Analysis
max time kernel: 150s
max time network: 121s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 20-06-2024 12:09
Behavioral task: behavioral1
Sample: 05da38d8eb1a58f2acb565f3ac94ebfb_JaffaCakes118.exe
Resource: win7-20240611-en

Behavioral task: behavioral2
Sample: 05da38d8eb1a58f2acb565f3ac94ebfb_JaffaCakes118.exe
Resource: win10v2004-20240508-en
General
Target: 05da38d8eb1a58f2acb565f3ac94ebfb_JaffaCakes118.exe
Size: 1.3MB
MD5: 05da38d8eb1a58f2acb565f3ac94ebfb
SHA1: 294cfe8f3dd03aa1e481701193113a286748747f
SHA256: e6b3925d8d1525666ac2ce0cd520b5bbe5d767610de9bf761108c614659607e0
SHA512: 2cbf8219c91b4a58a0b7cd94b34ab57a702642d78763390d68a4fa86191cef2c958f9985a77d4d749ffcadf54655063fb92a7debfaa00b44d51d516b4cacdeab
SSDEEP: 24576:aQ1+/BP5Ht9+6n6d97AHqIui6+owoi7zRxnqZD6bvU5ABRsjPw:ae+/7P+Hd97Ug+o+fnGObM5ERMP
Malware Config
Extracted: metasploit, encoder/call4_dword_xor
Signatures
- MetaSploit: Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Executes dropped EXE (64 IoCs)
- Loads dropped DLL (64 IoCs)
- Yara rule match: themida (behavioral1 memory dumps of the sample process and of the dropped processes, region 0x0000000000400000-0x0000000000742000, and the dropped file \Windows\SysWOW64\fisqvw.exe; per-dump list omitted)
- Drops file in System32 directory (64 IoCs)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
(Each numbered entry is a child of the entry above it; the number is its depth in the process tree. Every dropped executable is started with its parent's path as the second argument.)

1. C:\Users\Admin\AppData\Local\Temp\05da38d8eb1a58f2acb565f3ac94ebfb_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\05da38d8eb1a58f2acb565f3ac94ebfb_JaffaCakes118.exe"
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

2. C:\Windows\SysWOW64\fisqvw.exe
   Command line: C:\Windows\system32\fisqvw.exe 640 "C:\Users\Admin\AppData\Local\Temp\05da38d8eb1a58f2acb565f3ac94ebfb_JaffaCakes118.exe"
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

3. C:\Windows\SysWOW64\hditkl.exe
   Command line: C:\Windows\system32\hditkl.exe 624 "C:\Windows\SysWOW64\fisqvw.exe"
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

4. C:\Windows\SysWOW64\dtqlff.exe
   Command line: C:\Windows\system32\dtqlff.exe 632 "C:\Windows\SysWOW64\hditkl.exe"
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

5. C:\Windows\SysWOW64\bfmyvi.exe
   Command line: C:\Windows\system32\bfmyvi.exe 636 "C:\Windows\SysWOW64\dtqlff.exe"
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

6. C:\Windows\SysWOW64\lnywgg.exe
   Command line: C:\Windows\system32\lnywgg.exe 712 "C:\Windows\SysWOW64\bfmyvi.exe"
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

7. C:\Windows\SysWOW64\hrtwmo.exe
   Command line: C:\Windows\system32\hrtwmo.exe 628 "C:\Windows\SysWOW64\lnywgg.exe"
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

8. C:\Windows\SysWOW64\rqftxn.exe
   Command line: C:\Windows\system32\rqftxn.exe 724 "C:\Windows\SysWOW64\hrtwmo.exe"
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

9. C:\Windows\SysWOW64\orpgby.exe
   Command line: C:\Windows\system32\orpgby.exe 652 "C:\Windows\SysWOW64\rqftxn.exe"
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

10. C:\Windows\SysWOW64\behwgc.exe
    Command line: C:\Windows\system32\behwgc.exe 736 "C:\Windows\SysWOW64\orpgby.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

11. C:\Windows\SysWOW64\bxigap.exe
    Command line: C:\Windows\system32\bxigap.exe 672 "C:\Windows\SysWOW64\behwgc.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

12. C:\Windows\SysWOW64\lwmmln.exe
    Command line: C:\Windows\system32\lwmmln.exe 744 "C:\Windows\SysWOW64\bxigap.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

13. C:\Windows\SysWOW64\lovwna.exe
    Command line: C:\Windows\system32\lovwna.exe 664 "C:\Windows\SysWOW64\lwmmln.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

14. C:\Windows\SysWOW64\vzkgad.exe
    Command line: C:\Windows\system32\vzkgad.exe 760 "C:\Windows\SysWOW64\lovwna.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

15. C:\Windows\SysWOW64\sxrhbk.exe
    Command line: C:\Windows\system32\sxrhbk.exe 748 "C:\Windows\SysWOW64\vzkgad.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

16. C:\Windows\SysWOW64\czhron.exe
    Command line: C:\Windows\system32\czhron.exe 772 "C:\Windows\SysWOW64\sxrhbk.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

17. C:\Windows\SysWOW64\zxorhm.exe
    Command line: C:\Windows\system32\zxorhm.exe 708 "C:\Windows\SysWOW64\czhron.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses

18. C:\Windows\SysWOW64\lniuqu.exe
    Command line: C:\Windows\system32\lniuqu.exe 764 "C:\Windows\SysWOW64\zxorhm.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses

19. C:\Windows\SysWOW64\ymdwgd.exe
    Command line: C:\Windows\system32\ymdwgd.exe 776 "C:\Windows\SysWOW64\lniuqu.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses

20. C:\Windows\SysWOW64\ljurvl.exe
    Command line: C:\Windows\system32\ljurvl.exe 756 "C:\Windows\SysWOW64\ymdwgd.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses

