Analysis
- max time kernel: 149s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 23-06-2024 12:34
Static task: static1
Behavioral task: behavioral1
- Sample: 06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe
- Resource: win10v2004-20240611-en
General
- Target: 06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe
- Size: 471KB
- MD5: 06026e4203f13fffe9d741a6872a75ae
- SHA1: 4bd5ff87c0efda2cafd1cb3254f46955d52a12ec
- SHA256: ec530b5f552febe9631fb4d1fd90e74ef21be4093eb9cde42657bf2dfeb6a486
- SHA512: 37e9d3bf7a38fc16b323c49034f0c754dcd09d2c6c6679b4226bf9d8a659867b2ca27a8d2798f3e0a0ef1f3641761664a6d6b9a6a69ed84b4d2881a8324d3962
- SSDEEP: 6144:IFeLlS5FZCAv2wFR24biJjWti/9q7R/ck6pSDy4N5q39dVdnNn1u9/TPr5P6uzPY:CD6AvTFgJVWt49y5YeE8RhpQetCT
Malware Config
- Extracted: metasploit (encoder/call4_dword_xor)
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Executes dropped EXE (64 IoCs)
Processes (pid | process):
2132 | bynbkf.exe
2796 | bynbkf.exe
2540 | sywbda.exe
2528 | sywbda.exe
1728 | yquelx.exe
2880 | yquelx.exe
308 | xumzbr.exe
652 | xumzbr.exe
2836 | hapmfl.exe
620 | hapmfl.exe
2064 | qtdudr.exe
2916 | qtdudr.exe
708 | wliptf.exe
1816 | wliptf.exe
2460 | defscc.exe
1316 | defscc.exe
928 | nkifxe.exe
1844 | nkifxe.exe
1500 | lacvdw.exe
1588 | lacvdw.exe
1644 | ddzyht.exe
2960 | ddzyht.exe
2904 | udzgfc.exe
2752 | udzgfc.exe
2560 | iljigt.exe
3000 | iljigt.exe
2868 | cjivdl.exe
2980 | cjivdl.exe
288 | wazjzw.exe
1804 | wazjzw.exe
1080 | nwodvs.exe
316 | nwodvs.exe
2008 | famgrx.exe
2264 | famgrx.exe
2296 | thvjaw.exe
664 | thvjaw.exe
1132 | hmchxj.exe
1076 | hmchxj.exe
1768 | zeoxqk.exe
1536 | zeoxqk.exe
1300 | fmfzrj.exe
900 | fmfzrj.exe
1792 | zzlalp.exe
1992 | zzlalp.exe
3056 | qkxuuc.exe
2664 | qkxuuc.exe
2776 | kxlvgi.exe
2636 | kxlvgi.exe
2672 | ctaykf.exe
2828 | ctaykf.exe
2548 | taifjn.exe
2208 | taifjn.exe
1860 | hisijn.exe
2236 | hisijn.exe
2172 | wxcgbz.exe
2504 | wxcgbz.exe
1304 | krxvnv.exe
2100 | krxvnv.exe
2696 | cjjlgw.exe
2228 | cjjlgw.exe
584 | rnqjdr.exe
2928 | rnqjdr.exe
2032 | ajnezn.exe
1328 | ajnezn.exe
- Loads dropped DLL (64 IoCs)
Processes (pid | process; one row per DLL load, so each process appears twice):
848 | 06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe
848 | 06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe
2132 | bynbkf.exe
2132 | bynbkf.exe
2796 | bynbkf.exe
2796 | bynbkf.exe
2540 | sywbda.exe
2540 | sywbda.exe
2528 | sywbda.exe
2528 | sywbda.exe
1728 | yquelx.exe
1728 | yquelx.exe
2880 | yquelx.exe
2880 | yquelx.exe
308 | xumzbr.exe
308 | xumzbr.exe
652 | xumzbr.exe
652 | xumzbr.exe
2836 | hapmfl.exe
2836 | hapmfl.exe
620 | hapmfl.exe
620 | hapmfl.exe
2064 | qtdudr.exe
2064 | qtdudr.exe
2916 | qtdudr.exe
2916 | qtdudr.exe
708 | wliptf.exe
708 | wliptf.exe
1816 | wliptf.exe
1816 | wliptf.exe
2460 | defscc.exe
2460 | defscc.exe
1316 | defscc.exe
1316 | defscc.exe
928 | nkifxe.exe
928 | nkifxe.exe
1844 | nkifxe.exe
1844 | nkifxe.exe
1500 | lacvdw.exe
1500 | lacvdw.exe
1588 | lacvdw.exe
1588 | lacvdw.exe
1644 | ddzyht.exe
1644 | ddzyht.exe
2960 | ddzyht.exe
2960 | ddzyht.exe
2904 | udzgfc.exe
2904 | udzgfc.exe
2752 | udzgfc.exe
2752 | udzgfc.exe
2560 | iljigt.exe
2560 | iljigt.exe
3000 | iljigt.exe
3000 | iljigt.exe
2868 | cjivdl.exe
2868 | cjivdl.exe
2980 | cjivdl.exe
2980 | cjivdl.exe
288 | wazjzw.exe
288 | wazjzw.exe
1804 | wazjzw.exe
1804 | wazjzw.exe
1080 | nwodvs.exe
1080 | nwodvs.exe
- Drops file in System32 directory (64 IoCs)
Processes (description | ioc | process):
File opened for modification | C:\Windows\SysWOW64\qtdudr.exe | hapmfl.exe
File opened for modification | C:\Windows\SysWOW64\nkifxe.exe | defscc.exe
File opened for modification | C:\Windows\SysWOW64\cjivdl.exe | iljigt.exe
File opened for modification | C:\Windows\SysWOW64\xjvtgd.exe | gjnlhu.exe
File created | C:\Windows\SysWOW64\oivbfe.exe | xjvtgd.exe
File created | C:\Windows\SysWOW64\gdsqxz.exe | rvaoxa.exe
File opened for modification | C:\Windows\SysWOW64\hmelbw.exe | qbtqzj.exe
File created | C:\Windows\SysWOW64\eqnfas.exe | njfptr.exe
File created | C:\Windows\SysWOW64\mgqdtd.exe | uktixz.exe
File created | C:\Windows\SysWOW64\lacvdw.exe | nkifxe.exe
File opened for modification | C:\Windows\SysWOW64\ajnezn.exe | rnqjdr.exe
File opened for modification | C:\Windows\SysWOW64\qmrgtw.exe | zmqzuv.exe
File created | C:\Windows\SysWOW64\bfaccn.exe | hkmuqh.exe
File opened for modification | C:\Windows\SysWOW64\igzzer.exe | uvectn.exe
File opened for modification | C:\Windows\SysWOW64\gjnlhu.exe | pcmdjt.exe
File created | C:\Windows\SysWOW64\txrggy.exe | ccudkc.exe
File opened for modification | C:\Windows\SysWOW64\lcbdth.exe | bkpnap.exe
File opened for modification | C:\Windows\SysWOW64\bqhbaj.exe | napqzj.exe
File opened for modification | C:\Windows\SysWOW64\nqgmva.exe | yqlbaj.exe
File created | C:\Windows\SysWOW64\htlboq.exe | qbztvy.exe
File created | C:\Windows\SysWOW64\udzgfc.exe | ddzyht.exe
File created | C:\Windows\SysWOW64\uffrah.exe | djiwwk.exe
File created | C:\Windows\SysWOW64\nmkakc.exe | tyxaqw.exe
File created | C:\Windows\SysWOW64\kvtcky.exe | qmrgtw.exe
File opened for modification | C:\Windows\SysWOW64\viligj.exe | hmelbw.exe
File opened for modification | C:\Windows\SysWOW64\eqnfas.exe | njfptr.exe
File opened for modification | C:\Windows\SysWOW64\dkfgpa.exe | mgqdtd.exe
File opened for modification | C:\Windows\SysWOW64\cwyhpi.exe | lxyzqh.exe
File created | C:\Windows\SysWOW64\xhvczi.exe | igzzer.exe
File created | C:\Windows\SysWOW64\oeoazx.exe | xirxdt.exe
File opened for modification | C:\Windows\SysWOW64\defscc.exe | wliptf.exe
File created | C:\Windows\SysWOW64\vpgvpn.exe | dtjalj.exe
File created | C:\Windows\SysWOW64\fpwjdm.exe | oivbfe.exe
File created | C:\Windows\SysWOW64\qbztvy.exe | khedru.exe
File opened for modification | C:\Windows\SysWOW64\xirxdt.exe | jwwhsx.exe
File opened for modification | C:\Windows\SysWOW64\rnqjdr.exe | cjjlgw.exe
File created | C:\Windows\SysWOW64\gnukdr.exe | oviukr.exe
File opened for modification | C:\Windows\SysWOW64\ccudkc.exe | nmkakc.exe
File opened for modification | C:\Windows\SysWOW64\bkpnap.exe | nfqyuu.exe
File created | C:\Windows\SysWOW64\zmqzuv.exe | ibfeti.exe
File opened for modification | C:\Windows\SysWOW64\jqlmis.exe | tfrrhf.exe
File opened for modification | C:\Windows\SysWOW64\rurvpi.exe | xloixy.exe
File opened for modification | C:\Windows\SysWOW64\hisijn.exe | taifjn.exe
File created | C:\Windows\SysWOW64\zckjxs.exe | fpwjdm.exe
File opened for modification | C:\Windows\SysWOW64\omvsur.exe | zplvcf.exe
File created | C:\Windows\SysWOW64\jwwhsx.exe | obqhyj.exe
File created | C:\Windows\SysWOW64\gcjgph.exe | rurvpi.exe
File created | C:\Windows\SysWOW64\fjmddl.exe | oyaibf.exe
File created | C:\Windows\SysWOW64\wcnuvk.exe | fdmmxb.exe
File opened for modification | C:\Windows\SysWOW64\uhqodu.exe | gdsqxz.exe
File created | C:\Windows\SysWOW64\qjcmva.exe | bqhbaj.exe
File opened for modification | C:\Windows\SysWOW64\hapmfl.exe | xumzbr.exe
File created | C:\Windows\SysWOW64\cjivdl.exe | iljigt.exe
File created | C:\Windows\SysWOW64\jmjhrq.exe | ueswrr.exe
File created | C:\Windows\SysWOW64\apirdu.exe | uhqodu.exe
File created | C:\Windows\SysWOW64\ybkawz.exe | ktsxwz.exe
File created | C:\Windows\SysWOW64\bcckjg.exe | kvtcky.exe
File created | C:\Windows\SysWOW64\pkmmjg.exe | bcckjg.exe
File created | C:\Windows\SysWOW64\xirxdt.exe | jwwhsx.exe
File created | C:\Windows\SysWOW64\ajjhha.exe | otibfk.exe
File opened for modification | C:\Windows\SysWOW64\mnpcxj.exe | xjjezo.exe
File created | C:\Windows\SysWOW64\duxcth.exe | muouuz.exe
File opened for modification | C:\Windows\SysWOW64\txrggy.exe | ccudkc.exe
File created | C:\Windows\SysWOW64\nqgmva.exe | yqlbaj.exe
- Suspicious use of SetThreadContext (64 IoCs)
Processes (description | pid | process | target process):
PID 2180 set thread context of 848 | 2180 | 06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe | 06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe
PID 2132 set thread context of 2796 | 2132 | bynbkf.exe | bynbkf.exe
PID 2540 set thread context of 2528 | 2540 | sywbda.exe | sywbda.exe
PID 1728 set thread context of 2880 | 1728 | yquelx.exe | yquelx.exe
PID 308 set thread context of 652 | 308 | xumzbr.exe | xumzbr.exe
PID 2836 set thread context of 620 | 2836 | hapmfl.exe | hapmfl.exe
PID 2064 set thread context of 2916 | 2064 | qtdudr.exe | qtdudr.exe
PID 708 set thread context of 1816 | 708 | wliptf.exe | wliptf.exe
PID 2460 set thread context of 1316 | 2460 | defscc.exe | defscc.exe
PID 928 set thread context of 1844 | 928 | nkifxe.exe | nkifxe.exe
PID 1500 set thread context of 1588 | 1500 | lacvdw.exe | lacvdw.exe
PID 1644 set thread context of 2960 | 1644 | ddzyht.exe | ddzyht.exe
PID 2904 set thread context of 2752 | 2904 | udzgfc.exe | udzgfc.exe
PID 2560 set thread context of 3000 | 2560 | iljigt.exe | iljigt.exe
PID 2868 set thread context of 2980 | 2868 | cjivdl.exe | cjivdl.exe
PID 288 set thread context of 1804 | 288 | wazjzw.exe | wazjzw.exe
PID 1080 set thread context of 316 | 1080 | nwodvs.exe | nwodvs.exe
PID 2008 set thread context of 2264 | 2008 | famgrx.exe | famgrx.exe
PID 2296 set thread context of 664 | 2296 | thvjaw.exe | thvjaw.exe
PID 1132 set thread context of 1076 | 1132 | hmchxj.exe | hmchxj.exe
PID 1768 set thread context of 1536 | 1768 | zeoxqk.exe | zeoxqk.exe
PID 1300 set thread context of 900 | 1300 | fmfzrj.exe | fmfzrj.exe
PID 1792 set thread context of 1992 | 1792 | zzlalp.exe | zzlalp.exe
PID 3056 set thread context of 2664 | 3056 | qkxuuc.exe | qkxuuc.exe
PID 2776 set thread context of 2636 | 2776 | kxlvgi.exe | kxlvgi.exe
PID 2672 set thread context of 2828 | 2672 | ctaykf.exe | ctaykf.exe
PID 2548 set thread context of 2208 | 2548 | taifjn.exe | taifjn.exe
PID 1860 set thread context of 2236 | 1860 | hisijn.exe | hisijn.exe
PID 2172 set thread context of 2504 | 2172 | wxcgbz.exe | wxcgbz.exe
PID 1304 set thread context of 2100 | 1304 | krxvnv.exe | krxvnv.exe
PID 2696 set thread context of 2228 | 2696 | cjjlgw.exe | cjjlgw.exe
PID 584 set thread context of 2928 | 584 | rnqjdr.exe | rnqjdr.exe
PID 2032 set thread context of 1328 | 2032 | ajnezn.exe | ajnezn.exe
PID 2900 set thread context of 2460 | 2900 | oviukr.exe | oviukr.exe
PID 2012 set thread context of 2128 | 2012 | gnukdr.exe | gnukdr.exe
PID 2188 set thread context of 2952 | 2188 | xjjezo.exe | xjjezo.exe
PID 3064 set thread context of 1740 | 3064 | mnpcxj.exe | mnpcxj.exe
PID 2684 set thread context of 2680 | 2684 | adhffi.exe | adhffi.exe
PID 2872 set thread context of 2020 | 2872 | rzwibf.exe | rzwibf.exe
PID 1520 set thread context of 1860 | 1520 | jutdxj.exe | jutdxj.exe
PID 2492 set thread context of 2852 | 2492 | xgosif.exe | xgosif.exe
PID 844 set thread context of 2008 | 844 | oyaibf.exe | oyaibf.exe
PID 2740 set thread context of 2296 | 2740 | fjmddl.exe | fjmddl.exe
PID 1096 set thread context of 908 | 1096 | ztpquu.exe | ztpquu.exe
PID 1140 set thread context of 768 | 1140 | djiwwk.exe | djiwwk.exe
PID 572 set thread context of 1820 | 572 | uffrah.exe | uffrah.exe
PID 1972 set thread context of 2756 | 1972 | oalzmv.exe | oalzmv.exe
PID 1780 set thread context of 2624 | 1780 | gzthtw.exe | gzthtw.exe
PID 2792 set thread context of 2132 | 2792 | ueswrr.exe | ueswrr.exe
PID 2524 set thread context of 2872 | 2524 | jmjhrq.exe | jmjhrq.exe
PID 2712 set thread context of 1040 | 2712 | vvomwy.exe | vvomwy.exe
PID 1584 set thread context of 2736 | 1584 | muouuz.exe | muouuz.exe
PID 1184 set thread context of 2924 | 1184 | duxcth.exe | duxcth.exe
PID 1296 set thread context of 2268 | 1296 | uxmfpe.exe | uxmfpe.exe
PID 2084 set thread context of 776 | 2084 | dtjalj.exe | dtjalj.exe
PID 2376 set thread context of 1708 | 2376 | vpgvpn.exe | vpgvpn.exe
PID 1732 set thread context of 1692 | 1732 | pcmdjt.exe | pcmdjt.exe
PID 2312 set thread context of 1828 | 2312 | gjnlhu.exe | gjnlhu.exe
PID 2892 set thread context of 2240 | 2892 | xjvtgd.exe | xjvtgd.exe
PID 3064 set thread context of 2788 | 3064 | oivbfe.exe | oivbfe.exe
PID 2524 set thread context of 2984 | 2524 | fpwjdm.exe | fpwjdm.exe
PID 2500 set thread context of 2964 | 2500 | zckjxs.exe | zckjxs.exe
PID 1080 set thread context of 2028 | 1080 | rkkzwt.exe | rkkzwt.exe
PID 2104 set thread context of 532 | 2104 | lxyzqh.exe | lxyzqh.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes (entries | description | pid | process | target process; the report lists one row per call, collapsed here with a count):
10 | PID 2180 wrote to memory of 848 | 2180 | 06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe | 06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe
4 | PID 848 wrote to memory of 2132 | 848 | 06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe | bynbkf.exe
10 | PID 2132 wrote to memory of 2796 | 2132 | bynbkf.exe | bynbkf.exe
4 | PID 2796 wrote to memory of 2540 | 2796 | bynbkf.exe | sywbda.exe
10 | PID 2540 wrote to memory of 2528 | 2540 | sywbda.exe | sywbda.exe
4 | PID 2528 wrote to memory of 1728 | 2528 | sywbda.exe | yquelx.exe
10 | PID 1728 wrote to memory of 2880 | 1728 | yquelx.exe | yquelx.exe
4 | PID 2880 wrote to memory of 308 | 2880 | yquelx.exe | xumzbr.exe
8 | PID 308 wrote to memory of 652 | 308 | xumzbr.exe | xumzbr.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe (level 1, PID 2180)
  Command line: "C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe (level 2, PID 848)
  Command line: "C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\bynbkf.exe (level 3, PID 2132)
  Command line: C:\Windows\system32\bynbkf.exe 488 "C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\bynbkf.exe (level 4, PID 2796)
  Command line: C:\Windows\system32\bynbkf.exe 488 "C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\sywbda.exe (level 5, PID 2540)
  Command line: C:\Windows\system32\sywbda.exe 452 "C:\Windows\SysWOW64\bynbkf.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\sywbda.exe (level 6, PID 2528)
  Command line: C:\Windows\system32\sywbda.exe 452 "C:\Windows\SysWOW64\bynbkf.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\yquelx.exe (level 7, PID 1728)
  Command line: C:\Windows\system32\yquelx.exe 452 "C:\Windows\SysWOW64\sywbda.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\yquelx.exe (level 8, PID 2880)
  Command line: C:\Windows\system32\yquelx.exe 452 "C:\Windows\SysWOW64\sywbda.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\xumzbr.exe (level 9, PID 308)
  Command line: C:\Windows\system32\xumzbr.exe 452 "C:\Windows\SysWOW64\yquelx.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\xumzbr.exe (level 10, PID 652)
  Command line: C:\Windows\system32\xumzbr.exe 452 "C:\Windows\SysWOW64\yquelx.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
- C:\Windows\SysWOW64\hapmfl.exe (level 11, PID 2836)
  Command line: C:\Windows\system32\hapmfl.exe 452 "C:\Windows\SysWOW64\xumzbr.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
- C:\Windows\SysWOW64\hapmfl.exe (level 12, PID 620)
  Command line: C:\Windows\system32\hapmfl.exe 452 "C:\Windows\SysWOW64\xumzbr.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
- C:\Windows\SysWOW64\qtdudr.exe (level 13, PID 2064)
  Command line: C:\Windows\system32\qtdudr.exe 452 "C:\Windows\SysWOW64\hapmfl.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
- C:\Windows\SysWOW64\qtdudr.exe (level 14, PID 2916)
  Command line: C:\Windows\system32\qtdudr.exe 452 "C:\Windows\SysWOW64\hapmfl.exe"
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\wliptf.exe (level 15, PID 708)
  Command line: C:\Windows\system32\wliptf.exe 452 "C:\Windows\SysWOW64\qtdudr.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
- C:\Windows\SysWOW64\wliptf.exe (level 16, PID 1816)
  Command line: C:\Windows\system32\wliptf.exe 452 "C:\Windows\SysWOW64\qtdudr.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
- C:\Windows\SysWOW64\defscc.exe (level 17, PID 2460)
  Command line: C:\Windows\system32\defscc.exe 452 "C:\Windows\SysWOW64\wliptf.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
- C:\Windows\SysWOW64\defscc.exe (level 18, PID 1316)
  Command line: C:\Windows\system32\defscc.exe 452 "C:\Windows\SysWOW64\wliptf.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
- C:\Windows\SysWOW64\nkifxe.exe (level 19, PID 928)
  Command line: C:\Windows\system32\nkifxe.exe 452 "C:\Windows\SysWOW64\defscc.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
- C:\Windows\SysWOW64\nkifxe.exe (level 20, PID 1844)
  Command line: C:\Windows\system32\nkifxe.exe 452 "C:\Windows\SysWOW64\defscc.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
- C:\Windows\SysWOW64\lacvdw.exe (level 21, PID 1500)
  Command line: C:\Windows\system32\lacvdw.exe 452 "C:\Windows\SysWOW64\nkifxe.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
- C:\Windows\SysWOW64\lacvdw.exe (level 22, PID 1588)
  Command line: C:\Windows\system32\lacvdw.exe 452 "C:\Windows\SysWOW64\nkifxe.exe"
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\ddzyht.exe (level 23, PID 1644)
  Command line: C:\Windows\system32\ddzyht.exe 452 "C:\Windows\SysWOW64\lacvdw.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
- C:\Windows\SysWOW64\ddzyht.exe (level 24, PID 2960)
  Command line: C:\Windows\system32\ddzyht.exe 452 "C:\Windows\SysWOW64\lacvdw.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
- C:\Windows\SysWOW64\udzgfc.exe (level 25, PID 2904)
  Command line: C:\Windows\system32\udzgfc.exe 452 "C:\Windows\SysWOW64\ddzyht.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
- C:\Windows\SysWOW64\udzgfc.exe (level 26, PID 2752)
  Command line: C:\Windows\system32\udzgfc.exe 452 "C:\Windows\SysWOW64\ddzyht.exe"
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\iljigt.exe (level 27, PID 2560)
  Command line: C:\Windows\system32\iljigt.exe 452 "C:\Windows\SysWOW64\udzgfc.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
- C:\Windows\SysWOW64\iljigt.exe (level 28, PID 3000)
  Command line: C:\Windows\system32\iljigt.exe 452 "C:\Windows\SysWOW64\udzgfc.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
- C:\Windows\SysWOW64\cjivdl.exe (level 29, PID 2868)
  Command line: C:\Windows\system32\cjivdl.exe 452 "C:\Windows\SysWOW64\iljigt.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
- C:\Windows\SysWOW64\cjivdl.exe (level 30, PID 2980)
  Command line: C:\Windows\system32\cjivdl.exe 452 "C:\Windows\SysWOW64\iljigt.exe"
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\wazjzw.exe (level 31, PID 288)
  Command line: C:\Windows\system32\wazjzw.exe 452 "C:\Windows\SysWOW64\cjivdl.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
- C:\Windows\SysWOW64\wazjzw.exe (level 32, PID 1804)
  Command line: C:\Windows\system32\wazjzw.exe 452 "C:\Windows\SysWOW64\cjivdl.exe"
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\nwodvs.exe (level 33, PID 1080)
  Command line: C:\Windows\system32\nwodvs.exe 452 "C:\Windows\SysWOW64\wazjzw.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
- C:\Windows\SysWOW64\nwodvs.exe (level 34, PID 316)
  Command line: C:\Windows\system32\nwodvs.exe 452 "C:\Windows\SysWOW64\wazjzw.exe"
  - Executes dropped EXE
- C:\Windows\SysWOW64\famgrx.exe (level 35, PID 2008)
  Command line: C:\Windows\system32\famgrx.exe 452 "C:\Windows\SysWOW64\nwodvs.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
- C:\Windows\SysWOW64\famgrx.exe (level 36, PID 2264)
  Command line: C:\Windows\system32\famgrx.exe 452 "C:\Windows\SysWOW64\nwodvs.exe"
  - Executes dropped EXE
- C:\Windows\SysWOW64\thvjaw.exe (level 37, PID 2296)
  Command line: C:\Windows\system32\thvjaw.exe 452 "C:\Windows\SysWOW64\famgrx.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
- C:\Windows\SysWOW64\thvjaw.exe (level 38, PID 664)
  Command line: C:\Windows\system32\thvjaw.exe 452 "C:\Windows\SysWOW64\famgrx.exe"
  - Executes dropped EXE
- C:\Windows\SysWOW64\hmchxj.exe (level 39, PID 1132)
  Command line: C:\Windows\system32\hmchxj.exe 452 "C:\Windows\SysWOW64\thvjaw.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
- C:\Windows\SysWOW64\hmchxj.exe (level 40, PID 1076)
  Command line: C:\Windows\system32\hmchxj.exe 452 "C:\Windows\SysWOW64\thvjaw.exe"
  - Executes dropped EXE
- C:\Windows\SysWOW64\zeoxqk.exe (level 41, PID 1768)
  Command line: C:\Windows\system32\zeoxqk.exe 452 "C:\Windows\SysWOW64\hmchxj.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
- C:\Windows\SysWOW64\zeoxqk.exe (level 42, PID 1536)
  Command line: C:\Windows\system32\zeoxqk.exe 452 "C:\Windows\SysWOW64\hmchxj.exe"
  - Executes dropped EXE
- C:\Windows\SysWOW64\fmfzrj.exe (level 43, PID 1300)
  Command line: C:\Windows\system32\fmfzrj.exe 452 "C:\Windows\SysWOW64\zeoxqk.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
- C:\Windows\SysWOW64\fmfzrj.exe (level 44, PID 900)
  Command line: C:\Windows\system32\fmfzrj.exe 452 "C:\Windows\SysWOW64\zeoxqk.exe"
  - Executes dropped EXE
- C:\Windows\SysWOW64\zzlalp.exe (level 45, PID 1792)
  Command line: C:\Windows\system32\zzlalp.exe 452 "C:\Windows\SysWOW64\fmfzrj.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
- C:\Windows\SysWOW64\zzlalp.exe (level 46, PID 1992)
  Command line: C:\Windows\system32\zzlalp.exe 452 "C:\Windows\SysWOW64\fmfzrj.exe"
  - Executes dropped EXE
- C:\Windows\SysWOW64\qkxuuc.exe (level 47, PID 3056)
  Command line: C:\Windows\system32\qkxuuc.exe 452 "C:\Windows\SysWOW64\zzlalp.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
- C:\Windows\SysWOW64\qkxuuc.exe (level 48, PID 2664)
  Command line: C:\Windows\system32\qkxuuc.exe 452 "C:\Windows\SysWOW64\zzlalp.exe"
  - Executes dropped EXE
- C:\Windows\SysWOW64\kxlvgi.exe (level 49, PID 2776)
  Command line: C:\Windows\system32\kxlvgi.exe 452 "C:\Windows\SysWOW64\qkxuuc.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
- C:\Windows\SysWOW64\kxlvgi.exe (level 50, PID 2636)
  Command line: C:\Windows\system32\kxlvgi.exe 452 "C:\Windows\SysWOW64\qkxuuc.exe"
  - Executes dropped EXE
- C:\Windows\SysWOW64\ctaykf.exe (level 51, PID 2672)
  Command line: C:\Windows\system32\ctaykf.exe 452 "C:\Windows\SysWOW64\kxlvgi.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
- C:\Windows\SysWOW64\ctaykf.exe (level 52, PID 2828)
  Command line: C:\Windows\system32\ctaykf.exe 452 "C:\Windows\SysWOW64\kxlvgi.exe"
  - Executes dropped EXE
- C:\Windows\SysWOW64\taifjn.exe (level 53, PID 2548)
  Command line: C:\Windows\system32\taifjn.exe 452 "C:\Windows\SysWOW64\ctaykf.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
- C:\Windows\SysWOW64\taifjn.exe (level 54, PID 2208)
  Command line: C:\Windows\system32\taifjn.exe 452 "C:\Windows\SysWOW64\ctaykf.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
- C:\Windows\SysWOW64\hisijn.exe (level 55, PID 1860)
  Command line: C:\Windows\system32\hisijn.exe 452 "C:\Windows\SysWOW64\taifjn.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
- C:\Windows\SysWOW64\hisijn.exe (level 56, PID 2236)
  Command line: C:\Windows\system32\hisijn.exe 452 "C:\Windows\SysWOW64\taifjn.exe"
  - Executes dropped EXE
- C:\Windows\SysWOW64\wxcgbz.exe (level 57, PID 2172)
  Command line: C:\Windows\system32\wxcgbz.exe 452 "C:\Windows\SysWOW64\hisijn.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
- C:\Windows\SysWOW64\wxcgbz.exe (level 58, PID 2504)
  Command line: C:\Windows\system32\wxcgbz.exe 452 "C:\Windows\SysWOW64\hisijn.exe"
  - Executes dropped EXE
- C:\Windows\SysWOW64\krxvnv.exe (level 59, PID 1304)
  Command line: C:\Windows\system32\krxvnv.exe 452 "C:\Windows\SysWOW64\wxcgbz.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
- C:\Windows\SysWOW64\krxvnv.exe (level 60, PID 2100)
  Command line: C:\Windows\system32\krxvnv.exe 452 "C:\Windows\SysWOW64\wxcgbz.exe"
  - Executes dropped EXE
- C:\Windows\SysWOW64\cjjlgw.exe (level 61, PID 2696)
  Command line: C:\Windows\system32\cjjlgw.exe 452 "C:\Windows\SysWOW64\krxvnv.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
- C:\Windows\SysWOW64\cjjlgw.exe (level 62, PID 2228)
  Command line: C:\Windows\system32\cjjlgw.exe 452 "C:\Windows\SysWOW64\krxvnv.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
- C:\Windows\SysWOW64\rnqjdr.exe (level 63, PID 584)
  Command line: C:\Windows\system32\rnqjdr.exe 452 "C:\Windows\SysWOW64\cjjlgw.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
- C:\Windows\SysWOW64\rnqjdr.exe (level 64, PID 2928)
  Command line: C:\Windows\system32\rnqjdr.exe 452 "C:\Windows\SysWOW64\cjjlgw.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
- C:\Windows\SysWOW64\ajnezn.exe (level 65, PID 2032)
  Command line: C:\Windows\system32\ajnezn.exe 452 "C:\Windows\SysWOW64\rnqjdr.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
- C:\Windows\SysWOW64\ajnezn.exe (level 66, PID 1328)
  Command line: C:\Windows\system32\ajnezn.exe 452 "C:\Windows\SysWOW64\rnqjdr.exe"
  - Executes dropped EXE
- C:\Windows\SysWOW64\oviukr.exe (level 67, PID 2900)
  Command line: C:\Windows\system32\oviukr.exe 452 "C:\Windows\SysWOW64\ajnezn.exe"
  - Suspicious use of SetThreadContext
- C:\Windows\SysWOW64\oviukr.exe (level 68, PID 2460)
  Command line: C:\Windows\system32\oviukr.exe 452 "C:\Windows\SysWOW64\ajnezn.exe"
  - Drops file in System32 directory
- C:\Windows\SysWOW64\gnukdr.exe (level 69, PID 2012)
  Command line: C:\Windows\system32\gnukdr.exe 480 "C:\Windows\SysWOW64\oviukr.exe"
  - Suspicious use of SetThreadContext
- C:\Windows\SysWOW64\gnukdr.exe (level 70, PID 2128)
  Command line: C:\Windows\system32\gnukdr.exe 480 "C:\Windows\SysWOW64\oviukr.exe"
- C:\Windows\SysWOW64\xjjezo.exe (level 71, PID 2188)
  Command line: C:\Windows\system32\xjjezo.exe 452 "C:\Windows\SysWOW64\gnukdr.exe"
  - Suspicious use of SetThreadContext
- C:\Windows\SysWOW64\xjjezo.exe (level 72, PID 2952)
  Command line: C:\Windows\system32\xjjezo.exe 452 "C:\Windows\SysWOW64\gnukdr.exe"
  - Drops file in System32 directory
- C:\Windows\SysWOW64\mnpcxj.exe (level 73, PID 3064)
  Command line: C:\Windows\system32\mnpcxj.exe 452 "C:\Windows\SysWOW64\xjjezo.exe"
  - Suspicious use of SetThreadContext
- C:\Windows\SysWOW64\mnpcxj.exe (level 74, PID 1740)
  Command line: C:\Windows\system32\mnpcxj.exe 452 "C:\Windows\SysWOW64\xjjezo.exe"
- C:\Windows\SysWOW64\adhffi.exe (level 75, PID 2684)
  Command line: C:\Windows\system32\adhffi.exe 452 "C:\Windows\SysWOW64\mnpcxj.exe"
  - Suspicious use of SetThreadContext
- C:\Windows\SysWOW64\adhffi.exe (level 76, PID 2680)
  Command line: C:\Windows\system32\adhffi.exe 452 "C:\Windows\SysWOW64\mnpcxj.exe"
- C:\Windows\SysWOW64\rzwibf.exe (level 77, PID 2872)
  Command line: C:\Windows\system32\rzwibf.exe 452 "C:\Windows\SysWOW64\adhffi.exe"
  - Suspicious use of SetThreadContext
- C:\Windows\SysWOW64\rzwibf.exe (level 78, PID 2020)
  Command line: C:\Windows\system32\rzwibf.exe 452 "C:\Windows\SysWOW64\adhffi.exe"
- C:\Windows\SysWOW64\jutdxj.exe (level 79, PID 1520)
  Command line: C:\Windows\system32\jutdxj.exe 452 "C:\Windows\SysWOW64\rzwibf.exe"
  - Suspicious use of SetThreadContext
- C:\Windows\SysWOW64\jutdxj.exe (level 80, PID 1860)
  Command line: C:\Windows\system32\jutdxj.exe 452 "C:\Windows\SysWOW64\rzwibf.exe"
- C:\Windows\SysWOW64\xgosif.exe (level 81, PID 2492)
  Command line: C:\Windows\system32\xgosif.exe 452 "C:\Windows\SysWOW64\jutdxj.exe"
  - Suspicious use of SetThreadContext
- C:\Windows\SysWOW64\xgosif.exe (level 82, PID 2852)
  Command line: C:\Windows\system32\xgosif.exe 452 "C:\Windows\SysWOW64\jutdxj.exe"
- C:\Windows\SysWOW64\oyaibf.exe (level 83, PID 844)
  Command line: C:\Windows\system32\oyaibf.exe 452 "C:\Windows\SysWOW64\xgosif.exe"
  - Suspicious use of SetThreadContext
- C:\Windows\SysWOW64\oyaibf.exe (level 84, PID 2008)
  Command line: C:\Windows\system32\oyaibf.exe 452 "C:\Windows\SysWOW64\xgosif.exe"
  - Drops file in System32 directory
- C:\Windows\SysWOW64\fjmddl.exe (level 85, PID 2740)
  Command line: C:\Windows\system32\fjmddl.exe 452 "C:\Windows\SysWOW64\oyaibf.exe"
  - Suspicious use of SetThreadContext
- C:\Windows\SysWOW64\fjmddl.exe (level 86, PID 2296)
  Command line: C:\Windows\system32\fjmddl.exe 452 "C:\Windows\SysWOW64\oyaibf.exe"
- C:\Windows\SysWOW64\ztpquu.exe (level 87, PID 1096)
  Command line: C:\Windows\system32\ztpquu.exe 452 "C:\Windows\SysWOW64\fjmddl.exe"
  - Suspicious use of SetThreadContext
- C:\Windows\SysWOW64\ztpquu.exe (level 88, PID 908)
  Command line: C:\Windows\system32\ztpquu.exe 452 "C:\Windows\SysWOW64\fjmddl.exe"
- C:\Windows\SysWOW64\djiwwk.exe (level 89, PID 1140)
  Command line: C:\Windows\system32\djiwwk.exe 452 "C:\Windows\SysWOW64\ztpquu.exe"
  - Suspicious use of SetThreadContext
- C:\Windows\SysWOW64\djiwwk.exe (level 90, PID 768)
  Command line: C:\Windows\system32\djiwwk.exe 452 "C:\Windows\SysWOW64\ztpquu.exe"
  - Drops file in System32 directory
- C:\Windows\SysWOW64\uffrah.exe (level 91, PID 572)
  Command line: C:\Windows\system32\uffrah.exe 452 "C:\Windows\SysWOW64\djiwwk.exe"
  - Suspicious use of SetThreadContext
- C:\Windows\SysWOW64\uffrah.exe (level 92, PID 1820)
  Command line: C:\Windows\system32\uffrah.exe 452 "C:\Windows\SysWOW64\djiwwk.exe"
-
C:\Windows\SysWOW64\oalzmv.exeC:\Windows\system32\oalzmv.exe 452 "C:\Windows\SysWOW64\uffrah.exe"93⤵
- Suspicious use of SetThreadContext
PID:1972 -
C:\Windows\SysWOW64\oalzmv.exeC:\Windows\system32\oalzmv.exe 452 "C:\Windows\SysWOW64\uffrah.exe"94⤵PID:2756
-
C:\Windows\SysWOW64\gzthtw.exeC:\Windows\system32\gzthtw.exe 452 "C:\Windows\SysWOW64\oalzmv.exe"95⤵
- Suspicious use of SetThreadContext
PID:1780 -
C:\Windows\SysWOW64\gzthtw.exeC:\Windows\system32\gzthtw.exe 452 "C:\Windows\SysWOW64\oalzmv.exe"96⤵PID:2624
-
C:\Windows\SysWOW64\ueswrr.exeC:\Windows\system32\ueswrr.exe 452 "C:\Windows\SysWOW64\gzthtw.exe"97⤵
- Suspicious use of SetThreadContext
PID:2792 -
C:\Windows\SysWOW64\ueswrr.exeC:\Windows\system32\ueswrr.exe 452 "C:\Windows\SysWOW64\gzthtw.exe"98⤵
- Drops file in System32 directory
PID:2132 -
C:\Windows\SysWOW64\jmjhrq.exeC:\Windows\system32\jmjhrq.exe 452 "C:\Windows\SysWOW64\ueswrr.exe"99⤵
- Suspicious use of SetThreadContext
PID:2524 -
C:\Windows\SysWOW64\jmjhrq.exeC:\Windows\system32\jmjhrq.exe 452 "C:\Windows\SysWOW64\ueswrr.exe"100⤵PID:2872
-
C:\Windows\SysWOW64\vvomwy.exeC:\Windows\system32\vvomwy.exe 452 "C:\Windows\SysWOW64\jmjhrq.exe"101⤵
- Suspicious use of SetThreadContext
PID:2712 -
C:\Windows\SysWOW64\vvomwy.exeC:\Windows\system32\vvomwy.exe 452 "C:\Windows\SysWOW64\jmjhrq.exe"102⤵PID:1040
-
C:\Windows\SysWOW64\muouuz.exeC:\Windows\system32\muouuz.exe 452 "C:\Windows\SysWOW64\vvomwy.exe"103⤵
- Suspicious use of SetThreadContext
PID:1584 -
C:\Windows\SysWOW64\muouuz.exeC:\Windows\system32\muouuz.exe 452 "C:\Windows\SysWOW64\vvomwy.exe"104⤵
- Drops file in System32 directory
PID:2736 -
C:\Windows\SysWOW64\duxcth.exeC:\Windows\system32\duxcth.exe 452 "C:\Windows\SysWOW64\muouuz.exe"105⤵
- Suspicious use of SetThreadContext
PID:1184 -
C:\Windows\SysWOW64\duxcth.exeC:\Windows\system32\duxcth.exe 452 "C:\Windows\SysWOW64\muouuz.exe"106⤵PID:2924
-
C:\Windows\SysWOW64\uxmfpe.exeC:\Windows\system32\uxmfpe.exe 452 "C:\Windows\SysWOW64\duxcth.exe"107⤵
- Suspicious use of SetThreadContext
PID:1296 -
C:\Windows\SysWOW64\uxmfpe.exeC:\Windows\system32\uxmfpe.exe 452 "C:\Windows\SysWOW64\duxcth.exe"108⤵PID:2268
-
C:\Windows\SysWOW64\dtjalj.exeC:\Windows\system32\dtjalj.exe 452 "C:\Windows\SysWOW64\uxmfpe.exe"109⤵
- Suspicious use of SetThreadContext
PID:2084 -
C:\Windows\SysWOW64\dtjalj.exeC:\Windows\system32\dtjalj.exe 452 "C:\Windows\SysWOW64\uxmfpe.exe"110⤵
- Drops file in System32 directory
PID:776 -
C:\Windows\SysWOW64\vpgvpn.exeC:\Windows\system32\vpgvpn.exe 452 "C:\Windows\SysWOW64\dtjalj.exe"111⤵
- Suspicious use of SetThreadContext
PID:2376 -
C:\Windows\SysWOW64\vpgvpn.exeC:\Windows\system32\vpgvpn.exe 452 "C:\Windows\SysWOW64\dtjalj.exe"112⤵PID:1708
-
C:\Windows\SysWOW64\pcmdjt.exeC:\Windows\system32\pcmdjt.exe 452 "C:\Windows\SysWOW64\vpgvpn.exe"113⤵
- Suspicious use of SetThreadContext
PID:1732 -
C:\Windows\SysWOW64\pcmdjt.exeC:\Windows\system32\pcmdjt.exe 452 "C:\Windows\SysWOW64\vpgvpn.exe"114⤵
- Drops file in System32 directory
PID:1692 -
C:\Windows\SysWOW64\gjnlhu.exeC:\Windows\system32\gjnlhu.exe 452 "C:\Windows\SysWOW64\pcmdjt.exe"115⤵
- Suspicious use of SetThreadContext
PID:2312 -
C:\Windows\SysWOW64\gjnlhu.exeC:\Windows\system32\gjnlhu.exe 452 "C:\Windows\SysWOW64\pcmdjt.exe"116⤵
- Drops file in System32 directory
PID:1828 -
C:\Windows\SysWOW64\xjvtgd.exeC:\Windows\system32\xjvtgd.exe 452 "C:\Windows\SysWOW64\gjnlhu.exe"117⤵
- Suspicious use of SetThreadContext
PID:2892 -
C:\Windows\SysWOW64\xjvtgd.exeC:\Windows\system32\xjvtgd.exe 452 "C:\Windows\SysWOW64\gjnlhu.exe"118⤵
- Drops file in System32 directory
PID:2240 -
C:\Windows\SysWOW64\oivbfe.exeC:\Windows\system32\oivbfe.exe 452 "C:\Windows\SysWOW64\xjvtgd.exe"119⤵
- Suspicious use of SetThreadContext
PID:3064 -
C:\Windows\SysWOW64\oivbfe.exeC:\Windows\system32\oivbfe.exe 452 "C:\Windows\SysWOW64\xjvtgd.exe"120⤵
- Drops file in System32 directory
PID:2788 -
C:\Windows\SysWOW64\fpwjdm.exeC:\Windows\system32\fpwjdm.exe 452 "C:\Windows\SysWOW64\oivbfe.exe"121⤵
- Suspicious use of SetThreadContext
PID:2524 -
C:\Windows\SysWOW64\fpwjdm.exeC:\Windows\system32\fpwjdm.exe 452 "C:\Windows\SysWOW64\oivbfe.exe"122⤵
- Drops file in System32 directory
PID:2984 -
C:\Windows\SysWOW64\zckjxs.exeC:\Windows\system32\zckjxs.exe 452 "C:\Windows\SysWOW64\fpwjdm.exe"123⤵
- Suspicious use of SetThreadContext
PID:2500 -
C:\Windows\SysWOW64\zckjxs.exeC:\Windows\system32\zckjxs.exe 452 "C:\Windows\SysWOW64\fpwjdm.exe"124⤵PID:2964
-
C:\Windows\SysWOW64\rkkzwt.exeC:\Windows\system32\rkkzwt.exe 452 "C:\Windows\SysWOW64\zckjxs.exe"125⤵
- Suspicious use of SetThreadContext
PID:1080 -
C:\Windows\SysWOW64\rkkzwt.exeC:\Windows\system32\rkkzwt.exe 452 "C:\Windows\SysWOW64\zckjxs.exe"126⤵PID:2028
-
C:\Windows\SysWOW64\lxyzqh.exeC:\Windows\system32\lxyzqh.exe 452 "C:\Windows\SysWOW64\rkkzwt.exe"127⤵
- Suspicious use of SetThreadContext
PID:2104 -
C:\Windows\SysWOW64\lxyzqh.exeC:\Windows\system32\lxyzqh.exe 452 "C:\Windows\SysWOW64\rkkzwt.exe"128⤵
- Drops file in System32 directory
PID:532 -
C:\Windows\SysWOW64\cwyhpi.exeC:\Windows\system32\cwyhpi.exe 452 "C:\Windows\SysWOW64\lxyzqh.exe"129⤵PID:988
-
C:\Windows\SysWOW64\cwyhpi.exeC:\Windows\system32\cwyhpi.exe 452 "C:\Windows\SysWOW64\lxyzqh.exe"130⤵PID:2064
-
C:\Windows\SysWOW64\qbffud.exeC:\Windows\system32\qbffud.exe 452 "C:\Windows\SysWOW64\cwyhpi.exe"131⤵PID:1136
-
C:\Windows\SysWOW64\qbffud.exeC:\Windows\system32\qbffud.exe 452 "C:\Windows\SysWOW64\cwyhpi.exe"132⤵PID:2032
-
C:\Windows\SysWOW64\cwlfoj.exeC:\Windows\system32\cwlfoj.exe 452 "C:\Windows\SysWOW64\qbffud.exe"133⤵PID:2484
-
C:\Windows\SysWOW64\cwlfoj.exeC:\Windows\system32\cwlfoj.exe 452 "C:\Windows\SysWOW64\qbffud.exe"134⤵PID:1788
-
C:\Windows\SysWOW64\tyxaqw.exeC:\Windows\system32\tyxaqw.exe 452 "C:\Windows\SysWOW64\cwlfoj.exe"135⤵PID:888
-
C:\Windows\SysWOW64\tyxaqw.exeC:\Windows\system32\tyxaqw.exe 452 "C:\Windows\SysWOW64\cwlfoj.exe"136⤵
- Drops file in System32 directory
PID:2900 -
C:\Windows\SysWOW64\nmkakc.exeC:\Windows\system32\nmkakc.exe 452 "C:\Windows\SysWOW64\tyxaqw.exe"137⤵PID:2112
-
C:\Windows\SysWOW64\nmkakc.exeC:\Windows\system32\nmkakc.exe 452 "C:\Windows\SysWOW64\tyxaqw.exe"138⤵
- Drops file in System32 directory
PID:1592 -
C:\Windows\SysWOW64\ccudkc.exeC:\Windows\system32\ccudkc.exe 452 "C:\Windows\SysWOW64\nmkakc.exe"139⤵PID:2652
-
C:\Windows\SysWOW64\ccudkc.exeC:\Windows\system32\ccudkc.exe 452 "C:\Windows\SysWOW64\nmkakc.exe"140⤵
- Drops file in System32 directory
PID:3056 -
C:\Windows\SysWOW64\txrggy.exeC:\Windows\system32\txrggy.exe 452 "C:\Windows\SysWOW64\ccudkc.exe"141⤵PID:2784
-
C:\Windows\SysWOW64\txrggy.exeC:\Windows\system32\txrggy.exe 452 "C:\Windows\SysWOW64\ccudkc.exe"142⤵PID:2640
-
C:\Windows\SysWOW64\hfjipy.exeC:\Windows\system32\hfjipy.exe 452 "C:\Windows\SysWOW64\txrggy.exe"143⤵PID:3036
-
C:\Windows\SysWOW64\hfjipy.exeC:\Windows\system32\hfjipy.exe 452 "C:\Windows\SysWOW64\txrggy.exe"144⤵PID:1520
-
C:\Windows\SysWOW64\wkigmt.exeC:\Windows\system32\wkigmt.exe 452 "C:\Windows\SysWOW64\hfjipy.exe"145⤵PID:2412
-
C:\Windows\SysWOW64\wkigmt.exeC:\Windows\system32\wkigmt.exe 452 "C:\Windows\SysWOW64\hfjipy.exe"146⤵PID:2816
-
C:\Windows\SysWOW64\qxvggz.exeC:\Windows\system32\qxvggz.exe 452 "C:\Windows\SysWOW64\wkigmt.exe"147⤵PID:1420
-
C:\Windows\SysWOW64\qxvggz.exeC:\Windows\system32\qxvggz.exe 452 "C:\Windows\SysWOW64\wkigmt.exe"148⤵PID:2836
-
C:\Windows\SysWOW64\hblbcd.exeC:\Windows\system32\hblbcd.exe 452 "C:\Windows\SysWOW64\qxvggz.exe"149⤵PID:2932
-
C:\Windows\SysWOW64\hblbcd.exeC:\Windows\system32\hblbcd.exe 452 "C:\Windows\SysWOW64\qxvggz.exe"150⤵PID:2088
-
C:\Windows\SysWOW64\wicmdv.exeC:\Windows\system32\wicmdv.exe 452 "C:\Windows\SysWOW64\hblbcd.exe"151⤵PID:1856
-
C:\Windows\SysWOW64\wicmdv.exeC:\Windows\system32\wicmdv.exe 452 "C:\Windows\SysWOW64\hblbcd.exe"152⤵PID:892
-
C:\Windows\SysWOW64\knjbiq.exeC:\Windows\system32\knjbiq.exe 452 "C:\Windows\SysWOW64\wicmdv.exe"153⤵PID:1148
-
C:\Windows\SysWOW64\knjbiq.exeC:\Windows\system32\knjbiq.exe 452 "C:\Windows\SysWOW64\wicmdv.exe"154⤵PID:600
-
C:\Windows\SysWOW64\ufnrbq.exeC:\Windows\system32\ufnrbq.exe 452 "C:\Windows\SysWOW64\knjbiq.exe"155⤵PID:2156
-
C:\Windows\SysWOW64\ufnrbq.exeC:\Windows\system32\ufnrbq.exe 452 "C:\Windows\SysWOW64\knjbiq.exe"156⤵PID:1900
-
C:\Windows\SysWOW64\levzar.exeC:\Windows\system32\levzar.exe 452 "C:\Windows\SysWOW64\ufnrbq.exe"157⤵PID:2196
-
C:\Windows\SysWOW64\levzar.exeC:\Windows\system32\levzar.exe 452 "C:\Windows\SysWOW64\ufnrbq.exe"158⤵PID:2124
-
C:\Windows\SysWOW64\fdmmxb.exeC:\Windows\system32\fdmmxb.exe 452 "C:\Windows\SysWOW64\levzar.exe"159⤵PID:2768
-
C:\Windows\SysWOW64\fdmmxb.exeC:\Windows\system32\fdmmxb.exe 452 "C:\Windows\SysWOW64\levzar.exe"160⤵
- Drops file in System32 directory
PID:2896 -
C:\Windows\SysWOW64\wcnuvk.exeC:\Windows\system32\wcnuvk.exe 452 "C:\Windows\SysWOW64\fdmmxb.exe"161⤵PID:2544
-
C:\Windows\SysWOW64\wcnuvk.exeC:\Windows\system32\wcnuvk.exe 452 "C:\Windows\SysWOW64\fdmmxb.exe"162⤵PID:2808
-
C:\Windows\SysWOW64\kkefwk.exeC:\Windows\system32\kkefwk.exe 452 "C:\Windows\SysWOW64\wcnuvk.exe"163⤵PID:2576
-
C:\Windows\SysWOW64\kkefwk.exeC:\Windows\system32\kkefwk.exe 452 "C:\Windows\SysWOW64\wcnuvk.exe"164⤵PID:548
-
C:\Windows\SysWOW64\zplvcf.exeC:\Windows\system32\zplvcf.exe 452 "C:\Windows\SysWOW64\kkefwk.exe"165⤵PID:2476
-
C:\Windows\SysWOW64\zplvcf.exeC:\Windows\system32\zplvcf.exe 452 "C:\Windows\SysWOW64\kkefwk.exe"166⤵
- Drops file in System32 directory
PID:1808 -
C:\Windows\SysWOW64\omvsur.exeC:\Windows\system32\omvsur.exe 452 "C:\Windows\SysWOW64\zplvcf.exe"167⤵PID:2584
-
C:\Windows\SysWOW64\omvsur.exeC:\Windows\system32\omvsur.exe 452 "C:\Windows\SysWOW64\zplvcf.exe"168⤵PID:2400
-
C:\Windows\SysWOW64\acoyeh.exeC:\Windows\system32\acoyeh.exe 452 "C:\Windows\SysWOW64\omvsur.exe"169⤵PID:1964
-
C:\Windows\SysWOW64\acoyeh.exeC:\Windows\system32\acoyeh.exe 452 "C:\Windows\SysWOW64\omvsur.exe"170⤵PID:2696
-
C:\Windows\SysWOW64\rvaoxa.exeC:\Windows\system32\rvaoxa.exe 452 "C:\Windows\SysWOW64\acoyeh.exe"171⤵PID:1348
-
C:\Windows\SysWOW64\rvaoxa.exeC:\Windows\system32\rvaoxa.exe 452 "C:\Windows\SysWOW64\acoyeh.exe"172⤵
- Drops file in System32 directory
PID:1476 -
C:\Windows\SysWOW64\gdsqxz.exeC:\Windows\system32\gdsqxz.exe 452 "C:\Windows\SysWOW64\rvaoxa.exe"173⤵PID:2588
-
C:\Windows\SysWOW64\gdsqxz.exeC:\Windows\system32\gdsqxz.exe 452 "C:\Windows\SysWOW64\rvaoxa.exe"174⤵
- Drops file in System32 directory
PID:1136 -
C:\Windows\SysWOW64\uhqodu.exeC:\Windows\system32\uhqodu.exe 452 "C:\Windows\SysWOW64\gdsqxz.exe"175⤵PID:572
-
C:\Windows\SysWOW64\uhqodu.exeC:\Windows\system32\uhqodu.exe 452 "C:\Windows\SysWOW64\gdsqxz.exe"176⤵
- Drops file in System32 directory
PID:1300 -
C:\Windows\SysWOW64\apirdu.exeC:\Windows\system32\apirdu.exe 452 "C:\Windows\SysWOW64\uhqodu.exe"177⤵PID:1652
-
C:\Windows\SysWOW64\apirdu.exeC:\Windows\system32\apirdu.exe 452 "C:\Windows\SysWOW64\uhqodu.exe"178⤵PID:1604
-
C:\Windows\SysWOW64\vzkmvv.exeC:\Windows\system32\vzkmvv.exe 452 "C:\Windows\SysWOW64\apirdu.exe"179⤵PID:2288
-
C:\Windows\SysWOW64\vzkmvv.exeC:\Windows\system32\vzkmvv.exe 452 "C:\Windows\SysWOW64\apirdu.exe"180⤵PID:1704
-
C:\Windows\SysWOW64\jdjbsq.exeC:\Windows\system32\jdjbsq.exe 452 "C:\Windows\SysWOW64\vzkmvv.exe"181⤵PID:2688
-
C:\Windows\SysWOW64\jdjbsq.exeC:\Windows\system32\jdjbsq.exe 452 "C:\Windows\SysWOW64\vzkmvv.exe"182⤵PID:3068
-
C:\Windows\SysWOW64\bcrjrr.exeC:\Windows\system32\bcrjrr.exe 452 "C:\Windows\SysWOW64\jdjbsq.exe"183⤵PID:2524
-
C:\Windows\SysWOW64\bcrjrr.exeC:\Windows\system32\bcrjrr.exe 452 "C:\Windows\SysWOW64\jdjbsq.exe"184⤵PID:2620
-
C:\Windows\SysWOW64\phqhxm.exeC:\Windows\system32\phqhxm.exe 452 "C:\Windows\SysWOW64\bcrjrr.exe"185⤵PID:1736
-
C:\Windows\SysWOW64\phqhxm.exeC:\Windows\system32\phqhxm.exe 452 "C:\Windows\SysWOW64\bcrjrr.exe"186⤵PID:2548
-
C:\Windows\SysWOW64\goypvn.exeC:\Windows\system32\goypvn.exe 452 "C:\Windows\SysWOW64\phqhxm.exe"187⤵PID:2356
-
C:\Windows\SysWOW64\goypvn.exeC:\Windows\system32\goypvn.exe 452 "C:\Windows\SysWOW64\phqhxm.exe"188⤵PID:2300
-
C:\Windows\SysWOW64\vsxnti.exeC:\Windows\system32\vsxnti.exe 452 "C:\Windows\SysWOW64\goypvn.exe"189⤵PID:836
-
C:\Windows\SysWOW64\vsxnti.exeC:\Windows\system32\vsxnti.exe 452 "C:\Windows\SysWOW64\goypvn.exe"190⤵PID:1996
-
C:\Windows\SysWOW64\ktsxwz.exeC:\Windows\system32\ktsxwz.exe 452 "C:\Windows\SysWOW64\vsxnti.exe"191⤵PID:2116
-
C:\Windows\SysWOW64\ktsxwz.exeC:\Windows\system32\ktsxwz.exe 452 "C:\Windows\SysWOW64\vsxnti.exe"192⤵
- Drops file in System32 directory
PID:1368 -
C:\Windows\SysWOW64\ybkawz.exeC:\Windows\system32\ybkawz.exe 452 "C:\Windows\SysWOW64\ktsxwz.exe"193⤵PID:1640
-
C:\Windows\SysWOW64\ybkawz.exeC:\Windows\system32\ybkawz.exe 452 "C:\Windows\SysWOW64\ktsxwz.exe"194⤵PID:1616
-
C:\Windows\SysWOW64\nfqyuu.exeC:\Windows\system32\nfqyuu.exe 452 "C:\Windows\SysWOW64\ybkawz.exe"195⤵PID:2120
-
C:\Windows\SysWOW64\nfqyuu.exeC:\Windows\system32\nfqyuu.exe 452 "C:\Windows\SysWOW64\ybkawz.exe"196⤵
- Drops file in System32 directory
PID:2484 -
C:\Windows\SysWOW64\bkpnap.exeC:\Windows\system32\bkpnap.exe 452 "C:\Windows\SysWOW64\nfqyuu.exe"197⤵PID:1292
-
C:\Windows\SysWOW64\bkpnap.exeC:\Windows\system32\bkpnap.exe 452 "C:\Windows\SysWOW64\nfqyuu.exe"198⤵
- Drops file in System32 directory
PID:1652 -
C:\Windows\SysWOW64\lcbdth.exeC:\Windows\system32\lcbdth.exe 452 "C:\Windows\SysWOW64\bkpnap.exe"199⤵PID:1600
-
C:\Windows\SysWOW64\lcbdth.exeC:\Windows\system32\lcbdth.exe 452 "C:\Windows\SysWOW64\bkpnap.exe"200⤵PID:2288
-
C:\Windows\SysWOW64\zksgth.exeC:\Windows\system32\zksgth.exe 452 "C:\Windows\SysWOW64\lcbdth.exe"201⤵PID:2652
-
C:\Windows\SysWOW64\zksgth.exeC:\Windows\system32\zksgth.exe 452 "C:\Windows\SysWOW64\lcbdth.exe"202⤵PID:2676
-
C:\Windows\SysWOW64\qgijpl.exeC:\Windows\system32\qgijpl.exe 452 "C:\Windows\SysWOW64\zksgth.exe"203⤵PID:2784
-
C:\Windows\SysWOW64\qgijpl.exeC:\Windows\system32\qgijpl.exe 452 "C:\Windows\SysWOW64\zksgth.exe"204⤵PID:1664
-
C:\Windows\SysWOW64\ibfeti.exeC:\Windows\system32\ibfeti.exe 452 "C:\Windows\SysWOW64\qgijpl.exe"205⤵PID:3036
-
C:\Windows\SysWOW64\ibfeti.exeC:\Windows\system32\ibfeti.exe 452 "C:\Windows\SysWOW64\qgijpl.exe"206⤵
- Drops file in System32 directory
PID:940 -
C:\Windows\SysWOW64\zmqzuv.exeC:\Windows\system32\zmqzuv.exe 452 "C:\Windows\SysWOW64\ibfeti.exe"207⤵PID:308
-
C:\Windows\SysWOW64\zmqzuv.exeC:\Windows\system32\zmqzuv.exe 452 "C:\Windows\SysWOW64\ibfeti.exe"208⤵
- Drops file in System32 directory
PID:2820 -
C:\Windows\SysWOW64\qmrgtw.exeC:\Windows\system32\qmrgtw.exe 452 "C:\Windows\SysWOW64\zmqzuv.exe"209⤵PID:1420
-
C:\Windows\SysWOW64\qmrgtw.exeC:\Windows\system32\qmrgtw.exe 452 "C:\Windows\SysWOW64\zmqzuv.exe"210⤵
- Drops file in System32 directory
PID:1428 -
C:\Windows\SysWOW64\kvtcky.exeC:\Windows\system32\kvtcky.exe 452 "C:\Windows\SysWOW64\qmrgtw.exe"211⤵PID:332
-
C:\Windows\SysWOW64\kvtcky.exeC:\Windows\system32\kvtcky.exe 452 "C:\Windows\SysWOW64\qmrgtw.exe"212⤵
- Drops file in System32 directory
PID:1240 -
C:\Windows\SysWOW64\bcckjg.exeC:\Windows\system32\bcckjg.exe 452 "C:\Windows\SysWOW64\kvtcky.exe"213⤵PID:2372
-
C:\Windows\SysWOW64\bcckjg.exeC:\Windows\system32\bcckjg.exe 452 "C:\Windows\SysWOW64\kvtcky.exe"214⤵
- Drops file in System32 directory
PID:2360 -
C:\Windows\SysWOW64\pkmmjg.exeC:\Windows\system32\pkmmjg.exe 452 "C:\Windows\SysWOW64\bcckjg.exe"215⤵PID:2376
-
C:\Windows\SysWOW64\pkmmjg.exeC:\Windows\system32\pkmmjg.exe 452 "C:\Windows\SysWOW64\bcckjg.exe"216⤵PID:3048
-
C:\Windows\SysWOW64\hkmuqh.exeC:\Windows\system32\hkmuqh.exe 452 "C:\Windows\SysWOW64\pkmmjg.exe"217⤵PID:2152
-
C:\Windows\SysWOW64\hkmuqh.exeC:\Windows\system32\hkmuqh.exe 452 "C:\Windows\SysWOW64\pkmmjg.exe"218⤵
- Drops file in System32 directory
PID:2336 -
C:\Windows\SysWOW64\bfaccn.exeC:\Windows\system32\bfaccn.exe 452 "C:\Windows\SysWOW64\hkmuqh.exe"219⤵PID:2312
-
C:\Windows\SysWOW64\bfaccn.exeC:\Windows\system32\bfaccn.exe 452 "C:\Windows\SysWOW64\hkmuqh.exe"220⤵PID:2800
-
C:\Windows\SysWOW64\kbpxgr.exeC:\Windows\system32\kbpxgr.exe 452 "C:\Windows\SysWOW64\bfaccn.exe"221⤵PID:2688
-
C:\Windows\SysWOW64\kbpxgr.exeC:\Windows\system32\kbpxgr.exe 452 "C:\Windows\SysWOW64\bfaccn.exe"222⤵PID:2868
-
C:\Windows\SysWOW64\wrqdih.exeC:\Windows\system32\wrqdih.exe 452 "C:\Windows\SysWOW64\kbpxgr.exe"223⤵PID:2532
-
C:\Windows\SysWOW64\wrqdih.exeC:\Windows\system32\wrqdih.exe 452 "C:\Windows\SysWOW64\kbpxgr.exe"224⤵PID:2536
-
C:\Windows\SysWOW64\qbtqzj.exeC:\Windows\system32\qbtqzj.exe 452 "C:\Windows\SysWOW64\wrqdih.exe"225⤵PID:3020
-
C:\Windows\SysWOW64\qbtqzj.exeC:\Windows\system32\qbtqzj.exe 452 "C:\Windows\SysWOW64\wrqdih.exe"226⤵
- Drops file in System32 directory
PID:2848 -
C:\Windows\SysWOW64\hmelbw.exeC:\Windows\system32\hmelbw.exe 452 "C:\Windows\SysWOW64\qbtqzj.exe"227⤵PID:308
-
C:\Windows\SysWOW64\hmelbw.exeC:\Windows\system32\hmelbw.exe 452 "C:\Windows\SysWOW64\qbtqzj.exe"228⤵
- Drops file in System32 directory
PID:2584 -
C:\Windows\SysWOW64\viligj.exeC:\Windows\system32\viligj.exe 452 "C:\Windows\SysWOW64\hmelbw.exe"229⤵PID:1120
-
C:\Windows\SysWOW64\viligj.exeC:\Windows\system32\viligj.exe 452 "C:\Windows\SysWOW64\hmelbw.exe"230⤵PID:692
-
C:\Windows\SysWOW64\napqzj.exeC:\Windows\system32\napqzj.exe 452 "C:\Windows\SysWOW64\viligj.exe"231⤵PID:1348
-
C:\Windows\SysWOW64\napqzj.exeC:\Windows\system32\napqzj.exe 452 "C:\Windows\SysWOW64\viligj.exe"232⤵
- Drops file in System32 directory
PID:912 -
C:\Windows\SysWOW64\bqhbaj.exeC:\Windows\system32\bqhbaj.exe 452 "C:\Windows\SysWOW64\napqzj.exe"233⤵PID:1768
-
C:\Windows\SysWOW64\bqhbaj.exeC:\Windows\system32\bqhbaj.exe 452 "C:\Windows\SysWOW64\napqzj.exe"234⤵
- Drops file in System32 directory
PID:1660 -
C:\Windows\SysWOW64\qjcmva.exeC:\Windows\system32\qjcmva.exe 452 "C:\Windows\SysWOW64\bqhbaj.exe"235⤵PID:1424
-
C:\Windows\SysWOW64\qjcmva.exeC:\Windows\system32\qjcmva.exe 452 "C:\Windows\SysWOW64\bqhbaj.exe"236⤵PID:1556
-
C:\Windows\SysWOW64\huozef.exeC:\Windows\system32\huozef.exe 452 "C:\Windows\SysWOW64\qjcmva.exe"237⤵PID:2348
-
C:\Windows\SysWOW64\huozef.exeC:\Windows\system32\huozef.exe 452 "C:\Windows\SysWOW64\qjcmva.exe"238⤵PID:1780
-
C:\Windows\SysWOW64\yqlbaj.exeC:\Windows\system32\yqlbaj.exe 452 "C:\Windows\SysWOW64\huozef.exe"239⤵PID:1916
-
C:\Windows\SysWOW64\yqlbaj.exeC:\Windows\system32\yqlbaj.exe 452 "C:\Windows\SysWOW64\huozef.exe"240⤵
- Drops file in System32 directory
PID:1628 -
C:\Windows\SysWOW64\nqgmva.exeC:\Windows\system32\nqgmva.exe 452 "C:\Windows\SysWOW64\yqlbaj.exe"241⤵PID:2708
-
C:\Windows\SysWOW64\nqgmva.exeC:\Windows\system32\nqgmva.exe 452 "C:\Windows\SysWOW64\yqlbaj.exe"242⤵PID:1540
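The tree above repeats one pattern for every stage: a freshly dropped six-letter binary in SysWOW64 is started twice with the same command line (a numeric argument and the path of the binary that dropped it); the first instance is flagged for SetThreadContext, the second is the copy it injects into and is the one that drops the next stage. The script below is an added triage helper, not part of the sandbox report or of the sample: it parses a handful of entries copied from this tree into a constructed snippet in the layout used above, reconstructs the stage order from the quoted argument, pairs each injector with its target, flags the one stage whose argument is 480 instead of 452, and emits the list of dropped files. Function names, the "(depth N)" header convention and the six-lowercase-letter name check are my own assumptions drawn from this page, not from the malware or from the sandbox.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample: six consecutive entries copied from the process tree above.
SAMPLE = r"""
C:\Windows\SysWOW64\ajnezn.exe (depth 65)
C:\Windows\system32\ajnezn.exe 452 "C:\Windows\SysWOW64\rnqjdr.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2032
C:\Windows\SysWOW64\ajnezn.exe (depth 66)
C:\Windows\system32\ajnezn.exe 452 "C:\Windows\SysWOW64\rnqjdr.exe"
- Executes dropped EXE
PID:1328
C:\Windows\SysWOW64\oviukr.exe (depth 67)
C:\Windows\system32\oviukr.exe 452 "C:\Windows\SysWOW64\ajnezn.exe"
- Suspicious use of SetThreadContext
PID:2900
C:\Windows\SysWOW64\oviukr.exe (depth 68)
C:\Windows\system32\oviukr.exe 452 "C:\Windows\SysWOW64\ajnezn.exe"
- Drops file in System32 directory
PID:2460
C:\Windows\SysWOW64\gnukdr.exe (depth 69)
C:\Windows\system32\gnukdr.exe 480 "C:\Windows\SysWOW64\oviukr.exe"
- Suspicious use of SetThreadContext
PID:2012
C:\Windows\SysWOW64\gnukdr.exe (depth 70)
C:\Windows\system32\gnukdr.exe 480 "C:\Windows\SysWOW64\oviukr.exe"
PID:2128
"""

HEADER_RE = re.compile(r'^([A-Za-z]:\\\S+\.exe) \(depth (\d+)\)$')   # assumed layout
CMDLINE_RE = re.compile(r'^([A-Za-z]:\\[^\s"]+\.exe) (\d+) "([^"]+)"$')
PID_RE = re.compile(r'^PID:(\d+)$')
GENERATED_NAME_RE = re.compile(r'^[a-z]{6}\.exe$')   # every stage name in this tree
INJECT_SIG = "Suspicious use of SetThreadContext"
DROP_SIG = "Drops file in System32 directory"


@dataclass
class Proc:
    path: str            # on-disk image; the 32-bit sample's system32 path is WOW64-redirected
    depth: int
    cmd_image: str = ""  # image as written on the command line
    arg: int = 0         # numeric first argument (452 for almost every stage)
    parent_image: str = ""  # quoted second argument: the binary that dropped this stage
    pid: int = 0
    sigs: list = field(default_factory=list)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_tree(text):
    """Turn report entries (header, command line, signatures, PID) into Proc records."""
    procs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := HEADER_RE.match(line):
            cur = Proc(path=m.group(1), depth=int(m.group(2)))
            procs.append(cur)
        elif cur is None:
            continue
        elif m := CMDLINE_RE.match(line):
            cur.cmd_image, cur.arg, cur.parent_image = m.group(1), int(m.group(2)), m.group(3)
        elif m := PID_RE.match(line):
            cur.pid = int(m.group(1))
        elif line.startswith("- "):
            cur.sigs.append(line[2:])
    return procs


def stage_chain(procs):
    """Order the stage binaries oldest to newest by following each quoted parent path."""
    next_of = {}
    for p in procs:
        if p.parent_image:
            next_of.setdefault(basename(p.parent_image), basename(p.cmd_image))
    roots = [k for k in next_of if k not in set(next_of.values())]
    node, chain = (roots[0] if roots else None), []
    while node and node not in chain:
        chain.append(node)
        node = next_of.get(node)
    return chain


def injection_pairs(procs):
    """Pair a SetThreadContext-flagged process with the next process that has the identical
    command line: (image, injector PID, target PID, whether the target dropped the next stage)."""
    pairs, pending = [], {}
    for p in sorted(procs, key=lambda p: p.depth):
        key = (basename(p.cmd_image), p.arg, basename(p.parent_image))
        if INJECT_SIG in p.sigs:
            pending[key] = p
        elif key in pending:
            pairs.append((key[0], pending.pop(key).pid, p.pid, DROP_SIG in p.sigs))
    return pairs


def argument_anomalies(procs):
    """Stages whose numeric argument differs from the value used by most of the chain."""
    common = Counter(p.arg for p in procs).most_common(1)[0][0]
    return sorted({(basename(p.cmd_image), p.arg) for p in procs if p.arg != common})


def dropped_files(procs):
    """Every generated-name SysWOW64 binary the tree mentions, for collection or removal."""
    names = {basename(x) for p in procs for x in (p.path, p.parent_image) if x}
    return sorted("C:\\Windows\\SysWOW64\\" + n for n in names if GENERATED_NAME_RE.match(n))


if __name__ == "__main__":
    procs = parse_tree(SAMPLE)
    print("stage order:", " -> ".join(stage_chain(procs)))
    for image, injector, target, drops in injection_pairs(procs):
        print(f"{image}: PID {injector} injects into PID {target}; target drops next stage: {drops}")
    print("argument anomalies:", argument_anomalies(procs))
    print("files to collect/remove:", *dropped_files(procs), sep="\n  ")
```

Run against the full tree, the same functions give the complete stage order and the whole set of SysWOW64 paths to pull from the image. The pairing logic keys on command line rather than on process name alone, so a stage whose second instance never appears (the chain is cut off at the sandbox time limit) is left unpaired instead of being matched to an unrelated later process.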