Analysis
- max time kernel: 150s
- max time network: 127s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-06-2024 12:34
Static task: static1
Behavioral task: behavioral1
- Sample: 06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe
- Resource: win10v2004-20240611-en
General
- Target: 06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe
- Size: 471KB
- MD5: 06026e4203f13fffe9d741a6872a75ae
- SHA1: 4bd5ff87c0efda2cafd1cb3254f46955d52a12ec
- SHA256: ec530b5f552febe9631fb4d1fd90e74ef21be4093eb9cde42657bf2dfeb6a486
- SHA512: 37e9d3bf7a38fc16b323c49034f0c754dcd09d2c6c6679b4226bf9d8a659867b2ca27a8d2798f3e0a0ef1f3641761664a6d6b9a6a69ed84b4d2881a8324d3962
- SSDEEP: 6144:IFeLlS5FZCAv2wFR24biJjWti/9q7R/ck6pSDy4N5q39dVdnNn1u9/TPr5P6uzPY:CD6AvTFgJVWt49y5YeE8RhpQetCT
Malware Config
Extracted: metasploit (encoder/call4_dword_xor)
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Executes dropped EXE (64 IoCs)
- Drops file in System32 directory (64 IoCs)
- Suspicious use of SetThreadContext (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes (tree depth, PID, image path, command line, triggered signatures)
1. PID 2000: C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe"
   Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
2. PID 4884: C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe"
   Signatures: Suspicious use of WriteProcessMemory
3. PID 4876: C:\Windows\SysWOW64\fahfmz.exe
   Command line: C:\Windows\system32\fahfmz.exe 1000 "C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe"
   Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
4. PID 3896: C:\Windows\SysWOW64\fahfmz.exe
   Command line: C:\Windows\system32\fahfmz.exe 1000 "C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe"
   Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
5. PID 4508: C:\Windows\SysWOW64\svpkly.exe
   Command line: C:\Windows\system32\svpkly.exe 1160 "C:\Windows\SysWOW64\fahfmz.exe"
   Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
6. PID 4628: C:\Windows\SysWOW64\svpkly.exe
   Command line: C:\Windows\system32\svpkly.exe 1160 "C:\Windows\SysWOW64\fahfmz.exe"
   Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
7. PID 976: C:\Windows\SysWOW64\ftugqn.exe
   Command line: C:\Windows\system32\ftugqn.exe 1004 "C:\Windows\SysWOW64\svpkly.exe"
   Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
8. PID 2924: C:\Windows\SysWOW64\ftugqn.exe
   Command line: C:\Windows\system32\ftugqn.exe 1004 "C:\Windows\SysWOW64\svpkly.exe"
   Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
9. PID 3248: C:\Windows\SysWOW64\ftrwqx.exe
   Command line: C:\Windows\system32\ftrwqx.exe 992 "C:\Windows\SysWOW64\ftugqn.exe"
   Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
10. PID 4688: C:\Windows\SysWOW64\ftrwqx.exe
   Command line: C:\Windows\system32\ftrwqx.exe 992 "C:\Windows\SysWOW64\ftugqn.exe"
   Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
11. PID 4624: C:\Windows\SysWOW64\sdhezr.exe
   Command line: C:\Windows\system32\sdhezr.exe 1000 "C:\Windows\SysWOW64\ftrwqx.exe"
   Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
12. PID 2032: C:\Windows\SysWOW64\sdhezr.exe
   Command line: C:\Windows\system32\sdhezr.exe 1000 "C:\Windows\SysWOW64\ftrwqx.exe"
   Signatures: Executes dropped EXE; Drops file in System32 directory
13. PID 4204: C:\Windows\SysWOW64\kdlhje.exe
   Command line: C:\Windows\system32\kdlhje.exe 1000 "C:\Windows\SysWOW64\sdhezr.exe"
   Signatures: Executes dropped EXE; Suspicious use of SetThreadContext
14. PID 4272: C:\Windows\SysWOW64\kdlhje.exe
   Command line: C:\Windows\system32\kdlhje.exe 1000 "C:\Windows\SysWOW64\sdhezr.exe"
   Signatures: Executes dropped EXE
15. PID 2704: C:\Windows\SysWOW64\alhnei.exe
   Command line: C:\Windows\system32\alhnei.exe 1000 "C:\Windows\SysWOW64\kdlhje.exe"
   Signatures: Executes dropped EXE; Suspicious use of SetThreadContext
16. PID 4284: C:\Windows\SysWOW64\alhnei.exe
   Command line: C:\Windows\system32\alhnei.exe 1000 "C:\Windows\SysWOW64\kdlhje.exe"
   Signatures: Executes dropped EXE
17. PID 4556: C:\Windows\SysWOW64\puctqm.exe
   Command line: C:\Windows\system32\puctqm.exe 1004 "C:\Windows\SysWOW64\alhnei.exe"
   Signatures: Executes dropped EXE; Suspicious use of SetThreadContext
18. PID 1076: C:\Windows\SysWOW64\puctqm.exe
   Command line: C:\Windows\system32\puctqm.exe 1004 "C:\Windows\SysWOW64\alhnei.exe"
   Signatures: Executes dropped EXE; Drops file in System32 directory
19. PID 2784: C:\Windows\SysWOW64\hxajee.exe
   Command line: C:\Windows\system32\hxajee.exe 1008 "C:\Windows\SysWOW64\puctqm.exe"
