Analysis
- max time kernel: 150s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 06-07-2024 10:13

Static task: static1

Behavioral task: behavioral1
- Sample: 282dfe32b445737f40ac28aa0b60f6d2_JaffaCakes118.exe
- Resource: win7-20240220-en

Behavioral task: behavioral2
- Sample: 282dfe32b445737f40ac28aa0b60f6d2_JaffaCakes118.exe
- Resource: win10v2004-20240704-en

General
- Target: 282dfe32b445737f40ac28aa0b60f6d2_JaffaCakes118.exe
- Size: 1.3MB
- MD5: 282dfe32b445737f40ac28aa0b60f6d2
- SHA1: 987268a3758feb71e7947fa203ee83a76c890806
- SHA256: 974706c3834b1991fb40832ce7506bc465b1f8dd51090b56724c6e10407fa3cb
- SHA512: c71735eb35fdb74b2661323c000b386e6f04db95311398df2297663d063bcdd71542760f3c7c04bec28be0af860ec5eb96523610696d69fcd2963e407414bfca
- SSDEEP: 24576:RGcgOHTzNxOcBOk2AHiZuNhoQshIbVOLnQ19vkudmKfLFRfzay2BEwoeXYRz:RngO/DOgOYWurooVYuFdm8ZRfkE4Yx

Malware Config
Extracted
- metasploit: encoder/call4_dword_xor
Signatures
- MetaSploit: Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Executes dropped EXE (64 IoCs)
- Loads dropped DLL (64 IoCs)
- Drops file in System32 directory (64 IoCs)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
-
C:\Users\Admin\AppData\Local\Temp\282dfe32b445737f40ac28aa0b60f6d2_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\282dfe32b445737f40ac28aa0b60f6d2_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\swpi.exeC:\Windows\system32\swpi.exe 652 "C:\Users\Admin\AppData\Local\Temp\282dfe32b445737f40ac28aa0b60f6d2_JaffaCakes118.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\pqif.exeC:\Windows\system32\pqif.exe 624 "C:\Windows\SysWOW64\swpi.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\wntd.exeC:\Windows\system32\wntd.exe 628 "C:\Windows\SysWOW64\pqif.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1840 -
C:\Windows\SysWOW64\gqjg.exeC:\Windows\system32\gqjg.exe 648 "C:\Windows\SysWOW64\wntd.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\lrza.exeC:\Windows\system32\lrza.exe 636 "C:\Windows\SysWOW64\gqjg.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\ufsq.exeC:\Windows\system32\ufsq.exe 724 "C:\Windows\SysWOW64\lrza.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\krol.exeC:\Windows\system32\krol.exe 632 "C:\Windows\SysWOW64\ufsq.exe"8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1476 -
C:\Windows\SysWOW64\wxfg.exeC:\Windows\system32\wxfg.exe 728 "C:\Windows\SysWOW64\krol.exe"9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\wiry.exeC:\Windows\system32\wiry.exe 708 "C:\Windows\SysWOW64\wxfg.exe"10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\SysWOW64\ghdd.exeC:\Windows\system32\ghdd.exe 740 "C:\Windows\SysWOW64\wiry.exe"11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\dioi.exeC:\Windows\system32\dioi.exe 664 "C:\Windows\SysWOW64\ghdd.exe"12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\SysWOW64\qcuy.exeC:\Windows\system32\qcuy.exe 752 "C:\Windows\SysWOW64\dioi.exe"13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\ndml.exeC:\Windows\system32\ndml.exe 748 "C:\Windows\SysWOW64\qcuy.exe"14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:352 -