21. C:\Windows\SysWOW64\vfvkcg.exe
    Command line: C:\Windows\system32\vfvkcg.exe 792 "C:\Windows\SysWOW64\ljurvl.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses

22. C:\Windows\SysWOW64\idqmlo.exe
    Command line: C:\Windows\system32\idqmlo.exe 768 "C:\Windows\SysWOW64\vfvkcg.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses

23. C:\Windows\SysWOW64\ppprii.exe
    Command line: C:\Windows\system32\ppprii.exe 788 "C:\Windows\SysWOW64\idqmlo.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses

24. C:\Windows\SysWOW64\ccghom.exe
    Command line: C:\Windows\system32\ccghom.exe 780 "C:\Windows\SysWOW64\ppprii.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses

25. C:\Windows\SysWOW64\hslcks.exe
    Command line: C:\Windows\system32\hslcks.exe 796 "C:\Windows\SysWOW64\ccghom.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses

26. C:\Windows\SysWOW64\ufvsqv.exe
    Command line: C:\Windows\system32\ufvsqv.exe 800 "C:\Windows\SysWOW64\hslcks.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses

27. C:\Windows\SysWOW64\bytxfp.exe
    Command line: C:\Windows\system32\bytxfp.exe 808 "C:\Windows\SysWOW64\ufvsqv.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses

28. C:\Windows\SysWOW64\opwznx.exe
    Command line: C:\Windows\system32\opwznx.exe 784 "C:\Windows\SysWOW64\bytxfp.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses

29. C:\Windows\SysWOW64\yoaxgw.exe
    Command line: C:\Windows\system32\yoaxgw.exe 812 "C:\Windows\SysWOW64\opwznx.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses

30. C:\Windows\SysWOW64\lmdaow.exe
    Command line: C:\Windows\system32\lmdaow.exe 816 "C:\Windows\SysWOW64\yoaxgw.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses

31. C:\Windows\SysWOW64\tursau.exe
    Command line: C:\Windows\system32\tursau.exe 820 "C:\Windows\SysWOW64\lmdaow.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses

32. C:\Windows\SysWOW64\dwgcwx.exe
    Command line: C:\Windows\system32\dwgcwx.exe 824 "C:\Windows\SysWOW64\tursau.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses

33. C:\Windows\SysWOW64\neszgo.exe
    Command line: C:\Windows\system32\neszgo.exe 828 "C:\Windows\SysWOW64\dwgcwx.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

34. C:\Windows\SysWOW64\disukb.exe
    Command line: C:\Windows\system32\disukb.exe 844 "C:\Windows\SysWOW64\neszgo.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

35. C:\Windows\SysWOW64\ktrihv.exe
    Command line: C:\Windows\system32\ktrihv.exe 832 "C:\Windows\SysWOW64\disukb.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses

36. C:\Windows\SysWOW64\xsukqd.exe
    Command line: C:\Windows\system32\xsukqd.exe 804 "C:\Windows\SysWOW64\ktrihv.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

37. C:\Windows\SysWOW64\hujndg.exe
    Command line: C:\Windows\system32\hujndg.exe 848 "C:\Windows\SysWOW64\xsukqd.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses

38. C:\Windows\SysWOW64\ttepmg.exe
    Command line: C:\Windows\system32\ttepmg.exe 840 "C:\Windows\SysWOW64\hujndg.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

39. C:\Windows\SysWOW64\wsqvef.exe
    Command line: C:\Windows\system32\wsqvef.exe 852 "C:\Windows\SysWOW64\ttepmg.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses

40. C:\Windows\SysWOW64\jfakkj.exe
    Command line: C:\Windows\system32\jfakkj.exe 836 "C:\Windows\SysWOW64\wsqvef.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

41. C:\Windows\SysWOW64\vhgsvv.exe
    Command line: C:\Windows\system32\vhgsvv.exe 864 "C:\Windows\SysWOW64\jfakkj.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

42. C:\Windows\SysWOW64\ixjvev.exe
    Command line: C:\Windows\system32\ixjvev.exe 856 "C:\Windows\SysWOW64\vhgsvv.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

43. C:\Windows\SysWOW64\pihatp.exe
    Command line: C:\Windows\system32\pihatp.exe 868 "C:\Windows\SysWOW64\ixjvev.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

44. C:\Windows\SysWOW64\cknqmc.exe
    Command line: C:\Windows\system32\cknqmc.exe 872 "C:\Windows\SysWOW64\pihatp.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

45. C:\Windows\SysWOW64\pbisvk.exe
    Command line: C:\Windows\system32\pbisvk.exe 860 "C:\Windows\SysWOW64\cknqmc.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

46. C:\Windows\SysWOW64\czlvdk.exe
    Command line: C:\Windows\system32\czlvdk.exe 892 "C:\Windows\SysWOW64\pbisvk.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

47. C:\Windows\SysWOW64\mvefle.exe
    Command line: C:\Windows\system32\mvefle.exe 880 "C:\Windows\SysWOW64\czlvdk.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

48. C:\Windows\SysWOW64\wytqyh.exe
    Command line: C:\Windows\system32\wytqyh.exe 884 "C:\Windows\SysWOW64\mvefle.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

49. C:\Windows\SysWOW64\giratl.exe
    Command line: C:\Windows\system32\giratl.exe 888 "C:\Windows\SysWOW64\wytqyh.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses

50. C:\Windows\SysWOW64\tzldct.exe
    Command line: C:\Windows\system32\tzldct.exe 876 "C:\Windows\SysWOW64\giratl.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

51. C:\Windows\SysWOW64\bdvqme.exe
    Command line: C:\Windows\system32\bdvqme.exe 900 "C:\Windows\SysWOW64\tzldct.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

