Analysis
- max time kernel: 150s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-06-2024 22:30
Behavioral task: behavioral1
- Sample: 0426e2d9d31e1ec5ba1fb430157e2ade_JaffaCakes118.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 0426e2d9d31e1ec5ba1fb430157e2ade_JaffaCakes118.exe
- Resource: win10v2004-20240611-en
General
- Target: 0426e2d9d31e1ec5ba1fb430157e2ade_JaffaCakes118.exe
- Size: 445KB
- MD5: 0426e2d9d31e1ec5ba1fb430157e2ade
- SHA1: 0e0e81f266e139c746dd16da9bb43b7bc6df588c
- SHA256: a2e8e1f839693bb60e1a9b50987c7d4f4136a8da865d84662649dba65deed7f0
- SHA512: 0a6021022bb84d2f8f0ea186ed7ce1b7d37ca2160fb1efed20a26aed3ee6a6f94b01c642d2cd2184cb2fbe4cf63d70237e917c20ca29110059e13704693bbef0
- SSDEEP: 12288:cNo6BDYKR1kU+gLcnKNalKv1V0pjnGPz:cNJkU+aqzAP0Nn
Malware Config
- Extracted: metasploit
- Encoder: encoder/call4_dword_xor
Signatures
- MetaSploit: Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Executes dropped EXE (64 IoCs)
- Drops file in System32 directory (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Process tree, one process per line: depth, PID, image path, command line, matched signatures in brackets. Each process spawns the one listed after it.
1  PID 4880  C:\Users\Admin\AppData\Local\Temp\0426e2d9d31e1ec5ba1fb430157e2ade_JaffaCakes118.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\0426e2d9d31e1ec5ba1fb430157e2ade_JaffaCakes118.exe"  [Suspicious use of WriteProcessMemory]
2  PID 3364  C:\Windows\SysWOW64\zcobiqg.exe  cmd: C:\Windows\system32\zcobiqg.exe 1148 "C:\Users\Admin\AppData\Local\Temp\0426e2d9d31e1ec5ba1fb430157e2ade_JaffaCakes118.exe"  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
3  PID 4992  C:\Windows\SysWOW64\twtqijo.exe  cmd: C:\Windows\system32\twtqijo.exe 1156 "C:\Windows\SysWOW64\zcobiqg.exe"  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
4  PID 4964  C:\Windows\SysWOW64\epjonzi.exe  cmd: C:\Windows\system32\epjonzi.exe 1160 "C:\Windows\SysWOW64\twtqijo.exe"  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
5  PID 4016  C:\Windows\SysWOW64\rcbetdp.exe  cmd: C:\Windows\system32\rcbetdp.exe 1152 "C:\Windows\SysWOW64\epjonzi.exe"  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
6  PID 604  C:\Windows\SysWOW64\bmqoggv.exe  cmd: C:\Windows\system32\bmqoggv.exe 1164 "C:\Windows\SysWOW64\rcbetdp.exe"  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
7  PID 5060  C:\Windows\SysWOW64\oziemcu.exe  cmd: C:\Windows\system32\oziemcu.exe 1168 "C:\Windows\SysWOW64\bmqoggv.exe"  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
8  PID 1948  C:\Windows\SysWOW64\bmrbsgt.exe  cmd: C:\Windows\system32\bmrbsgt.exe 1172 "C:\Windows\SysWOW64\oziemcu.exe"  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
9  PID 1592  C:\Windows\SysWOW64\mismhau.exe  cmd: C:\Windows\system32\mismhau.exe 1176 "C:\Windows\SysWOW64\bmrbsgt.exe"  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
10  PID 636  C:\Windows\SysWOW64\ykybtng.exe  cmd: C:\Windows\system32\ykybtng.exe 1184 "C:\Windows\SysWOW64\mismhau.exe"  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
11  PID 2256  C:\Windows\SysWOW64\lxqryqf.exe  cmd: C:\Windows\system32\lxqryqf.exe 1188 "C:\Windows\SysWOW64\ykybtng.exe"  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
12  PID 3328  C:\Windows\SysWOW64\tbseich.exe  cmd: C:\Windows\system32\tbseich.exe 1180 "C:\Windows\SysWOW64\lxqryqf.exe"  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
13  PID 2484  C:\Windows\SysWOW64\gojuofg.exe  cmd: C:\Windows\system32\gojuofg.exe 1192 "C:\Windows\SysWOW64\tbseich.exe"  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
14  PID 4088  C:\Windows\SysWOW64\wskpsll.exe  cmd: C:\Windows\system32\wskpsll.exe 1196 "C:\Windows\SysWOW64\gojuofg.exe"  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
15  PID 4000  C:\Windows\SysWOW64\hokzhfm.exe  cmd: C:\Windows\system32\hokzhfm.exe 1204 "C:\Windows\SysWOW64\wskpsll.exe"  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
16  PID 3936  C:\Windows\SysWOW64\rvxxset.exe  cmd: C:\Windows\system32\rvxxset.exe 1200 "C:\Windows\SysWOW64\hokzhfm.exe"  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