   Signatures: Executes dropped EXE; Suspicious use of SetThreadContext
20. PID 2728: C:\Windows\SysWOW64\hxajee.exe
   Command line: C:\Windows\system32\hxajee.exe 1008 "C:\Windows\SysWOW64\puctqm.exe"
   Signatures: Executes dropped EXE
21. PID 4600: C:\Windows\SysWOW64\zmamur.exe
   Command line: C:\Windows\system32\zmamur.exe 1120 "C:\Windows\SysWOW64\hxajee.exe"
   Signatures: Executes dropped EXE; Suspicious use of SetThreadContext
22. PID 4320: C:\Windows\SysWOW64\zmamur.exe
   Command line: C:\Windows\system32\zmamur.exe 1120 "C:\Windows\SysWOW64\hxajee.exe"
   Signatures: Executes dropped EXE; Drops file in System32 directory
23. PID 4768: C:\Windows\SysWOW64\udvudo.exe
   Command line: C:\Windows\system32\udvudo.exe 992 "C:\Windows\SysWOW64\zmamur.exe"
   Signatures: Executes dropped EXE; Suspicious use of SetThreadContext
24. PID 316: C:\Windows\SysWOW64\udvudo.exe
   Command line: C:\Windows\system32\udvudo.exe 992 "C:\Windows\SysWOW64\zmamur.exe"
   Signatures: Executes dropped EXE; Drops file in System32 directory
25. PID 4616: C:\Windows\SysWOW64\motkqg.exe
   Command line: C:\Windows\system32\motkqg.exe 1128 "C:\Windows\SysWOW64\udvudo.exe"
   Signatures: Executes dropped EXE; Suspicious use of SetThreadContext
26. PID 1128: C:\Windows\SysWOW64\motkqg.exe
   Command line: C:\Windows\system32\motkqg.exe 1128 "C:\Windows\SysWOW64\udvudo.exe"
   Signatures: Executes dropped EXE
27. PID 4116: C:\Windows\SysWOW64\evtngb.exe
   Command line: C:\Windows\system32\evtngb.exe 988 "C:\Windows\SysWOW64\motkqg.exe"
   Signatures: Executes dropped EXE; Suspicious use of SetThreadContext
28. PID 4632: C:\Windows\SysWOW64\evtngb.exe
   Command line: C:\Windows\system32\evtngb.exe 988 "C:\Windows\SysWOW64\motkqg.exe"
   Signatures: Executes dropped EXE
29. PID 1340: C:\Windows\SysWOW64\wgjdul.exe
   Command line: C:\Windows\system32\wgjdul.exe 992 "C:\Windows\SysWOW64\evtngb.exe"
   Signatures: Executes dropped EXE; Suspicious use of SetThreadContext
30. PID 412: C:\Windows\SysWOW64\wgjdul.exe
   Command line: C:\Windows\system32\wgjdul.exe 992 "C:\Windows\SysWOW64\evtngb.exe"
   Signatures: Executes dropped EXE
31. PID 2704: C:\Windows\SysWOW64\hgvgey.exe
   Command line: C:\Windows\system32\hgvgey.exe 996 "C:\Windows\SysWOW64\wgjdul.exe"
   Signatures: Executes dropped EXE; Suspicious use of SetThreadContext
32. PID 3196: C:\Windows\SysWOW64\hgvgey.exe
   Command line: C:\Windows\system32\hgvgey.exe 996 "C:\Windows\SysWOW64\wgjdul.exe"
   Signatures: Executes dropped EXE
33. PID 1936: C:\Windows\SysWOW64\zdwemh.exe
   Command line: C:\Windows\system32\zdwemh.exe 1136 "C:\Windows\SysWOW64\hgvgey.exe"
   Signatures: Executes dropped EXE; Suspicious use of SetThreadContext
34. PID 3120: C:\Windows\SysWOW64\zdwemh.exe
   Command line: C:\Windows\system32\zdwemh.exe 1136 "C:\Windows\SysWOW64\hgvgey.exe"
   Signatures: Executes dropped EXE
35. PID 5064: C:\Windows\SysWOW64\osgceu.exe
   Command line: C:\Windows\system32\osgceu.exe 968 "C:\Windows\SysWOW64\zdwemh.exe"
   Signatures: Executes dropped EXE; Suspicious use of SetThreadContext
36. PID 2996: C:\Windows\SysWOW64\osgceu.exe
   Command line: C:\Windows\system32\osgceu.exe 968 "C:\Windows\SysWOW64\zdwemh.exe"
   Signatures: Executes dropped EXE
37. PID 1956: C:\Windows\SysWOW64\hopamd.exe
   Command line: C:\Windows\system32\hopamd.exe 1004 "C:\Windows\SysWOW64\osgceu.exe"
   Signatures: Executes dropped EXE; Suspicious use of SetThreadContext
38. PID 3492: C:\Windows\SysWOW64\hopamd.exe
   Command line: C:\Windows\system32\hopamd.exe 1004 "C:\Windows\SysWOW64\osgceu.exe"
   Signatures: Executes dropped EXE; Drops file in System32 directory
39. PID 3124: C:\Windows\SysWOW64\zreqzu.exe
   Command line: C:\Windows\system32\zreqzu.exe 996 "C:\Windows\SysWOW64\hopamd.exe"
   Signatures: Executes dropped EXE; Suspicious use of SetThreadContext
40. PID 3360: C:\Windows\SysWOW64\zreqzu.exe
   Command line: C:\Windows\system32\zreqzu.exe 996 "C:\Windows\SysWOW64\hopamd.exe"
   Signatures: Executes dropped EXE
41. PID 3248: C:\Windows\SysWOW64\rgftqq.exe
   Command line: C:\Windows\system32\rgftqq.exe 1120 "C:\Windows\SysWOW64\zreqzu.exe"
   Signatures: Executes dropped EXE; Suspicious use of SetThreadContext
42. PID 4176: C:\Windows\SysWOW64\rgftqq.exe
   Command line: C:\Windows\system32\rgftqq.exe 1120 "C:\Windows\SysWOW64\zreqzu.exe"
   Signatures: Executes dropped EXE; Drops file in System32 directory
43. PID 2164: C:\Windows\SysWOW64\kdgryz.exe
   Command line: C:\Windows\system32\kdgryz.exe 996 "C:\Windows\SysWOW64\rgftqq.exe"
   Signatures: Executes dropped EXE; Suspicious use of SetThreadContext