52. C:\Windows\SysWOW64\obqtcm.exe
    Command line: C:\Windows\system32\obqtcm.exe 904 "C:\Windows\SysWOW64\bdvqme.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

53. C:\Windows\SysWOW64\vjmlob.exe
    Command line: C:\Windows\system32\vjmlob.exe 908 "C:\Windows\SysWOW64\obqtcm.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

54. C:\Windows\SysWOW64\idsbao.exe
    Command line: C:\Windows\system32\idsbao.exe 920 "C:\Windows\SysWOW64\vjmlob.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

55. C:\Windows\SysWOW64\plftud.exe
    Command line: C:\Windows\system32\plftud.exe 912 "C:\Windows\SysWOW64\idsbao.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

56. C:\Windows\SysWOW64\cjivdl.exe
    Command line: C:\Windows\system32\cjivdl.exe 932 "C:\Windows\SysWOW64\plftud.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

57. C:\Windows\SysWOW64\pwslih.exe
    Command line: C:\Windows\system32\pwslih.exe 916 "C:\Windows\SysWOW64\cjivdl.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

58. C:\Windows\SysWOW64\cyybuu.exe
    Command line: C:\Windows\system32\cyybuu.exe 896 "C:\Windows\SysWOW64\pwslih.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

59. C:\Windows\SysWOW64\jjwgro.exe
    Command line: C:\Windows\system32\jjwgro.exe 928 "C:\Windows\SysWOW64\cyybuu.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses

60. C:\Windows\SysWOW64\zofbvb.exe
    Command line: C:\Windows\system32\zofbvb.exe 936 "C:\Windows\SysWOW64\jjwgro.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

61. C:\Windows\SysWOW64\jyuliw.exe
    Command line: C:\Windows\system32\jyuliw.exe 940 "C:\Windows\SysWOW64\zofbvb.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

62. C:\Windows\SysWOW64\vsabti.exe
    Command line: C:\Windows\system32\vsabti.exe 948 "C:\Windows\SysWOW64\jyuliw.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

63. C:\Windows\SysWOW64\jnsrzm.exe
    Command line: C:\Windows\system32\jnsrzm.exe 944 "C:\Windows\SysWOW64\vsabti.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

64. C:\Windows\SysWOW64\vljlnv.exe
    Command line: C:\Windows\system32\vljlnv.exe 924 "C:\Windows\SysWOW64\jnsrzm.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

65. C:\Windows\SysWOW64\fsnjgu.exe
    Command line: C:\Windows\system32\fsnjgu.exe 952 "C:\Windows\SysWOW64\vljlnv.exe"
    - Executes dropped EXE