17  PID 4464  C:\Windows\SysWOW64\dpdndqy.exe  cmd: C:\Windows\system32\dpdndqy.exe 1208 "C:\Windows\SysWOW64\rvxxset.exe"  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
18  PID 4416  C:\Windows\SysWOW64\rcmcjmw.exe  cmd: C:\Windows\system32\rcmcjmw.exe 1216 "C:\Windows\SysWOW64\dpdndqy.exe"  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
19  PID 3188  C:\Windows\SysWOW64\exespqv.exe  cmd: C:\Windows\system32\exespqv.exe 1212 "C:\Windows\SysWOW64\rcmcjmw.exe"  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
20  PID 4828  C:\Windows\SysWOW64\owiphpd.exe  cmd: C:\Windows\system32\owiphpd.exe 1220 "C:\Windows\SysWOW64\exespqv.exe"  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
21  PID 4344  C:\Windows\SysWOW64\ysjipjd.exe  cmd: C:\Windows\system32\ysjipjd.exe 1224 "C:\Windows\SysWOW64\owiphpd.exe"  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
22  PID 2636  C:\Windows\SysWOW64\jnkswee.exe  cmd: C:\Windows\system32\jnkswee.exe 1232 "C:\Windows\SysWOW64\ysjipjd.exe"  [Executes dropped EXE]
23  PID 1968  C:\Windows\SysWOW64\weevfmk.exe  cmd: C:\Windows\system32\weevfmk.exe 1228 "C:\Windows\SysWOW64\jnkswee.exe"  [Suspicious use of WriteProcessMemory]
24  PID 4272  C:\Windows\SysWOW64\lqnqjrg.exe  cmd: C:\Windows\system32\lqnqjrg.exe 1240 "C:\Windows\SysWOW64\weevfmk.exe"  [Executes dropped EXE]
25  PID 3848  C:\Windows\SysWOW64\wprntqo.exe  cmd: C:\Windows\system32\wprntqo.exe 1244 "C:\Windows\SysWOW64\lqnqjrg.exe"  [Executes dropped EXE]
26  PID 2520  C:\Windows\SysWOW64\jglqkyu.exe  cmd: C:\Windows\system32\jglqkyu.exe 1248 "C:\Windows\SysWOW64\wprntqo.exe"  [Executes dropped EXE]
27  PID 740  C:\Windows\SysWOW64\wpsbnyu.exe  cmd: C:\Windows\system32\wpsbnyu.exe 1128 "C:\Windows\SysWOW64\jglqkyu.exe"  [Executes dropped EXE]
28  PID 1704  C:\Windows\SysWOW64\gltlusu.exe  cmd: C:\Windows\system32\gltlusu.exe 1256 "C:\Windows\SysWOW64\wpsbnyu.exe"  [Executes dropped EXE]
29  PID 968  C:\Windows\SysWOW64\wbetbcq.exe  cmd: C:\Windows\system32\wbetbcq.exe 1252 "C:\Windows\SysWOW64\gltlusu.exe"  [Executes dropped EXE]
30  PID 3144  C:\Windows\SysWOW64\efoylvb.exe  cmd: C:\Windows\system32\efoylvb.exe 1276 "C:\Windows\SysWOW64\wbetbcq.exe"  [Executes dropped EXE]
31  PID 4784  C:\Windows\SysWOW64\tqltujd.exe  cmd: C:\Windows\system32\tqltujd.exe 1260 "C:\Windows\SysWOW64\efoylvb.exe"  [Executes dropped EXE]
32  PID 2556  C:\Windows\SysWOW64\gldjamc.exe  cmd: C:\Windows\system32\gldjamc.exe 1268 "C:\Windows\SysWOW64\tqltujd.exe"  [Executes dropped EXE]
33  PID 1528  C:\Windows\SysWOW64\rvkonde.exe  cmd: C:\Windows\system32\rvkonde.exe 1264 "C:\Windows\SysWOW64\gldjamc.exe"  [Executes dropped EXE]
34  PID 1972  C:\Windows\SysWOW64\dbcjblp.exe  cmd: C:\Windows\system32\dbcjblp.exe 1280 "C:\Windows\SysWOW64\rvkonde.exe"  [Executes dropped EXE]
35  PID 2740  C:\Windows\SysWOW64\qotzhpo.exe  cmd: C:\Windows\system32\qotzhpo.exe 1144 "C:\Windows\SysWOW64\dbcjblp.exe"  [Executes dropped EXE]
36  PID 1552  C:\Windows\SysWOW64\bkurpko.exe  cmd: C:\Windows\system32\bkurpko.exe 1288 "C:\Windows\SysWOW64\qotzhpo.exe"  [Executes dropped EXE]
37  PID 4504  C:\Windows\SysWOW64\oipuxsu.exe  cmd: C:\Windows\system32\oipuxsu.exe 1284 "C:\Windows\SysWOW64\bkurpko.exe"  [Executes dropped EXE]
38  PID 4668  C:\Windows\SysWOW64\bvgkdwt.exe  cmd: C:\Windows\system32\bvgkdwt.exe 1292 "C:\Windows\SysWOW64\oipuxsu.exe"  [Executes dropped EXE]
39  PID 4228  C:\Windows\SysWOW64\ombmmwy.exe  cmd: C:\Windows\system32\ombmmwy.exe 1300 "C:\Windows\SysWOW64\bvgkdwt.exe"  [Executes dropped EXE]
40  PID 4324  C:\Windows\SysWOW64\bvhppvq.exe  cmd: C:\Windows\system32\bvhppvq.exe 1304 "C:\Windows\SysWOW64\ombmmwy.exe"  [Executes dropped EXE]
41  PID 2072  C:\Windows\SysWOW64\lgxzkzf.exe  cmd: C:\Windows\system32\lgxzkzf.exe 1296 "C:\Windows\SysWOW64\bvhppvq.exe"  [Executes dropped EXE]
42  PID 2136  C:\Windows\SysWOW64\ywscshc.exe  cmd: C:\Windows\system32\ywscshc.exe 1312 "C:\Windows\SysWOW64\lgxzkzf.exe"  [Executes dropped EXE]
43  PID 212  C:\Windows\SysWOW64\lgyfvyc.exe  cmd: C:\Windows\system32\lgyfvyc.exe 1316 "C:\Windows\SysWOW64\ywscshc.exe"  [Executes dropped EXE]
44  PID 244  C:\Windows\SysWOW64\yethegi.exe  cmd: C:\Windows\system32\yethegi.exe 1308 "C:\Windows\SysWOW64\lgyfvyc.exe"  [Executes dropped EXE]