44. PID 1340: C:\Windows\SysWOW64\kdgryz.exe
   Command line: C:\Windows\system32\kdgryz.exe 996 "C:\Windows\SysWOW64\rgftqq.exe"
   Signatures: Executes dropped EXE; Drops file in System32 directory
45. PID 3832: C:\Windows\SysWOW64\efmmjs.exe
   Command line: C:\Windows\system32\efmmjs.exe 1120 "C:\Windows\SysWOW64\kdgryz.exe"
   Signatures: Executes dropped EXE; Suspicious use of SetThreadContext
46. PID 2176: C:\Windows\SysWOW64\efmmjs.exe
   Command line: C:\Windows\system32\efmmjs.exe 1120 "C:\Windows\SysWOW64\kdgryz.exe"
   Signatures: Executes dropped EXE; Drops file in System32 directory
47. PID 2000: C:\Windows\SysWOW64\wmuhzo.exe
   Command line: C:\Windows\system32\wmuhzo.exe 1000 "C:\Windows\SysWOW64\efmmjs.exe"
   Signatures: Executes dropped EXE; Suspicious use of SetThreadContext
48. PID 3548: C:\Windows\SysWOW64\wmuhzo.exe
   Command line: C:\Windows\system32\wmuhzo.exe 1000 "C:\Windows\SysWOW64\efmmjs.exe"
   Signatures: Executes dropped EXE
49. PID 1084: C:\Windows\SysWOW64\rpaclh.exe
   Command line: C:\Windows\system32\rpaclh.exe 988 "C:\Windows\SysWOW64\wmuhzo.exe"
   Signatures: Executes dropped EXE; Suspicious use of SetThreadContext
50. PID 5056: C:\Windows\SysWOW64\rpaclh.exe
   Command line: C:\Windows\system32\rpaclh.exe 988 "C:\Windows\SysWOW64\wmuhzo.exe"
   Signatures: Executes dropped EXE
51. PID 2104: C:\Windows\SysWOW64\evskrm.exe
   Command line: C:\Windows\system32\evskrm.exe 992 "C:\Windows\SysWOW64\rpaclh.exe"
   Signatures: Executes dropped EXE; Suspicious use of SetThreadContext
52. PID 1696: C:\Windows\SysWOW64\evskrm.exe
   Command line: C:\Windows\system32\evskrm.exe 992 "C:\Windows\SysWOW64\rpaclh.exe"
   Signatures: Executes dropped EXE
53. PID 5044: C:\Windows\SysWOW64\zqygdf.exe
   Command line: C:\Windows\system32\zqygdf.exe 988 "C:\Windows\SysWOW64\evskrm.exe"
   Signatures: Executes dropped EXE; Suspicious use of SetThreadContext
54. PID 1092: C:\Windows\SysWOW64\zqygdf.exe
   Command line: C:\Windows\system32\zqygdf.exe 988 "C:\Windows\SysWOW64\evskrm.exe"
   Signatures: Executes dropped EXE
55. PID 872: C:\Windows\SysWOW64\usmbpg.exe
   Command line: C:\Windows\system32\usmbpg.exe 1000 "C:\Windows\SysWOW64\zqygdf.exe"
   Signatures: Executes dropped EXE; Suspicious use of SetThreadContext
56. PID 472: C:\Windows\SysWOW64\usmbpg.exe
   Command line: C:\Windows\system32\usmbpg.exe 1000 "C:\Windows\SysWOW64\zqygdf.exe"
   Signatures: Executes dropped EXE; Drops file in System32 directory
57. PID 804: C:\Windows\SysWOW64\onswaz.exe
   Command line: C:\Windows\system32\onswaz.exe 1120 "C:\Windows\SysWOW64\usmbpg.exe"
   Signatures: Executes dropped EXE; Suspicious use of SetThreadContext
58. PID 1108: C:\Windows\SysWOW64\onswaz.exe
   Command line: C:\Windows\system32\onswaz.exe 1120 "C:\Windows\SysWOW64\usmbpg.exe"
   Signatures: Executes dropped EXE; Drops file in System32 directory
59. PID 3248: C:\Windows\SysWOW64\gctzqv.exe
   Command line: C:\Windows\system32\gctzqv.exe 988 "C:\Windows\SysWOW64\onswaz.exe"
   Signatures: Executes dropped EXE; Suspicious use of SetThreadContext
60. PID 4428: C:\Windows\SysWOW64\gctzqv.exe
   Command line: C:\Windows\system32\gctzqv.exe 988 "C:\Windows\SysWOW64\onswaz.exe"
   Signatures: Executes dropped EXE
61. PID 4204: C:\Windows\SysWOW64\yfqpem.exe
   Command line: C:\Windows\system32\yfqpem.exe 988 "C:\Windows\SysWOW64\gctzqv.exe"
   Signatures: Executes dropped EXE; Suspicious use of SetThreadContext
62. PID 2240: C:\Windows\SysWOW64\yfqpem.exe
   Command line: C:\Windows\system32\yfqpem.exe 988 "C:\Windows\SysWOW64\gctzqv.exe"
   Signatures: Executes dropped EXE
63. PID 1540: C:\Windows\SysWOW64\telxfb.exe
   Command line: C:\Windows\system32\telxfb.exe 1000 "C:\Windows\SysWOW64\yfqpem.exe"
   Signatures: Executes dropped EXE; Suspicious use of SetThreadContext
64. PID 4844: C:\Windows\SysWOW64\telxfb.exe
   Command line: C:\Windows\system32\telxfb.exe 1000 "C:\Windows\SysWOW64\yfqpem.exe"
   Signatures: Executes dropped EXE
65. PID 2584: C:\Windows\SysWOW64\miinst.exe
   Command line: C:\Windows\system32\miinst.exe 1000 "C:\Windows\SysWOW64\telxfb.exe"
   Signatures: Executes dropped EXE; Suspicious use of SetThreadContext
66. PID 4088: C:\Windows\SysWOW64\miinst.exe
   Command line: C:\Windows\system32\miinst.exe 1000 "C:\Windows\SysWOW64\telxfb.exe"
   Signatures: Executes dropped EXE; Drops file in System32 directory
67. PID 2784: C:\Windows\SysWOW64\gkojeu.exe
   Command line: C:\Windows\system32\gkojeu.exe 992 "C:\Windows\SysWOW64\miinst.exe"
   Signatures: Suspicious use of SetThreadContext
68. PID 4948: C:\Windows\SysWOW64\gkojeu.exe