66. C:\Windows\SysWOW64\sjiloc.exe
    Command line: C:\Windows\system32\sjiloc.exe 960 "C:\Windows\SysWOW64\fsnjgu.exe"

67. C:\Windows\SysWOW64\ctxwcf.exe
    Command line: C:\Windows\system32\ctxwcf.exe 964 "C:\Windows\SysWOW64\sjiloc.exe"

68. C:\Windows\SysWOW64\ushjhy.exe
    Command line: C:\Windows\system32\ushjhy.exe 968 "C:\Windows\SysWOW64\ctxwcf.exe"

69. C:\Windows\SysWOW64\hrcmpg.exe
    Command line: C:\Windows\system32\hrcmpg.exe 976 "C:\Windows\SysWOW64\ushjhy.exe"

70. C:\Windows\SysWOW64\rxdbfg.exe
    Command line: C:\Windows\system32\rxdbfg.exe 752 "C:\Windows\SysWOW64\hrcmpg.exe"

71. C:\Windows\SysWOW64\ewyeoo.exe
    Command line: C:\Windows\system32\ewyeoo.exe 980 "C:\Windows\SysWOW64\rxdbfg.exe"

72. C:\Windows\SysWOW64\rjptcs.exe
    Command line: C:\Windows\system32\rjptcs.exe 984 "C:\Windows\SysWOW64\ewyeoo.exe"

73. C:\Windows\SysWOW64\bxqrsz.exe
    Command line: C:\Windows\system32\bxqrsz.exe 988 "C:\Windows\SysWOW64\rjptcs.exe"
-
C:\Windows\SysWOW64\okzhyv.exeC:\Windows\system32\okzhyv.exe 996 "C:\Windows\SysWOW64\bxqrsz.exe"74⤵
-
C:\Windows\SysWOW64\ymprly.exeC:\Windows\system32\ymprly.exe 1000 "C:\Windows\SysWOW64\okzhyv.exe"75⤵
-
C:\Windows\SysWOW64\lhghrc.exeC:\Windows\system32\lhghrc.exe 992 "C:\Windows\SysWOW64\ymprly.exe"76⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\vkwrmf.exeC:\Windows\system32\vkwrmf.exe 1004 "C:\Windows\SysWOW64\lhghrc.exe"77⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\iiquun.exeC:\Windows\system32\iiquun.exe 1008 "C:\Windows\SysWOW64\vkwrmf.exe"78⤵
-
C:\Windows\SysWOW64\sloeii.exeC:\Windows\system32\sloeii.exe 1028 "C:\Windows\SysWOW64\iiquun.exe"79⤵
-
C:\Windows\SysWOW64\hpozmv.exeC:\Windows\system32\hpozmv.exe 1016 "C:\Windows\SysWOW64\sloeii.exe"80⤵
-
C:\Windows\SysWOW64\radkzz.exeC:\Windows\system32\radkzz.exe 1012 "C:\Windows\SysWOW64\hpozmv.exe"81⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\eckzsd.exeC:\Windows\system32\eckzsd.exe 1020 "C:\Windows\SysWOW64\radkzz.exe"82⤵
-
C:\Windows\SysWOW64\rpbpyh.exeC:\Windows\system32\rpbpyh.exe 1032 "C:\Windows\SysWOW64\eckzsd.exe"83⤵
-
C:\Windows\SysWOW64\ejhxjt.exeC:\Windows\system32\ejhxjt.exe 1040 "C:\Windows\SysWOW64\rpbpyh.exe"84⤵
-
C:\Windows\SysWOW64\rhczst.exeC:\Windows\system32\rhczst.exe 1056 "C:\Windows\SysWOW64\ejhxjt.exe"85⤵
-
C:\Windows\SysWOW64\avdxib.exeC:\Windows\system32\avdxib.exe 1036 "C:\Windows\SysWOW64\rhczst.exe"86⤵
-
C:\Windows\SysWOW64\giumof.exeC:\Windows\system32\giumof.exe 1048 "C:\Windows\SysWOW64\avdxib.exe"87⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\tzppfn.exeC:\Windows\system32\tzppfn.exe 1060 "C:\Windows\SysWOW64\giumof.exe"88⤵
-
C:\Windows\SysWOW64\cnqmvm.exeC:\Windows\system32\cnqmvm.exe 1052 "C:\Windows\SysWOW64\tzppfn.exe"89⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\pahcaq.exeC:\Windows\system32\pahcaq.exe 1044 "C:\Windows\SysWOW64\cnqmvm.exe"90⤵
-
C:\Windows\SysWOW64\zdxmot.exeC:\Windows\system32\zdxmot.exe 1064 "C:\Windows\SysWOW64\pahcaq.exe"91⤵
-
C:\Windows\SysWOW64\mygctx.exeC:\Windows\system32\mygctx.exe 1068 "C:\Windows\SysWOW64\zdxmot.exe"92⤵
-
C:\Windows\SysWOW64\wadnpa.exeC:\Windows\system32\wadnpa.exe 972 "C:\Windows\SysWOW64\mygctx.exe"93⤵
-
C:\Windows\SysWOW64\jzypxa.exeC:\Windows\system32\jzypxa.exe 1080 "C:\Windows\SysWOW64\wadnpa.exe"94⤵
-
C:\Windows\SysWOW64\qkxuuc.exeC:\Windows\system32\qkxuuc.exe 1092 "C:\Windows\SysWOW64\jzypxa.exe"95⤵
-
C:\Windows\SysWOW64\gsictm.exeC:\Windows\system32\gsictm.exe 1076 "C:\Windows\SysWOW64\qkxuuc.exe"96⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\qcgnop.exeC:\Windows\system32\qcgnop.exe 1088 "C:\Windows\SysWOW64\gsictm.exe"97⤵
-
C:\Windows\SysWOW64\ghgisu.exeC:\Windows\system32\ghgisu.exe 1084 "C:\Windows\SysWOW64\qcgnop.exe"98⤵
-
C:\Windows\SysWOW64\qrvkfx.exeC:\Windows\system32\qrvkfx.exe 1100 "C:\Windows\SysWOW64\ghgisu.exe"99⤵