C:\Windows\SysWOW64\zcho.exeC:\Windows\system32\zcho.exe 756 "C:\Windows\SysWOW64\ndml.exe"15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\wdrb.exeC:\Windows\system32\wdrb.exe 656 "C:\Windows\SysWOW64\zcho.exe"16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1072 -
C:\Windows\SysWOW64\juue.exeC:\Windows\system32\juue.exe 760 "C:\Windows\SysWOW64\wdrb.exe"17⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2936 -
C:\Windows\SysWOW64\ddnm.exeC:\Windows\system32\ddnm.exe 688 "C:\Windows\SysWOW64\juue.exe"18⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:944 -
C:\Windows\SysWOW64\vobe.exeC:\Windows\system32\vobe.exe 772 "C:\Windows\SysWOW64\ddnm.exe"19⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1432 -
C:\Windows\SysWOW64\dslj.exeC:\Windows\system32\dslj.exe 776 "C:\Windows\SysWOW64\vobe.exe"20⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2700 -
C:\Windows\SysWOW64\qjgm.exeC:\Windows\system32\qjgm.exe 780 "C:\Windows\SysWOW64\dslj.exe"21⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2548 -
C:\Windows\SysWOW64\xumz.exeC:\Windows\system32\xumz.exe 784 "C:\Windows\SysWOW64\qjgm.exe"22⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2452 -
C:\Windows\SysWOW64\khwo.exeC:\Windows\system32\khwo.exe 792 "C:\Windows\SysWOW64\xumz.exe"23⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2268 -
C:\Windows\SysWOW64\uoim.exeC:\Windows\system32\uoim.exe 788 "C:\Windows\SysWOW64\khwo.exe"24⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2752 -
C:\Windows\SysWOW64\erxw.exeC:\Windows\system32\erxw.exe 768 "C:\Windows\SysWOW64\uoim.exe"25⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:584 -
C:\Windows\SysWOW64\pmyh.exeC:\Windows\system32\pmyh.exe 800 "C:\Windows\SysWOW64\erxw.exe"26⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:564 -
C:\Windows\SysWOW64\cltj.exeC:\Windows\system32\cltj.exe 808 "C:\Windows\SysWOW64\pmyh.exe"27⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:988 -
C:\Windows\SysWOW64\jsgj.exeC:\Windows\system32\jsgj.exe 804 "C:\Windows\SysWOW64\cltj.exe"28⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2972 -
C:\Windows\SysWOW64\ypoj.exeC:\Windows\system32\ypoj.exe 796 "C:\Windows\SysWOW64\jsgj.exe"29⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:304 -
C:\Windows\SysWOW64\gxkc.exeC:\Windows\system32\gxkc.exe 816 "C:\Windows\SysWOW64\ypoj.exe"30⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2620 -
C:\Windows\SysWOW64\vfvk.exeC:\Windows\system32\vfvk.exe 820 "C:\Windows\SysWOW64\gxkc.exe"31⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2504 -