45  PID 540  C:\Windows\SysWOW64\jdffofp.exe  cmd: C:\Windows\system32\jdffofp.exe 1320 "C:\Windows\SysWOW64\yethegi.exe"  [Executes dropped EXE]
46  PID 2552  C:\Windows\SysWOW64\oqodujo.exe  cmd: C:\Windows\system32\oqodujo.exe 1324 "C:\Windows\SysWOW64\jdffofp.exe"  [Executes dropped EXE; Drops file in System32 directory]
47  PID 2404  C:\Windows\SysWOW64\bdgsann.exe  cmd: C:\Windows\system32\bdgsann.exe 1332 "C:\Windows\SysWOW64\oqodujo.exe"  [Executes dropped EXE; Drops file in System32 directory]
48  PID 1976  C:\Windows\SysWOW64\oqxigjl.exe  cmd: C:\Windows\system32\oqxigjl.exe 1336 "C:\Windows\SysWOW64\bdgsann.exe"  [Executes dropped EXE]
49  PID 3784  C:\Windows\SysWOW64\ybnsbms.exe  cmd: C:\Windows\system32\ybnsbms.exe 1328 "C:\Windows\SysWOW64\oqxigjl.exe"  [Executes dropped EXE]
50  PID 2296  C:\Windows\SysWOW64\lktvels.exe  cmd: C:\Windows\system32\lktvels.exe 1340 "C:\Windows\SysWOW64\ybnsbms.exe"  [Executes dropped EXE]
51  PID 4488  C:\Windows\SysWOW64\yboyntx.exe  cmd: C:\Windows\system32\yboyntx.exe 1344 "C:\Windows\SysWOW64\lktvels.exe"  [Executes dropped EXE]
52  PID 4680  C:\Windows\SysWOW64\logosxw.exe  cmd: C:\Windows\system32\logosxw.exe 1356 "C:\Windows\SysWOW64\yboyntx.exe"  [Executes dropped EXE]
53  PID 4552  C:\Windows\SysWOW64\wnktdoe.exe  cmd: C:\Windows\system32\wnktdoe.exe 1352 "C:\Windows\SysWOW64\logosxw.exe"  [Executes dropped EXE]
54  PID 1092  C:\Windows\SysWOW64\ilewlwj.exe  cmd: C:\Windows\system32\ilewlwj.exe 1348 "C:\Windows\SysWOW64\wnktdoe.exe"  [Executes dropped EXE]
55  PID 3504  C:\Windows\SysWOW64\wywlzai.exe  cmd: C:\Windows\system32\wywlzai.exe 1364 "C:\Windows\SysWOW64\ilewlwj.exe"  [Executes dropped EXE]
56  PID 2432  C:\Windows\SysWOW64\guxwhvj.exe  cmd: C:\Windows\system32\guxwhvj.exe 1368 "C:\Windows\SysWOW64\wywlzai.exe"  [Executes dropped EXE; Drops file in System32 directory]
57  PID 2332  C:\Windows\SysWOW64\tlsypdo.exe  cmd: C:\Windows\system32\tlsypdo.exe 1124 "C:\Windows\SysWOW64\guxwhvj.exe"  [Executes dropped EXE]
58  PID 1920  C:\Windows\SysWOW64\ggjovzn.exe  cmd: C:\Windows\system32\ggjovzn.exe 1376 "C:\Windows\SysWOW64\tlsypdo.exe"  [Executes dropped EXE]
59  PID 5004  C:\Windows\SysWOW64\qfnmgxv.exe  cmd: C:\Windows\system32\qfnmgxv.exe 1384 "C:\Windows\SysWOW64\ggjovzn.exe"  [Executes dropped EXE]
60  PID 4876  C:\Windows\SysWOW64\dsfjlbt.exe  cmd: C:\Windows\system32\dsfjlbt.exe 1372 "C:\Windows\SysWOW64\qfnmgxv.exe"  [Executes dropped EXE]
61  PID 3336  C:\Windows\SysWOW64\qiaecjz.exe  cmd: C:\Windows\system32\qiaecjz.exe 1392 "C:\Windows\SysWOW64\dsfjlbt.exe"  [Executes dropped EXE]
62  PID 2468  C:\Windows\SysWOW64\ddrciny.exe  cmd: C:\Windows\system32\ddrciny.exe 1388 "C:\Windows\SysWOW64\qiaecjz.exe"  [Executes dropped EXE]
63  PID 1220  C:\Windows\SysWOW64\nghmvie.exe  cmd: C:\Windows\system32\nghmvie.exe 1380 "C:\Windows\SysWOW64\ddrciny.exe"  [Executes dropped EXE]
64  PID 396  C:\Windows\SysWOW64\bpnpyie.exe  cmd: C:\Windows\system32\bpnpyie.exe 1400 "C:\Windows\SysWOW64\nghmvie.exe"  [Executes dropped EXE]
65  PID 3640  C:\Windows\SysWOW64\ogishqc.exe  cmd: C:\Windows\system32\ogishqc.exe 1360 "C:\Windows\SysWOW64\bpnpyie.exe"  [Executes dropped EXE]
66  PID 1640  C:\Windows\SysWOW64\ynmprpj.exe  cmd: C:\Windows\system32\ynmprpj.exe 1116 "C:\Windows\SysWOW64\ogishqc.exe"  [Executes dropped EXE]
67  PID 368  C:\Windows\SysWOW64\ldpsixp.exe  cmd: C:\Windows\system32\ldpsixp.exe 1412 "C:\Windows\SysWOW64\ynmprpj.exe"
68  PID 2988  C:\Windows\SysWOW64\yqyhntn.exe  cmd: C:\Windows\system32\yqyhntn.exe 1396 "C:\Windows\SysWOW64\ldpsixp.exe"
69  PID 3460  C:\Windows\SysWOW64\ldqxtxm.exe  cmd: C:\Windows\system32\ldqxtxm.exe 1416 "C:\Windows\SysWOW64\yqyhntn.exe"
70  PID 2864  C:\Windows\SysWOW64\yyhvzbt.exe  cmd: C:\Windows\system32\yyhvzbt.exe 1424 "C:\Windows\SysWOW64\ldqxtxm.exe"
71  PID 3520  C:\Windows\SysWOW64\ixlsjzs.exe  cmd: C:\Windows\system32\ixlsjzs.exe 1428 "C:\Windows\SysWOW64\yyhvzbt.exe"
72  PID 3356  C:\Windows\SysWOW64\vogvszy.exe  cmd: C:\Windows\system32\vogvszy.exe 1420 "C:\Windows\SysWOW64\ixlsjzs.exe"  [Drops file in System32 directory]