-
C:\Windows\SysWOW64\diynof.exeC:\Windows\system32\diynof.exe 1096 "C:\Windows\SysWOW64\qrvkfx.exe"100⤵
-
C:\Windows\SysWOW64\qgtqxf.exeC:\Windows\system32\qgtqxf.exe 1104 "C:\Windows\SysWOW64\diynof.exe"101⤵
-
C:\Windows\SysWOW64\afxnpe.exeC:\Windows\system32\afxnpe.exe 1108 "C:\Windows\SysWOW64\qgtqxf.exe"102⤵
-
C:\Windows\SysWOW64\kinxch.exeC:\Windows\system32\kinxch.exe 1112 "C:\Windows\SysWOW64\afxnpe.exe"103⤵
-
C:\Windows\SysWOW64\wktnou.exeC:\Windows\system32\wktnou.exe 1116 "C:\Windows\SysWOW64\kinxch.exe"104⤵
-
C:\Windows\SysWOW64\jxkduy.exeC:\Windows\system32\jxkduy.exe 1120 "C:\Windows\SysWOW64\wktnou.exe"105⤵
-
C:\Windows\SysWOW64\wzqsfc.exeC:\Windows\system32\wzqsfc.exe 1124 "C:\Windows\SysWOW64\jxkduy.exe"106⤵
-
C:\Windows\SysWOW64\gcgdaf.exeC:\Windows\system32\gcgdaf.exe 1128 "C:\Windows\SysWOW64\wzqsfc.exe"107⤵
-
C:\Windows\SysWOW64\temsms.exeC:\Windows\system32\temsms.exe 1136 "C:\Windows\SysWOW64\gcgdaf.exe"108⤵
-
C:\Windows\SysWOW64\grdiro.exeC:\Windows\system32\grdiro.exe 1140 "C:\Windows\SysWOW64\temsms.exe"109⤵
-
C:\Windows\SysWOW64\stjqda.exeC:\Windows\system32\stjqda.exe 1132 "C:\Windows\SysWOW64\grdiro.exe"110⤵
-
C:\Windows\SysWOW64\cvzaqd.exeC:\Windows\system32\cvzaqd.exe 1144 "C:\Windows\SysWOW64\stjqda.exe"111⤵
-
C:\Windows\SysWOW64\sihvui.exeC:\Windows\system32\sihvui.exe 1148 "C:\Windows\SysWOW64\cvzaqd.exe"112⤵
-
C:\Windows\SysWOW64\ckwgpm.exeC:\Windows\system32\ckwgpm.exe 1152 "C:\Windows\SysWOW64\sihvui.exe"113⤵
-
C:\Windows\SysWOW64\pmcvby.exeC:\Windows\system32\pmcvby.exe 1156 "C:\Windows\SysWOW64\ckwgpm.exe"114⤵
-
C:\Windows\SysWOW64\cdxyjg.exeC:\Windows\system32\cdxyjg.exe 1164 "C:\Windows\SysWOW64\pmcvby.exe"115⤵
-
C:\Windows\SysWOW64\pbabsg.exeC:\Windows\system32\pbabsg.exe 1160 "C:\Windows\SysWOW64\cdxyjg.exe"116⤵
-
C:\Windows\SysWOW64\zeplfk.exeC:\Windows\system32\zeplfk.exe 1168 "C:\Windows\SysWOW64\pbabsg.exe"117⤵
-
C:\Windows\SysWOW64\mrzbln.exeC:\Windows\system32\mrzbln.exe 1072 "C:\Windows\SysWOW64\zeplfk.exe"118⤵
-
C:\Windows\SysWOW64\vfaqjv.exeC:\Windows\system32\vfaqjv.exe 1176 "C:\Windows\SysWOW64\mrzbln.exe"119⤵
-
C:\Windows\SysWOW64\ivutsv.exeC:\Windows\system32\ivutsv.exe 1180 "C:\Windows\SysWOW64\vfaqjv.exe"120⤵
-
C:\Windows\SysWOW64\vqmixz.exeC:\Windows\system32\vqmixz.exe 1184 "C:\Windows\SysWOW64\ivutsv.exe"121⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\fwngng.exeC:\Windows\system32\fwngng.exe 1188 "C:\Windows\SysWOW64\vqmixz.exe"122⤵
-
C:\Windows\SysWOW64\sjewtk.exeC:\Windows\system32\sjewtk.exe 1192 "C:\Windows\SysWOW64\fwngng.exe"123⤵
-
C:\Windows\SysWOW64\fizyck.exeC:\Windows\system32\fizyck.exe 1200 "C:\Windows\SysWOW64\sjewtk.exe"124⤵
-
C:\Windows\SysWOW64\plojxn.exeC:\Windows\system32\plojxn.exe 1196 "C:\Windows\SysWOW64\fizyck.exe"125⤵
-
C:\Windows\SysWOW64\cnuyia.exeC:\Windows\system32\cnuyia.exe 1204 "C:\Windows\SysWOW64\plojxn.exe"126⤵
-
C:\Windows\SysWOW64\pamooe.exeC:\Windows\system32\pamooe.exe 1208 "C:\Windows\SysWOW64\cnuyia.exe"127⤵
-
C:\Windows\SysWOW64\zonled.exeC:\Windows\system32\zonled.exe 1212 "C:\Windows\SysWOW64\pamooe.exe"128⤵
-
C:\Windows\SysWOW64\lehovl.exeC:\Windows\system32\lehovl.exe 1220 "C:\Windows\SysWOW64\zonled.exe"129⤵
-
C:\Windows\SysWOW64\ygnwgy.exeC:\Windows\system32\ygnwgy.exe 1216 "C:\Windows\SysWOW64\lehovl.exe"130⤵
-
C:\Windows\SysWOW64\ltflmu.exeC:\Windows\system32\ltflmu.exe 1236 "C:\Windows\SysWOW64\ygnwgy.exe"131⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\yvlbxg.exeC:\Windows\system32\yvlbxg.exe 1224 "C:\Windows\SysWOW64\ltflmu.exe"132⤵
-
C:\Windows\SysWOW64\iyamlj.exeC:\Windows\system32\iyamlj.exe 1232 "C:\Windows\SysWOW64\yvlbxg.exe"133⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\ykbhpo.exeC:\Windows\system32\ykbhpo.exe 1240 "C:\Windows\SysWOW64\iyamlj.exe"134⤵
-