   Command line: C:\Windows\system32\gkojeu.exe 992 "C:\Windows\SysWOW64\miinst.exe"
   Signatures: Drops file in System32 directory
69. PID 5044: C:\Windows\SysWOW64\yomzrl.exe
   Command line: C:\Windows\system32\yomzrl.exe 988 "C:\Windows\SysWOW64\gkojeu.exe"
   Signatures: Suspicious use of SetThreadContext
70. PID 4404: C:\Windows\SysWOW64\yomzrl.exe
   Command line: C:\Windows\system32\yomzrl.exe 988 "C:\Windows\SysWOW64\gkojeu.exe"
71. PID 1788: C:\Windows\SysWOW64\owzemp.exe
   Command line: C:\Windows\system32\owzemp.exe 1008 "C:\Windows\SysWOW64\yomzrl.exe"
   Signatures: Suspicious use of SetThreadContext
72. PID 2308: C:\Windows\SysWOW64\owzemp.exe
   Command line: C:\Windows\system32\owzemp.exe 1008 "C:\Windows\SysWOW64\yomzrl.exe"
73. PID 3592: C:\Windows\SysWOW64\tnefaj.exe
   Command line: C:\Windows\system32\tnefaj.exe 1000 "C:\Windows\SysWOW64\owzemp.exe"
   Signatures: Suspicious use of SetThreadContext
74. PID 4440: C:\Windows\SysWOW64\tnefaj.exe
   Command line: C:\Windows\system32\tnefaj.exe 1000 "C:\Windows\SysWOW64\owzemp.exe"
   Signatures: Drops file in System32 directory
75. PID 4500: C:\Windows\SysWOW64\lnqikx.exe
   Command line: C:\Windows\system32\lnqikx.exe 988 "C:\Windows\SysWOW64\tnefaj.exe"
   Signatures: Suspicious use of SetThreadContext
76. PID 4476: C:\Windows\SysWOW64\lnqikx.exe
   Command line: C:\Windows\system32\lnqikx.exe 988 "C:\Windows\SysWOW64\tnefaj.exe"
77. PID 2228: C:\Windows\SysWOW64\emctvk.exe
   Command line: C:\Windows\system32\emctvk.exe 1120 "C:\Windows\SysWOW64\lnqikx.exe"
   Signatures: Suspicious use of SetThreadContext
78. PID 4376: C:\Windows\SysWOW64\emctvk.exe
   Command line: C:\Windows\system32\emctvk.exe 1120 "C:\Windows\SysWOW64\lnqikx.exe"
   Signatures: Drops file in System32 directory
79. PID 3692: C:\Windows\SysWOW64\wmpwgx.exe
   Command line: C:\Windows\system32\wmpwgx.exe 1128 "C:\Windows\SysWOW64\emctvk.exe"
   Signatures: Suspicious use of SetThreadContext
80. PID 4804: C:\Windows\SysWOW64\wmpwgx.exe
   Command line: C:\Windows\system32\wmpwgx.exe 1128 "C:\Windows\SysWOW64\emctvk.exe"
81. PID 4488: C:\Windows\SysWOW64\lgnpvf.exe
   Command line: C:\Windows\system32\lgnpvf.exe 1000 "C:\Windows\SysWOW64\wmpwgx.exe"
   Signatures: Suspicious use of SetThreadContext
82. PID 5012: C:\Windows\SysWOW64\lgnpvf.exe
   Command line: C:\Windows\system32\lgnpvf.exe 1000 "C:\Windows\SysWOW64\wmpwgx.exe"
   Signatures: Drops file in System32 directory
83. PID 3628: C:\Windows\SysWOW64\djlfix.exe
   Command line: C:\Windows\system32\djlfix.exe 1008 "C:\Windows\SysWOW64\lgnpvf.exe"
   Signatures: Suspicious use of SetThreadContext
84. PID 5044: C:\Windows\SysWOW64\djlfix.exe
   Command line: C:\Windows\system32\djlfix.exe 1008 "C:\Windows\SysWOW64\lgnpvf.exe"
85. PID 1816: C:\Windows\SysWOW64\vnavwp.exe
   Command line: C:\Windows\system32\vnavwp.exe 1128 "C:\Windows\SysWOW64\djlfix.exe"
   Signatures: Suspicious use of SetThreadContext
86. PID 2208: C:\Windows\SysWOW64\vnavwp.exe
   Command line: C:\Windows\system32\vnavwp.exe 1128 "C:\Windows\SysWOW64\djlfix.exe"
87. PID 1836: C:\Windows\SysWOW64\oyxljy.exe
   Command line: C:\Windows\system32\oyxljy.exe 992 "C:\Windows\SysWOW64\vnavwp.exe"
   Signatures: Suspicious use of SetThreadContext
88. PID 4260: C:\Windows\SysWOW64\oyxljy.exe
   Command line: C:\Windows\system32\oyxljy.exe 992 "C:\Windows\SysWOW64\vnavwp.exe"
   Signatures: Drops file in System32 directory
89. PID 3624: C:\Windows\SysWOW64\jpstsv.exe
   Command line: C:\Windows\system32\jpstsv.exe 1000 "C:\Windows\SysWOW64\oyxljy.exe"
   Signatures: Suspicious use of SetThreadContext
90. PID 2756: C:\Windows\SysWOW64\jpstsv.exe
   Command line: C:\Windows\system32\jpstsv.exe 1000 "C:\Windows\SysWOW64\oyxljy.exe"
91. PID 2464: C:\Windows\SysWOW64\bsqjfm.exe
   Command line: C:\Windows\system32\bsqjfm.exe 1156 "C:\Windows\SysWOW64\jpstsv.exe"
   Signatures: Suspicious use of SetThreadContext
92. PID 2416: C:\Windows\SysWOW64\bsqjfm.exe
   Command line: C:\Windows\system32\bsqjfm.exe 1156 "C:\Windows\SysWOW64\jpstsv.exe"
93. PID 3080: C:\Windows\SysWOW64\lhqmwa.exe
   Command line: C:\Windows\system32\lhqmwa.exe 1120 "C:\Windows\SysWOW64\bsqjfm.exe"
   Signatures: Suspicious use of SetThreadContext
94. PID 3168: C:\Windows\SysWOW64\lhqmwa.exe
   Command line: C:\Windows\system32\lhqmwa.exe 1120 "C:\Windows\SysWOW64\bsqjfm.exe"
   Signatures: Drops file in System32 directory
95. PID 3632: C:\Windows\SysWOW64\gvipcs.exe
   Command line: C:\Windows\system32\gvipcs.exe 988 "C:\Windows\SysWOW64\lhqmwa.exe"
   Signatures: Suspicious use of SetThreadContext