73  PID 4892  C:\Windows\SysWOW64\ibylydx.exe  cmd: C:\Windows\system32\ibylydx.exe 1436 "C:\Windows\SysWOW64\vogvszy.exe"
74  PID 5048  C:\Windows\SysWOW64\ticiqce.exe  cmd: C:\Windows\system32\ticiqce.exe 1432 "C:\Windows\SysWOW64\ibylydx.exe"
75  PID 3684  C:\Windows\SysWOW64\gvtywgd.exe  cmd: C:\Windows\system32\gvtywgd.exe 1444 "C:\Windows\SysWOW64\ticiqce.exe"
76  PID 884  C:\Windows\SysWOW64\tilnckc.exe  cmd: C:\Windows\system32\tilnckc.exe 1440 "C:\Windows\SysWOW64\gvtywgd.exe"
77  PID 2452  C:\Windows\SysWOW64\gygqkkh.exe  cmd: C:\Windows\system32\gygqkkh.exe 1456 "C:\Windows\SysWOW64\tilnckc.exe"
78  PID 3920  C:\Windows\SysWOW64\ttxgqog.exe  cmd: C:\Windows\system32\ttxgqog.exe 1448 "C:\Windows\SysWOW64\gygqkkh.exe"
79  PID 3960  C:\Windows\SysWOW64\dwnqdrv.exe  cmd: C:\Windows\system32\dwnqdrv.exe 1452 "C:\Windows\SysWOW64\ttxgqog.exe"
80  PID 440  C:\Windows\SysWOW64\qjwojvt.exe  cmd: C:\Windows\system32\qjwojvt.exe 1464 "C:\Windows\SysWOW64\dwnqdrv.exe"
81  PID 1676  C:\Windows\SysWOW64\dwoepzs.exe  cmd: C:\Windows\system32\dwoepzs.exe 1460 "C:\Windows\SysWOW64\qjwojvt.exe"
82  PID 916  C:\Windows\SysWOW64\ndsbhpa.exe  cmd: C:\Windows\system32\ndsbhpa.exe 1468 "C:\Windows\SysWOW64\dwoepzs.exe"
83  PID 2876  C:\Windows\SysWOW64\bqkrnty.exe  cmd: C:\Windows\system32\bqkrnty.exe 1472 "C:\Windows\SysWOW64\ndsbhpa.exe"
84  PID 4140  C:\Windows\SysWOW64\lpooysg.exe  cmd: C:\Windows\system32\lpooysg.exe 1480 "C:\Windows\SysWOW64\bqkrnty.exe"
85  PID 4508  C:\Windows\SysWOW64\bqlwzbw.exe  cmd: C:\Windows\system32\bqlwzbw.exe 1484 "C:\Windows\SysWOW64\lpooysg.exe"
86  PID 3424  C:\Windows\SysWOW64\lpxcjad.exe  cmd: C:\Windows\system32\lpxcjad.exe 1488 "C:\Windows\SysWOW64\bqlwzbw.exe"
87  PID 1808  C:\Windows\SysWOW64\ykgrpwc.exe  cmd: C:\Windows\system32\ykgrpwc.exe 1476 "C:\Windows\SysWOW64\lpxcjad.exe"
88  PID 4936  C:\Windows\SysWOW64\lbjuyei.exe  cmd: C:\Windows\system32\lbjuyei.exe 1492 "C:\Windows\SysWOW64\ykgrpwc.exe"
89  PID 1784  C:\Windows\SysWOW64\yotklih.exe  cmd: C:\Windows\system32\yotklih.exe 1500 "C:\Windows\SysWOW64\lbjuyei.exe"
90  PID 940  C:\Windows\SysWOW64\iyiuzlv.exe  cmd: C:\Windows\system32\iyiuzlv.exe 1496 "C:\Windows\SysWOW64\yotklih.exe"
91  PID 2884  C:\Windows\SysWOW64\vplxhls.exe  cmd: C:\Windows\system32\vplxhls.exe 1508 "C:\Windows\SysWOW64\iyiuzlv.exe"
92  PID 1936  C:\Windows\SysWOW64\ayrzkks.exe  cmd: C:\Windows\system32\ayrzkks.exe 1504 "C:\Windows\SysWOW64\vplxhls.exe"
93  PID 4468  C:\Windows\SysWOW64\olbpqor.exe  cmd: C:\Windows\system32\olbpqor.exe 1516 "C:\Windows\SysWOW64\ayrzkks.exe"
94  PID 448  C:\Windows\SysWOW64\ywqadrx.exe  cmd: C:\Windows\system32\ywqadrx.exe 1520 "C:\Windows\SysWOW64\olbpqor.exe"
95  PID 2032  C:\Windows\SysWOW64\ljiprve.exe  cmd: C:\Windows\system32\ljiprve.exe 1524 "C:\Windows\SysWOW64\ywqadrx.exe"
96  PID 3984  C:\Windows\SysWOW64\ywrnxrd.exe  cmd: C:\Windows\system32\ywrnxrd.exe 1528 "C:\Windows\SysWOW64\ljiprve.exe"
97  PID 872  C:\Windows\SysWOW64\ljjddvc.exe  cmd: C:\Windows\system32\ljjddvc.exe 1548 "C:\Windows\SysWOW64\ywrnxrd.exe"
98  PID 2812  C:\Windows\SysWOW64\vuynqyi.exe  cmd: C:\Windows\system32\vuynqyi.exe 1532 "C:\Windows\SysWOW64\ljjddvc.exe"
99  PID 1216  C:\Windows\SysWOW64\ihqdwcp.exe  cmd: C:\Windows\system32\ihqdwcp.exe 1536 "C:\Windows\SysWOW64\vuynqyi.exe"
100  PID 1584  C:\Windows\SysWOW64\vuzscgo.exe  cmd: C:\Windows\system32\vuzscgo.exe 1560 "C:\Windows\SysWOW64\ihqdwcp.exe"
101  PID 3004  C:\Windows\SysWOW64\ihrihbm.exe  cmd: C:\Windows\system32\ihrihbm.exe 1512 "C:\Windows\SysWOW64\vuzscgo.exe"
102  PID 2192  C:\Windows\SysWOW64\srgtdft.exe  cmd: C:\Windows\system32\srgtdft.exe 1544 "C:\Windows\SysWOW64\ihrihbm.exe"
103  PID 1564  C:\Windows\SysWOW64\gtmvget.exe  cmd: C:\Windows\system32\gtmvget.exe 1580 "C:\Windows\SysWOW64\srgtdft.exe"
104  PID 808  C:\Windows\SysWOW64\trhyomy.exe  cmd: C:\Windows\system32\trhyomy.exe 1540 "C:\Windows\SysWOW64\gtmvget.exe"
105  PID 4516  C:\Windows\SysWOW64\gezwuix.exe  cmd: C:\Windows\system32\gezwuix.exe 1552 "C:\Windows\SysWOW64\trhyomy.exe"
106  PID 3020  C:\Windows\SysWOW64\qddtehf.exe  cmd: C:\Windows\system32\qddtehf.exe 1564 "C:\Windows\SysWOW64\gezwuix.exe"
107  PID 4564  C:\Windows\SysWOW64\dcgwnpc.exe  cmd: C:\Windows\system32\dcgwnpc.exe 1556 "C:\Windows\SysWOW64\qddtehf.exe"