C:\Windows\SysWOW64\zqbenw.exeC:\Windows\system32\zqbenw.exe 1252 "C:\Windows\SysWOW64\ykbhpo.exe"135⤵
-
C:\Windows\SysWOW64\nltuta.exeC:\Windows\system32\nltuta.exe 1228 "C:\Windows\SysWOW64\zqbenw.exe"136⤵
-
C:\Windows\SysWOW64\zcowbi.exeC:\Windows\system32\zcowbi.exe 1248 "C:\Windows\SysWOW64\nltuta.exe"137⤵
-
C:\Windows\SysWOW64\jqomrh.exeC:\Windows\system32\jqomrh.exe 1244 "C:\Windows\SysWOW64\zcowbi.exe"138⤵
-
C:\Windows\SysWOW64\wgjoap.exeC:\Windows\system32\wgjoap.exe 1256 "C:\Windows\SysWOW64\jqomrh.exe"139⤵
-
C:\Windows\SysWOW64\jipelc.exeC:\Windows\system32\jipelc.exe 1260 "C:\Windows\SysWOW64\wgjoap.exe"140⤵
-
C:\Windows\SysWOW64\wzshuc.exeC:\Windows\system32\wzshuc.exe 1276 "C:\Windows\SysWOW64\jipelc.exe"141⤵
-
C:\Windows\SysWOW64\jmbwig.exeC:\Windows\system32\jmbwig.exe 1268 "C:\Windows\SysWOW64\wzshuc.exe"142⤵
-
C:\Windows\SysWOW64\sacuyn.exeC:\Windows\system32\sacuyn.exe 1264 "C:\Windows\SysWOW64\jmbwig.exe"143⤵
-
C:\Windows\SysWOW64\fyfwgo.exeC:\Windows\system32\fyfwgo.exe 1272 "C:\Windows\SysWOW64\sacuyn.exe"144⤵
-
C:\Windows\SysWOW64\tlommr.exeC:\Windows\system32\tlommr.exe 1280 "C:\Windows\SysWOW64\fyfwgo.exe"145⤵
-
C:\Windows\SysWOW64\crpkkz.exeC:\Windows\system32\crpkkz.exe 1284 "C:\Windows\SysWOW64\tlommr.exe"146⤵
-
C:\Windows\SysWOW64\pmhzqd.exeC:\Windows\system32\pmhzqd.exe 1292 "C:\Windows\SysWOW64\crpkkz.exe"147⤵
-
C:\Windows\SysWOW64\csquel.exeC:\Windows\system32\csquel.exe 1288 "C:\Windows\SysWOW64\pmhzqd.exe"148⤵
-
C:\Windows\SysWOW64\pfikkp.exeC:\Windows\system32\pfikkp.exe 1296 "C:\Windows\SysWOW64\csquel.exe"149⤵
-
C:\Windows\SysWOW64\cvcmsx.exeC:\Windows\system32\cvcmsx.exe 1300 "C:\Windows\SysWOW64\pfikkp.exe"150⤵
-
C:\Windows\SysWOW64\lkdkjf.exeC:\Windows\system32\lkdkjf.exe 1304 "C:\Windows\SysWOW64\cvcmsx.exe"151⤵
-
C:\Windows\SysWOW64\yagmrf.exeC:\Windows\system32\yagmrf.exe 1308 "C:\Windows\SysWOW64\lkdkjf.exe"152⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\lzbpin.exeC:\Windows\system32\lzbpin.exe 1312 "C:\Windows\SysWOW64\yagmrf.exe"153⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\ythxts.exeC:\Windows\system32\ythxts.exe 1320 "C:\Windows\SysWOW64\lzbpin.exe"154⤵
-
C:\Windows\SysWOW64\lgyuzw.exeC:\Windows\system32\lgyuzw.exe 1316 "C:\Windows\SysWOW64\ythxts.exe"155⤵
-
C:\Windows\SysWOW64\yiecki.exeC:\Windows\system32\yiecki.exe 1324 "C:\Windows\SysWOW64\lgyuzw.exe"156⤵
-
C:\Windows\SysWOW64\ihiavh.exeC:\Windows\system32\ihiavh.exe 1332 "C:\Windows\SysWOW64\yiecki.exe"157⤵
-
C:\Windows\SysWOW64\vfdcdh.exeC:\Windows\system32\vfdcdh.exe 1328 "C:\Windows\SysWOW64\ihiavh.exe"158⤵
-
C:\Windows\SysWOW64\fitnzk.exeC:\Windows\system32\fitnzk.exe 1336 "C:\Windows\SysWOW64\vfdcdh.exe"159⤵
-
C:\Windows\SysWOW64\rkhckx.exeC:\Windows\system32\rkhckx.exe 1340 "C:\Windows\SysWOW64\fitnzk.exe"160⤵
-
C:\Windows\SysWOW64\fxqsqa.exeC:\Windows\system32\fxqsqa.exe 1348 "C:\Windows\SysWOW64\rkhckx.exe"161⤵
-
C:\Windows\SysWOW64\rzwibf.exeC:\Windows\system32\rzwibf.exe 1344 "C:\Windows\SysWOW64\fxqsqa.exe"162⤵
-
C:\Windows\SysWOW64\bbmsoi.exeC:\Windows\system32\bbmsoi.exe 1352 "C:\Windows\SysWOW64\rzwibf.exe"163⤵
-
C:\Windows\SysWOW64\oaovxq.exeC:\Windows\system32\oaovxq.exe 1356 "C:\Windows\SysWOW64\bbmsoi.exe"164⤵
-
C:\Windows\SysWOW64\bqjxoq.exeC:\Windows\system32\bqjxoq.exe 1364 "C:\Windows\SysWOW64\oaovxq.exe"165⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\ospfzd.exeC:\Windows\system32\ospfzd.exe 1360 "C:\Windows\SysWOW64\bqjxoq.exe"166⤵
-
C:\Windows\SysWOW64\xvfpmg.exeC:\Windows\system32\xvfpmg.exe 1368 "C:\Windows\SysWOW64\ospfzd.exe"167⤵
-
C:\Windows\SysWOW64\kthsvo.exeC:\Windows\system32\kthsvo.exe 1372 "C:\Windows\SysWOW64\xvfpmg.exe"168⤵
-
C:\Windows\SysWOW64\xkcveo.exeC:\Windows\system32\xkcveo.exe 1376 "C:\Windows\SysWOW64\kthsvo.exe"169⤵
-
C:\Windows\SysWOW64\kmilpb.exeC:\Windows\system32\kmilpb.exe 1380 "C:\Windows\SysWOW64\xkcveo.exe"170⤵
-