96. PID 2452: C:\Windows\SysWOW64\gvipcs.exe
   Command line: C:\Windows\system32\gvipcs.exe 988 "C:\Windows\SysWOW64\lhqmwa.exe"
   Signatures: Drops file in System32 directory
97. PID 4256: C:\Windows\SysWOW64\vssnuf.exe
   Command line: C:\Windows\system32\vssnuf.exe 1144 "C:\Windows\SysWOW64\gvipcs.exe"
   Signatures: Suspicious use of SetThreadContext
98. PID 4912: C:\Windows\SysWOW64\vssnuf.exe
   Command line: C:\Windows\system32\vssnuf.exe 1144 "C:\Windows\SysWOW64\gvipcs.exe"
99. PID 3784: C:\Windows\SysWOW64\nwhdhx.exe
   Command line: C:\Windows\system32\nwhdhx.exe 1084 "C:\Windows\SysWOW64\vssnuf.exe"
   Signatures: Suspicious use of SetThreadContext
100. PID 1336: C:\Windows\SysWOW64\nwhdhx.exe
   Command line: C:\Windows\system32\nwhdhx.exe 1084 "C:\Windows\SysWOW64\vssnuf.exe"
   Signatures: Drops file in System32 directory
101. PID 2816: C:\Windows\SysWOW64\iyvytq.exe
   Command line: C:\Windows\system32\iyvytq.exe 1012 "C:\Windows\SysWOW64\nwhdhx.exe"
   Signatures: Suspicious use of SetThreadContext
102. PID 4012: C:\Windows\SysWOW64\iyvytq.exe
   Command line: C:\Windows\system32\iyvytq.exe 1012 "C:\Windows\SysWOW64\nwhdhx.exe"
103. PID 4532: C:\Windows\SysWOW64\dtbteq.exe
   Command line: C:\Windows\system32\dtbteq.exe 992 "C:\Windows\SysWOW64\iyvytq.exe"
   Signatures: Suspicious use of SetThreadContext
104. PID 2116: C:\Windows\SysWOW64\dtbteq.exe
   Command line: C:\Windows\system32\dtbteq.exe 992 "C:\Windows\SysWOW64\iyvytq.exe"
105. PID 1856: C:\Windows\SysWOW64\ywipij.exe
   Command line: C:\Windows\system32\ywipij.exe 1120 "C:\Windows\SysWOW64\dtbteq.exe"
   Signatures: Suspicious use of SetThreadContext
106. C:\Windows\SysWOW64\ywipij.exe
   Command line: C:\Windows\system32\ywipij.exe 1120 "C:\Windows\SysWOW64\dtbteq.exe"
- Drops file in System32 directory
PID:3624 -
C:\Windows\SysWOW64\schpwp.exeC:\Windows\system32\schpwp.exe 988 "C:\Windows\SysWOW64\ywipij.exe"107⤵
- Suspicious use of SetThreadContext
PID:4556 -
C:\Windows\SysWOW64\schpwp.exeC:\Windows\system32\schpwp.exe 988 "C:\Windows\SysWOW64\ywipij.exe"108⤵PID:3984
-
C:\Windows\SysWOW64\kfwnkg.exeC:\Windows\system32\kfwnkg.exe 1008 "C:\Windows\SysWOW64\schpwp.exe"109⤵
- Suspicious use of SetThreadContext
PID:3684 -
C:\Windows\SysWOW64\kfwnkg.exeC:\Windows\system32\kfwnkg.exe 1008 "C:\Windows\SysWOW64\schpwp.exe"110⤵PID:2892
-
C:\Windows\SysWOW64\ficavz.exeC:\Windows\system32\ficavz.exe 1120 "C:\Windows\SysWOW64\kfwnkg.exe"111⤵
- Suspicious use of SetThreadContext
PID:4984 -
C:\Windows\SysWOW64\ficavz.exeC:\Windows\system32\ficavz.exe 1120 "C:\Windows\SysWOW64\kfwnkg.exe"112⤵
- Drops file in System32 directory
PID:3348 -
C:\Windows\SysWOW64\adrvha.exeC:\Windows\system32\adrvha.exe 1120 "C:\Windows\SysWOW64\ficavz.exe"113⤵
- Suspicious use of SetThreadContext
PID:1016 -
C:\Windows\SysWOW64\adrvha.exeC:\Windows\system32\adrvha.exe 1120 "C:\Windows\SysWOW64\ficavz.exe"114⤵
- Drops file in System32 directory
PID:2380 -
C:\Windows\SysWOW64\nulmqp.exeC:\Windows\system32\nulmqp.exe 1128 "C:\Windows\SysWOW64\adrvha.exe"115⤵
- Suspicious use of SetThreadContext
PID:1136 -
C:\Windows\SysWOW64\nulmqp.exeC:\Windows\system32\nulmqp.exe 1128 "C:\Windows\SysWOW64\adrvha.exe"116⤵PID:2704
-
C:\Windows\SysWOW64\ffjcdg.exeC:\Windows\system32\ffjcdg.exe 1000 "C:\Windows\SysWOW64\nulmqp.exe"117⤵
- Suspicious use of SetThreadContext
PID:3784 -
C:\Windows\SysWOW64\ffjcdg.exeC:\Windows\system32\ffjcdg.exe 1000 "C:\Windows\SysWOW64\nulmqp.exe"118⤵PID:2312
-
C:\Windows\SysWOW64\xmjftc.exeC:\Windows\system32\xmjftc.exe 996 "C:\Windows\SysWOW64\ffjcdg.exe"119⤵
- Suspicious use of SetThreadContext
PID:2816 -
C:\Windows\SysWOW64\xmjftc.exeC:\Windows\system32\xmjftc.exe 996 "C:\Windows\SysWOW64\ffjcdg.exe"120⤵PID:1308
-
C:\Windows\SysWOW64\sppaxv.exeC:\Windows\system32\sppaxv.exe 1156 "C:\Windows\SysWOW64\xmjftc.exe"121⤵
- Suspicious use of SetThreadContext
PID:3832 -
C:\Windows\SysWOW64\sppaxv.exeC:\Windows\system32\sppaxv.exe 1156 "C:\Windows\SysWOW64\xmjftc.exe"122⤵
- Drops file in System32 directory
PID:3720 -
C:\Windows\SysWOW64\nrevjw.exeC:\Windows\system32\nrevjw.exe 996 "C:\Windows\SysWOW64\sppaxv.exe"123⤵
- Suspicious use of SetThreadContext
PID:2040 -
C:\Windows\SysWOW64\nrevjw.exeC:\Windows\system32\nrevjw.exe 996 "C:\Windows\SysWOW64\sppaxv.exe"124⤵PID:4480
-
C:\Windows\SysWOW64\imkiup.exeC:\Windows\system32\imkiup.exe 992 "C:\Windows\SysWOW64\nrevjw.exe"125⤵
- Suspicious use of SetThreadContext
PID:1936 -
C:\Windows\SysWOW64\imkiup.exeC:\Windows\system32\imkiup.exe 992 "C:\Windows\SysWOW64\nrevjw.exe"126⤵PID:4896
-