C:\Windows\SysWOW64\gawu.exeC:\Windows\system32\gawu.exe 824 "C:\Windows\SysWOW64\vfvk.exe"32⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2108 -
C:\Windows\SysWOW64\pppr.exeC:\Windows\system32\pppr.exe 812 "C:\Windows\SysWOW64\gawu.exe"33⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2036 -
C:\Windows\SysWOW64\zobp.exeC:\Windows\system32\zobp.exe 832 "C:\Windows\SysWOW64\pppr.exe"34⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1540 -
C:\Windows\SysWOW64\njke.exeC:\Windows\system32\njke.exe 836 "C:\Windows\SysWOW64\zobp.exe"35⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1408 -
C:\Windows\SysWOW64\uqgf.exeC:\Windows\system32\uqgf.exe 828 "C:\Windows\SysWOW64\njke.exe"36⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:448 -
C:\Windows\SysWOW64\hkmm.exeC:\Windows\system32\hkmm.exe 844 "C:\Windows\SysWOW64\uqgf.exe"37⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3020 -
C:\Windows\SysWOW64\rgnf.exeC:\Windows\system32\rgnf.exe 852 "C:\Windows\SysWOW64\hkmm.exe"38⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2496 -
C:\Windows\SysWOW64\eitm.exeC:\Windows\system32\eitm.exe 848 "C:\Windows\SysWOW64\rgnf.exe"39⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1724 -
C:\Windows\SysWOW64\olix.exeC:\Windows\system32\olix.exe 856 "C:\Windows\SysWOW64\eitm.exe"40⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1976 -
C:\Windows\SysWOW64\ysmu.exeC:\Windows\system32\ysmu.exe 864 "C:\Windows\SysWOW64\olix.exe"41⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2560 -
C:\Windows\SysWOW64\lipx.exeC:\Windows\system32\lipx.exe 868 "C:\Windows\SysWOW64\ysmu.exe"42⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2876 -
C:\Windows\SysWOW64\xkvn.exeC:\Windows\system32\xkvn.exe 860 "C:\Windows\SysWOW64\lipx.exe"43⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2724 -
C:\Windows\SysWOW64\kxfc.exeC:\Windows\system32\kxfc.exe 872 "C:\Windows\SysWOW64\xkvn.exe"44⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1132 -
C:\Windows\SysWOW64\xzls.exeC:\Windows\system32\xzls.exe 840 "C:\Windows\SysWOW64\kxfc.exe"45⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:844 -
C:\Windows\SysWOW64\hyxp.exeC:\Windows\system32\hyxp.exe 880 "C:\Windows\SysWOW64\xzls.exe"46⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1784 -
C:\Windows\SysWOW64\upss.exeC:\Windows\system32\upss.exe 888 "C:\Windows\SysWOW64\hyxp.exe"47⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:836 -
C:\Windows\SysWOW64\eoep.exeC:\Windows\system32\eoep.exe 900 "C:\Windows\SysWOW64\upss.exe"48⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2284 -
C:\Windows\SysWOW64\rqkf.exeC:\Windows\system32\rqkf.exe 884 "C:\Windows\SysWOW64\eoep.exe"49⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1744 -
C:\Windows\SysWOW64\tazp.exeC:\Windows\system32\tazp.exe 904 "C:\Windows\SysWOW64\rqkf.exe"50⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2944 -