C:\Windows\SysWOW64\xzaadf.exeC:\Windows\system32\xzaadf.exe 1388 "C:\Windows\SysWOW64\kmilpb.exe"171⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\kbgqoj.exeC:\Windows\system32\kbgqoj.exe 1384 "C:\Windows\SysWOW64\xzaadf.exe"172⤵
-
C:\Windows\SysWOW64\xrblxr.exeC:\Windows\system32\xrblxr.exe 1392 "C:\Windows\SysWOW64\kbgqoj.exe"173⤵
-
C:\Windows\SysWOW64\huqvku.exeC:\Windows\system32\huqvku.exe 1400 "C:\Windows\SysWOW64\xrblxr.exe"174⤵
-
C:\Windows\SysWOW64\uslytv.exeC:\Windows\system32\uslytv.exe 1404 "C:\Windows\SysWOW64\huqvku.exe"175⤵
-
C:\Windows\SysWOW64\gurneh.exeC:\Windows\system32\gurneh.exe 1408 "C:\Windows\SysWOW64\uslytv.exe"176⤵
-
C:\Windows\SysWOW64\qxoyzk.exeC:\Windows\system32\qxoyzk.exe 1412 "C:\Windows\SysWOW64\gurneh.exe"177⤵
-
C:\Windows\SysWOW64\dkynfo.exeC:\Windows\system32\dkynfo.exe 1396 "C:\Windows\SysWOW64\qxoyzk.exe"178⤵
-
C:\Windows\SysWOW64\qjbqoo.exeC:\Windows\system32\qjbqoo.exe 1416 "C:\Windows\SysWOW64\dkynfo.exe"179⤵
-
C:\Windows\SysWOW64\ddhgzb.exeC:\Windows\system32\ddhgzb.exe 1420 "C:\Windows\SysWOW64\qjbqoo.exe"180⤵
-
C:\Windows\SysWOW64\nnwqme.exeC:\Windows\system32\nnwqme.exe 1428 "C:\Windows\SysWOW64\ddhgzb.exe"181⤵
-
C:\Windows\SysWOW64\zhcygi.exeC:\Windows\system32\zhcygi.exe 1424 "C:\Windows\SysWOW64\nnwqme.exe"182⤵
-
C:\Windows\SysWOW64\mgxboq.exeC:\Windows\system32\mgxboq.exe 1436 "C:\Windows\SysWOW64\zhcygi.exe"183⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\zwsdxz.exeC:\Windows\system32\zwsdxz.exe 1432 "C:\Windows\SysWOW64\mgxboq.exe"184⤵
-
C:\Windows\SysWOW64\evvggz.exeC:\Windows\system32\evvggz.exe 1444 "C:\Windows\SysWOW64\zwsdxz.exe"185⤵
-
C:\Windows\SysWOW64\oxkqtc.exeC:\Windows\system32\oxkqtc.exe 1440 "C:\Windows\SysWOW64\evvggz.exe"186⤵
-
C:\Windows\SysWOW64\bwftbk.exeC:\Windows\system32\bwftbk.exe 1448 "C:\Windows\SysWOW64\oxkqtc.exe"187⤵
-
C:\Windows\SysWOW64\oqljnx.exeC:\Windows\system32\oqljnx.exe 1452 "C:\Windows\SysWOW64\bwftbk.exe"188⤵
-
C:\Windows\SysWOW64\booddx.exeC:\Windows\system32\booddx.exe 1460 "C:\Windows\SysWOW64\oqljnx.exe"189⤵
-
C:\Windows\SysWOW64\krdora.exeC:\Windows\system32\krdora.exe 1456 "C:\Windows\SysWOW64\booddx.exe"190⤵
-
C:\Windows\SysWOW64\avdjvn.exeC:\Windows\system32\avdjvn.exe 1468 "C:\Windows\SysWOW64\krdora.exe"191⤵
-
C:\Windows\SysWOW64\kjeglm.exeC:\Windows\system32\kjeglm.exe 1476 "C:\Windows\SysWOW64\avdjvn.exe"192⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\xwwwqq.exeC:\Windows\system32\xwwwqq.exe 1484 "C:\Windows\SysWOW64\kjeglm.exe"193⤵
-
C:\Windows\SysWOW64\kycmcd.exeC:\Windows\system32\kycmcd.exe 1464 "C:\Windows\SysWOW64\xwwwqq.exe"194⤵
-
C:\Windows\SysWOW64\ujrwxg.exeC:\Windows\system32\ujrwxg.exe 1480 "C:\Windows\SysWOW64\kycmcd.exe"195⤵
-
C:\Windows\SysWOW64\knzrbl.exeC:\Windows\system32\knzrbl.exe 1472 "C:\Windows\SysWOW64\ujrwxg.exe"196⤵
-
C:\Windows\SysWOW64\uqpboo.exeC:\Windows\system32\uqpboo.exe 1488 "C:\Windows\SysWOW64\knzrbl.exe"197⤵
-
C:\Windows\SysWOW64\gojexw.exeC:\Windows\system32\gojexw.exe 1492 "C:\Windows\SysWOW64\uqpboo.exe"198⤵
-
C:\Windows\SysWOW64\tfezfx.exeC:\Windows\system32\tfezfx.exe 1496 "C:\Windows\SysWOW64\gojexw.exe"199⤵
-
C:\Windows\SysWOW64\ghkorj.exeC:\Windows\system32\ghkorj.exe 1500 "C:\Windows\SysWOW64\tfezfx.exe"200⤵
-
C:\Windows\SysWOW64\qjizmm.exeC:\Windows\system32\qjizmm.exe 1508 "C:\Windows\SysWOW64\ghkorj.exe"201⤵
-
C:\Windows\SysWOW64\dlooyr.exeC:\Windows\system32\dlooyr.exe 1504 "C:\Windows\SysWOW64\qjizmm.exe"202⤵
-
C:\Windows\SysWOW64\qyxedu.exeC:\Windows\system32\qyxedu.exe 1516 "C:\Windows\SysWOW64\dlooyr.exe"203⤵
-
C:\Windows\SysWOW64\dxahmd.exeC:\Windows\system32\dxahmd.exe 1512 "C:\Windows\SysWOW64\qyxedu.exe"204⤵
-
C:\Windows\SysWOW64\mdtwck.exeC:\Windows\system32\mdtwck.exe 1520 "C:\Windows\SysWOW64\dxahmd.exe"205⤵
-
C:\Windows\SysWOW64\cpbrgp.exeC:\Windows\system32\cpbrgp.exe 1536 "C:\Windows\SysWOW64\mdtwck.exe"206⤵
