Analysis
- max time kernel: 150s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 01/07/2024, 17:50
Static task: static1
Behavioral task: behavioral1
- Sample: 1bf0bcfd342783f509d19aa1e188fb73_JaffaCakes118.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 1bf0bcfd342783f509d19aa1e188fb73_JaffaCakes118.exe
- Resource: win10v2004-20240611-en
General
- Target: 1bf0bcfd342783f509d19aa1e188fb73_JaffaCakes118.exe
- Size: 627KB
- MD5: 1bf0bcfd342783f509d19aa1e188fb73
- SHA1: ba736a888567a490a5aa48f0c3a735a9086e913e
- SHA256: fac25bfdbded25210d78c35f1b6a66ac2714fb8e52de64ec8d3371120df02007
- SHA512: 26f77e915419bc75c564e82d40e2619b70bd445393558cbd72ec8310c667adcda29a715d23981a7d9828f6d8485f3d97cdfdd123ef75b9f16d5bf0735b4003b5
- SSDEEP: 12288:KxmvLIsmU9pcZhbcwAP/f7JeIA/OUNfHcMPjle6zlssQtiEn9TMy3V6b7MP+Dd2h:GIZVu74r/f7JeIA/ZN/c2jlZJQtTn9Tb
Malware Config
Signatures
- Executes dropped EXE (64 IoCs)
- Identifies Wine through registry keys (2 TTPs, 64 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Loads dropped DLL (64 IoCs)
- Writes to the Master Boot Record (MBR) (1 TTP, 64 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
- Drops file in System32 directory (64 IoCs)
- Modifies registry class (64 IoCs)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\1bf0bcfd342783f509d19aa1e188fb73_JaffaCakes118.exe (tree depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1bf0bcfd342783f509d19aa1e188fb73_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2400
- C:\Windows\SysWOW64\ycgwzbeyq.exe (tree depth 2)
  Command line: C:\Windows\system32\ycgwzbeyq.exe 676 "C:\Users\Admin\AppData\Local\Temp\1bf0bcfd342783f509d19aa1e188fb73_JaffaCakes118.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2812
- C:\Windows\SysWOW64\fgouqpebq.exe (tree depth 3)
  Command line: C:\Windows\system32\fgouqpebq.exe 644 "C:\Windows\SysWOW64\ycgwzbeyq.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2932
- C:\Windows\SysWOW64\xmnjvenly.exe (tree depth 4)
  Command line: C:\Windows\system32\xmnjvenly.exe 668 "C:\Windows\SysWOW64\fgouqpebq.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2108
- C:\Windows\SysWOW64\klimemsay.exe (tree depth 5)
  Command line: C:\Windows\system32\klimemsay.exe 692 "C:\Windows\SysWOW64\xmnjvenly.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2396
- C:\Windows\SysWOW64\jdreyycjf.exe (tree depth 6)
  Command line: C:\Windows\system32\jdreyycjf.exe 744 "C:\Windows\SysWOW64\klimemsay.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2996
- C:\Windows\SysWOW64\jsgjxhffg.exe (tree depth 7)
  Command line: C:\Windows\system32\jsgjxhffg.exe 664 "C:\Windows\SysWOW64\jdreyycjf.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2332
- C:\Windows\SysWOW64\drxeseuwg.exe (tree depth 8)
  Command line: C:\Windows\system32\drxeseuwg.exe 656 "C:\Windows\SysWOW64\jsgjxhffg.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 3000
- C:\Windows\SysWOW64\vfvkcguya.exe (tree depth 9)
  Command line: C:\Windows\system32\vfvkcguya.exe 764 "C:\Windows\SysWOW64\drxeseuwg.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 824
- C:\Windows\SysWOW64\xaymxgiyt.exe (tree depth 10)
  Command line: C:\Windows\system32\xaymxgiyt.exe 652 "C:\Windows\SysWOW64\vfvkcguya.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2676
- C:\Windows\SysWOW64\iwzxfbjwh.exe (tree depth 11)
  Command line: C:\Windows\system32\iwzxfbjwh.exe 700 "C:\Windows\SysWOW64\xaymxgiyt.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2448
- C:\Windows\SysWOW64\svdcxzrvh.exe (tree depth 12)
  Command line: C:\Windows\system32\svdcxzrvh.exe 704 "C:\Windows\SysWOW64\iwzxfbjwh.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2608
- C:\Windows\SysWOW64\pwnhtdceu.exe (tree depth 13)
  Command line: C:\Windows\system32\pwnhtdceu.exe 740 "C:\Windows\SysWOW64\svdcxzrvh.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1640
C:\Windows\SysWOW64\emhpaugto.exeC:\Windows\system32\emhpaugto.exe 768 "C:\Windows\SysWOW64\pwnhtdceu.exe"14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\lxfuxoogi.exeC:\Windows\system32\lxfuxoogi.exe 780 "C:\Windows\SysWOW64\emhpaugto.exe"15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1336 -
C:\Windows\SysWOW64\yoaxgwunj.exeC:\Windows\system32\yoaxgwunj.exe 776 "C:\Windows\SysWOW64\lxfuxoogi.exe"16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:684 -
C:\Windows\SysWOW64\jvmuqvtnj.exeC:\Windows\system32\jvmuqvtnj.exe 796 "C:\Windows\SysWOW64\yoaxgwunj.exe"17⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2572 -
C:\Windows\SysWOW64\ydycxexjc.exeC:\Windows\system32\ydycxexjc.exe 800 "C:\Windows\SysWOW64\jvmuqvtnj.exe"18⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1480 -
C:\Windows\SysWOW64\aybfsfecw.exeC:\Windows\system32\aybfsfecw.exe 784 "C:\Windows\SysWOW64\ydycxexjc.exe"19⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1296 -
C:\Windows\SysWOW64\nshudrqmj.exeC:\Windows\system32\nshudrqmj.exe 792 "C:\Windows\SysWOW64\aybfsfecw.exe"20⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2760 -
C:\Windows\SysWOW64\auncpwuvx.exeC:\Windows\system32\auncpwuvx.exe 812 "C:\Windows\SysWOW64\nshudrqmj.exe"21⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2256 -
C:\Windows\SysWOW64\nheauatad.exeC:\Windows\system32\nheauatad.exe 804 "C:\Windows\SysWOW64\auncpwuvx.exe"22⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:628 -
C:\Windows\SysWOW64\rxbnrgflk.exeC:\Windows\system32\rxbnrgflk.exe 708 "C:\Windows\SysWOW64\nheauatad.exe"23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1676 -
C:\Windows\SysWOW64\wzjihllrr.exeC:\Windows\system32\wzjihllrr.exe 684 "C:\Windows\SysWOW64\rxbnrgflk.exe"24⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:764 -
C:\Windows\SysWOW64\ovinsnssl.exeC:\Windows\system32\ovinsnssl.exe 820 "C:\Windows\SysWOW64\wzjihllrr.exe"25⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2912 -
C:\Windows\SysWOW64\rumkclrrl.exeC:\Windows\system32\rumkclrrl.exe 824 "C:\Windows\SysWOW64\ovinsnssl.exe"26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1232 -
C:\Windows\SysWOW64\dzenqccvl.exeC:\Windows\system32\dzenqccvl.exe 836 "C:\Windows\SysWOW64\rumkclrrl.exe"27⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2172 -
C:\Windows\SysWOW64\ostsvseym.exeC:\Windows\system32\ostsvseym.exe 816 "C:\Windows\SysWOW64\dzenqccvl.exe"28⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1484 -
C:\Windows\SysWOW64\sljsudpdf.exeC:\Windows\system32\sljsudpdf.exe 736 "C:\Windows\SysWOW64\ostsvseym.exe"29⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1712 -
C:\Windows\SysWOW64\fytiahnil.exeC:\Windows\system32\fytiahnil.exe 828 "C:\Windows\SysWOW64\sljsudpdf.exe"30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:340 -
C:\Windows\SysWOW64\sazyllasz.exeC:\Windows\system32\sazyllasz.exe 720 "C:\Windows\SysWOW64\fytiahnil.exe"31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2224 -
C:\Windows\SysWOW64\cwaibgapm.exeC:\Windows\system32\cwaibgapm.exe 844 "C:\Windows\SysWOW64\sazyllasz.exe"32⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2136 -
C:\Windows\SysWOW64\jhynqhjjg.exeC:\Windows\system32\jhynqhjjg.exe 852 "C:\Windows\SysWOW64\cwaibgapm.exe"33⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1508 -
C:\Windows\SysWOW64\zbvizvlam.exeC:\Windows\system32\zbvizvlam.exe 848 "C:\Windows\SysWOW64\jhynqhjjg.exe"34⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2828 -
C:\Windows\SysWOW64\mrqlidrin.exeC:\Windows\system32\mrqlidrin.exe 860 "C:\Windows\SysWOW64\zbvizvlam.exe"35⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1952 -
C:\Windows\SysWOW64\ytestivjb.exeC:\Windows\system32\ytestivjb.exe 864 "C:\Windows\SysWOW64\mrqlidrin.exe"36⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2248 -
C:\Windows\SysWOW64\mgnqhmcwh.exeC:\Windows\system32\mgnqhmcwh.exe 876 "C:\Windows\SysWOW64\ytestivjb.exe"37⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1616 -
C:\Windows\SysWOW64\vrdtupiqt.exeC:\Windows\system32\vrdtupiqt.exe 880 "C:\Windows\SysWOW64\mgnqhmcwh.exe"38⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2392 -
C:\Windows\SysWOW64\ihgvdxofu.exeC:\Windows\system32\ihgvdxofu.exe 868 "C:\Windows\SysWOW64\vrdtupiqt.exe"39⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1528 -
C:\Windows\SysWOW64\vjmlobshi.exeC:\Windows\system32\vjmlobshi.exe 872 "C:\Windows\SysWOW64\ihgvdxofu.exe"40⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
PID:792 -
C:\Windows\SysWOW64\iahoxkyoj.exeC:\Windows\system32\iahoxkyoj.exe 884 "C:\Windows\SysWOW64\vjmlobshi.exe"41⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1900 -
C:\Windows\SysWOW64\scwysneqv.exeC:\Windows\system32\scwysneqv.exe 888 "C:\Windows\SysWOW64\iahoxkyoj.exe"42⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2028 -
C:\Windows\SysWOW64\fxnoyidvb.exeC:\Windows\system32\fxnoyidvb.exe 892 "C:\Windows\SysWOW64\scwysneqv.exe"43⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1176 -
C:\Windows\SysWOW64\padylmjxw.exeC:\Windows\system32\padylmjxw.exe 896 "C:\Windows\SysWOW64\fxnoyidvb.exe"44⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2928 -
C:\Windows\SysWOW64\ccjoxyvhc.exeC:\Windows\system32\ccjoxyvhc.exe 900 "C:\Windows\SysWOW64\padylmjxw.exe"45⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1732 -
C:\Windows\SysWOW64\oseqfgtoc.exeC:\Windows\system32\oseqfgtoc.exe 904 "C:\Windows\SysWOW64\ccjoxyvhc.exe"46⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2880 -
C:\Windows\SysWOW64\brhtogyvd.exeC:\Windows\system32\brhtogyvd.exe 908 "C:\Windows\SysWOW64\oseqfgtoc.exe"47⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1880 -
C:\Windows\SysWOW64\ltwwjkfpq.exeC:\Windows\system32\ltwwjkfpq.exe 912 "C:\Windows\SysWOW64\brhtogyvd.exe"48⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:604 -
C:\Windows\SysWOW64\ysrysskwr.exeC:\Windows\system32\ysrysskwr.exe 916 "C:\Windows\SysWOW64\ltwwjkfpq.exe"49⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:560 -
C:\Windows\SysWOW64\lmxodwpgw.exeC:\Windows\system32\lmxodwpgw.exe 928 "C:\Windows\SysWOW64\ysrysskwr.exe"50⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1652 -
C:\Windows\SysWOW64\yksrmeunx.exeC:\Windows\system32\yksrmeunx.exe 920 "C:\Windows\SysWOW64\lmxodwpgw.exe"51⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious behavior: EnumeratesProcesses
PID:2636 -
C:\Windows\SysWOW64\lbutunauy.exeC:\Windows\system32\lbutunauy.exe 924 "C:\Windows\SysWOW64\yksrmeunx.exe"52⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1252 -
C:\Windows\SysWOW64\yrpwdnxkz.exeC:\Windows\system32\yrpwdnxkz.exe 932 "C:\Windows\SysWOW64\lbutunauy.exe"53⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2596 -
C:\Windows\SysWOW64\hfqlbukgy.exeC:\Windows\system32\hfqlbukgy.exe 936 "C:\Windows\SysWOW64\yrpwdnxkz.exe"54⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:316 -
C:\Windows\SysWOW64\uelokcqnr.exeC:\Windows\system32\uelokcqnr.exe 940 "C:\Windows\SysWOW64\hfqlbukgy.exe"55⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2616 -
C:\Windows\SysWOW64\hunrskvur.exeC:\Windows\system32\hunrskvur.exe 944 "C:\Windows\SysWOW64\uelokcqnr.exe"56⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1904 -
C:\Windows\SysWOW64\ulitbltcs.exeC:\Windows\system32\ulitbltcs.exe 948 "C:\Windows\SysWOW64\hunrskvur.exe"57⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1768 -
C:\Windows\SysWOW64\ewyeoohwf.exeC:\Windows\system32\ewyeoohwf.exe 952 "C:\Windows\SysWOW64\ulitbltcs.exe"58⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1624 -
C:\Windows\SysWOW64\rjptcsgit.exeC:\Windows\system32\rjptcsgit.exe 964 "C:\Windows\SysWOW64\ewyeoohwf.exe"59⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2144 -
C:\Windows\SysWOW64\bxqrsztfs.exeC:\Windows\system32\bxqrsztfs.exe 956 "C:\Windows\SysWOW64\rjptcsgit.exe"60⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1888 -
C:\Windows\SysWOW64\okzhyvssh.exeC:\Windows\system32\okzhyvssh.exe 960 "C:\Windows\SysWOW64\bxqrsztfs.exe"61⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1656 -
C:\Windows\SysWOW64\amfwjhwtm.exeC:\Windows\system32\amfwjhwtm.exe 972 "C:\Windows\SysWOW64\okzhyvssh.exe"62⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
PID:2756 -
C:\Windows\SysWOW64\ncizspcbn.exeC:\Windows\system32\ncizspcbn.exe 968 "C:\Windows\SysWOW64\amfwjhwtm.exe"63⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1776 -
C:\Windows\SysWOW64\xnyjntida.exeC:\Windows\system32\xnyjntida.exe 976 "C:\Windows\SysWOW64\ncizspcbn.exe"64⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1628 -
C:\Windows\SysWOW64\kdsmvtoka.exeC:\Windows\system32\kdsmvtoka.exe 988 "C:\Windows\SysWOW64\xnyjntida.exe"65⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\xunpebtrb.exeC:\Windows\system32\xunpebtrb.exe 856 "C:\Windows\SysWOW64\kdsmvtoka.exe"66⤵PID:2732
-
C:\Windows\SysWOW64\helrreato.exeC:\Windows\system32\helrreato.exe 996 "C:\Windows\SysWOW64\xunpebtrb.exe"67⤵PID:1632
-
C:\Windows\SysWOW64\uvfuaefah.exeC:\Windows\system32\uvfuaefah.exe 984 "C:\Windows\SysWOW64\helrreato.exe"68⤵PID:2668
-
C:\Windows\SysWOW64\htawimdhi.exeC:\Windows\system32\htawimdhi.exe 992 "C:\Windows\SysWOW64\uvfuaefah.exe"69⤵PID:2736
-
C:\Windows\SysWOW64\tngmczprv.exeC:\Windows\system32\tngmczprv.exe 1000 "C:\Windows\SysWOW64\htawimdhi.exe"70⤵
- Identifies Wine through registry keys
PID:1884 -
C:\Windows\SysWOW64\euskmyprv.exeC:\Windows\system32\euskmyprv.exe 1004 "C:\Windows\SysWOW64\tngmczprv.exe"71⤵PID:1896
-
C:\Windows\SysWOW64\qoyzycbsj.exeC:\Windows\system32\qoyzycbsj.exe 1008 "C:\Windows\SysWOW64\euskmyprv.exe"72⤵PID:2600
-
C:\Windows\SysWOW64\dbipegafp.exeC:\Windows\system32\dbipegafp.exe 1012 "C:\Windows\SysWOW64\qoyzycbsj.exe"73⤵PID:2112
-
C:\Windows\SysWOW64\idofpsepc.exeC:\Windows\system32\idofpsepc.exe 1028 "C:\Windows\SysWOW64\dbipegafp.exe"74⤵
- Drops file in System32 directory
PID:1124 -
C:\Windows\SysWOW64\scachrmgc.exeC:\Windows\system32\scachrmgc.exe 980 "C:\Windows\SysWOW64\idofpsepc.exe"75⤵PID:1692
-
C:\Windows\SysWOW64\fegstwqqq.exeC:\Windows\system32\fegstwqqq.exe 1020 "C:\Windows\SysWOW64\scachrmgc.exe"76⤵PID:2864
-
C:\Windows\SysWOW64\sryhzapde.exeC:\Windows\system32\sryhzapde.exe 1032 "C:\Windows\SysWOW64\fegstwqqq.exe"77⤵
- Writes to the Master Boot Record (MBR)
PID:2424 -
C:\Windows\SysWOW64\ftepketej.exeC:\Windows\system32\ftepketej.exe 840 "C:\Windows\SysWOW64\sryhzapde.exe"78⤵PID:2052
-
C:\Windows\SysWOW64\pwtzxhhhe.exeC:\Windows\system32\pwtzxhhhe.exe 1048 "C:\Windows\SysWOW64\ftepketej.exe"79⤵PID:2872
-
C:\Windows\SysWOW64\cjdpdlglk.exeC:\Windows\system32\cjdpdlglk.exe 1052 "C:\Windows\SysWOW64\pwtzxhhhe.exe"80⤵PID:2540
-
C:\Windows\SysWOW64\oljfoykvy.exeC:\Windows\system32\oljfoykvy.exe 1040 "C:\Windows\SysWOW64\cjdpdlglk.exe"81⤵PID:2300
-
C:\Windows\SysWOW64\ywgpkbrxk.exeC:\Windows\system32\ywgpkbrxk.exe 1044 "C:\Windows\SysWOW64\oljfoykvy.exe"82⤵PID:1504
-
C:\Windows\SysWOW64\lmbssbwel.exeC:\Windows\system32\lmbssbwel.exe 1064 "C:\Windows\SysWOW64\ywgpkbrxk.exe"83⤵
- Modifies registry class
PID:1460 -
C:\Windows\SysWOW64\ydwvbjclm.exeC:\Windows\system32\ydwvbjclm.exe 1056 "C:\Windows\SysWOW64\lmbssbwel.exe"84⤵PID:1580
-
C:\Windows\SysWOW64\inlfomifz.exeC:\Windows\system32\inlfomifz.exe 1060 "C:\Windows\SysWOW64\ydwvbjclm.exe"85⤵PID:2524
-
C:\Windows\SysWOW64\veoifmovs.exeC:\Windows\system32\veoifmovs.exe 1068 "C:\Windows\SysWOW64\inlfomifz.exe"86⤵PID:676
-
C:\Windows\SysWOW64\igupqzswf.exeC:\Windows\system32\igupqzswf.exe 1072 "C:\Windows\SysWOW64\veoifmovs.exe"87⤵
- Drops file in System32 directory
PID:2648 -
C:\Windows\SysWOW64\vwpszhydg.exeC:\Windows\system32\vwpszhydg.exe 1076 "C:\Windows\SysWOW64\igupqzswf.exe"88⤵PID:916
-
C:\Windows\SysWOW64\hvkvhhdth.exeC:\Windows\system32\hvkvhhdth.exe 1080 "C:\Windows\SysWOW64\vwpszhydg.exe"89⤵PID:2580
-
C:\Windows\SysWOW64\ulnxqpbaz.exeC:\Windows\system32\ulnxqpbaz.exe 1092 "C:\Windows\SysWOW64\hvkvhhdth.exe"90⤵
- Drops file in System32 directory
PID:2484 -
C:\Windows\SysWOW64\eznvgxowh.exeC:\Windows\system32\eznvgxowh.exe 1084 "C:\Windows\SysWOW64\ulnxqpbaz.exe"91⤵PID:2468
-
C:\Windows\SysWOW64\rqixpftez.exeC:\Windows\system32\rqixpftez.exe 1088 "C:\Windows\SysWOW64\eznvgxowh.exe"92⤵PID:2940
-
C:\Windows\SysWOW64\eodaffzla.exeC:\Windows\system32\eodaffzla.exe 1096 "C:\Windows\SysWOW64\rqixpftez.exe"93⤵
- Writes to the Master Boot Record (MBR)
PID:2020 -
C:\Windows\SysWOW64\rfgdonxsb.exeC:\Windows\system32\rfgdonxsb.exe 1100 "C:\Windows\SysWOW64\eodaffzla.exe"94⤵
- Drops file in System32 directory
PID:348 -
C:\Windows\SysWOW64\edagwvczu.exeC:\Windows\system32\edagwvczu.exe 1104 "C:\Windows\SysWOW64\rfgdonxsb.exe"95⤵PID:1276
-
C:\Windows\SysWOW64\njbvmvpwb.exeC:\Windows\system32\njbvmvpwb.exe 1016 "C:\Windows\SysWOW64\edagwvczu.exe"96⤵
- Identifies Wine through registry keys
PID:2416 -
C:\Windows\SysWOW64\aiwyvdndu.exeC:\Windows\system32\aiwyvdndu.exe 1112 "C:\Windows\SysWOW64\njbvmvpwb.exe"97⤵PID:1452
-
C:\Windows\SysWOW64\nyraelssv.exeC:\Windows\system32\nyraelssv.exe 1116 "C:\Windows\SysWOW64\aiwyvdndu.exe"98⤵PID:2724
-
C:\Windows\SysWOW64\axtdulyzw.exeC:\Windows\system32\axtdulyzw.exe 1120 "C:\Windows\SysWOW64\nyraelssv.exe"99⤵PID:1196
-
C:\Windows\SysWOW64\kwyafkfzw.exeC:\Windows\system32\kwyafkfzw.exe 1124 "C:\Windows\SysWOW64\axtdulyzw.exe"100⤵
- Identifies Wine through registry keys
PID:1488 -
C:\Windows\SysWOW64\xbpdtbjdw.exeC:\Windows\system32\xbpdtbjdw.exe 1128 "C:\Windows\SysWOW64\kwyafkfzw.exe"101⤵
- Drops file in System32 directory
PID:2236 -
C:\Windows\SysWOW64\kogtzfpic.exeC:\Windows\system32\kogtzfpic.exe 1036 "C:\Windows\SysWOW64\xbpdtbjdw.exe"102⤵
- Modifies registry class
PID:2352 -
C:\Windows\SysWOW64\wqnakjurp.exeC:\Windows\system32\wqnakjurp.exe 1140 "C:\Windows\SysWOW64\kogtzfpic.exe"103⤵
- Drops file in System32 directory
PID:1704 -
C:\Windows\SysWOW64\jhhdtrzyq.exeC:\Windows\system32\jhhdtrzyq.exe 1136 "C:\Windows\SysWOW64\wqnakjurp.exe"104⤵PID:1680
-
C:\Windows\SysWOW64\trxnoufbd.exeC:\Windows\system32\trxnoufbd.exe 1144 "C:\Windows\SysWOW64\jhhdtrzyq.exe"105⤵
- Identifies Wine through registry keys
PID:3028 -
C:\Windows\SysWOW64\gisqxvlie.exeC:\Windows\system32\gisqxvlie.exe 1156 "C:\Windows\SysWOW64\trxnoufbd.exe"106⤵
- Identifies Wine through registry keys
PID:1456 -
C:\Windows\SysWOW64\tkggihprj.exeC:\Windows\system32\tkggihprj.exe 1160 "C:\Windows\SysWOW64\gisqxvlie.exe"107⤵
- Writes to the Master Boot Record (MBR)
PID:2680 -
C:\Windows\SysWOW64\djkdsgxjr.exeC:\Windows\system32\djkdsgxjr.exe 1148 "C:\Windows\SysWOW64\tkggihprj.exe"108⤵
- Identifies Wine through registry keys
PID:2960 -
C:\Windows\SysWOW64\qafgbouyk.exeC:\Windows\system32\qafgbouyk.exe 1152 "C:\Windows\SysWOW64\djkdsgxjr.exe"109⤵PID:2952
-
C:\Windows\SysWOW64\dyhjkoafl.exeC:\Windows\system32\dyhjkoafl.exe 1168 "C:\Windows\SysWOW64\qafgbouyk.exe"110⤵PID:1876
-
C:\Windows\SysWOW64\psnydbehy.exeC:\Windows\system32\psnydbehy.exe 1164 "C:\Windows\SysWOW64\dyhjkoafl.exe"111⤵PID:440
-
C:\Windows\SysWOW64\critmjkwr.exeC:\Windows\system32\critmjkwr.exe 1172 "C:\Windows\SysWOW64\psnydbehy.exe"112⤵
- Drops file in System32 directory
PID:2504 -
C:\Windows\SysWOW64\nqmywirwz.exeC:\Windows\system32\nqmywirwz.exe 1176 "C:\Windows\SysWOW64\critmjkwr.exe"113⤵PID:1696
-
C:\Windows\SysWOW64\zvetkqdar.exeC:\Windows\system32\zvetkqdar.exe 1180 "C:\Windows\SysWOW64\nqmywirwz.exe"114⤵
- Drops file in System32 directory
PID:372 -
C:\Windows\SysWOW64\mmgwtzahs.exeC:\Windows\system32\mmgwtzahs.exe 1184 "C:\Windows\SysWOW64\zvetkqdar.exe"115⤵PID:2696
-
C:\Windows\SysWOW64\zzqlzczmg.exeC:\Windows\system32\zzqlzczmg.exe 1132 "C:\Windows\SysWOW64\mmgwtzahs.exe"116⤵PID:1516
-
C:\Windows\SysWOW64\jnrjxcmqg.exeC:\Windows\system32\jnrjxcmqg.exe 1200 "C:\Windows\SysWOW64\zzqlzczmg.exe"117⤵
- Modifies registry class
PID:1892 -
C:\Windows\SysWOW64\zzzebpjdn.exeC:\Windows\system32\zzzebpjdn.exe 1192 "C:\Windows\SysWOW64\jnrjxcmqg.exe"118⤵PID:292
-
C:\Windows\SysWOW64\ifstrxwzm.exeC:\Windows\system32\ifstrxwzm.exe 1196 "C:\Windows\SysWOW64\zzzebpjdn.exe"119⤵PID:1968
-
C:\Windows\SysWOW64\veuwzxbgn.exeC:\Windows\system32\veuwzxbgn.exe 1204 "C:\Windows\SysWOW64\ifstrxwzm.exe"120⤵PID:2060
-
C:\Windows\SysWOW64\ireufbatb.exeC:\Windows\system32\ireufbatb.exe 1216 "C:\Windows\SysWOW64\veuwzxbgn.exe"121⤵PID:1868
-
C:\Windows\SysWOW64\sfejdinqa.exeC:\Windows\system32\sfejdinqa.exe 1220 "C:\Windows\SysWOW64\ireufbatb.exe"122⤵PID:2908
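Every entry in the tree above has the same shape: a 32-bit binary with a random-looking nine-letter name under C:\Windows\SysWOW64 is started with one decimal number and the quoted path of the process that launched it, and in turn starts the next one the same way. (The command line says C:\Windows\system32\ while the recorded image path is C:\Windows\SysWOW64\; that is WOW64 file-system redirection for a 32-bit process on x64, not two different files.) The report does not say what the number is, so the check below treats it as opaque. The following Python is an added example, not part of the tria.ge report or of the sample: it encodes that command-line grammar as a check over process-creation events and rebuilds the parent-to-child chain from the quoted argument alone, so the same logic runs unchanged against EDR or Sysmon process-creation telemetry (image, PID, command line). The five events are copied from the entries above; the notepad.exe event is constructed as a non-matching control.

```python
"""Flag and reconstruct the self-propagating SysWOW64 process chain.

Added example; not part of the tria.ge report or the sample. REPORT_EVENTS
are copied from the report's process tree; BENIGN_EVENT is constructed.
"""
import re
from dataclasses import dataclass

# Grammar observed in every entry of the report: the command line names the
# binary via C:\Windows\system32\ (WOW64 redirection maps this to SysWOW64 for
# a 32-bit process), then one decimal number, then the quoted SysWOW64 path of
# the process that launched it.
CHAIN_CMDLINE = re.compile(
    r'^C:\\Windows\\system32\\(?P<name>[a-z]{9})\.exe '
    r'(?P<num>\d+) '
    r'"(?P<parent>C:\\Windows\\SysWOW64\\[a-z]{9}\.exe)"$',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ProcEvent:
    image: str    # image path as the sandbox or EDR recorded it
    pid: int
    cmdline: str


def match_chain_cmdline(ev: ProcEvent):
    """Return the parsed fields if the event fits the chain grammar, else None."""
    m = CHAIN_CMDLINE.match(ev.cmdline)
    if not m:
        return None
    # The binary named in the command line must be the one that actually ran;
    # otherwise this is some other program that merely quotes a SysWOW64 path.
    if not ev.image.lower().endswith("\\" + m["name"].lower() + ".exe"):
        return None
    return {"name": m["name"], "num": int(m["num"]), "parent": m["parent"]}


def reconstruct_chain(events):
    """Rebuild parent->child chains from the quoted argument alone.

    Works on unordered input: each matching child names its launcher, so the
    links are followed from every root (a child whose named launcher is not
    itself a matching event) until no further child exists.
    """
    parsed = {ev.image.lower(): (ev, fields)
              for ev in events if (fields := match_chain_cmdline(ev))}
    child_of = {fields["parent"].lower(): ev.image for ev, fields in parsed.values()}
    roots = [ev.image for ev, fields in parsed.values()
             if fields["parent"].lower() not in parsed]
    chains = []
    for root in roots:
        chain = [root]
        # Follow links; the length bound stops a malformed cyclic set looping.
        while chain[-1].lower() in child_of and len(chain) <= len(parsed):
            chain.append(child_of[chain[-1].lower()])
        chains.append(chain)
    return chains


def summarize(events) -> dict:
    """The numbers a hunter would put in a ticket."""
    chains = reconstruct_chain(events)
    return {
        "matching_events": sum(1 for ev in events if match_chain_cmdline(ev)),
        "chains": chains,
        "longest_chain": max((len(c) for c in chains), default=0),
    }


# Copied from the report's process tree: image path, PID, command line.
REPORT_EVENTS = [
    ProcEvent(r"C:\Windows\SysWOW64\jdreyycjf.exe", 2996,
              r'C:\Windows\system32\jdreyycjf.exe 744 "C:\Windows\SysWOW64\klimemsay.exe"'),
    ProcEvent(r"C:\Windows\SysWOW64\jsgjxhffg.exe", 2332,
              r'C:\Windows\system32\jsgjxhffg.exe 664 "C:\Windows\SysWOW64\jdreyycjf.exe"'),
    ProcEvent(r"C:\Windows\SysWOW64\drxeseuwg.exe", 3000,
              r'C:\Windows\system32\drxeseuwg.exe 656 "C:\Windows\SysWOW64\jsgjxhffg.exe"'),
    ProcEvent(r"C:\Windows\SysWOW64\vfvkcguya.exe", 824,
              r'C:\Windows\system32\vfvkcguya.exe 764 "C:\Windows\SysWOW64\drxeseuwg.exe"'),
    ProcEvent(r"C:\Windows\SysWOW64\xaymxgiyt.exe", 2676,
              r'C:\Windows\system32\xaymxgiyt.exe 652 "C:\Windows\SysWOW64\vfvkcguya.exe"'),
]
# Constructed control: quotes a SysWOW64 path but does not fit the grammar.
BENIGN_EVENT = ProcEvent(r"C:\Windows\System32\notepad.exe", 1234,
                         r'"C:\Windows\System32\notepad.exe" "C:\Windows\SysWOW64\jsgjxhffg.exe"')
EVENTS = REPORT_EVENTS + [BENIGN_EVENT]

if __name__ == "__main__":
    result = summarize(EVENTS)
    print(result["matching_events"], "matching events; longest chain",
          result["longest_chain"])
    for chain in result["chains"]:
        print(" -> ".join(p.rsplit("\\", 1)[1] for p in chain))
```

The chain walk deliberately ignores the sandbox's own parent PIDs and uses only the quoted argument, which is why the first event (jdreyycjf.exe, launched by klimemsay.exe from the part of the tree above this section) comes out as the root: its named launcher is not among the events supplied. On real telemetry, compare the reconstructed chain with the recorded parent PIDs; a mismatch means the quoted path is not the true creator.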