C:\Windows\SysWOW64\csbrju.exeC:\Windows\system32\csbrju.exe 988 "C:\Windows\SysWOW64\imkiup.exe"127⤵
- Suspicious use of SetThreadContext
PID:2248 -
C:\Windows\SysWOW64\csbrju.exeC:\Windows\system32\csbrju.exe 988 "C:\Windows\SysWOW64\imkiup.exe"128⤵PID:864
-
C:\Windows\SysWOW64\xvhmun.exeC:\Windows\system32\xvhmun.exe 1120 "C:\Windows\SysWOW64\csbrju.exe"129⤵PID:2888
-
C:\Windows\SysWOW64\xvhmun.exeC:\Windows\system32\xvhmun.exe 1120 "C:\Windows\SysWOW64\csbrju.exe"130⤵
- Drops file in System32 directory
PID:2104 -
C:\Windows\SysWOW64\smkuvk.exeC:\Windows\system32\smkuvk.exe 1120 "C:\Windows\SysWOW64\xvhmun.exe"131⤵PID:2148
-
C:\Windows\SysWOW64\smkuvk.exeC:\Windows\system32\smkuvk.exe 1120 "C:\Windows\SysWOW64\xvhmun.exe"132⤵PID:1136
-
C:\Windows\SysWOW64\lphkib.exeC:\Windows\system32\lphkib.exe 1000 "C:\Windows\SysWOW64\smkuvk.exe"133⤵PID:4944
-
C:\Windows\SysWOW64\lphkib.exeC:\Windows\system32\lphkib.exe 1000 "C:\Windows\SysWOW64\smkuvk.exe"134⤵PID:3628
-
C:\Windows\SysWOW64\ceinzp.exeC:\Windows\system32\ceinzp.exe 988 "C:\Windows\SysWOW64\lphkib.exe"135⤵PID:2232
-
C:\Windows\SysWOW64\ceinzp.exeC:\Windows\system32\ceinzp.exe 988 "C:\Windows\SysWOW64\lphkib.exe"136⤵PID:1276
-
C:\Windows\SysWOW64\pvdvhm.exeC:\Windows\system32\pvdvhm.exe 1000 "C:\Windows\SysWOW64\ceinzp.exe"137⤵PID:4516
-
C:\Windows\SysWOW64\pvdvhm.exeC:\Windows\system32\pvdvhm.exe 1000 "C:\Windows\SysWOW64\ceinzp.exe"138⤵
- Drops file in System32 directory
PID:3832 -
C:\Windows\SysWOW64\feybuq.exeC:\Windows\system32\feybuq.exe 988 "C:\Windows\SysWOW64\pvdvhm.exe"139⤵PID:4780
-
C:\Windows\SysWOW64\feybuq.exeC:\Windows\system32\feybuq.exe 988 "C:\Windows\SysWOW64\pvdvhm.exe"140⤵PID:2304
-
C:\Windows\SysWOW64\xszekm.exeC:\Windows\system32\xszekm.exe 1000 "C:\Windows\SysWOW64\feybuq.exe"141⤵PID:640
-
C:\Windows\SysWOW64\xszekm.exeC:\Windows\system32\xszekm.exe 1000 "C:\Windows\SysWOW64\feybuq.exe"142⤵
- Drops file in System32 directory
PID:1084 -
C:\Windows\SysWOW64\pwwuyd.exeC:\Windows\system32\pwwuyd.exe 1120 "C:\Windows\SysWOW64\xszekm.exe"143⤵PID:3152
-
C:\Windows\SysWOW64\pwwuyd.exeC:\Windows\system32\pwwuyd.exe 1120 "C:\Windows\SysWOW64\xszekm.exe"144⤵PID:1360
-
C:\Windows\SysWOW64\hhmkln.exeC:\Windows\system32\hhmkln.exe 988 "C:\Windows\SysWOW64\pwwuyd.exe"145⤵PID:2336
-
C:\Windows\SysWOW64\hhmkln.exeC:\Windows\system32\hhmkln.exe 988 "C:\Windows\SysWOW64\pwwuyd.exe"146⤵PID:4268
-
C:\Windows\SysWOW64\cvdnrf.exeC:\Windows\system32\cvdnrf.exe 992 "C:\Windows\SysWOW64\hhmkln.exe"147⤵PID:5020
-
C:\Windows\SysWOW64\cvdnrf.exeC:\Windows\system32\cvdnrf.exe 992 "C:\Windows\SysWOW64\hhmkln.exe"148⤵PID:5036
-
C:\Windows\SysWOW64\unpvkf.exeC:\Windows\system32\unpvkf.exe 964 "C:\Windows\SysWOW64\cvdnrf.exe"149⤵PID:2844
-
C:\Windows\SysWOW64\unpvkf.exeC:\Windows\system32\unpvkf.exe 964 "C:\Windows\SysWOW64\cvdnrf.exe"150⤵PID:1692
-
C:\Windows\SysWOW64\szmwui.exeC:\Windows\system32\szmwui.exe 1120 "C:\Windows\SysWOW64\unpvkf.exe"151⤵PID:2296
-
C:\Windows\SysWOW64\szmwui.exeC:\Windows\system32\szmwui.exe 1120 "C:\Windows\SysWOW64\unpvkf.exe"152⤵
- Drops file in System32 directory
PID:1088 -
C:\Windows\SysWOW64\kkjmhz.exeC:\Windows\system32\kkjmhz.exe 996 "C:\Windows\SysWOW64\szmwui.exe"153⤵PID:2232
-
C:\Windows\SysWOW64\kkjmhz.exeC:\Windows\system32\kkjmhz.exe 996 "C:\Windows\SysWOW64\szmwui.exe"154⤵
- Drops file in System32 directory
PID:4276 -
C:\Windows\SysWOW64\ffqhts.exeC:\Windows\system32\ffqhts.exe 1000 "C:\Windows\SysWOW64\kkjmhz.exe"155⤵PID:2820
-
C:\Windows\SysWOW64\ffqhts.exeC:\Windows\system32\ffqhts.exe 1000 "C:\Windows\SysWOW64\kkjmhz.exe"156⤵
- Drops file in System32 directory
PID:5088 -
C:\Windows\SysWOW64\aiwcwt.exeC:\Windows\system32\aiwcwt.exe 1000 "C:\Windows\SysWOW64\ffqhts.exe"157⤵PID:3472
-
C:\Windows\SysWOW64\aiwcwt.exeC:\Windows\system32\aiwcwt.exe 1000 "C:\Windows\SysWOW64\ffqhts.exe"158⤵PID:3076
-
C:\Windows\SysWOW64\hqrirx.exeC:\Windows\system32\hqrirx.exe 1120 "C:\Windows\SysWOW64\aiwcwt.exe"159⤵PID:2004
-
C:\Windows\SysWOW64\hqrirx.exeC:\Windows\system32\hqrirx.exe 1120 "C:\Windows\SysWOW64\aiwcwt.exe"160⤵
- Drops file in System32 directory
PID:3396 -
C:\Windows\SysWOW64\ztoyep.exeC:\Windows\system32\ztoyep.exe 1008 "C:\Windows\SysWOW64\hqrirx.exe"161⤵PID:640
-
C:\Windows\SysWOW64\ztoyep.exeC:\Windows\system32\ztoyep.exe 1008 "C:\Windows\SysWOW64\hqrirx.exe"162⤵PID:3652
-
C:\Windows\SysWOW64\uwvtii.exeC:\Windows\system32\uwvtii.exe 968 "C:\Windows\SysWOW64\ztoyep.exe"163⤵PID:2184
-
C:\Windows\SysWOW64\uwvtii.exeC:\Windows\system32\uwvtii.exe 968 "C:\Windows\SysWOW64\ztoyep.exe"164⤵PID:1892
-
C:\Windows\SysWOW64\jibefq.exeC:\Windows\system32\jibefq.exe 1152 "C:\Windows\SysWOW64\uwvtii.exe"165⤵PID:3384