-
C:\Windows\SysWOW64\msqcbs.exeC:\Windows\system32\msqcbs.exe 1524 "C:\Windows\SysWOW64\cpbrgp.exe"207⤵
-
C:\Windows\SysWOW64\wdgmow.exeC:\Windows\system32\wdgmow.exe 1172 "C:\Windows\SysWOW64\msqcbs.exe"208⤵
-
C:\Windows\SysWOW64\mhohsb.exeC:\Windows\system32\mhohsb.exe 1544 "C:\Windows\SysWOW64\wdgmow.exe"209⤵
-
C:\Windows\SysWOW64\wvpeii.exeC:\Windows\system32\wvpeii.exe 1532 "C:\Windows\SysWOW64\mhohsb.exe"210⤵
-
C:\Windows\SysWOW64\jiyuom.exeC:\Windows\system32\jiyuom.exe 1540 "C:\Windows\SysWOW64\wvpeii.exe"211⤵
-
C:\Windows\SysWOW64\wzbxxm.exeC:\Windows\system32\wzbxxm.exe 1548 "C:\Windows\SysWOW64\jiyuom.exe"212⤵
-
C:\Windows\SysWOW64\fnuuvu.exeC:\Windows\system32\fnuuvu.exe 1556 "C:\Windows\SysWOW64\wzbxxm.exe"213⤵
-
C:\Windows\SysWOW64\vrcpzh.exeC:\Windows\system32\vrcpzh.exe 1552 "C:\Windows\SysWOW64\fnuuvu.exe"214⤵
-
C:\Windows\SysWOW64\fygmjg.exeC:\Windows\system32\fygmjg.exe 1560 "C:\Windows\SysWOW64\vrcpzh.exe"215⤵
-
C:\Windows\SysWOW64\ssmuvk.exeC:\Windows\system32\ssmuvk.exe 1564 "C:\Windows\SysWOW64\fygmjg.exe"216⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\frpxds.exeC:\Windows\system32\frpxds.exe 1568 "C:\Windows\SysWOW64\ssmuvk.exe"217⤵
-
C:\Windows\SysWOW64\slvmpf.exeC:\Windows\system32\slvmpf.exe 1572 "C:\Windows\SysWOW64\frpxds.exe"218⤵
-
C:\Windows\SysWOW64\cvkxka.exeC:\Windows\system32\cvkxka.exe 1588 "C:\Windows\SysWOW64\slvmpf.exe"219⤵
-
C:\Windows\SysWOW64\omfati.exeC:\Windows\system32\omfati.exe 1576 "C:\Windows\SysWOW64\cvkxka.exe"220⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\bkicbq.exeC:\Windows\system32\bkicbq.exe 1596 "C:\Windows\SysWOW64\omfati.exe"221⤵
-
C:\Windows\SysWOW64\oeoknv.exeC:\Windows\system32\oeoknv.exe 1580 "C:\Windows\SysWOW64\bkicbq.exe"222⤵
-
C:\Windows\SysWOW64\ypduay.exeC:\Windows\system32\ypduay.exe 1600 "C:\Windows\SysWOW64\oeoknv.exe"223⤵
-
C:\Windows\SysWOW64\otepel.exeC:\Windows\system32\otepel.exe 1592 "C:\Windows\SysWOW64\ypduay.exe"224⤵
-
C:\Windows\SysWOW64\yetazo.exeC:\Windows\system32\yetazo.exe 1604 "C:\Windows\SysWOW64\otepel.exe"225⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\kyhpkt.exeC:\Windows\system32\kyhpkt.exe 1608 "C:\Windows\SysWOW64\yetazo.exe"226⤵
-
C:\Windows\SysWOW64\ylrfqw.exeC:\Windows\system32\ylrfqw.exe 1612 "C:\Windows\SysWOW64\kyhpkt.exe"227⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\knxvcj.exeC:\Windows\system32\knxvcj.exe 1584 "C:\Windows\SysWOW64\ylrfqw.exe"228⤵
-
C:\Windows\SysWOW64\uxmfpe.exeC:\Windows\system32\uxmfpe.exe 1616 "C:\Windows\SysWOW64\knxvcj.exe"229⤵
-
C:\Windows\SysWOW64\hrsnir.exeC:\Windows\system32\hrsnir.exe 1620 "C:\Windows\SysWOW64\uxmfpe.exe"230⤵
-
C:\Windows\SysWOW64\uekdou.exeC:\Windows\system32\uekdou.exe 1628 "C:\Windows\SysWOW64\hrsnir.exe"231⤵
-
C:\Windows\SysWOW64\hdefxv.exeC:\Windows\system32\hdefxv.exe 1640 "C:\Windows\SysWOW64\uekdou.exe"232⤵
-
C:\Windows\SysWOW64\uthifd.exeC:\Windows\system32\uthifd.exe 1632 "C:\Windows\SysWOW64\hdefxv.exe"233⤵
-
C:\Windows\SysWOW64\wexssg.exeC:\Windows\system32\wexssg.exe 1528 "C:\Windows\SysWOW64\uthifd.exe"234⤵
-
C:\Windows\SysWOW64\jurvbo.exeC:\Windows\system32\jurvbo.exe 1644 "C:\Windows\SysWOW64\wexssg.exe"235⤵
-
C:\Windows\SysWOW64\vtmyko.exeC:\Windows\system32\vtmyko.exe 1636 "C:\Windows\SysWOW64\jurvbo.exe"236⤵
-
C:\Windows\SysWOW64\fznviw.exeC:\Windows\system32\fznviw.exe 1652 "C:\Windows\SysWOW64\vtmyko.exe"237⤵
-
C:\Windows\SysWOW64\vlvqmj.exeC:\Windows\system32\vlvqmj.exe 1624 "C:\Windows\SysWOW64\fznviw.exe"238⤵
-
C:\Windows\SysWOW64\fokaze.exeC:\Windows\system32\fokaze.exe 1656 "C:\Windows\SysWOW64\vlvqmj.exe"239⤵
-
C:\Windows\SysWOW64\sqqikq.exeC:\Windows\system32\sqqikq.exe 1668 "C:\Windows\SysWOW64\fokaze.exe"240⤵
-
C:\Windows\SysWOW64\fdiyqu.exeC:\Windows\system32\fdiyqu.exe 1660 "C:\Windows\SysWOW64\sqqikq.exe"241⤵