C:\Windows\SysWOW64\gnjf.exeC:\Windows\system32\gnjf.exe 892 "C:\Windows\SysWOW64\tazp.exe"51⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2404 -
C:\Windows\SysWOW64\qmvd.exeC:\Windows\system32\qmvd.exe 912 "C:\Windows\SysWOW64\gnjf.exe"52⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1616 -
C:\Windows\SysWOW64\axkn.exeC:\Windows\system32\axkn.exe 896 "C:\Windows\SysWOW64\qmvd.exe"53⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2264 -
C:\Windows\SysWOW64\ktlx.exeC:\Windows\system32\ktlx.exe 908 "C:\Windows\SysWOW64\axkn.exe"54⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:560 -
C:\Windows\SysWOW64\vspd.exeC:\Windows\system32\vspd.exe 876 "C:\Windows\SysWOW64\ktlx.exe"55⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:768 -
C:\Windows\SysWOW64\cwai.exeC:\Windows\system32\cwai.exe 920 "C:\Windows\SysWOW64\vspd.exe"56⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:632 -
C:\Windows\SysWOW64\pqgy.exeC:\Windows\system32\pqgy.exe 916 "C:\Windows\SysWOW64\cwai.exe"57⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2328 -
C:\Windows\SysWOW64\zbvi.exeC:\Windows\system32\zbvi.exe 932 "C:\Windows\SysWOW64\pqgy.exe"58⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2952 -
C:\Windows\SysWOW64\mrql.exeC:\Windows\system32\mrql.exe 936 "C:\Windows\SysWOW64\zbvi.exe"59⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1504 -
C:\Windows\SysWOW64\wqci.exeC:\Windows\system32\wqci.exe 924 "C:\Windows\SysWOW64\mrql.exe"60⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1776 -
C:\Windows\SysWOW64\jsiy.exeC:\Windows\system32\jsiy.exe 940 "C:\Windows\SysWOW64\wqci.exe"61⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2708 -
C:\Windows\SysWOW64\trmv.exeC:\Windows\system32\trmv.exe 944 "C:\Windows\SysWOW64\jsiy.exe"62⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2880 -
C:\Windows\SysWOW64\ftsd.exeC:\Windows\system32\ftsd.exe 948 "C:\Windows\SysWOW64\trmv.exe"63⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1008 -
C:\Windows\SysWOW64\skvg.exeC:\Windows\system32\skvg.exe 952 "C:\Windows\SysWOW64\ftsd.exe"64⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:108 -
C:\Windows\SysWOW64\fiqi.exeC:\Windows\system32\fiqi.exe 964 "C:\Windows\SysWOW64\skvg.exe"65⤵
- Executes dropped EXE
PID:1420 -
C:\Windows\SysWOW64\qerb.exeC:\Windows\system32\qerb.exe 956 "C:\Windows\SysWOW64\fiqi.exe"66⤵PID:1544
-
C:\Windows\SysWOW64\cyxi.exeC:\Windows\system32\cyxi.exe 928 "C:\Windows\SysWOW64\qerb.exe"67⤵PID:1672
-
C:\Windows\SysWOW64\srud.exeC:\Windows\system32\srud.exe 972 "C:\Windows\SysWOW64\cyxi.exe"68⤵PID:2616
-
C:\Windows\SysWOW64\fqog.exeC:\Windows\system32\fqog.exe 976 "C:\Windows\SysWOW64\srud.exe"69⤵PID:2420
-
C:\Windows\SysWOW64\oseq.exeC:\Windows\system32\oseq.exe 980 "C:\Windows\SysWOW64\fqog.exe"70⤵PID:2660