-
C:\Windows\SysWOW64\jibefq.exeC:\Windows\system32\jibefq.exe 1152 "C:\Windows\SysWOW64\uwvtii.exe"166⤵PID:4888
-
C:\Windows\SysWOW64\ceccnz.exeC:\Windows\system32\ceccnz.exe 988 "C:\Windows\SysWOW64\jibefq.exe"167⤵PID:3804
-
C:\Windows\SysWOW64\ceccnz.exeC:\Windows\system32\ceccnz.exe 988 "C:\Windows\SysWOW64\jibefq.exe"168⤵PID:976
-
C:\Windows\SysWOW64\uissaq.exeC:\Windows\system32\uissaq.exe 1128 "C:\Windows\SysWOW64\ceccnz.exe"169⤵PID:2776
-
C:\Windows\SysWOW64\uissaq.exeC:\Windows\system32\uissaq.exe 1128 "C:\Windows\SysWOW64\ceccnz.exe"170⤵PID:4432
-
C:\Windows\SysWOW64\mtpioi.exeC:\Windows\system32\mtpioi.exe 1020 "C:\Windows\SysWOW64\uissaq.exe"171⤵PID:376
-
C:\Windows\SysWOW64\mtpioi.exeC:\Windows\system32\mtpioi.exe 1020 "C:\Windows\SysWOW64\uissaq.exe"172⤵
- Drops file in System32 directory
PID:4420 -
C:\Windows\SysWOW64\eiqlee.exeC:\Windows\system32\eiqlee.exe 1000 "C:\Windows\SysWOW64\mtpioi.exe"173⤵PID:2232
-
C:\Windows\SysWOW64\eiqlee.exeC:\Windows\system32\eiqlee.exe 1000 "C:\Windows\SysWOW64\mtpioi.exe"174⤵PID:440
-
C:\Windows\SysWOW64\zzktfs.exeC:\Windows\system32\zzktfs.exe 988 "C:\Windows\SysWOW64\eiqlee.exe"175⤵PID:2100
-
C:\Windows\SysWOW64\zzktfs.exeC:\Windows\system32\zzktfs.exe 988 "C:\Windows\SysWOW64\eiqlee.exe"176⤵PID:5048
-
C:\Windows\SysWOW64\rgtwvo.exeC:\Windows\system32\rgtwvo.exe 1008 "C:\Windows\SysWOW64\zzktfs.exe"177⤵PID:4880
-
C:\Windows\SysWOW64\rgtwvo.exeC:\Windows\system32\rgtwvo.exe 1008 "C:\Windows\SysWOW64\zzktfs.exe"178⤵PID:1188
-
C:\Windows\SysWOW64\bnxhgb.exeC:\Windows\system32\bnxhgb.exe 992 "C:\Windows\SysWOW64\rgtwvo.exe"179⤵PID:3856
-
C:\Windows\SysWOW64\bnxhgb.exeC:\Windows\system32\bnxhgb.exe 992 "C:\Windows\SysWOW64\rgtwvo.exe"180⤵PID:1936
-
C:\Windows\SysWOW64\unjkqp.exeC:\Windows\system32\unjkqp.exe 1136 "C:\Windows\SysWOW64\bnxhgb.exe"181⤵PID:60
-
C:\Windows\SysWOW64\unjkqp.exeC:\Windows\system32\unjkqp.exe 1136 "C:\Windows\SysWOW64\bnxhgb.exe"182⤵PID:1232
-
C:\Windows\SysWOW64\jzqvnx.exeC:\Windows\system32\jzqvnx.exe 1120 "C:\Windows\SysWOW64\unjkqp.exe"183⤵PID:2584
-
C:\Windows\SysWOW64\jzqvnx.exeC:\Windows\system32\jzqvnx.exe 1120 "C:\Windows\SysWOW64\unjkqp.exe"184⤵
- Drops file in System32 directory
PID:1016 -
C:\Windows\SysWOW64\bzugyk.exeC:\Windows\system32\bzugyk.exe 1124 "C:\Windows\SysWOW64\jzqvnx.exe"185⤵PID:4372
-
C:\Windows\SysWOW64\bzugyk.exeC:\Windows\system32\bzugyk.exe 1124 "C:\Windows\SysWOW64\jzqvnx.exe"186⤵
- Drops file in System32 directory
PID:2576 -
C:\Windows\SysWOW64\uzgjjx.exeC:\Windows\system32\uzgjjx.exe 988 "C:\Windows\SysWOW64\bzugyk.exe"187⤵PID:3188
-
C:\Windows\SysWOW64\uzgjjx.exeC:\Windows\system32\uzgjjx.exe 988 "C:\Windows\SysWOW64\bzugyk.exe"188⤵PID:3340
-
C:\Windows\SysWOW64\mkwzwh.exeC:\Windows\system32\mkwzwh.exe 1120 "C:\Windows\SysWOW64\uzgjjx.exe"189⤵PID:4900
-
C:\Windows\SysWOW64\mkwzwh.exeC:\Windows\system32\mkwzwh.exe 1120 "C:\Windows\SysWOW64\uzgjjx.exe"190⤵PID:1200
-
C:\Windows\SysWOW64\bwdslp.exeC:\Windows\system32\bwdslp.exe 1000 "C:\Windows\SysWOW64\mkwzwh.exe"191⤵PID:2816
-
C:\Windows\SysWOW64\bwdslp.exeC:\Windows\system32\bwdslp.exe 1000 "C:\Windows\SysWOW64\mkwzwh.exe"192⤵PID:1152
-
C:\Windows\SysWOW64\twpvwc.exeC:\Windows\system32\twpvwc.exe 1008 "C:\Windows\SysWOW64\bwdslp.exe"193⤵PID:1836
-
C:\Windows\SysWOW64\twpvwc.exeC:\Windows\system32\twpvwc.exe 1008 "C:\Windows\SysWOW64\bwdslp.exe"194⤵PID:5108
-
C:\Windows\SysWOW64\mvtghq.exeC:\Windows\system32\mvtghq.exe 1120 "C:\Windows\SysWOW64\twpvwc.exe"195⤵PID:960
-
C:\Windows\SysWOW64\mvtghq.exeC:\Windows\system32\mvtghq.exe 1120 "C:\Windows\SysWOW64\twpvwc.exe"196⤵PID:4684
-
C:\Windows\SysWOW64\bparwy.exeC:\Windows\system32\bparwy.exe 1120 "C:\Windows\SysWOW64\mvtghq.exe"197⤵PID:4880
-
C:\Windows\SysWOW64\bparwy.exeC:\Windows\system32\bparwy.exe 1120 "C:\Windows\SysWOW64\mvtghq.exe"198⤵
- Drops file in System32 directory
PID:3060 -
C:\Windows\SysWOW64\jqvwic.exeC:\Windows\system32\jqvwic.exe 1120 "C:\Windows\SysWOW64\bparwy.exe"199⤵PID:3468
-
C:\Windows\SysWOW64\jqvwic.exeC:\Windows\system32\jqvwic.exe 1120 "C:\Windows\SysWOW64\bparwy.exe"200⤵
- Drops file in System32 directory
PID:1540 -
C:\Windows\SysWOW64\bxhztp.exeC:\Windows\system32\bxhztp.exe 988 "C:\Windows\SysWOW64\jqvwic.exe"201⤵PID:2092
-
C:\Windows\SysWOW64\bxhztp.exeC:\Windows\system32\bxhztp.exe 988 "C:\Windows\SysWOW64\jqvwic.exe"202⤵PID:4140
-
C:\Windows\SysWOW64\qjgsqx.exeC:\Windows\system32\qjgsqx.exe 1012 "C:\Windows\SysWOW64\bxhztp.exe"203⤵PID:1956
-
C:\Windows\SysWOW64\qjgsqx.exeC:\Windows\system32\qjgsqx.exe 1012 "C:\Windows\SysWOW64\bxhztp.exe"204⤵