108  PID 208  C:\Windows\SysWOW64\qppmttj.exe  cmd: C:\Windows\system32\qppmttj.exe 1576 "C:\Windows\SysWOW64\dcgwnpc.exe"
109  PID 4768  C:\Windows\SysWOW64\aobjlsi.exe  cmd: C:\Windows\system32\aobjlsi.exe 1568 "C:\Windows\SysWOW64\qppmttj.exe"
110  PID 3888  C:\Windows\SysWOW64\nblzrwp.exe  cmd: C:\Windows\system32\nblzrwp.exe 1584 "C:\Windows\SysWOW64\aobjlsi.exe"  [Drops file in System32 directory]
111  PID 5008  C:\Windows\SysWOW64\aocoxro.exe  cmd: C:\Windows\system32\aocoxro.exe 1120 "C:\Windows\SysWOW64\nblzrwp.exe"
112  PID 312  C:\Windows\SysWOW64\kyszkvu.exe  cmd: C:\Windows\system32\kyszkvu.exe 1592 "C:\Windows\SysWOW64\aocoxro.exe"
113  PID 4868  C:\Windows\SysWOW64\yljoqyt.exe  cmd: C:\Windows\system32\yljoqyt.exe 1588 "C:\Windows\SysWOW64\kyszkvu.exe"
114  PID 3612  C:\Windows\SysWOW64\lytmwcs.exe  cmd: C:\Windows\system32\lytmwcs.exe 1600 "C:\Windows\SysWOW64\yljoqyt.exe"  [Drops file in System32 directory]
115  PID 5088  C:\Windows\SysWOW64\yllcbyz.exe  cmd: C:\Windows\system32\yllcbyz.exe 1596 "C:\Windows\SysWOW64\lytmwcs.exe"
116  PID 5020  C:\Windows\SysWOW64\ispzuxy.exe  cmd: C:\Windows\system32\ispzuxy.exe 1608 "C:\Windows\SysWOW64\yllcbyz.exe"
117  PID 2676  C:\Windows\SysWOW64\vjrccfe.exe  cmd: C:\Windows\system32\vjrccfe.exe 1604 "C:\Windows\SysWOW64\ispzuxy.exe"
118  PID 2664  C:\Windows\SysWOW64\iwbsijc.exe  cmd: C:\Windows\system32\iwbsijc.exe 1612 "C:\Windows\SysWOW64\vjrccfe.exe"
119  PID 1680  C:\Windows\SysWOW64\vjthonb.exe  cmd: C:\Windows\system32\vjthonb.exe 1616 "C:\Windows\SysWOW64\iwbsijc.exe"
120  PID 900  C:\Windows\SysWOW64\fuisbiq.exe  cmd: C:\Windows\system32\fuisbiq.exe 1624 "C:\Windows\SysWOW64\vjthonb.exe"
121  PID 3900  C:\Windows\SysWOW64\tdodehi.exe  cmd: C:\Windows\system32\tdodehi.exe 1620 "C:\Windows\SysWOW64\fuisbiq.exe"
122  PID 4020  C:\Windows\SysWOW64\fujxnpn.exe  cmd: C:\Windows\system32\fujxnpn.exe 1140 "C:\Windows\SysWOW64\tdodehi.exe"
123  PID 864  C:\Windows\SysWOW64\thbvttm.exe  cmd: C:\Windows\system32\thbvttm.exe 1632 "C:\Windows\SysWOW64\fujxnpn.exe"
124  PID 1108  C:\Windows\SysWOW64\crqfowa.exe  cmd: C:\Windows\system32\crqfowa.exe 1640 "C:\Windows\SysWOW64\thbvttm.exe"
125  PID 3348  C:\Windows\SysWOW64\qbwiros.exe  cmd: C:\Windows\system32\qbwiros.exe 1644 "C:\Windows\SysWOW64\crqfowa.exe"
126  PID 4448  C:\Windows\SysWOW64\dooyxsz.exe  cmd: C:\Windows\system32\dooyxsz.exe 1636 "C:\Windows\SysWOW64\qbwiros.exe"
127  PID 4348  C:\Windows\SysWOW64\qejafaw.exe  cmd: C:\Windows\system32\qejafaw.exe 1656 "C:\Windows\SysWOW64\dooyxsz.exe"
128  PID 5104  C:\Windows\SysWOW64\apylsdl.exe  cmd: C:\Windows\system32\apylsdl.exe 1652 "C:\Windows\SysWOW64\qejafaw.exe"
129  PID 64  C:\Windows\SysWOW64\ncqbyhk.exe  cmd: C:\Windows\system32\ncqbyhk.exe 1648 "C:\Windows\SysWOW64\apylsdl.exe"
130  PID 4588  C:\Windows\SysWOW64\apzqmdi.exe  cmd: C:\Windows\system32\apzqmdi.exe 1136 "C:\Windows\SysWOW64\ncqbyhk.exe"  [Drops file in System32 directory]
131  PID 4224  C:\Windows\SysWOW64\ncroshh.exe  cmd: C:\Windows\system32\ncroshh.exe 1664 "C:\Windows\SysWOW64\apzqmdi.exe"
132  PID 1124  C:\Windows\SysWOW64\xmgqfkn.exe  cmd: C:\Windows\system32\xmgqfkn.exe 1668 "C:\Windows\SysWOW64\ncroshh.exe"
133  PID 3476  C:\Windows\SysWOW64\lwmbijn.exe  cmd: C:\Windows\system32\lwmbijn.exe 1672 "C:\Windows\SysWOW64\xmgqfkn.exe"
134  PID 4940  C:\Windows\SysWOW64\ymherjt.exe  cmd: C:\Windows\system32\ymherjt.exe 1676 "C:\Windows\SysWOW64\lwmbijn.exe"
135  PID 3392  C:\Windows\SysWOW64\iltbbib.exe  cmd: C:\Windows\system32\iltbbib.exe 1680 "C:\Windows\SysWOW64\ymherjt.exe"
136  PID 4460  C:\Windows\SysWOW64\vkoesqy.exe  cmd: C:\Windows\system32\vkoesqy.exe 1688 "C:\Windows\SysWOW64\iltbbib.exe"
137  PID 2976  C:\Windows\SysWOW64\ixguxuf.exe  cmd: C:\Windows\system32\ixguxuf.exe 1692 "C:\Windows\SysWOW64\vkoesqy.exe"
138  PID 3368  C:\Windows\SysWOW64\nkpjdye.exe  cmd: C:\Windows\system32\nkpjdye.exe 1684 "C:\Windows\SysWOW64\ixguxuf.exe"
139  PID 4260  C:\Windows\SysWOW64\axhzjuc.exe  cmd: C:\Windows\system32\axhzjuc.exe 1696 "C:\Windows\SysWOW64\nkpjdye.exe"