-
C:\Windows\SysWOW64\buky.exeC:\Windows\system32\buky.exe 968 "C:\Windows\SysWOW64\oseq.exe"71⤵
- Drops file in System32 directory
PID:2292 -
C:\Windows\SysWOW64\ohbo.exeC:\Windows\system32\ohbo.exe 988 "C:\Windows\SysWOW64\buky.exe"72⤵PID:2348
-
C:\Windows\SysWOW64\bjhd.exeC:\Windows\system32\bjhd.exe 992 "C:\Windows\SysWOW64\ohbo.exe"73⤵PID:948
-
C:\Windows\SysWOW64\lmxo.exeC:\Windows\system32\lmxo.exe 984 "C:\Windows\SysWOW64\bjhd.exe"74⤵PID:1904
-
C:\Windows\SysWOW64\yksr.exeC:\Windows\system32\yksr.exe 996 "C:\Windows\SysWOW64\lmxo.exe"75⤵PID:2640
-
C:\Windows\SysWOW64\lbut.exeC:\Windows\system32\lbut.exe 1004 "C:\Windows\SysWOW64\yksr.exe"76⤵PID:1792
-
C:\Windows\SysWOW64\xdaj.exeC:\Windows\system32\xdaj.exe 1008 "C:\Windows\SysWOW64\lbut.exe"77⤵
- Drops file in System32 directory
PID:2984 -
C:\Windows\SysWOW64\hfql.exeC:\Windows\system32\hfql.exe 1000 "C:\Windows\SysWOW64\xdaj.exe"78⤵PID:1632
-
C:\Windows\SysWOW64\uelo.exeC:\Windows\system32\uelo.exe 1012 "C:\Windows\SysWOW64\hfql.exe"79⤵PID:2192
-
C:\Windows\SysWOW64\hunr.exeC:\Windows\system32\hunr.exe 1016 "C:\Windows\SysWOW64\uelo.exe"80⤵
- Drops file in System32 directory
PID:1104 -
C:\Windows\SysWOW64\uwug.exeC:\Windows\system32\uwug.exe 1020 "C:\Windows\SysWOW64\hunr.exe"81⤵PID:1928
-
C:\Windows\SysWOW64\hjdw.exeC:\Windows\system32\hjdw.exe 1028 "C:\Windows\SysWOW64\uwug.exe"82⤵PID:536
-
C:\Windows\SysWOW64\qyet.exeC:\Windows\system32\qyet.exe 1032 "C:\Windows\SysWOW64\hjdw.exe"83⤵PID:1732
-
C:\Windows\SysWOW64\dohw.exeC:\Windows\system32\dohw.exe 1036 "C:\Windows\SysWOW64\qyet.exe"84⤵PID:2644
-
C:\Windows\SysWOW64\qqne.exeC:\Windows\system32\qqne.exe 1040 "C:\Windows\SysWOW64\dohw.exe"85⤵PID:2628
-
C:\Windows\SysWOW64\ddwb.exeC:\Windows\system32\ddwb.exe 1044 "C:\Windows\SysWOW64\qqne.exe"86⤵PID:2908
-
C:\Windows\SysWOW64\qxcj.exeC:\Windows\system32\qxcj.exe 1048 "C:\Windows\SysWOW64\ddwb.exe"87⤵PID:2764
-
C:\Windows\SysWOW64\dvfm.exeC:\Windows\system32\dvfm.exe 1052 "C:\Windows\SysWOW64\qxcj.exe"88⤵PID:1236
-
C:\Windows\SysWOW64\nyuw.exeC:\Windows\system32\nyuw.exe 1056 "C:\Windows\SysWOW64\dvfm.exe"89⤵PID:572
-
C:\Windows\SysWOW64\atem.exeC:\Windows\system32\atem.exe 1064 "C:\Windows\SysWOW64\nyuw.exe"90⤵PID:2080
-
C:\Windows\SysWOW64\kzfj.exeC:\Windows\system32\kzfj.exe 1060 "C:\Windows\SysWOW64\atem.exe"91⤵PID:2020
-
C:\Windows\SysWOW64\xmwz.exeC:\Windows\system32\xmwz.exe 960 "C:\Windows\SysWOW64\kzfj.exe"92⤵PID:284
-
C:\Windows\SysWOW64\klrc.exeC:\Windows\system32\klrc.exe 1072 "C:\Windows\SysWOW64\xmwz.exe"93⤵PID:2484
-
C:\Windows\SysWOW64\xbme.exeC:\Windows\system32\xbme.exe 1076 "C:\Windows\SysWOW64\klrc.exe"94⤵PID:2528
-
C:\Windows\SysWOW64\gpmc.exeC:\Windows\system32\gpmc.exe 1080 "C:\Windows\SysWOW64\xbme.exe"95⤵PID:2516
-
C:\Windows\SysWOW64\tgpe.exeC:\Windows\system32\tgpe.exe 1088 "C:\Windows\SysWOW64\gpmc.exe"96⤵
