oxkqt.exe 1516 "C:\Windows\SysWOW64\bhpok.exe"207⤵
-
C:\Windows\SysWOW64\bwftb.exeC:\Windows\system32\bwftb.exe 1524 "C:\Windows\SysWOW64\oxkqt.exe"208⤵
-
C:\Windows\SysWOW64\omiwk.exeC:\Windows\system32\omiwk.exe 1520 "C:\Windows\SysWOW64\bwftb.exe"209⤵
-
C:\Windows\SysWOW64\bdcyb.exeC:\Windows\system32\bdcyb.exe 1528 "C:\Windows\SysWOW64\omiwk.exe"210⤵
-
C:\Windows\SysWOW64\krdor.exeC:\Windows\system32\krdor.exe 1532 "C:\Windows\SysWOW64\bdcyb.exe"211⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\yenlw.exeC:\Windows\system32\yenlw.exe 1536 "C:\Windows\SysWOW64\krdor.exe"212⤵
-
C:\Windows\SysWOW64\kcpgf.exeC:\Windows\system32\kcpgf.exe 1540 "C:\Windows\SysWOW64\yenlw.exe"213⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\uiqed.exeC:\Windows\system32\uiqed.exe 1548 "C:\Windows\SysWOW64\kcpgf.exe"214⤵
- Identifies Wine through registry keys
-
C:\Windows\SysWOW64\hhlgm.exeC:\Windows\system32\hhlgm.exe 1544 "C:\Windows\SysWOW64\uiqed.exe"215⤵
-
C:\Windows\SysWOW64\uxgju.exeC:\Windows\system32\uxgju.exe 1556 "C:\Windows\SysWOW64\hhlgm.exe"216⤵
-
C:\Windows\SysWOW64\eivth.exeC:\Windows\system32\eivth.exe 1552 "C:\Windows\SysWOW64\uxgju.exe"217⤵
-
C:\Windows\SysWOW64\umdol.exeC:\Windows\system32\umdol.exe 1564 "C:\Windows\SysWOW64\eivth.exe"218⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\daemb.exeC:\Windows\system32\daemb.exe 1560 "C:\Windows\SysWOW64\umdol.exe"219⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\qrzgk.exeC:\Windows\system32\qrzgk.exe 1568 "C:\Windows\SysWOW64\daemb.exe"220⤵
-
C:\Windows\SysWOW64\dpujb.exeC:\Windows\system32\dpujb.exe 1572 "C:\Windows\SysWOW64\qrzgk.exe"221⤵
-
C:\Windows\SysWOW64\qgwmj.exeC:\Windows\system32\qgwmj.exe 1580 "C:\Windows\SysWOW64\dpujb.exe"222⤵
-
C:\Windows\SysWOW64\deros.exeC:\Windows\system32\deros.exe 1576 "C:\Windows\SysWOW64\qgwmj.exe"223⤵
-
C:\Windows\SysWOW64\nhhzf.exeC:\Windows\system32\nhhzf.exe 1424 "C:\Windows\SysWOW64\deros.exe"224⤵
-
C:\Windows\SysWOW64\ajnor.exeC:\Windows\system32\ajnor.exe 1588 "C:\Windows\SysWOW64\nhhzf.exe"225⤵
-
C:\Windows\SysWOW64\nweew.exeC:\Windows\system32\nweew.exe 1596 "C:\Windows\SysWOW64\ajnor.exe"226⤵
-
C:\Windows\SysWOW64\zqkui.exeC:\Windows\system32\zqkui.exe 1592 "C:\Windows\SysWOW64\nweew.exe"227⤵
-
C:\Windows\SysWOW64\mofxy.exeC:\Windows\system32\mofxy.exe 1600 "C:\Windows\SysWOW64\zqkui.exe"228⤵
-
C:\Windows\SysWOW64\wdgmo.exeC:\Windows\system32\wdgmo.exe 1604 "C:\Windows\SysWOW64\mofxy.exe"229⤵
-
C:\Windows\SysWOW64\jtjpx.exeC:\Windows\system32\jtjpx.exe 1612 "C:\Windows\SysWOW64\wdgmo.exe"230⤵
-
C:\Windows\SysWOW64\wkdrg.exeC:\Windows\system32\wkdrg.exe 1608 "C:\Windows\SysWOW64\jtjpx.exe"231⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\jiyuo.exeC:\Windows\system32\jiyuo.exe 1624 "C:\Windows\SysWOW64\wkdrg.exe"232⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\wzbxx.exeC:\Windows\system32\wzbxx.exe 1616 "C:\Windows\SysWOW64\jiyuo.exe"233⤵
-
C:\Windows\SysWOW64\fnuuv.exeC:\Windows\system32\fnuuv.exe 1620 "C:\Windows\SysWOW64\wzbxx.exe"234⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\pmgrf.exeC:\Windows\system32\pmgrf.exe 1632 "C:\Windows\SysWOW64\fnuuv.exe"235⤵
-
C:\Windows\SysWOW64\ckauo.exeC:\Windows\system32\ckauo.exe 1628 "C:\Windows\SysWOW64\pmgrf.exe"236⤵
-
C:\Windows\SysWOW64\pbdxw.exeC:\Windows\system32\pbdxw.exe 1636 "C:\Windows\SysWOW64\ckauo.exe"237⤵
-
C:\Windows\SysWOW64\zlths.exeC:\Windows\system32\zlths.exe 1644 "C:\Windows\SysWOW64\pbdxw.exe"238⤵
-
C:\Windows\SysWOW64\mycxx.exeC:\Windows\system32\mycxx.exe 1584 "C:\Windows\SysWOW64\zlths.exe"239⤵
-
C:\Windows\SysWOW64\zpfag.exeC:\Windows\system32\zpfag.exe 1652 "C:\Windows\SysWOW64\mycxx.exe"240⤵
-
C:\Windows\SysWOW64\jzukt.exeC:\Windows\system32\jzukt.exe 1648 "C:\Windows\SysWOW64\zpfag.exe"241⤵
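Every hop in the tree above has the same shape: a freshly dropped five-letter executable under SysWOW64 launches the next one and passes it a number plus the full path of the hop that launched it. The command line names system32 while the image that ran sits in SysWOW64, which is what WoW64 file-system redirection does for a 32-bit process on x64 Windows. That fixed argument shape is the thing to detect, and it means the chain can be rebuilt from command lines alone, without parent-PID fields. The block below is an added example, not part of this report or of the sandbox's own signatures: it runs that detection over (image, command line) pairs as a Sysmon Event ID 1 or Security Event ID 4688 feed would supply them, using five hops copied from the tree plus one constructed benign line. The regex, the five-lowercase-letter name constraint and the reading of the numeric argument as the previous hop's PID are assumptions taken from the observed data, not facts stated by the report.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: (image, command line) for five consecutive hops copied
# from the process tree on this page, plus one benign control line that is
# not from the report. In production these fields come from Sysmon Event ID 1
# (Image, CommandLine) or Security Event ID 4688 (NewProcessName, CommandLine).
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    (r"C:\Windows\SysWOW64\rpunk.exe",
     r'C:\Windows\system32\rpunk.exe 956 "C:\Windows\SysWOW64\enoyy.exe"'),
    (r"C:\Windows\SysWOW64\efpqs.exe",
     r'C:\Windows\system32\efpqs.exe 968 "C:\Windows\SysWOW64\rpunk.exe"'),
    (r"C:\Windows\SysWOW64\rejtb.exe",
     r'C:\Windows\system32\rejtb.exe 964 "C:\Windows\SysWOW64\efpqs.exe"'),
    (r"C:\Windows\SysWOW64\dumvk.exe",
     r'C:\Windows\system32\dumvk.exe 976 "C:\Windows\SysWOW64\rejtb.exe"'),
    (r"C:\Windows\SysWOW64\qthqs.exe",
     r'C:\Windows\system32\qthqs.exe 972 "C:\Windows\SysWOW64\dumvk.exe"'),
    # benign control (constructed, not from the report)
    (r"C:\Windows\System32\notepad.exe",
     r'"C:\Windows\System32\notepad.exe" C:\Users\user\notes.txt'),
]

# Shape shared by every hop in the tree:
#   <own image under system32> <number> "<full path of the previous hop>"
# Five lowercase letters and the SysWOW64 location are taken from the observed
# tree (assumption, not a stated rule). Treating <number> as the previous
# hop's PID is also an assumption; the report does not say what it is.
HOP_RE = re.compile(
    r'^(?P<self>[A-Za-z]:\\Windows\\[Ss]ystem32\\(?P<name>[a-z]{5})\.exe) '
    r'(?P<num>\d+) '
    r'"(?P<prev>[A-Za-z]:\\Windows\\SysWOW64\\(?P<prevname>[a-z]{5})\.exe)"$'
)


@dataclass
class Hop:
    image: str       # image that actually ran (the SysWOW64 copy)
    name: str        # five-letter base name
    prev_image: str  # quoted argument: the hop that launched this one
    number: int      # numeric argument (assumed: previous hop's PID)


def parse_hops(events: List[Tuple[str, str]]) -> List[Hop]:
    """Keep only events whose command line has the hop shape."""
    hops: List[Hop] = []
    for image, cmd in events:
        m = HOP_RE.match(cmd)
        if m is None:
            continue
        hops.append(Hop(image=image, name=m["name"],
                        prev_image=m["prev"], number=int(m["num"])))
    return hops


def link_chain(hops: List[Hop]) -> List[Hop]:
    """Order hops so each one's quoted argument is the previous hop's image.

    The head is the hop whose predecessor is outside the window (here
    enoyy.exe, which precedes the sample). `seen` cuts any cycle.
    """
    by_prev: Dict[str, Hop] = {h.prev_image.lower(): h for h in hops}
    images = {h.image.lower() for h in hops}
    heads = [h for h in hops if h.prev_image.lower() not in images]
    chain: List[Hop] = []
    cur: Optional[Hop] = heads[0] if heads else None
    seen = set()
    while cur is not None and cur.image.lower() not in seen:
        seen.add(cur.image.lower())
        chain.append(cur)
        cur = by_prev.get(cur.image.lower())
    return chain


def detect_relaunch_chain(events: List[Tuple[str, str]],
                          min_hops: int = 3) -> dict:
    """Rebuild the chain and return a verdict.

    min_hops guards against one odd command line; the tree on this page runs
    past 240 hops, so a low threshold still fires early in the infection.
    Windows PIDs are multiples of 4, so the last field is a cheap sanity
    check on the PID assumption.
    """
    chain = link_chain(parse_hops(events))
    return {
        "alert": len(chain) >= min_hops,
        "hops": [h.name for h in chain],
        "numbers_look_like_pids": all(h.number % 4 == 0 for h in chain),
    }


if __name__ == "__main__":
    print(detect_relaunch_chain(SAMPLE_EVENTS))
```

On the five sampled hops this links rpunk, efpqs, rejtb, dumvk and qthqs in order and ignores the notepad line; all five numeric arguments are multiples of 4, consistent with (but not proof of) the parent-PID reading. In a live rule you would key on the argument shape rather than on the random names, since the names change on every run.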