140  PID 3080  C:\Windows\SysWOW64\khwjwxj.exe  cmd: C:\Windows\system32\khwjwxj.exe 1700 "C:\Windows\SysWOW64\axhzjuc.exe"  [Drops file in System32 directory]
141  PID 2656  C:\Windows\SysWOW64\xuohcbh.exe  cmd: C:\Windows\system32\xuohcbh.exe 1708 "C:\Windows\SysWOW64\khwjwxj.exe"
142  PID 3192  C:\Windows\SysWOW64\khxxifo.exe  cmd: C:\Windows\system32\khxxifo.exe 1712 "C:\Windows\SysWOW64\xuohcbh.exe"
143  PID 2836  C:\Windows\SysWOW64\uhjuado.exe  cmd: C:\Windows\system32\uhjuado.exe 1716 "C:\Windows\SysWOW64\khxxifo.exe"
144  PID 1204  C:\Windows\SysWOW64\ictkgzv.exe  cmd: C:\Windows\system32\ictkgzv.exe 1764 "C:\Windows\SysWOW64\uhjuado.exe"
145  PID 1896  C:\Windows\SysWOW64\vswnphs.exe  cmd: C:\Windows\system32\vswnphs.exe 1704 "C:\Windows\SysWOW64\ictkgzv.exe"
146  PID 3744  C:\Windows\SysWOW64\iffcvlz.exe  cmd: C:\Windows\system32\iffcvlz.exe 1720 "C:\Windows\SysWOW64\vswnphs.exe"
147  PID 1132  C:\Windows\SysWOW64\vsxsapy.exe  cmd: C:\Windows\system32\vsxsapy.exe 1724 "C:\Windows\SysWOW64\iffcvlz.exe"
148  PID 1708  C:\Windows\SysWOW64\fzbplox.exe  cmd: C:\Windows\system32\fzbplox.exe 1728 "C:\Windows\SysWOW64\vsxsapy.exe"
149  PID 1928  C:\Windows\SysWOW64\pynvdnf.exe  cmd: C:\Windows\system32\pynvdnf.exe 1732 "C:\Windows\SysWOW64\fzbplox.exe"  [Drops file in System32 directory]
150  PID 3416  C:\Windows\SysWOW64\fzcdwod.exe  cmd: C:\Windows\system32\fzcdwod.exe 1740 "C:\Windows\SysWOW64\pynvdnf.exe"
151  PID 3688  C:\Windows\SysWOW64\pcznsrj.exe  cmd: C:\Windows\system32\pcznsrj.exe 1756 "C:\Windows\SysWOW64\fzcdwod.exe"
152  PID 2128  C:\Windows\SysWOW64\dlgqvqj.exe  cmd: C:\Windows\system32\dlgqvqj.exe 1744 "C:\Windows\SysWOW64\pcznsrj.exe"
153  PID 4248  C:\Windows\SysWOW64\qkatdqp.exe  cmd: C:\Windows\system32\qkatdqp.exe 1628 "C:\Windows\SysWOW64\dlgqvqj.exe"
154  PID 1616  C:\Windows\SysWOW64\ajfqopo.exe  cmd: C:\Windows\system32\ajfqopo.exe 1752 "C:\Windows\SysWOW64\qkatdqp.exe"  [Drops file in System32 directory]
155  PID 4284  C:\Windows\SysWOW64\nzhtwxu.exe  cmd: C:\Windows\system32\nzhtwxu.exe 1748 "C:\Windows\SysWOW64\ajfqopo.exe"
156  PID 1724  C:\Windows\SysWOW64\auricbs.exe  cmd: C:\Windows\system32\auricbs.exe 1768 "C:\Windows\SysWOW64\nzhtwxu.exe"
157  PID 404  C:\Windows\SysWOW64\nhigifr.exe  cmd: C:\Windows\system32\nhigifr.exe 1772 "C:\Windows\SysWOW64\auricbs.exe"
158  PID 1828  C:\Windows\SysWOW64\auswwby.exe  cmd: C:\Windows\system32\auswwby.exe 1776 "C:\Windows\SysWOW64\nhigifr.exe"
159  PID 964  C:\Windows\SysWOW64\kxpgjee.exe  cmd: C:\Windows\system32\kxpgjee.exe 1760 "C:\Windows\SysWOW64\auswwby.exe"
160  PID 4816  C:\Windows\SysWOW64\xszwpid.exe  cmd: C:\Windows\system32\xszwpid.exe 1780 "C:\Windows\SysWOW64\kxpgjee.exe"
161  PID 3040  C:\Windows\SysWOW64\kfrmumc.exe  cmd: C:\Windows\system32\kfrmumc.exe 1788 "C:\Windows\SysWOW64\xszwpid.exe"  [Drops file in System32 directory]
162  PID 4528  C:\Windows\SysWOW64\ysabaqj.exe  cmd: C:\Windows\system32\ysabaqj.exe 1784 "C:\Windows\SysWOW64\kfrmumc.exe"
163  PID 4476  C:\Windows\SysWOW64\irmzlgi.exe  cmd: C:\Windows\system32\irmzlgi.exe 1792 "C:\Windows\SysWOW64\ysabaqj.exe"
-
C:\Windows\SysWOW64\vqhcboo.exeC:\Windows\system32\vqhcboo.exe 1796 "C:\Windows\SysWOW64\irmzlgi.exe"164⤵PID:4216
-
C:\Windows\SysWOW64\fptzmnv.exeC:\Windows\system32\fptzmnv.exe 1804 "C:\Windows\SysWOW64\vqhcboo.exe"165⤵PID:3524
-
C:\Windows\SysWOW64\scdxrru.exeC:\Windows\system32\scdxrru.exe 1800 "C:\Windows\SysWOW64\fptzmnv.exe"166⤵PID:3940
-
C:\Windows\SysWOW64\fpumxvt.exeC:\Windows\system32\fpumxvt.exe 1236 "C:\Windows\SysWOW64\scdxrru.exe"167⤵PID:764
-
C:\Windows\SysWOW64\scecdrs.exeC:\Windows\system32\scecdrs.exe 1816 "C:\Windows\SysWOW64\fpumxvt.exe"168⤵
- Drops file in System32 directory
PID:2028 -
C:\Windows\SysWOW64\cmbmqug.exeC:\Windows\system32\cmbmqug.exe 1408 "C:\Windows\SysWOW64\scecdrs.exe"169⤵PID:1084
-
C:\Windows\SysWOW64\pzlceyf.exeC:\Windows\system32\pzlceyf.exe 1404 "C:\Windows\SysWOW64\cmbmqug.exe"170⤵PID:5112
-
C:\Windows\SysWOW64\cmcskcd.exeC:\Windows\system32\cmcskcd.exe 1824 "C:\Windows\SysWOW64\pzlceyf.exe"171⤵PID:2420
-
C:\Windows\SysWOW64\qzmiqfc.exeC:\Windows\system32\qzmiqfc.exe 1832 "C:\Windows\SysWOW64\cmcskcd.exe"172⤵
- Drops file in System32 directory
PID:3068 -
