Analysis
- max time kernel: 150s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 22-06-2024 22:30
Behavioral tasks
- behavioral1: sample 0426e2d9d31e1ec5ba1fb430157e2ade_JaffaCakes118.exe, resource win7-20231129-en
- behavioral2: sample 0426e2d9d31e1ec5ba1fb430157e2ade_JaffaCakes118.exe, resource win10v2004-20240611-en
General
- Target: 0426e2d9d31e1ec5ba1fb430157e2ade_JaffaCakes118.exe
- Size: 445KB
- MD5: 0426e2d9d31e1ec5ba1fb430157e2ade
- SHA1: 0e0e81f266e139c746dd16da9bb43b7bc6df588c
- SHA256: a2e8e1f839693bb60e1a9b50987c7d4f4136a8da865d84662649dba65deed7f0
- SHA512: 0a6021022bb84d2f8f0ea186ed7ce1b7d37ca2160fb1efed20a26aed3ee6a6f94b01c642d2cd2184cb2fbe4cf63d70237e917c20ca29110059e13704693bbef0
- SSDEEP: 12288:cNo6BDYKR1kU+gLcnKNalKv1V0pjnGPz:cNJkU+aqzAP0Nn
Malware Config
Extracted
- metasploit: encoder/call4_dword_xor
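The extracted config names only the wrapper the payload was put through, Metasploit's x86/call4_dword_xor encoder, which is what the MetaSploit signature below keys on. The Python that follows is an added example, not code from this report or from Metasploit, showing what an analyst does with that fact: recognise the decoder stub in a memory dump or a carved blob, pull the four-byte key out of it, and XOR the body back to plaintext. The invariant stub bytes are transcribed from my recollection of modules/encoders/x86/call4_dword_xor.rb and should be checked against the module source; the counter setup in front of the call is generated with bad-character avoidance by the real module, so only the two plain `xor ecx,ecx / sub ecx,-N` encodings are parsed here, and the encoder function exists only to build test input. The payload bytes are constructed filler, not shellcode.

```python
"""Recognise and decode Metasploit's x86/call4_dword_xor stub.

Added example. Stub bytes follow modules/encoders/x86/call4_dword_xor.rb as I
recall it (verify against the module); the payload in the test is constructed
filler, not shellcode."""
from __future__ import annotations
import struct

# Invariant part of the decoder stub. What executes after the call:
#   e8 ff ff ff ff        call $+4   -> control lands on the last ff byte
#   ff c0                 inc eax    (formed by that ff and the c0)
#   5e                    pop esi    -> esi = address of the c0 byte
#   81 76 0e KK KK KK KK  xor dword [esi+0x0e], key ; esi+0x0e = first payload dword
#   83 ee fc              sub esi, -4
#   e2 f4                 loop       (ecx = number of dwords to decode)
STUB_HEAD = bytes.fromhex("e8ffffffffc05e81760e")   # ends right before the key
STUB_TAIL = bytes.fromhex("83eefce2f4")             # follows the key
KEY_LEN = 4
BODY_OFFSET = len(STUB_HEAD) + KEY_LEN + len(STUB_TAIL)   # 19 bytes after the e8


def encode_call4_dword_xor(payload: bytes, key: int) -> bytes:
    """Stub + XOR-encoded payload, used here to build test input. The real
    module varies the counter setup; this uses plain `xor ecx,ecx ; sub ecx,-N`."""
    padded = payload + b"\x00" * (-len(payload) % 4)
    n_dwords = len(padded) // 4
    counter = b"\x31\xc9" + b"\x81\xe9" + struct.pack("<i", -n_dwords)
    stub = counter + STUB_HEAD + struct.pack("<I", key) + STUB_TAIL
    body = b"".join(
        struct.pack("<I", struct.unpack("<I", padded[i:i + 4])[0] ^ key)
        for i in range(0, len(padded), 4)
    )
    return stub + body


def find_stub(blob: bytes) -> int:
    """Offset of the e8 byte of a stub whose head, key slot and tail line up, else -1.
    This is the byte pattern a YARA rule for the encoder would anchor on."""
    off = blob.find(STUB_HEAD)
    while off != -1:
        tail_at = off + len(STUB_HEAD) + KEY_LEN
        if blob[tail_at:tail_at + len(STUB_TAIL)] == STUB_TAIL:
            return off
        off = blob.find(STUB_HEAD, off + 1)
    return -1


def dword_count(blob: bytes, stub_off: int) -> int | None:
    """N from a `sub ecx, -N` immediately before the call, for the two plain
    encodings (81 e9 imm32 / 83 e9 imm8). None when the setup is a variant."""
    if stub_off >= 6 and blob[stub_off - 6:stub_off - 4] == b"\x81\xe9":
        return -struct.unpack("<i", blob[stub_off - 4:stub_off])[0]
    if stub_off >= 3 and blob[stub_off - 3:stub_off - 1] == b"\x83\xe9":
        return -struct.unpack("<b", blob[stub_off - 1:stub_off])[0]
    return None


def decode_call4_dword_xor(blob: bytes) -> tuple[int, bytes] | None:
    """(key, decoded payload), or None when no stub is present. If the dword
    count cannot be parsed, everything after the stub is decoded (may end in junk)."""
    off = find_stub(blob)
    if off == -1:
        return None
    key_at = off + len(STUB_HEAD)
    key = struct.unpack("<I", blob[key_at:key_at + KEY_LEN])[0]
    body = blob[off + BODY_OFFSET:]
    n = dword_count(blob, off)
    if n is not None:
        body = body[:4 * n]
    body = body[:len(body) - len(body) % 4]
    decoded = b"".join(
        struct.pack("<I", struct.unpack("<I", body[i:i + 4])[0] ^ key)
        for i in range(0, len(body), 4)
    )
    return key, decoded


if __name__ == "__main__":
    sample = b"\x90" * 5 + encode_call4_dword_xor(b"constructed-filler!!", 0xDEADBEEF)
    print(find_stub(sample), decode_call4_dword_xor(sample))
```

Because the key sits at a fixed distance from the invariant bytes, the same finder works on a process memory dump of any of the spawned processes; on a real sample, expect the counter setup to differ from the plain form and fall back to decoding to the end of the region.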
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Executes dropped EXE (64 IoCs)
Processes (pid, process):
2980  mqfqple.exe
2296  cbcdzhg.exe
2664  hwutelf.exe
2804  ohsybfo.exe
2468  bynbkft.exe
2108  lfzgudb.exe
2508  vipiihh.exe
2340  ivggnkg.exe
2828  sfwqjou.exe
3008  ceaotmu.exe
968   nabybhc.exe
1644  zfsbxqf.exe
1976  kbllfko.exe
1192  teiwsnv.exe
2952  ezbghiv.exe
1076  upmoozz.exe
2168  bxigapi.exe
1572  nczjpxl.exe
376   atumxgr.exe
1640  nrpogox.exe
948   aisrwoc.exe
1268  kshtkri.exe
2280  xjcwszo.exe
1848  khfzbhm.exe
2796  ukujwka.exe
1736  hapmflx.exe
2700  uzkpntd.exe
2592  gbqezxh.exe
2868  qenpmaw.exe
2628  ginkqos.exe
2136  qwozgvg.exe
1164  dnjcxvd.exe
2732  plmefdj.exe
1148  ccghomo.exe
2836  pabkwmm.exe
3000  zdrukpa.exe
2272  mbtxsxy.exe
964   zvzmmbk.exe
2252  jgppzfq.exe
2204  wwkshnw.exe
472   iyqhtza.exe
588   vpskbzg.exe
2452  iccahdf.exe
2300  smrkcgl.exe
2440  fdunlpq.exe
1448  sbppupw.exe
1180  ceeahsc.exe
1852  pgkhseh.exe
1772  ctcfyaf.exe
1952  ovinsns.exe
1812  tldqavp.exe
1628  dwsanye.exe
1636  qqgqzci.exe
2068  dobshlf.exe
2596  qfwvqtl.exe
2932  ddzyhtr.exe
1420  mkrnxae.exe
3028  zxjdcec.exe
3040  mveflei.exe
2872  wjedjmn.exe
1100  jahfsut.exe
2880  wqciacy.exe
2988  gbrtoxf.exe
3068  wfaoskb.exe
-
Loads dropped DLL (64 IoCs)
Processes (pid, process; each process appears twice in the source table, one row per loaded DLL):
2964  0426e2d9d31e1ec5ba1fb430157e2ade_JaffaCakes118.exe
2980  mqfqple.exe
2296  cbcdzhg.exe
2664  hwutelf.exe
2804  ohsybfo.exe
2468  bynbkft.exe
2108  lfzgudb.exe
2508  vipiihh.exe
2340  ivggnkg.exe
2828  sfwqjou.exe
3008  ceaotmu.exe
968   nabybhc.exe
1644  zfsbxqf.exe
1976  kbllfko.exe
1192  teiwsnv.exe
2952  ezbghiv.exe
1076  upmoozz.exe
2168  bxigapi.exe
1572  nczjpxl.exe
376   atumxgr.exe
1640  nrpogox.exe
948   aisrwoc.exe
1268  kshtkri.exe
2280  xjcwszo.exe
1848  khfzbhm.exe
2796  ukujwka.exe
1736  hapmflx.exe
2700  uzkpntd.exe
2592  gbqezxh.exe
2868  qenpmaw.exe
2628  ginkqos.exe
2136  qwozgvg.exe
-
Drops file in System32 directory (64 IoCs)
Processes (description | ioc | process):
File created | C:\Windows\SysWOW64\cfdjelt.exe | poigwlv.exe
File opened for modification | C:\Windows\SysWOW64\rrhzglu.exe | epbjuzq.exe
File created | C:\Windows\SysWOW64\vmlrxtk.exe | ljvhjqw.exe
File created | C:\Windows\SysWOW64\wbjpcth.exe | nytepqt.exe
File created | C:\Windows\SysWOW64\bjmpjau.exe | okrnbsp.exe
File created | C:\Windows\SysWOW64\jzusfng.exe | zofiskz.exe
File created | C:\Windows\SysWOW64\qwzlcob.exe | dgejugv.exe
File created | C:\Windows\SysWOW64\pudyopd.exe | daxjccz.exe
File opened for modification | C:\Windows\SysWOW64\bcckjgs.exe | oezhaym.exe
File opened for modification | C:\Windows\SysWOW64\gaaqdkz.exe | tjgoukt.exe
File opened for modification | C:\Windows\SysWOW64\hvjtheq.exe | xltjubb.exe
File opened for modification | C:\Windows\SysWOW64\limbasq.exe | ysryssk.exe
File created | C:\Windows\SysWOW64\dobshlf.exe | qqgqzci.exe
File created | C:\Windows\SysWOW64\vussanu.exe | iwxpjfo.exe
File created | C:\Windows\SysWOW64\itzhhbl.exe | yfyrjuy.exe
File opened for modification | C:\Windows\SysWOW64\bdaxstw.exe | rskmfqp.exe
File created | C:\Windows\SysWOW64\dtlihej.exe | ujoxtbu.exe
File created | C:\Windows\SysWOW64\ybvhyac.exe | ldampse.exe
File created | C:\Windows\SysWOW64\ijplkhi.exe | yzabxeb.exe
File opened for modification | C:\Windows\SysWOW64\fdunlpq.exe | smrkcgl.exe
File opened for modification | C:\Windows\SysWOW64\dyociny.exe | qztzznb.exe
File created | C:\Windows\SysWOW64\ozprbfr.exe | exahgcd.exe
File opened for modification | C:\Windows\SysWOW64\hkoufbi.exe | vmlrxtk.exe
File created | C:\Windows\SysWOW64\tijjweg.exe | jflyjbr.exe
File opened for modification | C:\Windows\SysWOW64\rilpshk.exe | fkqnjye.exe
File opened for modification | C:\Windows\SysWOW64\tvyzbxi.exe | gedwspc.exe
File created | C:\Windows\SysWOW64\upmoozz.exe | ezbghiv.exe
File created | C:\Windows\SysWOW64\vpskbzg.exe | iyqhtza.exe
File created | C:\Windows\SysWOW64\hvyvels.exe | rryaafv.exe
File opened for modification | C:\Windows\SysWOW64\dumdwin.exe | urxtjnz.exe
File created | C:\Windows\SysWOW64\bxinygg.exe | ohokpyb.exe
File created | C:\Windows\SysWOW64\fqjqnkx.exe | szooecr.exe
File created | C:\Windows\SysWOW64\qqlizok.exe | daigqgf.exe
File created | C:\Windows\SysWOW64\ceaotmu.exe | sfwqjou.exe
File opened for modification | C:\Windows\SysWOW64\mvnlkap.exe | cpmoutk.exe
File opened for modification | C:\Windows\SysWOW64\qqxpmii.exe | dwraawe.exe
File created | C:\Windows\SysWOW64\lzizrbo.exe | zbnwjtr.exe
File created | C:\Windows\SysWOW64\cuokssr.exe | pvthjkl.exe
File opened for modification | C:\Windows\SysWOW64\rjshiwl.exe | hvsjkoy.exe
File created | C:\Windows\SysWOW64\poigwlv.exe | gahryei.exe
File created | C:\Windows\SysWOW64\bsyyynd.exe | oysinaz.exe
File created | C:\Windows\SysWOW64\brihdsd.exe | obneukx.exe
File created | C:\Windows\SysWOW64\udnbaqe.exe | erfgwdh.exe
File created | C:\Windows\SysWOW64\toqsdpv.exe | gyvpupy.exe
File created | C:\Windows\SysWOW64\anxqcdy.exe | kjxdyqt.exe
File opened for modification | C:\Windows\SysWOW64\bneesqh.exe | opjbjqj.exe
File created | C:\Windows\SysWOW64\flfhdek.exe | snleudn.exe
File opened for modification | C:\Windows\SysWOW64\itdtbix.exe | duiqsar.exe
File opened for modification | C:\Windows\SysWOW64\abalmrr.exe | qqlizok.exe
File created | C:\Windows\SysWOW64\ycjrkid.exe | iyjehvg.exe
File opened for modification | C:\Windows\SysWOW64\xmrvwdz.exe | kvxsocb.exe
File opened for modification | C:\Windows\SysWOW64\kirjwow.exe | xvhuqlx.exe
File opened for modification | C:\Windows\SysWOW64\utwsssa.exe | hcbpcrv.exe
File opened for modification | C:\Windows\SysWOW64\ktsxwzf.exe | xvxvnzz.exe
File opened for modification | C:\Windows\SysWOW64\xafuevw.exe | kkkswnq.exe
File created | C:\Windows\SysWOW64\gkwbune.exe | tubzlfy.exe
File opened for modification | C:\Windows\SysWOW64\ymgakch.exe | lzxceyi.exe
File created | C:\Windows\SysWOW64\sbctwsz.exe | iynqbpl.exe
File opened for modification | C:\Windows\SysWOW64\tlwpxbg.exe | hjqhmwc.exe
File opened for modification | C:\Windows\SysWOW64\ucznjww.exe | hmelbwq.exe
File created | C:\Windows\SysWOW64\jvfqwcg.exe | wxkonuj.exe
File created | C:\Windows\SysWOW64\ibywnpb.exe | yqjmslv.exe
File created | C:\Windows\SysWOW64\pkorjqa.exe | cqijqdo.exe
File created | C:\Windows\SysWOW64\rbalgyo.exe | elxqqqi.exe
-
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description: PID <parent> wrote to memory of <child>; every pair appears four times in the source table, and in every pair the target is the process the parent has just launched, which is consistent with the writes made during process creation rather than with injection into an unrelated process):
PID 2964 (0426e2d9d31e1ec5ba1fb430157e2ade_JaffaCakes118.exe) wrote to memory of 2980 (mqfqple.exe)
PID 2980 (mqfqple.exe) wrote to memory of 2296 (cbcdzhg.exe)
PID 2296 (cbcdzhg.exe) wrote to memory of 2664 (hwutelf.exe)
PID 2664 (hwutelf.exe) wrote to memory of 2804 (ohsybfo.exe)
PID 2804 (ohsybfo.exe) wrote to memory of 2468 (bynbkft.exe)
PID 2468 (bynbkft.exe) wrote to memory of 2108 (lfzgudb.exe)
PID 2108 (lfzgudb.exe) wrote to memory of 2508 (vipiihh.exe)
PID 2508 (vipiihh.exe) wrote to memory of 2340 (ivggnkg.exe)
PID 2340 (ivggnkg.exe) wrote to memory of 2828 (sfwqjou.exe)
PID 2828 (sfwqjou.exe) wrote to memory of 3008 (ceaotmu.exe)
PID 3008 (ceaotmu.exe) wrote to memory of 968 (nabybhc.exe)
PID 968 (nabybhc.exe) wrote to memory of 1644 (zfsbxqf.exe)
PID 1644 (zfsbxqf.exe) wrote to memory of 1976 (kbllfko.exe)
PID 1976 (kbllfko.exe) wrote to memory of 1192 (teiwsnv.exe)
PID 1192 (teiwsnv.exe) wrote to memory of 2952 (ezbghiv.exe)
PID 2952 (ezbghiv.exe) wrote to memory of 1076 (upmoozz.exe)
Processes (each entry gives the image path immediately followed by the command line as logged, the depth in the tree, the matched signatures and the PID)
-
C:\Users\Admin\AppData\Local\Temp\0426e2d9d31e1ec5ba1fb430157e2ade_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\0426e2d9d31e1ec5ba1fb430157e2ade_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\mqfqple.exeC:\Windows\system32\mqfqple.exe 476 "C:\Users\Admin\AppData\Local\Temp\0426e2d9d31e1ec5ba1fb430157e2ade_JaffaCakes118.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\cbcdzhg.exeC:\Windows\system32\cbcdzhg.exe 532 "C:\Windows\SysWOW64\mqfqple.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\hwutelf.exeC:\Windows\system32\hwutelf.exe 544 "C:\Windows\SysWOW64\cbcdzhg.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\ohsybfo.exeC:\Windows\system32\ohsybfo.exe 536 "C:\Windows\SysWOW64\hwutelf.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\bynbkft.exeC:\Windows\system32\bynbkft.exe 548 "C:\Windows\SysWOW64\ohsybfo.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\lfzgudb.exeC:\Windows\system32\lfzgudb.exe 540 "C:\Windows\SysWOW64\bynbkft.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\vipiihh.exeC:\Windows\system32\vipiihh.exe 552 "C:\Windows\SysWOW64\lfzgudb.exe"8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\ivggnkg.exeC:\Windows\system32\ivggnkg.exe 556 "C:\Windows\SysWOW64\vipiihh.exe"9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\sfwqjou.exeC:\Windows\system32\sfwqjou.exe 568 "C:\Windows\SysWOW64\ivggnkg.exe"10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\ceaotmu.exeC:\Windows\system32\ceaotmu.exe 560 "C:\Windows\SysWOW64\sfwqjou.exe"11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\nabybhc.exeC:\Windows\system32\nabybhc.exe 584 "C:\Windows\SysWOW64\ceaotmu.exe"12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:968 -
C:\Windows\SysWOW64\zfsbxqf.exeC:\Windows\system32\zfsbxqf.exe 564 "C:\Windows\SysWOW64\nabybhc.exe"13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\SysWOW64\kbllfko.exeC:\Windows\system32\kbllfko.exe 572 "C:\Windows\SysWOW64\zfsbxqf.exe"14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\teiwsnv.exeC:\Windows\system32\teiwsnv.exe 576 "C:\Windows\SysWOW64\kbllfko.exe"15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1192 -
C:\Windows\SysWOW64\ezbghiv.exeC:\Windows\system32\ezbghiv.exe 592 "C:\Windows\SysWOW64\teiwsnv.exe"16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\upmoozz.exeC:\Windows\system32\upmoozz.exe 580 "C:\Windows\SysWOW64\ezbghiv.exe"17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1076 -
C:\Windows\SysWOW64\bxigapi.exeC:\Windows\system32\bxigapi.exe 588 "C:\Windows\SysWOW64\upmoozz.exe"18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2168 -
C:\Windows\SysWOW64\nczjpxl.exeC:\Windows\system32\nczjpxl.exe 596 "C:\Windows\SysWOW64\bxigapi.exe"19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1572 -
C:\Windows\SysWOW64\atumxgr.exeC:\Windows\system32\atumxgr.exe 600 "C:\Windows\SysWOW64\nczjpxl.exe"20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:376 -
C:\Windows\SysWOW64\nrpogox.exeC:\Windows\system32\nrpogox.exe 604 "C:\Windows\SysWOW64\atumxgr.exe"21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1640 -
C:\Windows\SysWOW64\aisrwoc.exeC:\Windows\system32\aisrwoc.exe 612 "C:\Windows\SysWOW64\nrpogox.exe"22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:948 -
C:\Windows\SysWOW64\kshtkri.exeC:\Windows\system32\kshtkri.exe 608 "C:\Windows\SysWOW64\aisrwoc.exe"23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1268 -
C:\Windows\SysWOW64\xjcwszo.exeC:\Windows\system32\xjcwszo.exe 616 "C:\Windows\SysWOW64\kshtkri.exe"24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2280 -
C:\Windows\SysWOW64\khfzbhm.exeC:\Windows\system32\khfzbhm.exe 620 "C:\Windows\SysWOW64\xjcwszo.exe"25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1848 -
C:\Windows\SysWOW64\ukujwka.exeC:\Windows\system32\ukujwka.exe 628 "C:\Windows\SysWOW64\khfzbhm.exe"26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2796 -
C:\Windows\SysWOW64\hapmflx.exeC:\Windows\system32\hapmflx.exe 632 "C:\Windows\SysWOW64\ukujwka.exe"27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1736 -
C:\Windows\SysWOW64\uzkpntd.exeC:\Windows\system32\uzkpntd.exe 636 "C:\Windows\SysWOW64\hapmflx.exe"28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2700 -
C:\Windows\SysWOW64\gbqezxh.exeC:\Windows\system32\gbqezxh.exe 624 "C:\Windows\SysWOW64\uzkpntd.exe"29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2592 -
C:\Windows\SysWOW64\qenpmaw.exeC:\Windows\system32\qenpmaw.exe 640 "C:\Windows\SysWOW64\gbqezxh.exe"30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2868 -
C:\Windows\SysWOW64\ginkqos.exeC:\Windows\system32\ginkqos.exe 644 "C:\Windows\SysWOW64\qenpmaw.exe"31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2628 -
C:\Windows\SysWOW64\qwozgvg.exeC:\Windows\system32\qwozgvg.exe 648 "C:\Windows\SysWOW64\ginkqos.exe"32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2136 -
C:\Windows\SysWOW64\dnjcxvd.exeC:\Windows\system32\dnjcxvd.exe 652 "C:\Windows\SysWOW64\qwozgvg.exe"33⤵
- Executes dropped EXE
PID:1164 -
C:\Windows\SysWOW64\plmefdj.exeC:\Windows\system32\plmefdj.exe 656 "C:\Windows\SysWOW64\dnjcxvd.exe"34⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\ccghomo.exeC:\Windows\system32\ccghomo.exe 660 "C:\Windows\SysWOW64\plmefdj.exe"35⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\pabkwmm.exeC:\Windows\system32\pabkwmm.exe 664 "C:\Windows\SysWOW64\ccghomo.exe"36⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\zdrukpa.exeC:\Windows\system32\zdrukpa.exe 680 "C:\Windows\SysWOW64\pabkwmm.exe"37⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\mbtxsxy.exeC:\Windows\system32\mbtxsxy.exe 684 "C:\Windows\SysWOW64\zdrukpa.exe"38⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\zvzmmbk.exeC:\Windows\system32\zvzmmbk.exe 668 "C:\Windows\SysWOW64\mbtxsxy.exe"39⤵
- Executes dropped EXE
PID:964 -
C:\Windows\SysWOW64\jgppzfq.exeC:\Windows\system32\jgppzfq.exe 688 "C:\Windows\SysWOW64\zvzmmbk.exe"40⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\wwkshnw.exeC:\Windows\system32\wwkshnw.exe 672 "C:\Windows\SysWOW64\jgppzfq.exe"41⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\iyqhtza.exeC:\Windows\system32\iyqhtza.exe 704 "C:\Windows\SysWOW64\wwkshnw.exe"42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:472 -
C:\Windows\SysWOW64\vpskbzg.exeC:\Windows\system32\vpskbzg.exe 676 "C:\Windows\SysWOW64\iyqhtza.exe"43⤵
- Executes dropped EXE
PID:588 -
C:\Windows\SysWOW64\iccahdf.exeC:\Windows\system32\iccahdf.exe 692 "C:\Windows\SysWOW64\vpskbzg.exe"44⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\smrkcgl.exeC:\Windows\system32\smrkcgl.exe 700 "C:\Windows\SysWOW64\iccahdf.exe"45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2300 -
C:\Windows\SysWOW64\fdunlpq.exeC:\Windows\system32\fdunlpq.exe 712 "C:\Windows\SysWOW64\smrkcgl.exe"46⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\sbppupw.exeC:\Windows\system32\sbppupw.exe 716 "C:\Windows\SysWOW64\fdunlpq.exe"47⤵
- Executes dropped EXE
PID:1448 -
C:\Windows\SysWOW64\ceeahsc.exeC:\Windows\system32\ceeahsc.exe 696 "C:\Windows\SysWOW64\sbppupw.exe"48⤵
- Executes dropped EXE
PID:1180 -
C:\Windows\SysWOW64\pgkhseh.exeC:\Windows\system32\pgkhseh.exe 708 "C:\Windows\SysWOW64\ceeahsc.exe"49⤵
- Executes dropped EXE
PID:1852 -
C:\Windows\SysWOW64\ctcfyaf.exeC:\Windows\system32\ctcfyaf.exe 736 "C:\Windows\SysWOW64\pgkhseh.exe"50⤵
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\ovinsns.exeC:\Windows\system32\ovinsns.exe 720 "C:\Windows\SysWOW64\ctcfyaf.exe"51⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\tldqavp.exeC:\Windows\system32\tldqavp.exe 732 "C:\Windows\SysWOW64\ovinsns.exe"52⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\dwsanye.exeC:\Windows\system32\dwsanye.exe 728 "C:\Windows\SysWOW64\tldqavp.exe"53⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\qqgqzci.exeC:\Windows\system32\qqgqzci.exe 724 "C:\Windows\SysWOW64\dwsanye.exe"54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1636 -
C:\Windows\SysWOW64\dobshlf.exeC:\Windows\system32\dobshlf.exe 740 "C:\Windows\SysWOW64\qqgqzci.exe"55⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\qfwvqtl.exeC:\Windows\system32\qfwvqtl.exe 744 "C:\Windows\SysWOW64\dobshlf.exe"56⤵
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\ddzyhtr.exeC:\Windows\system32\ddzyhtr.exe 748 "C:\Windows\SysWOW64\qfwvqtl.exe"57⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\mkrnxae.exeC:\Windows\system32\mkrnxae.exe 752 "C:\Windows\SysWOW64\ddzyhtr.exe"58⤵
- Executes dropped EXE
PID:1420 -
C:\Windows\SysWOW64\zxjdcec.exeC:\Windows\system32\zxjdcec.exe 756 "C:\Windows\SysWOW64\mkrnxae.exe"59⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\mveflei.exeC:\Windows\system32\mveflei.exe 760 "C:\Windows\SysWOW64\zxjdcec.exe"60⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\wjedjmn.exeC:\Windows\system32\wjedjmn.exe 764 "C:\Windows\SysWOW64\mveflei.exe"61⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\jahfsut.exeC:\Windows\system32\jahfsut.exe 784 "C:\Windows\SysWOW64\wjedjmn.exe"62⤵
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\wqciacy.exeC:\Windows\system32\wqciacy.exe 768 "C:\Windows\SysWOW64\jahfsut.exe"63⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\gbrtoxf.exeC:\Windows\system32\gbrtoxf.exe 780 "C:\Windows\SysWOW64\wqciacy.exe"64⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\wfaoskb.exeC:\Windows\system32\wfaoskb.exe 776 "C:\Windows\SysWOW64\gbrtoxf.exe"65⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\gqpyfoq.exeC:\Windows\system32\gqpyfoq.exe 788 "C:\Windows\SysWOW64\wfaoskb.exe"66⤵PID:1616
-
C:\Windows\SysWOW64\sgkbnon.exeC:\Windows\system32\sgkbnon.exe 772 "C:\Windows\SysWOW64\gqpyfoq.exe"67⤵PID:1748
-
C:\Windows\SysWOW64\fiqihaa.exeC:\Windows\system32\fiqihaa.exe 808 "C:\Windows\SysWOW64\sgkbnon.exe"68⤵PID:2332
-
C:\Windows\SysWOW64\szllpix.exeC:\Windows\system32\szllpix.exe 792 "C:\Windows\SysWOW64\fiqihaa.exe"69⤵PID:1708
-
C:\Windows\SysWOW64\fxnoyid.exeC:\Windows\system32\fxnoyid.exe 804 "C:\Windows\SysWOW64\szllpix.exe"70⤵PID:1488
-
C:\Windows\SysWOW64\padylmj.exeC:\Windows\system32\padylmj.exe 820 "C:\Windows\SysWOW64\fxnoyid.exe"71⤵PID:596
-
C:\Windows\SysWOW64\cyybuup.exeC:\Windows\system32\cyybuup.exe 796 "C:\Windows\SysWOW64\padylmj.exe"72⤵PID:1476
-
C:\Windows\SysWOW64\ppadccu.exeC:\Windows\system32\ppadccu.exe 812 "C:\Windows\SysWOW64\cyybuup.exe"73⤵PID:1840
-
C:\Windows\SysWOW64\ydtbabh.exeC:\Windows\system32\ydtbabh.exe 832 "C:\Windows\SysWOW64\ppadccu.exe"74⤵PID:856
-
C:\Windows\SysWOW64\ltwwjkf.exeC:\Windows\system32\ltwwjkf.exe 800 "C:\Windows\SysWOW64\ydtbabh.exe"75⤵PID:1680
-
C:\Windows\SysWOW64\ysryssk.exeC:\Windows\system32\ysryssk.exe 828 "C:\Windows\SysWOW64\ltwwjkf.exe"76⤵
- Drops file in System32 directory
PID:1776 -
C:\Windows\SysWOW64\limbasq.exeC:\Windows\system32\limbasq.exe 816 "C:\Windows\SysWOW64\ysryssk.exe"77⤵PID:2344
-
C:\Windows\SysWOW64\yzoejan.exeC:\Windows\system32\yzoejan.exe 844 "C:\Windows\SysWOW64\limbasq.exe"78⤵PID:2352
-
C:\Windows\SysWOW64\inpbhha.exeC:\Windows\system32\inpbhha.exe 836 "C:\Windows\SysWOW64\yzoejan.exe"79⤵PID:2228
-
C:\Windows\SysWOW64\vlkepqg.exeC:\Windows\system32\vlkepqg.exe 840 "C:\Windows\SysWOW64\inpbhha.exe"80⤵PID:2056
-
C:\Windows\SysWOW64\iybtvlf.exeC:\Windows\system32\iybtvlf.exe 848 "C:\Windows\SysWOW64\vlkepqg.exe"81⤵PID:2608
-
C:\Windows\SysWOW64\rfurlts.exeC:\Windows\system32\rfurlts.exe 856 "C:\Windows\SysWOW64\iybtvlf.exe"82⤵PID:2940
-
C:\Windows\SysWOW64\edxtubx.exeC:\Windows\system32\edxtubx.exe 824 "C:\Windows\SysWOW64\rfurlts.exe"83⤵PID:2772
-
C:\Windows\SysWOW64\ruswdjv.exeC:\Windows\system32\ruswdjv.exe 876 "C:\Windows\SysWOW64\edxtubx.exe"84⤵PID:2672
-
C:\Windows\SysWOW64\esmrljb.exeC:\Windows\system32\esmrljb.exe 860 "C:\Windows\SysWOW64\ruswdjv.exe"85⤵PID:2584
-
C:\Windows\SysWOW64\rjptcsg.exeC:\Windows\system32\rjptcsg.exe 864 "C:\Windows\SysWOW64\esmrljb.exe"86⤵PID:1112
-
C:\Windows\SysWOW64\bxqrszt.exeC:\Windows\system32\bxqrszt.exe 868 "C:\Windows\SysWOW64\rjptcsg.exe"87⤵PID:2908
-
C:\Windows\SysWOW64\okzhyvs.exeC:\Windows\system32\okzhyvs.exe 852 "C:\Windows\SysWOW64\bxqrszt.exe"88⤵PID:2864
-
C:\Windows\SysWOW64\bacjgdy.exeC:\Windows\system32\bacjgdy.exe 872 "C:\Windows\SysWOW64\okzhyvs.exe"89⤵PID:1540
-
C:\Windows\SysWOW64\ncizspc.exeC:\Windows\system32\ncizspc.exe 880 "C:\Windows\SysWOW64\bacjgdy.exe"90⤵PID:916
-
C:\Windows\SysWOW64\atdcaqh.exeC:\Windows\system32\atdcaqh.exe 884 "C:\Windows\SysWOW64\ncizspc.exe"91⤵PID:1800
-
C:\Windows\SysWOW64\kdsmvto.exeC:\Windows\system32\kdsmvto.exe 888 "C:\Windows\SysWOW64\atdcaqh.exe"92⤵PID:776
-
C:\Windows\SysWOW64\xunpebt.exeC:\Windows\system32\xunpebt.exe 892 "C:\Windows\SysWOW64\kdsmvto.exe"93⤵PID:1264
-
C:\Windows\SysWOW64\ksqjnjr.exeC:\Windows\system32\ksqjnjr.exe 900 "C:\Windows\SysWOW64\xunpebt.exe"94⤵PID:1480
-
C:\Windows\SysWOW64\uvfuaef.exeC:\Windows\system32\uvfuaef.exe 896 "C:\Windows\SysWOW64\ksqjnjr.exe"95⤵PID:412
-
C:\Windows\SysWOW64\hxljlrk.exeC:\Windows\system32\hxljlrk.exe 904 "C:\Windows\SysWOW64\uvfuaef.exe"96⤵PID:1928
-
C:\Windows\SysWOW64\tngmczp.exeC:\Windows\system32\tngmczp.exe 908 "C:\Windows\SysWOW64\hxljlrk.exe"97⤵PID:796
-
C:\Windows\SysWOW64\gmjplzn.exeC:\Windows\system32\gmjplzn.exe 928 "C:\Windows\SysWOW64\tngmczp.exe"98⤵PID:2000
-
C:\Windows\SysWOW64\qoyzycb.exeC:\Windows\system32\qoyzycb.exe 912 "C:\Windows\SysWOW64\gmjplzn.exe"99⤵PID:1068
-
C:\Windows\SysWOW64\gbzucpy.exeC:\Windows\system32\gbzucpy.exe 924 "C:\Windows\SysWOW64\qoyzycb.exe"100⤵PID:2424
-
C:\Windows\SysWOW64\ihzksxd.exeC:\Windows\system32\ihzksxd.exe 916 "C:\Windows\SysWOW64\gbzucpy.exe"101⤵PID:604
-
C:\Windows\SysWOW64\vfcmaxi.exeC:\Windows\system32\vfcmaxi.exe 936 "C:\Windows\SysWOW64\ihzksxd.exe"102⤵PID:2160
-
C:\Windows\SysWOW64\iwxpjfo.exeC:\Windows\system32\iwxpjfo.exe 920 "C:\Windows\SysWOW64\vfcmaxi.exe"103⤵
- Drops file in System32 directory
PID:772 -
C:\Windows\SysWOW64\vussanu.exeC:\Windows\system32\vussanu.exe 952 "C:\Windows\SysWOW64\iwxpjfo.exe"104⤵PID:2092
-
C:\Windows\SysWOW64\ilnuinr.exeC:\Windows\system32\ilnuinr.exe 940 "C:\Windows\SysWOW64\vussanu.exe"105⤵PID:2876
-
C:\Windows\SysWOW64\rznsyve.exeC:\Windows\system32\rznsyve.exe 960 "C:\Windows\SysWOW64\ilnuinr.exe"106⤵PID:2696
-
C:\Windows\SysWOW64\emfhezd.exeC:\Windows\system32\emfhezd.exe 932 "C:\Windows\SysWOW64\rznsyve.exe"107⤵PID:2580
-
C:\Windows\SysWOW64\rcaknzi.exeC:\Windows\system32\rcaknzi.exe 944 "C:\Windows\SysWOW64\emfhezd.exe"108⤵PID:2540
-
C:\Windows\SysWOW64\eegayln.exeC:\Windows\system32\eegayln.exe 948 "C:\Windows\SysWOW64\rcaknzi.exe"109⤵PID:2172
-
C:\Windows\SysWOW64\rvichus.exeC:\Windows\system32\rvichus.exe 968 "C:\Windows\SysWOW64\eegayln.exe"110⤵PID:1740
-
C:\Windows\SysWOW64\bfyfcxz.exeC:\Windows\system32\bfyfcxz.exe 964 "C:\Windows\SysWOW64\rvichus.exe"111⤵PID:2644
-
C:\Windows\SysWOW64\nhevnbl.exeC:\Windows\system32\nhevnbl.exe 976 "C:\Windows\SysWOW64\bfyfcxz.exe"112⤵PID:3024
-
C:\Windows\SysWOW64\ayzxwjj.exeC:\Windows\system32\ayzxwjj.exe 972 "C:\Windows\SysWOW64\nhevnbl.exe"113⤵PID:1376
-
C:\Windows\SysWOW64\nocaero.exeC:\Windows\system32\nocaero.exe 980 "C:\Windows\SysWOW64\ayzxwjj.exe"114⤵PID:1604
-