- Drops file in System32 directory
PID:464 -
C:\Windows\SysWOW64\indidp.exeC:\Windows\system32\indidp.exe 1008 "C:\Windows\SysWOW64\qjgsqx.exe"205⤵PID:2400
-
C:\Windows\SysWOW64\indidp.exeC:\Windows\system32\indidp.exe 1008 "C:\Windows\SysWOW64\qjgsqx.exe"206⤵
- Drops file in System32 directory
PID:1592 -
C:\Windows\SysWOW64\eandbh.exeC:\Windows\system32\eandbh.exe 1012 "C:\Windows\SysWOW64\indidp.exe"207⤵PID:2044
-
C:\Windows\SysWOW64\eandbh.exeC:\Windows\system32\eandbh.exe 1012 "C:\Windows\SysWOW64\indidp.exe"208⤵PID:2820
-
C:\Windows\SysWOW64\tuuozp.exeC:\Windows\system32\tuuozp.exe 1000 "C:\Windows\SysWOW64\eandbh.exe"209⤵PID:664
-
C:\Windows\SysWOW64\tuuozp.exeC:\Windows\system32\tuuozp.exe 1000 "C:\Windows\SysWOW64\eandbh.exe"210⤵
- Drops file in System32 directory
PID:3992 -
C:\Windows\SysWOW64\jgahox.exeC:\Windows\system32\jgahox.exe 1120 "C:\Windows\SysWOW64\tuuozp.exe"211⤵PID:2508
-
C:\Windows\SysWOW64\jgahox.exeC:\Windows\system32\jgahox.exe 1120 "C:\Windows\SysWOW64\tuuozp.exe"212⤵PID:3380
-
C:\Windows\SysWOW64\wmuuzw.exeC:\Windows\system32\wmuuzw.exe 1120 "C:\Windows\SysWOW64\jgahox.exe"213⤵PID:2892
-
C:\Windows\SysWOW64\wmuuzw.exeC:\Windows\system32\wmuuzw.exe 1120 "C:\Windows\SysWOW64\jgahox.exe"214⤵
- Drops file in System32 directory
PID:5004 -
C:\Windows\SysWOW64\oxjknf.exeC:\Windows\system32\oxjknf.exe 1000 "C:\Windows\SysWOW64\wmuuzw.exe"215⤵PID:5072
-
C:\Windows\SysWOW64\oxjknf.exeC:\Windows\system32\oxjknf.exe 1000 "C:\Windows\SysWOW64\wmuuzw.exe"216⤵PID:1308
-
C:\Windows\SysWOW64\jomswc.exeC:\Windows\system32\jomswc.exe 1008 "C:\Windows\SysWOW64\oxjknf.exe"217⤵PID:4788
-
C:\Windows\SysWOW64\jomswc.exeC:\Windows\system32\jomswc.exe 1008 "C:\Windows\SysWOW64\oxjknf.exe"218⤵PID:4784
-
C:\Windows\SysWOW64\dudbkz.exeC:\Windows\system32\dudbkz.exe 1012 "C:\Windows\SysWOW64\jomswc.exe"219⤵PID:880
-
C:\Windows\SysWOW64\dudbkz.exeC:\Windows\system32\dudbkz.exe 1012 "C:\Windows\SysWOW64\jomswc.exe"220⤵PID:3900
-
C:\Windows\SysWOW64\qpkwwa.exeC:\Windows\system32\qpkwwa.exe 1000 "C:\Windows\SysWOW64\dudbkz.exe"221⤵PID:4776
-
C:\Windows\SysWOW64\qpkwwa.exeC:\Windows\system32\qpkwwa.exe 1000 "C:\Windows\SysWOW64\dudbkz.exe"222⤵
- Drops file in System32 directory
PID:3936 -
C:\Windows\SysWOW64\iekzmw.exeC:\Windows\system32\iekzmw.exe 1120 "C:\Windows\SysWOW64\qpkwwa.exe"223⤵PID:4712
-
C:\Windows\SysWOW64\iekzmw.exeC:\Windows\system32\iekzmw.exe 1120 "C:\Windows\SysWOW64\qpkwwa.exe"224⤵
- Drops file in System32 directory
PID:5052 -
C:\Windows\SysWOW64\dvnhnl.exeC:\Windows\system32\dvnhnl.exe 996 "C:\Windows\SysWOW64\iekzmw.exe"225⤵PID:5020
-
C:\Windows\SysWOW64\dvnhnl.exeC:\Windows\system32\dvnhnl.exe 996 "C:\Windows\SysWOW64\iekzmw.exe"226⤵PID:2844
-
C:\Windows\SysWOW64\yytcyl.exeC:\Windows\system32\yytcyl.exe 1156 "C:\Windows\SysWOW64\dvnhnl.exe"227⤵PID:1984
-
C:\Windows\SysWOW64\yytcyl.exeC:\Windows\system32\yytcyl.exe 1156 "C:\Windows\SysWOW64\dvnhnl.exe"228⤵
- Drops file in System32 directory
PID:2092 -
C:\Windows\SysWOW64\qmcfoh.exeC:\Windows\system32\qmcfoh.exe 988 "C:\Windows\SysWOW64\yytcyl.exe"229⤵PID:2112
-
C:\Windows\SysWOW64\qmcfoh.exeC:\Windows\system32\qmcfoh.exe 988 "C:\Windows\SysWOW64\yytcyl.exe"230⤵
- Drops file in System32 directory
PID:1836 -
C:\Windows\SysWOW64\ovntvf.exeC:\Windows\system32\ovntvf.exe 1000 "C:\Windows\SysWOW64\qmcfoh.exe"231⤵PID:5004
-
C:\Windows\SysWOW64\ovntvf.exeC:\Windows\system32\ovntvf.exe 1000 "C:\Windows\SysWOW64\qmcfoh.exe"232⤵PID:2156
-
C:\Windows\SysWOW64\gkowmb.exeC:\Windows\system32\gkowmb.exe 1000 "C:\Windows\SysWOW64\ovntvf.exe"233⤵PID:3340
-
C:\Windows\SysWOW64\gkowmb.exeC:\Windows\system32\gkowmb.exe 1000 "C:\Windows\SysWOW64\ovntvf.exe"234⤵PID:376
-
C:\Windows\SysWOW64\bbreuq.exeC:\Windows\system32\bbreuq.exe 1000 "C:\Windows\SysWOW64\gkowmb.exe"235⤵PID:3056
-
C:\Windows\SysWOW64\bbreuq.exeC:\Windows\system32\bbreuq.exe 1000 "C:\Windows\SysWOW64\gkowmb.exe"236⤵
- Drops file in System32 directory
PID:640 -
C:\Windows\SysWOW64\tqrhlm.exeC:\Windows\system32\tqrhlm.exe 1000 "C:\Windows\SysWOW64\bbreuq.exe"237⤵PID:4500
-
C:\Windows\SysWOW64\tqrhlm.exeC:\Windows\system32\tqrhlm.exe 1000 "C:\Windows\SysWOW64\bbreuq.exe"238⤵PID:4488
-
C:\Windows\SysWOW64\ltpxyd.exeC:\Windows\system32\ltpxyd.exe 992 "C:\Windows\SysWOW64\tqrhlm.exe"239⤵PID:1224
-
C:\Windows\SysWOW64\ltpxyd.exeC:\Windows\system32\ltpxyd.exe 992 "C:\Windows\SysWOW64\tqrhlm.exe"240⤵PID:1004
-
C:\Windows\SysWOW64\xzgffb.exeC:\Windows\system32\xzgffb.exe 1120 "C:\Windows\SysWOW64\ltpxyd.exe"241⤵PID:1500
-
C:\Windows\SysWOW64\xzgffb.exeC:\Windows\system32\xzgffb.exe 1120 "C:\Windows\SysWOW64\ltpxyd.exe"242⤵PID:3716