C:\Windows\SysWOW64\cypkygi.exeC:\Windows\system32\cypkygi.exe 1828 "C:\Windows\SysWOW64\qzmiqfc.exe"173⤵
- Drops file in System32 directory
PID:5044 -
C:\Windows\SysWOW64\qlyaejg.exeC:\Windows\system32\qlyaejg.exe 1836 "C:\Windows\SysWOW64\cypkygi.exe"174⤵PID:1908
-
C:\Windows\SysWOW64\anokrnv.exeC:\Windows\system32\anokrnv.exe 1844 "C:\Windows\SysWOW64\qlyaejg.exe"175⤵PID:468
-
C:\Windows\SysWOW64\nafixqu.exeC:\Windows\system32\nafixqu.exe 1848 "C:\Windows\SysWOW64\anokrnv.exe"176⤵PID:3628
-
C:\Windows\SysWOW64\avxydms.exeC:\Windows\system32\avxydms.exe 1840 "C:\Windows\SysWOW64\nafixqu.exe"177⤵PID:2208
-
C:\Windows\SysWOW64\kubvvla.exeC:\Windows\system32\kubvvla.exe 1852 "C:\Windows\SysWOW64\avxydms.exe"178⤵PID:2576
-
C:\Windows\SysWOW64\xlwyetx.exeC:\Windows\system32\xlwyetx.exe 1052 "C:\Windows\SysWOW64\kubvvla.exe"179⤵PID:3076
-
C:\Windows\SysWOW64\kynokxe.exeC:\Windows\system32\kynokxe.exe 1864 "C:\Windows\SysWOW64\xlwyetx.exe"180⤵PID:1952
-
C:\Windows\SysWOW64\xtfdptd.exeC:\Windows\system32\xtfdptd.exe 1860 "C:\Windows\SysWOW64\kynokxe.exe"181⤵PID:1008
-
C:\Windows\SysWOW64\kgotvxc.exeC:\Windows\system32\kgotvxc.exe 1868 "C:\Windows\SysWOW64\xtfdptd.exe"182⤵PID:3052
-
C:\Windows\SysWOW64\uiediai.exeC:\Windows\system32\uiediai.exe 1872 "C:\Windows\SysWOW64\kgotvxc.exe"183⤵PID:620
-
C:\Windows\SysWOW64\zvvtoeh.exeC:\Windows\system32\zvvtoeh.exe 1876 "C:\Windows\SysWOW64\uiediai.exe"184⤵PID:1728
-
C:\Windows\SysWOW64\nqnruio.exeC:\Windows\system32\nqnruio.exe 1880 "C:\Windows\SysWOW64\zvvtoeh.exe"185⤵PID:4060
-
C:\Windows\SysWOW64\adwhidm.exeC:\Windows\system32\adwhidm.exe 1736 "C:\Windows\SysWOW64\nqnruio.exe"186⤵PID:3732
-
C:\Windows\SysWOW64\kgmrvgt.exeC:\Windows\system32\kgmrvgt.exe 1888 "C:\Windows\SysWOW64\adwhidm.exe"187⤵
- Drops file in System32 directory
PID:2292 -
C:\Windows\SysWOW64\xqsuygt.exeC:\Windows\system32\xqsuygt.exe 1892 "C:\Windows\SysWOW64\kgmrvgt.exe"188⤵PID:1888
-
C:\Windows\SysWOW64\ksyjjsx.exeC:\Windows\system32\ksyjjsx.exe 1900 "C:\Windows\SysWOW64\xqsuygt.exe"189⤵PID:3132
-
C:\Windows\SysWOW64\unzurny.exeC:\Windows\system32\unzurny.exe 1896 "C:\Windows\SysWOW64\ksyjjsx.exe"190⤵PID:2388
-
C:\Windows\SysWOW64\haqjxrf.exeC:\Windows\system32\haqjxrf.exe 1908 "C:\Windows\SysWOW64\unzurny.exe"191⤵PID:4712
-
C:\Windows\SysWOW64\unahdnd.exeC:\Windows\system32\unahdnd.exe 1912 "C:\Windows\SysWOW64\haqjxrf.exe"192⤵PID:2992
-
C:\Windows\SysWOW64\hmdctvb.exeC:\Windows\system32\hmdctvb.exe 1904 "C:\Windows\SysWOW64\unahdnd.exe"193⤵PID:4544
-
C:\Windows\SysWOW64\vzmazzi.exeC:\Windows\system32\vzmazzi.exe 1920 "C:\Windows\SysWOW64\hmdctvb.exe"194⤵PID:2480
-
C:\Windows\SysWOW64\fyyxjxh.exeC:\Windows\system32\fyyxjxh.exe 1916 "C:\Windows\SysWOW64\vzmazzi.exe"195⤵
- Drops file in System32 directory
PID:1176 -
C:\Windows\SysWOW64\sotasyn.exeC:\Windows\system32\sotasyn.exe 1924 "C:\Windows\SysWOW64\fyyxjxh.exe"196⤵PID:4484
-
C:\Windows\SysWOW64\cvxxdwu.exeC:\Windows\system32\cvxxdwu.exe 1928 "C:\Windows\SysWOW64\sotasyn.exe"197⤵PID:1596
-
C:\Windows\SysWOW64\pipnqat.exeC:\Windows\system32\pipnqat.exe 1932 "C:\Windows\SysWOW64\cvxxdwu.exe"198⤵PID:2336
-
C:\Windows\SysWOW64\cvgdwes.exeC:\Windows\system32\cvgdwes.exe 1004 "C:\Windows\SysWOW64\pipnqat.exe"199⤵PID:1992
-
C:\Windows\SysWOW64\pmbffex.exeC:\Windows\system32\pmbffex.exe 1940 "C:\Windows\SysWOW64\cvgdwes.exe"200⤵PID:2416
-
C:\Windows\SysWOW64\chtvliw.exeC:\Windows\system32\chtvliw.exe 1944 "C:\Windows\SysWOW64\pmbffex.exe"201⤵PID:228
-
C:\Windows\SysWOW64\puctqmv.exeC:\Windows\system32\puctqmv.exe 1952 "C:\Windows\SysWOW64\chtvliw.exe"202⤵PID:2308
-
C:\Windows\SysWOW64\ztoqblc.exeC:\Windows\system32\ztoqblc.exe 1956 "C:\Windows\SysWOW64\puctqmv.exe"203⤵PID:1044
-
C:\Windows\SysWOW64\ngyghpb.exeC:\Windows\system32\ngyghpb.exe 1948 "C:\Windows\SysWOW64\ztoqblc.exe"204⤵PID:4432
-
C:\Windows\SysWOW64\aebipph.exeC:\Windows\system32\aebipph.exe 1960 "C:\Windows\SysWOW64\ngyghpb.exe"205⤵PID:5116
-
C:\Windows\SysWOW64\kefgioo.exeC:\Windows\system32\kefgioo.exe 1076 "C:\Windows\SysWOW64\aebipph.exe"206⤵PID:4396
-
C:\Windows\SysWOW64\xuajqwu.exeC:\Windows\system32\xuajqwu.exe 1968 "C:\Windows\SysWOW64\kefgioo.exe"207⤵PID:3664
-
C:\Windows\SysWOW64\khrywat.exeC:\Windows\system32\khrywat.exe 1972 "C:\Windows\SysWOW64\xuajqwu.exe"208⤵PID:2436