- Drops file in System32 directory
PID:1436 -
C:\Windows\SysWOW64\gekh.exeC:\Windows\system32\gekh.exe 1084 "C:\Windows\SysWOW64\tgpe.exe"97⤵PID:1280
-
C:\Windows\SysWOW64\ihzk.exeC:\Windows\system32\ihzk.exe 1096 "C:\Windows\SysWOW64\gekh.exe"98⤵PID:2728
-
C:\Windows\SysWOW64\ytif.exeC:\Windows\system32\ytif.exe 1100 "C:\Windows\SysWOW64\ihzk.exe"99⤵PID:1920
-
C:\Windows\SysWOW64\hzic.exeC:\Windows\system32\hzic.exe 1092 "C:\Windows\SysWOW64\ytif.exe"100⤵PID:240
-
C:\Windows\SysWOW64\vuss.exeC:\Windows\system32\vuss.exe 1104 "C:\Windows\SysWOW64\hzic.exe"101⤵PID:1696
-
C:\Windows\SysWOW64\ilnu.exeC:\Windows\system32\ilnu.exe 1112 "C:\Windows\SysWOW64\vuss.exe"102⤵PID:2792
-
C:\Windows\SysWOW64\rnkf.exeC:\Windows\system32\rnkf.exe 1108 "C:\Windows\SysWOW64\ilnu.exe"103⤵PID:2648
-
C:\Windows\SysWOW64\byzp.exeC:\Windows\system32\byzp.exe 1116 "C:\Windows\SysWOW64\rnkf.exe"104⤵PID:1844
-
C:\Windows\SysWOW64\opus.exeC:\Windows\system32\opus.exe 1120 "C:\Windows\SysWOW64\byzp.exe"105⤵PID:804
-
C:\Windows\SysWOW64\bnpu.exeC:\Windows\system32\bnpu.exe 1124 "C:\Windows\SysWOW64\opus.exe"106⤵PID:2672
-
C:\Windows\SysWOW64\mjqf.exeC:\Windows\system32\mjqf.exe 1128 "C:\Windows\SysWOW64\bnpu.exe"107⤵PID:380
-
C:\Windows\SysWOW64\ydwv.exeC:\Windows\system32\ydwv.exe 1132 "C:\Windows\SysWOW64\mjqf.exe"108⤵PID:2040
-
C:\Windows\SysWOW64\inlf.exeC:\Windows\system32\inlf.exe 1136 "C:\Windows\SysWOW64\ydwv.exe"109⤵PID:1652
-
C:\Windows\SysWOW64\veoi.exeC:\Windows\system32\veoi.exe 1152 "C:\Windows\SysWOW64\inlf.exe"110⤵PID:1948
-
C:\Windows\SysWOW64\icjk.exeC:\Windows\system32\icjk.exe 1140 "C:\Windows\SysWOW64\veoi.exe"111⤵PID:1272
-
C:\Windows\SysWOW64\vten.exeC:\Windows\system32\vten.exe 1144 "C:\Windows\SysWOW64\icjk.exe"112⤵PID:312
-
C:\Windows\SysWOW64\ehec.exeC:\Windows\system32\ehec.exe 1148 "C:\Windows\SysWOW64\vten.exe"113⤵PID:1688
-
C:\Windows\SysWOW64\rxhf.exeC:\Windows\system32\rxhf.exe 1156 "C:\Windows\SysWOW64\ehec.exe"114⤵PID:688
-
C:\Windows\SysWOW64\ewci.exeC:\Windows\system32\ewci.exe 1164 "C:\Windows\SysWOW64\rxhf.exe"115⤵PID:888
-
C:\Windows\SysWOW64\rmxk.exeC:\Windows\system32\rmxk.exe 1168 "C:\Windows\SysWOW64\ewci.exe"116⤵PID:2416
-
C:\Windows\SysWOW64\elan.exeC:\Windows\system32\elan.exe 1172 "C:\Windows\SysWOW64\rmxk.exe"117⤵PID:2684
-
C:\Windows\SysWOW64\orsl.exeC:\Windows\system32\orsl.exe 1160 "C:\Windows\SysWOW64\elan.exe"118⤵PID:1556
-
C:\Windows\SysWOW64\bpvn.exeC:\Windows\system32\bpvn.exe 1180 "C:\Windows\SysWOW64\orsl.exe"119⤵PID:3028
-
C:\Windows\SysWOW64\ocfd.exeC:\Windows\system32\ocfd.exe 1184 "C:\Windows\SysWOW64\bpvn.exe"120⤵PID:328
-
C:\Windows\SysWOW64\xqfs.exeC:\Windows\system32\xqfs.exe 1188 "C:\Windows\SysWOW64\ocfd.exe"121⤵
- Drops file in System32 directory
PID:2812 -
C:\Windows\SysWOW64\khiv.exeC:\Windows\system32\khiv.exe 1192 "C:\Windows\SysWOW64\xqfs.exe"122⤵PID:2384