-
C:\Windows\SysWOW64\xcbocdr.exeC:\Windows\system32\xcbocdr.exe 1936 "C:\Windows\SysWOW64\khrywat.exe"209⤵PID:4580
-
C:\Windows\SysWOW64\kpseizq.exeC:\Windows\system32\kpseizq.exe 1984 "C:\Windows\SysWOW64\xcbocdr.exe"210⤵PID:4800
-
C:\Windows\SysWOW64\usiovce.exeC:\Windows\system32\usiovce.exe 1856 "C:\Windows\SysWOW64\kpseizq.exe"211⤵PID:2464
-
C:\Windows\SysWOW64\hfzmbgd.exeC:\Windows\system32\hfzmbgd.exe 1988 "C:\Windows\SysWOW64\usiovce.exe"212⤵PID:3216
-
C:\Windows\SysWOW64\uajbgkc.exeC:\Windows\system32\uajbgkc.exe 1992 "C:\Windows\SysWOW64\hfzmbgd.exe"213⤵PID:1540
-
C:\Windows\SysWOW64\ezvzzjk.exeC:\Windows\system32\ezvzzjk.exe 2000 "C:\Windows\SysWOW64\uajbgkc.exe"214⤵PID:1696
-
C:\Windows\SysWOW64\smnpffi.exeC:\Windows\system32\smnpffi.exe 2004 "C:\Windows\SysWOW64\ezvzzjk.exe"215⤵
- Drops file in System32 directory
PID:4836 -
C:\Windows\SysWOW64\fchrnno.exeC:\Windows\system32\fchrnno.exe 1996 "C:\Windows\SysWOW64\smnpffi.exe"216⤵PID:4692
-
C:\Windows\SysWOW64\sxrhtrn.exeC:\Windows\system32\sxrhtrn.exe 2008 "C:\Windows\SysWOW64\fchrnno.exe"217⤵PID:4428
-
C:\Windows\SysWOW64\fkixzul.exeC:\Windows\system32\fkixzul.exe 2016 "C:\Windows\SysWOW64\sxrhtrn.exe"218⤵PID:4472
-
C:\Windows\SysWOW64\pnyhmqs.exeC:\Windows\system32\pnyhmqs.exe 2020 "C:\Windows\SysWOW64\fkixzul.exe"219⤵PID:4908
-
C:\Windows\SysWOW64\capxatq.exeC:\Windows\system32\capxatq.exe 2024 "C:\Windows\SysWOW64\pnyhmqs.exe"220⤵PID:3212
-
C:\Windows\SysWOW64\pvzugxx.exeC:\Windows\system32\pvzugxx.exe 1980 "C:\Windows\SysWOW64\capxatq.exe"221⤵PID:3996
-
C:\Windows\SysWOW64\cirklbw.exeC:\Windows\system32\cirklbw.exe 2028 "C:\Windows\SysWOW64\pvzugxx.exe"222⤵PID:2640
-
C:\Windows\SysWOW64\mhviwae.exeC:\Windows\system32\mhviwae.exe 2032 "C:\Windows\SysWOW64\cirklbw.exe"223⤵PID:3752
-
C:\Windows\SysWOW64\zxxkeab.exeC:\Windows\system32\zxxkeab.exe 2036 "C:\Windows\SysWOW64\mhviwae.exe"224⤵PID:1840
-
C:\Windows\SysWOW64\mwsnnih.exeC:\Windows\system32\mwsnnih.exe 2044 "C:\Windows\SysWOW64\zxxkeab.exe"225⤵PID:4288
-
C:\Windows\SysWOW64\afzqqih.exeC:\Windows\system32\afzqqih.exe 2040 "C:\Windows\SysWOW64\mwsnnih.exe"226⤵PID:232
-
C:\Windows\SysWOW64\kioalln.exeC:\Windows\system32\kioalln.exe 2052 "C:\Windows\SysWOW64\afzqqih.exe"227⤵PID:4804
-
C:\Windows\SysWOW64\xvfqrhm.exeC:\Windows\system32\xvfqrhm.exe 2060 "C:\Windows\SysWOW64\kioalln.exe"228⤵
- Drops file in System32 directory
PID:1940 -
C:\Windows\SysWOW64\kipgxll.exeC:\Windows\system32\kipgxll.exe 2064 "C:\Windows\SysWOW64\xvfqrhm.exe"229⤵PID:860
-
C:\Windows\SysWOW64\pdhddor.exeC:\Windows\system32\pdhddor.exe 1104 "C:\Windows\SysWOW64\kipgxll.exe"230⤵PID:3556
-
C:\Windows\SysWOW64\zclbnnr.exeC:\Windows\system32\zclbnnr.exe 2072 "C:\Windows\SysWOW64\pdhddor.exe"231⤵
- Drops file in System32 directory
PID:4048 -
C:\Windows\SysWOW64\mtodwvw.exeC:\Windows\system32\mtodwvw.exe 2068 "C:\Windows\SysWOW64\zclbnnr.exe"232⤵
- Drops file in System32 directory
PID:5096 -
C:\Windows\SysWOW64\wasboue.exeC:\Windows\system32\wasboue.exe 2080 "C:\Windows\SysWOW64\mtodwvw.exe"233⤵PID:4928
-
C:\Windows\SysWOW64\mbpjhvc.exeC:\Windows\system32\mbpjhvc.exe 2076 "C:\Windows\SysWOW64\wasboue.exe"234⤵PID:2620
-
C:\Windows\SysWOW64\wdetcyi.exeC:\Windows\system32\wdetcyi.exe 2084 "C:\Windows\SysWOW64\mbpjhvc.exe"235⤵PID:888
-
C:\Windows\SysWOW64\jqwjich.exeC:\Windows\system32\jqwjich.exe 2092 "C:\Windows\SysWOW64\wdetcyi.exe"236⤵PID:2492
-
C:\Windows\SysWOW64\xdfzogg.exeC:\Windows\system32\xdfzogg.exe 2088 "C:\Windows\SysWOW64\jqwjich.exe"237⤵PID:1548
-
C:\Windows\SysWOW64\hkrwyxn.exeC:\Windows\system32\hkrwyxn.exe 2096 "C:\Windows\SysWOW64\xdfzogg.exe"238⤵PID:988
-
C:\Windows\SysWOW64\uxbueam.exeC:\Windows\system32\uxbueam.exe 2104 "C:\Windows\SysWOW64\hkrwyxn.exe"239⤵
- Drops file in System32 directory
PID:3240 -
C:\Windows\SysWOW64\hoewnjs.exeC:\Windows\system32\hoewnjs.exe 2108 "C:\Windows\SysWOW64\uxbueam.exe"240⤵PID:3776
-
C:\Windows\SysWOW64\rviufhz.exeC:\Windows\system32\rviufhz.exe 2112 "C:\Windows\SysWOW64\hoewnjs.exe"241⤵PID:4308
-
C:\Windows\SysWOW64\eizklly.exeC:\Windows\system32\eizklly.exe 2012 "C:\Windows\SysWOW64\rviufhz.exe"242⤵
- Drops file in System32 directory
PID:1088