Analysis

max time kernel: 149s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20240704-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-07-2024 07:39

Static task: static1 (1 signature)

Behavioral task: behavioral1
Sample: 2f7f5560775949053f1e60fc602d52fc_JaffaCakes118.exe
Resource: win7-20240704-en (windows7-x64)
5 signatures, 150 seconds

Behavioral task: behavioral2
Sample: 2f7f5560775949053f1e60fc602d52fc_JaffaCakes118.exe
Resource: win10v2004-20240704-en (windows10-2004-x64)
4 signatures, 150 seconds

The signatures and process tree below belong to behavioral2 (win10v2004-20240704-en, x64), which is the platform and resource named at the top of this report.
General

Target: 2f7f5560775949053f1e60fc602d52fc_JaffaCakes118.exe
Size: 313KB
MD5: 2f7f5560775949053f1e60fc602d52fc
SHA1: 0079a814e1806cddf9a94f3cb66f8f6040dd0deb
SHA256: c50bc0ecfb7b78a952b0225bc3c616dacd83eb4626cef8aec8be08a3e1596171
SHA512: f19765d7e49e782bd43e44293d3ffcabc67f6dd4d069de3fdae78f04524ee5b20bf4aea1f428050db6eb0a4fc78cc24c1ab79fc71d2247286fcfb15522cde009
SSDEEP: 6144:rdw2CsbZ5kp/Llj8aG8Rty29F0duOd028hfTQzAdvMqzMjm/ZpS:pw2CsbZ5kNR8aVRsE6duHTk4vMwMjm/u
Score: 7/10
Malware Config
Signatures

Read together, the four signatures below describe one loop that repeats for every stage: a process spawns a second copy of its own image, writes into it and resets its thread context (process hollowing), and the hollowed copy then drops the next seven-letter executable under C:\Windows\SysWOW64 and launches it with a numeric argument and the launcher's own path. The sandbox labels the drops as "System32 directory" because the 32-bit stages write to C:\Windows\system32\..., which WOW64 file-system redirection sends to C:\Windows\SysWOW64; the command lines in the process tree show the unredirected path. Each table is cut off at 64 entries, so the lists are samples of the run, not the whole of it: the drop table and the SetThreadContext table name stages (hkuiraw.exe, poqelnj.exe, nfhhsvf.exe, rzbythi.exe, pnfyypw.exe, uisfrrf.exe and others) that the process tree never reaches. PIDs are also reused within the 150-second run (5112, 2924, 4636, 4820, 3968, 4772, 5104 and 2820 each appear under two different images), so correlate on PID plus image, not PID alone.
Executes dropped EXE (64 IoCs)
pid   Process
1720  xnvjvko.exe
1132  xnvjvko.exe
3480  nwtszqe.exe
4872  nwtszqe.exe
3936  bmmoteo.exe
3384  bmmoteo.exe
4284  cuwknoc.exe
3200  cuwknoc.exe
4028  kketsfw.exe
1644  kketsfw.exe
3432  mbwrtlu.exe
4384  mbwrtlu.exe
1708  jplacux.exe
1484  jplacux.exe
4740  hujygyu.exe
2988  hujygyu.exe
5112  orfhjyu.exe
3352  orfhjyu.exe
1288  tiwkifq.exe
1724  tiwkifq.exe
1028  wwlenhh.exe
1172  wwlenhh.exe
2924  wajrvai.exe
2420  wajrvai.exe
4264  qoydbcz.exe
4604  qoydbcz.exe
408   yirybya.exe
3324  yirybya.exe
456   gqrhypu.exe
3704  gqrhypu.exe
2492  ldxgcsj.exe
5024  ldxgcsj.exe
3792  qxrwdem.exe
3164  qxrwdem.exe
4532  noiacui.exe
3560  noiacui.exe
4772  sikqmgd.exe
5104  sikqmgd.exe
3168  lrjfykz.exe
2344  lrjfykz.exe
3964  iwowcww.exe
5064  iwowcww.exe
4256  nqjmeir.exe
3100  nqjmeir.exe
4820  xbkncfq.exe
4560  xbkncfq.exe
1820  ibibxfi.exe
1584  ibibxfi.exe
1692  qvtpxbb.exe
4732  qvtpxbb.exe
4636  ayvqvfa.exe
2616  ayvqvfa.exe
4840  avrzgfz.exe
452   avrzgfz.exe
1628  kupfbgr.exe
1376  kupfbgr.exe
1392  vfrgzci.exe
1972  vfrgzci.exe
2148  crcbzyj.exe
2924  crcbzyj.exe
4144  mjauclf.exe
4440  mjauclf.exe
3924  sihgwnv.exe
2380  sihgwnv.exe
Drops file in System32 directory (64 IoCs)
description                   ioc                               Process
File opened for modification  C:\Windows\SysWOW64\ydbmmxw.exe  rccygty.exe
File created                  C:\Windows\SysWOW64\qxfgjze.exe  lhockji.exe
File opened for modification  C:\Windows\SysWOW64\pnfyypw.exe  kwwurha.exe
File created                  C:\Windows\SysWOW64\gqfzdbm.exe  gljvjoq.exe
File created                  C:\Windows\SysWOW64\lhockji.exe  gqfzdbm.exe
File opened for modification  C:\Windows\SysWOW64\cuwknoc.exe  bmmoteo.exe
File created                  C:\Windows\SysWOW64\tiwkifq.exe  orfhjyu.exe
File created                  C:\Windows\SysWOW64\qvtpxbb.exe  ibibxfi.exe
File opened for modification  C:\Windows\SysWOW64\qvtpxbb.exe  ibibxfi.exe
File opened for modification  C:\Windows\SysWOW64\ayvqvfa.exe  qvtpxbb.exe
File opened for modification  C:\Windows\SysWOW64\hnuygbp.exe  cxduhtt.exe
File created                  C:\Windows\SysWOW64\bmmoteo.exe  nwtszqe.exe
File created                  C:\Windows\SysWOW64\ayvqvfa.exe  qvtpxbb.exe
File created                  C:\Windows\SysWOW64\ctlwkla.exe  aulyjmu.exe
File opened for modification  C:\Windows\SysWOW64\ctlwkla.exe  aulyjmu.exe
File created                  C:\Windows\SysWOW64\rzbythi.exe  nfhhsvf.exe
File created                  C:\Windows\SysWOW64\mclixky.exe  eudzate.exe
File created                  C:\Windows\SysWOW64\avrzgfz.exe  ayvqvfa.exe
File opened for modification  C:\Windows\SysWOW64\aulyjmu.exe  vzriaaz.exe
File opened for modification  C:\Windows\SysWOW64\hkuiraw.exe  ctlwkla.exe
File opened for modification  C:\Windows\SysWOW64\nwtszqe.exe  xnvjvko.exe
File opened for modification  C:\Windows\SysWOW64\mqwxmem.exe  medbnjl.exe
File created                  C:\Windows\SysWOW64\tpbqprq.exe  jdzxrmr.exe
File opened for modification  C:\Windows\SysWOW64\fpqvgwk.exe  azirzho.exe
File created                  C:\Windows\SysWOW64\vzriaaz.exe  yjawbkd.exe
File opened for modification  C:\Windows\SysWOW64\mbwrtlu.exe  kketsfw.exe
File created                  C:\Windows\SysWOW64\xbkncfq.exe  nqjmeir.exe
File created                  C:\Windows\SysWOW64\iwowcww.exe  lrjfykz.exe
File created                  C:\Windows\SysWOW64\rccygty.exe  gdekltg.exe
File created                  C:\Windows\SysWOW64\vshwsly.exe  qxfgjze.exe
File opened for modification  C:\Windows\SysWOW64\eudzate.exe  zdmvbei.exe
File opened for modification  C:\Windows\SysWOW64\jwfygwt.exe  mclixky.exe
File created                  C:\Windows\SysWOW64\mbwrtlu.exe  kketsfw.exe
File opened for modification  C:\Windows\SysWOW64\cxduhtt.exe  ulszhys.exe
File created                  C:\Windows\SysWOW64\medbnjl.exe  hnuygbp.exe
File opened for modification  C:\Windows\SysWOW64\gdekltg.exe  tammpnj.exe
File opened for modification  C:\Windows\SysWOW64\rccygty.exe  gdekltg.exe
File created                  C:\Windows\SysWOW64\fpqvgwk.exe  azirzho.exe
File opened for modification  C:\Windows\SysWOW64\wwlenhh.exe  tiwkifq.exe
File opened for modification  C:\Windows\SysWOW64\noiacui.exe  qxrwdem.exe
File created                  C:\Windows\SysWOW64\gdekltg.exe  tammpnj.exe
File opened for modification  C:\Windows\SysWOW64\uisfrrf.exe  mewbxfs.exe
File opened for modification  C:\Windows\SysWOW64\bmmoteo.exe  nwtszqe.exe
File opened for modification  C:\Windows\SysWOW64\ldxgcsj.exe  gqrhypu.exe
File created                  C:\Windows\SysWOW64\bodphms.exe  rhfblui.exe
File created                  C:\Windows\SysWOW64\ydbmmxw.exe  rccygty.exe
File opened for modification  C:\Windows\SysWOW64\gqfzdbm.exe  gljvjoq.exe
File opened for modification  C:\Windows\SysWOW64\lhockji.exe  gqfzdbm.exe
File opened for modification  C:\Windows\SysWOW64\orfhjyu.exe  hujygyu.exe
File created                  C:\Windows\SysWOW64\mqwxmem.exe  medbnjl.exe
File opened for modification  C:\Windows\SysWOW64\azirzho.exe  veftxvu.exe
File opened for modification  C:\Windows\SysWOW64\yirybya.exe  qoydbcz.exe
File created                  C:\Windows\SysWOW64\qxrwdem.exe  ldxgcsj.exe
File created                  C:\Windows\SysWOW64\ulszhys.exe  sihgwnv.exe
File created                  C:\Windows\SysWOW64\azirzho.exe  veftxvu.exe
File opened for modification  C:\Windows\SysWOW64\njjqfkl.exe  fpqvgwk.exe
File opened for modification  C:\Windows\SysWOW64\tiwkifq.exe  orfhjyu.exe
File created                  C:\Windows\SysWOW64\gqrhypu.exe  yirybya.exe
File opened for modification  C:\Windows\SysWOW64\gqrhypu.exe  yirybya.exe
File opened for modification  C:\Windows\SysWOW64\sihgwnv.exe  mjauclf.exe
File opened for modification  C:\Windows\SysWOW64\bodphms.exe  rhfblui.exe
File opened for modification  C:\Windows\SysWOW64\tammpnj.exe  tpbqprq.exe
File opened for modification  C:\Windows\SysWOW64\xnvjvko.exe  2f7f5560775949053f1e60fc602d52fc_JaffaCakes118.exe
File created                  C:\Windows\SysWOW64\jplacux.exe  mbwrtlu.exe
Suspicious use of SetThreadContext (64 IoCs)
pid   target  Process (injector)                                   procid_target
3212  1768    2f7f5560775949053f1e60fc602d52fc_JaffaCakes118.exe   92
1720  1132    xnvjvko.exe   94
3480  4872    nwtszqe.exe   97
3936  3384    bmmoteo.exe   99
4284  3200    cuwknoc.exe   101
4028  1644    kketsfw.exe   103
3432  4384    mbwrtlu.exe   105
1708  1484    jplacux.exe   107
4740  2988    hujygyu.exe   109
5112  3352    orfhjyu.exe   111
1288  1724    tiwkifq.exe   113
1028  1172    wwlenhh.exe   115
2924  2420    wajrvai.exe   117
4264  4604    qoydbcz.exe   119
408   3324    yirybya.exe   123
456   3704    gqrhypu.exe   125
2492  5024    ldxgcsj.exe   127
3792  3164    qxrwdem.exe   129
4532  3560    noiacui.exe   131
4772  5104    sikqmgd.exe   133
1356  4608    ysecfnt.exe   137
3168  2344    lrjfykz.exe   139
3964  5064    iwowcww.exe   141
4256  3100    nqjmeir.exe   143
4820  4560    xbkncfq.exe   145
1820  1584    ibibxfi.exe   147
1692  4732    qvtpxbb.exe   149
4636  2616    ayvqvfa.exe   151
4840  452     avrzgfz.exe   153
1628  1376    kupfbgr.exe   155
1392  1972    vfrgzci.exe   157
2148  2924    crcbzyj.exe   159
4144  4440    mjauclf.exe   161
3924  2380    sihgwnv.exe   163
1964  876     ulszhys.exe   165
3912  2436    cxduhtt.exe   167
4056  624     hnuygbp.exe   169
4516  4952    medbnjl.exe   171
2696  4640    mqwxmem.exe   173
3192  4636    rhfblui.exe   175
2340  3732    bodphms.exe   177
1116  2704    jdzxrmr.exe   179
1736  4512    tpbqprq.exe   181
3372  4468    tammpnj.exe   183
3116  908     gdekltg.exe   185
3968  4540    rccygty.exe   187
4168  2176    ydbmmxw.exe   189
5008  2624    gljvjoq.exe   191
1372  4092    gqfzdbm.exe   193
2820  4820    lhockji.exe   195
3740  432     qxfgjze.exe   197
3860  1624    vshwsly.exe   199
1684  2296    ynwpqny.exe   201
5112  4772    veftxvu.exe   203
712   5100    azirzho.exe   205
1476  1956    fpqvgwk.exe   207
556   3968    yjawbkd.exe   211
3768  4736    vzriaaz.exe   213
4828  4644    aulyjmu.exe   215
1112  3492    ctlwkla.exe   217
1284  2676    hkuiraw.exe   219
2820  2448    poqelnj.exe   221
1816  3172    nfhhsvf.exe   223
1260  4956    rzbythi.exe   225
Suspicious use of WriteProcessMemory (64 IoCs; the report prints one identical row per call, collapsed here with a count)
pid   target  Process (writer)                                     procid_target  calls
3212  1768    2f7f5560775949053f1e60fc602d52fc_JaffaCakes118.exe   92   x5
1768  1720    2f7f5560775949053f1e60fc602d52fc_JaffaCakes118.exe   93   x3
1720  1132    xnvjvko.exe   94    x5
1132  3480    xnvjvko.exe   95    x3
3480  4872    nwtszqe.exe   97    x5
4872  3936    nwtszqe.exe   98    x3
3936  3384    bmmoteo.exe   99    x5
3384  4284    bmmoteo.exe   100   x3
4284  3200    cuwknoc.exe   101   x5
3200  4028    cuwknoc.exe   102   x3
4028  1644    kketsfw.exe   103   x5
1644  3432    kketsfw.exe   104   x3
3432  4384    mbwrtlu.exe   105   x5
4384  1708    mbwrtlu.exe   106   x3
1708  1484    jplacux.exe   107   x5
1484  4740    jplacux.exe   108   x3

The two counts separate the two roles each stage plays: the five writes go into a freshly spawned copy of the writer's own image and are followed by the SetThreadContext on that same target (the hollowing); the three writes go into the next stage's process as it is created, and no SetThreadContext follows them.
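To make the pairing between the two memory tables explicit, the following Python is an added example written for this page; it is not code from the sandbox or from the sample. It parses rows in the report's own column layout (a constructed subset of the rows above is embedded inline), counts the WriteProcessMemory calls behind each SetThreadContext, checks that each target runs the injector's own image, and walks the chain to recover the stage order. The pid-to-image map is copied from the process tree further down, because the injection tables name only the source image.

```python
import re
from collections import Counter

# Constructed input: the first rows of the report's "Suspicious use of
# SetThreadContext" table, one row per line, in the sandbox's own column
# order: "PID <src> <verb> <dst> <src> <src image> <procid_target>".
SET_THREAD_CONTEXT = """
PID 3212 set thread context of 1768 3212 2f7f5560775949053f1e60fc602d52fc_JaffaCakes118.exe 92
PID 1720 set thread context of 1132 1720 xnvjvko.exe 94
PID 3480 set thread context of 4872 3480 nwtszqe.exe 97
PID 3936 set thread context of 3384 3936 bmmoteo.exe 99
"""

# The report prints one identical row per WriteProcessMemory call; the
# repetition counts below are the ones its table shows.
WRITE_PROCESS_MEMORY = (
    "PID 3212 wrote to memory of 1768 3212 2f7f5560775949053f1e60fc602d52fc_JaffaCakes118.exe 92\n" * 5
    + "PID 1768 wrote to memory of 1720 1768 2f7f5560775949053f1e60fc602d52fc_JaffaCakes118.exe 93\n" * 3
    + "PID 1720 wrote to memory of 1132 1720 xnvjvko.exe 94\n" * 5
    + "PID 1132 wrote to memory of 3480 1132 xnvjvko.exe 95\n" * 3
    + "PID 3480 wrote to memory of 4872 3480 nwtszqe.exe 97\n" * 5
    + "PID 4872 wrote to memory of 3936 4872 nwtszqe.exe 98\n" * 3
    + "PID 3936 wrote to memory of 3384 3936 bmmoteo.exe 99\n" * 5
)

# pid -> image name, copied from the report's process tree for these PIDs.
# The injection tables only name the source image, so the target's image
# has to come from the tree.
PROCESS_IMAGES = {
    3212: "2f7f5560775949053f1e60fc602d52fc_JaffaCakes118.exe",
    1768: "2f7f5560775949053f1e60fc602d52fc_JaffaCakes118.exe",
    1720: "xnvjvko.exe", 1132: "xnvjvko.exe",
    3480: "nwtszqe.exe", 4872: "nwtszqe.exe",
    3936: "bmmoteo.exe", 3384: "bmmoteo.exe",
}

ROW = re.compile(
    r"PID (\d+) (?:set thread context of|wrote to memory of) (\d+) \d+ (\S+) \d+"
)


def parse_rows(text):
    """Return (src_pid, dst_pid, src_image) for every sandbox row in text."""
    return [(int(m[1]), int(m[2]), m[3]) for m in ROW.finditer(text)]


def hollowing_events(stc_text, wpm_text, images):
    """One record per SetThreadContext row: who injected into whom, how many
    WriteProcessMemory calls that pair shows, and whether the target runs the
    injector's own image (the self-hollowing pattern of this sample)."""
    writes = Counter((src, dst) for src, dst, _ in parse_rows(wpm_text))
    return [
        {
            "injector": src,
            "target": dst,
            "image": image,
            "writes": writes[(src, dst)],
            "self_image": images.get(dst) == image,
        }
        for src, dst, image in parse_rows(stc_text)
    ]


def stage_sequence(stc_text, wpm_text, images):
    """Walk injector -> hollowed copy -> process that copy spawned -> ... and
    return each stage's image in execution order. Writes into a target that
    never receives a SetThreadContext from the same writer are treated as the
    launch of the next stage."""
    hollow = {src: dst for src, dst, _ in parse_rows(stc_text)}
    spawned = {
        src: dst for src, dst, _ in parse_rows(wpm_text) if hollow.get(src) != dst
    }
    pid = parse_rows(stc_text)[0][0]
    stages = []
    while pid in hollow:
        stages.append(images[pid])
        pid = spawned.get(hollow[pid])
    return stages


if __name__ == "__main__":
    for event in hollowing_events(SET_THREAD_CONTEXT, WRITE_PROCESS_MEMORY, PROCESS_IMAGES):
        print(event)
    print(" -> ".join(stage_sequence(SET_THREAD_CONTEXT, WRITE_PROCESS_MEMORY, PROCESS_IMAGES)))
```

On the full tables the dictionaries keyed by PID alone would collide, because PIDs are reused within the run (the report shows 5112, 2924, 4636, 4820, 3968 and 4772 under two images each); key on (pid, image) or process the rows in order when extending this to the whole report.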
Processes

Each entry below gives the image path immediately followed by the command line, then the tree depth (⤵), then the signatures that fired for that process and its PID. Every dropped stage appears twice: first launched with an unquoted C:\Windows\system32\ path, a numeric argument and the launcher's path, then re-launched by that first instance as a quoted C:\Windows\SysWOW64\ path with the same arguments; the second instance is the copy that receives the SetThreadContext and goes on to drop the next stage.
C:\Users\Admin\AppData\Local\Temp\2f7f5560775949053f1e60fc602d52fc_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\2f7f5560775949053f1e60fc602d52fc_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3212 -
C:\Users\Admin\AppData\Local\Temp\2f7f5560775949053f1e60fc602d52fc_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\2f7f5560775949053f1e60fc602d52fc_JaffaCakes118.exe"2⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Windows\SysWOW64\xnvjvko.exeC:\Windows\system32\xnvjvko.exe 1000 "C:\Users\Admin\AppData\Local\Temp\2f7f5560775949053f1e60fc602d52fc_JaffaCakes118.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\SysWOW64\xnvjvko.exe"C:\Windows\SysWOW64\xnvjvko.exe" 1000 "C:\Users\Admin\AppData\Local\Temp\2f7f5560775949053f1e60fc602d52fc_JaffaCakes118.exe"4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1132 -
C:\Windows\SysWOW64\nwtszqe.exeC:\Windows\system32\nwtszqe.exe 1016 "C:\Windows\SysWOW64\xnvjvko.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3480 -
C:\Windows\SysWOW64\nwtszqe.exe"C:\Windows\SysWOW64\nwtszqe.exe" 1016 "C:\Windows\SysWOW64\xnvjvko.exe"6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4872 -
C:\Windows\SysWOW64\bmmoteo.exeC:\Windows\system32\bmmoteo.exe 1032 "C:\Windows\SysWOW64\nwtszqe.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3936 -
C:\Windows\SysWOW64\bmmoteo.exe"C:\Windows\SysWOW64\bmmoteo.exe" 1032 "C:\Windows\SysWOW64\nwtszqe.exe"8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3384 -
C:\Windows\SysWOW64\cuwknoc.exeC:\Windows\system32\cuwknoc.exe 1032 "C:\Windows\SysWOW64\bmmoteo.exe"9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4284 -
C:\Windows\SysWOW64\cuwknoc.exe"C:\Windows\SysWOW64\cuwknoc.exe" 1032 "C:\Windows\SysWOW64\bmmoteo.exe"10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3200 -
C:\Windows\SysWOW64\kketsfw.exeC:\Windows\system32\kketsfw.exe 1016 "C:\Windows\SysWOW64\cuwknoc.exe"11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4028 -
C:\Windows\SysWOW64\kketsfw.exe"C:\Windows\SysWOW64\kketsfw.exe" 1016 "C:\Windows\SysWOW64\cuwknoc.exe"12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\SysWOW64\mbwrtlu.exeC:\Windows\system32\mbwrtlu.exe 1156 "C:\Windows\SysWOW64\kketsfw.exe"13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3432 -
C:\Windows\SysWOW64\mbwrtlu.exe"C:\Windows\SysWOW64\mbwrtlu.exe" 1156 "C:\Windows\SysWOW64\kketsfw.exe"14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4384 -
C:\Windows\SysWOW64\jplacux.exeC:\Windows\system32\jplacux.exe 1148 "C:\Windows\SysWOW64\mbwrtlu.exe"15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\jplacux.exe"C:\Windows\SysWOW64\jplacux.exe" 1148 "C:\Windows\SysWOW64\mbwrtlu.exe"16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Windows\SysWOW64\hujygyu.exeC:\Windows\system32\hujygyu.exe 1156 "C:\Windows\SysWOW64\jplacux.exe"17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4740 -
C:\Windows\SysWOW64\hujygyu.exe"C:\Windows\SysWOW64\hujygyu.exe" 1156 "C:\Windows\SysWOW64\jplacux.exe"18⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2988 -
C:\Windows\SysWOW64\orfhjyu.exeC:\Windows\system32\orfhjyu.exe 1156 "C:\Windows\SysWOW64\hujygyu.exe"19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5112 -
C:\Windows\SysWOW64\orfhjyu.exe"C:\Windows\SysWOW64\orfhjyu.exe" 1156 "C:\Windows\SysWOW64\hujygyu.exe"20⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3352 -
C:\Windows\SysWOW64\tiwkifq.exeC:\Windows\system32\tiwkifq.exe 1016 "C:\Windows\SysWOW64\orfhjyu.exe"21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1288 -
C:\Windows\SysWOW64\tiwkifq.exe"C:\Windows\SysWOW64\tiwkifq.exe" 1016 "C:\Windows\SysWOW64\orfhjyu.exe"22⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1724 -
C:\Windows\SysWOW64\wwlenhh.exeC:\Windows\system32\wwlenhh.exe 1032 "C:\Windows\SysWOW64\tiwkifq.exe"23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1028 -
C:\Windows\SysWOW64\wwlenhh.exe"C:\Windows\SysWOW64\wwlenhh.exe" 1032 "C:\Windows\SysWOW64\tiwkifq.exe"24⤵
- Executes dropped EXE
PID:1172 -
C:\Windows\SysWOW64\wajrvai.exeC:\Windows\system32\wajrvai.exe 1032 "C:\Windows\SysWOW64\wwlenhh.exe"25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2924 -
C:\Windows\SysWOW64\wajrvai.exe"C:\Windows\SysWOW64\wajrvai.exe" 1032 "C:\Windows\SysWOW64\wwlenhh.exe"26⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\qoydbcz.exeC:\Windows\system32\qoydbcz.exe 1040 "C:\Windows\SysWOW64\wajrvai.exe"27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4264 -
C:\Windows\SysWOW64\qoydbcz.exe"C:\Windows\SysWOW64\qoydbcz.exe" 1040 "C:\Windows\SysWOW64\wajrvai.exe"28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4604 -
C:\Windows\SysWOW64\yirybya.exeC:\Windows\system32\yirybya.exe 1156 "C:\Windows\SysWOW64\qoydbcz.exe"29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:408 -
C:\Windows\SysWOW64\yirybya.exe"C:\Windows\SysWOW64\yirybya.exe" 1156 "C:\Windows\SysWOW64\qoydbcz.exe"30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3324 -
C:\Windows\SysWOW64\gqrhypu.exeC:\Windows\system32\gqrhypu.exe 1148 "C:\Windows\SysWOW64\yirybya.exe"31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:456 -
C:\Windows\SysWOW64\gqrhypu.exe"C:\Windows\SysWOW64\gqrhypu.exe" 1148 "C:\Windows\SysWOW64\yirybya.exe"32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3704 -
C:\Windows\SysWOW64\ldxgcsj.exeC:\Windows\system32\ldxgcsj.exe 1156 "C:\Windows\SysWOW64\gqrhypu.exe"33⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2492 -
C:\Windows\SysWOW64\ldxgcsj.exe"C:\Windows\SysWOW64\ldxgcsj.exe" 1156 "C:\Windows\SysWOW64\gqrhypu.exe"34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5024 -
C:\Windows\SysWOW64\qxrwdem.exeC:\Windows\system32\qxrwdem.exe 1160 "C:\Windows\SysWOW64\ldxgcsj.exe"35⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3792 -
C:\Windows\SysWOW64\qxrwdem.exe"C:\Windows\SysWOW64\qxrwdem.exe" 1160 "C:\Windows\SysWOW64\ldxgcsj.exe"36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3164 -
C:\Windows\SysWOW64\noiacui.exeC:\Windows\system32\noiacui.exe 1040 "C:\Windows\SysWOW64\qxrwdem.exe"37⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4532 -
C:\Windows\SysWOW64\noiacui.exe"C:\Windows\SysWOW64\noiacui.exe" 1040 "C:\Windows\SysWOW64\qxrwdem.exe"38⤵
- Executes dropped EXE
PID:3560 -
C:\Windows\SysWOW64\sikqmgd.exeC:\Windows\system32\sikqmgd.exe 1032 "C:\Windows\SysWOW64\noiacui.exe"39⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4772 -
C:\Windows\SysWOW64\sikqmgd.exe"C:\Windows\SysWOW64\sikqmgd.exe" 1032 "C:\Windows\SysWOW64\noiacui.exe"40⤵
- Executes dropped EXE
PID:5104 -
C:\Windows\SysWOW64\ysecfnt.exeC:\Windows\system32\ysecfnt.exe 1144 "C:\Windows\SysWOW64\sikqmgd.exe"41⤵
- Suspicious use of SetThreadContext
PID:1356 -
C:\Windows\SysWOW64\ysecfnt.exe"C:\Windows\SysWOW64\ysecfnt.exe" 1144 "C:\Windows\SysWOW64\sikqmgd.exe"42⤵
PID:4608 -
C:\Windows\SysWOW64\lrjfykz.exeC:\Windows\system32\lrjfykz.exe 1156 "C:\Windows\SysWOW64\ysecfnt.exe"43⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3168 -
C:\Windows\SysWOW64\lrjfykz.exe"C:\Windows\SysWOW64\lrjfykz.exe" 1156 "C:\Windows\SysWOW64\ysecfnt.exe"44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2344 -
C:\Windows\SysWOW64\iwowcww.exeC:\Windows\system32\iwowcww.exe 1152 "C:\Windows\SysWOW64\lrjfykz.exe"45⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3964 -
C:\Windows\SysWOW64\iwowcww.exe"C:\Windows\SysWOW64\iwowcww.exe" 1152 "C:\Windows\SysWOW64\lrjfykz.exe"46⤵
- Executes dropped EXE
PID:5064 -
C:\Windows\SysWOW64\nqjmeir.exeC:\Windows\system32\nqjmeir.exe 1016 "C:\Windows\SysWOW64\iwowcww.exe"47⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4256 -
C:\Windows\SysWOW64\nqjmeir.exe"C:\Windows\SysWOW64\nqjmeir.exe" 1016 "C:\Windows\SysWOW64\iwowcww.exe"48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3100 -
C:\Windows\SysWOW64\xbkncfq.exeC:\Windows\system32\xbkncfq.exe 1032 "C:\Windows\SysWOW64\nqjmeir.exe"49⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4820 -
C:\Windows\SysWOW64\xbkncfq.exe"C:\Windows\SysWOW64\xbkncfq.exe" 1032 "C:\Windows\SysWOW64\nqjmeir.exe"50⤵
- Executes dropped EXE
PID:4560 -
C:\Windows\SysWOW64\ibibxfi.exeC:\Windows\system32\ibibxfi.exe 1180 "C:\Windows\SysWOW64\xbkncfq.exe"51⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1820 -
C:\Windows\SysWOW64\ibibxfi.exe"C:\Windows\SysWOW64\ibibxfi.exe" 1180 "C:\Windows\SysWOW64\xbkncfq.exe"52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1584 -
C:\Windows\SysWOW64\qvtpxbb.exeC:\Windows\system32\qvtpxbb.exe 1032 "C:\Windows\SysWOW64\ibibxfi.exe"53⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1692 -
C:\Windows\SysWOW64\qvtpxbb.exe"C:\Windows\SysWOW64\qvtpxbb.exe" 1032 "C:\Windows\SysWOW64\ibibxfi.exe"54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4732 -
C:\Windows\SysWOW64\ayvqvfa.exeC:\Windows\system32\ayvqvfa.exe 1032 "C:\Windows\SysWOW64\qvtpxbb.exe"55⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4636 -
C:\Windows\SysWOW64\ayvqvfa.exe"C:\Windows\SysWOW64\ayvqvfa.exe" 1032 "C:\Windows\SysWOW64\qvtpxbb.exe"56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2616 -
C:\Windows\SysWOW64\avrzgfz.exeC:\Windows\system32\avrzgfz.exe 1016 "C:\Windows\SysWOW64\ayvqvfa.exe"57⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4840 -
C:\Windows\SysWOW64\avrzgfz.exe"C:\Windows\SysWOW64\avrzgfz.exe" 1016 "C:\Windows\SysWOW64\ayvqvfa.exe"58⤵
- Executes dropped EXE
PID:452 -
C:\Windows\SysWOW64\kupfbgr.exeC:\Windows\system32\kupfbgr.exe 1028 "C:\Windows\SysWOW64\avrzgfz.exe"59⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1628 -
C:\Windows\SysWOW64\kupfbgr.exe"C:\Windows\SysWOW64\kupfbgr.exe" 1028 "C:\Windows\SysWOW64\avrzgfz.exe"60⤵
- Executes dropped EXE
PID:1376 -
C:\Windows\SysWOW64\vfrgzci.exeC:\Windows\system32\vfrgzci.exe 1040 "C:\Windows\SysWOW64\kupfbgr.exe"61⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1392 -
C:\Windows\SysWOW64\vfrgzci.exe"C:\Windows\SysWOW64\vfrgzci.exe" 1040 "C:\Windows\SysWOW64\kupfbgr.exe"62⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\crcbzyj.exeC:\Windows\system32\crcbzyj.exe 1148 "C:\Windows\SysWOW64\vfrgzci.exe"63⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2148 -
C:\Windows\SysWOW64\crcbzyj.exe"C:\Windows\SysWOW64\crcbzyj.exe" 1148 "C:\Windows\SysWOW64\vfrgzci.exe"64⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\mjauclf.exeC:\Windows\system32\mjauclf.exe 1016 "C:\Windows\SysWOW64\crcbzyj.exe"65⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4144 -
C:\Windows\SysWOW64\mjauclf.exe"C:\Windows\SysWOW64\mjauclf.exe" 1016 "C:\Windows\SysWOW64\crcbzyj.exe"66⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4440 -
C:\Windows\SysWOW64\sihgwnv.exeC:\Windows\system32\sihgwnv.exe 1148 "C:\Windows\SysWOW64\mjauclf.exe"67⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3924 -
C:\Windows\SysWOW64\sihgwnv.exe"C:\Windows\SysWOW64\sihgwnv.exe" 1148 "C:\Windows\SysWOW64\mjauclf.exe"68⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2380 -
C:\Windows\SysWOW64\ulszhys.exeC:\Windows\system32\ulszhys.exe 1000 "C:\Windows\SysWOW64\sihgwnv.exe"69⤵
- Suspicious use of SetThreadContext
PID:1964 -
C:\Windows\SysWOW64\ulszhys.exe"C:\Windows\SysWOW64\ulszhys.exe" 1000 "C:\Windows\SysWOW64\sihgwnv.exe"70⤵
- Drops file in System32 directory
PID:876 -
C:\Windows\SysWOW64\cxduhtt.exeC:\Windows\system32\cxduhtt.exe 1148 "C:\Windows\SysWOW64\ulszhys.exe"71⤵
- Suspicious use of SetThreadContext
PID:3912 -
C:\Windows\SysWOW64\cxduhtt.exe"C:\Windows\SysWOW64\cxduhtt.exe" 1148 "C:\Windows\SysWOW64\ulszhys.exe"72⤵
- Drops file in System32 directory
PID:2436 -
C:\Windows\SysWOW64\hnuygbp.exeC:\Windows\system32\hnuygbp.exe 1032 "C:\Windows\SysWOW64\cxduhtt.exe"73⤵
- Suspicious use of SetThreadContext
PID:4056 -
C:\Windows\SysWOW64\hnuygbp.exe"C:\Windows\SysWOW64\hnuygbp.exe" 1032 "C:\Windows\SysWOW64\cxduhtt.exe"74⤵
- Drops file in System32 directory
PID:624 -
C:\Windows\SysWOW64\medbnjl.exeC:\Windows\system32\medbnjl.exe 1016 "C:\Windows\SysWOW64\hnuygbp.exe"75⤵
- Suspicious use of SetThreadContext
PID:4516 -
C:\Windows\SysWOW64\medbnjl.exe"C:\Windows\SysWOW64\medbnjl.exe" 1016 "C:\Windows\SysWOW64\hnuygbp.exe"76⤵
- Drops file in System32 directory
PID:4952 -
C:\Windows\SysWOW64\mqwxmem.exeC:\Windows\system32\mqwxmem.exe 1032 "C:\Windows\SysWOW64\medbnjl.exe"77⤵
- Suspicious use of SetThreadContext
PID:2696 -
C:\Windows\SysWOW64\mqwxmem.exe"C:\Windows\SysWOW64\mqwxmem.exe" 1032 "C:\Windows\SysWOW64\medbnjl.exe"78⤵
PID:4640 -
C:\Windows\SysWOW64\rhfblui.exeC:\Windows\system32\rhfblui.exe 1156 "C:\Windows\SysWOW64\mqwxmem.exe"79⤵
- Suspicious use of SetThreadContext
PID:3192 -
C:\Windows\SysWOW64\rhfblui.exe"C:\Windows\SysWOW64\rhfblui.exe" 1156 "C:\Windows\SysWOW64\mqwxmem.exe"80⤵
- Drops file in System32 directory
PID:4636 -
C:\Windows\SysWOW64\bodphms.exeC:\Windows\system32\bodphms.exe 1016 "C:\Windows\SysWOW64\rhfblui.exe"81⤵
- Suspicious use of SetThreadContext
PID:2340 -
C:\Windows\SysWOW64\bodphms.exe"C:\Windows\SysWOW64\bodphms.exe" 1016 "C:\Windows\SysWOW64\rhfblui.exe"82⤵
PID:3732 -
C:\Windows\SysWOW64\jdzxrmr.exeC:\Windows\system32\jdzxrmr.exe 1148 "C:\Windows\SysWOW64\bodphms.exe"83⤵
- Suspicious use of SetThreadContext
PID:1116 -
C:\Windows\SysWOW64\jdzxrmr.exe"C:\Windows\SysWOW64\jdzxrmr.exe" 1148 "C:\Windows\SysWOW64\bodphms.exe"84⤵
- Drops file in System32 directory
PID:2704 -
C:\Windows\SysWOW64\tpbqprq.exeC:\Windows\system32\tpbqprq.exe 1032 "C:\Windows\SysWOW64\jdzxrmr.exe"85⤵
- Suspicious use of SetThreadContext
PID:1736 -
C:\Windows\SysWOW64\tpbqprq.exe"C:\Windows\SysWOW64\tpbqprq.exe" 1032 "C:\Windows\SysWOW64\jdzxrmr.exe"86⤵
- Drops file in System32 directory
PID:4512 -
C:\Windows\SysWOW64\tammpnj.exeC:\Windows\system32\tammpnj.exe 1148 "C:\Windows\SysWOW64\tpbqprq.exe"87⤵
- Suspicious use of SetThreadContext
PID:3372 -
C:\Windows\SysWOW64\tammpnj.exe"C:\Windows\SysWOW64\tammpnj.exe" 1148 "C:\Windows\SysWOW64\tpbqprq.exe"88⤵
- Drops file in System32 directory
PID:4468 -
C:\Windows\SysWOW64\gdekltg.exeC:\Windows\system32\gdekltg.exe 1016 "C:\Windows\SysWOW64\tammpnj.exe"89⤵
- Suspicious use of SetThreadContext
PID:3116 -
C:\Windows\SysWOW64\gdekltg.exe"C:\Windows\SysWOW64\gdekltg.exe" 1016 "C:\Windows\SysWOW64\tammpnj.exe"90⤵
- Drops file in System32 directory
PID:908 -
C:\Windows\SysWOW64\rccygty.exeC:\Windows\system32\rccygty.exe 1040 "C:\Windows\SysWOW64\gdekltg.exe"91⤵
- Suspicious use of SetThreadContext
PID:3968 -
C:\Windows\SysWOW64\rccygty.exe"C:\Windows\SysWOW64\rccygty.exe" 1040 "C:\Windows\SysWOW64\gdekltg.exe"92⤵
- Drops file in System32 directory
PID:4540 -
C:\Windows\SysWOW64\ydbmmxw.exeC:\Windows\system32\ydbmmxw.exe 1148 "C:\Windows\SysWOW64\rccygty.exe"93⤵
- Suspicious use of SetThreadContext
PID:4168 -
C:\Windows\SysWOW64\ydbmmxw.exe"C:\Windows\SysWOW64\ydbmmxw.exe" 1148 "C:\Windows\SysWOW64\rccygty.exe"94⤵
PID:2176 -
C:\Windows\SysWOW64\gljvjoq.exeC:\Windows\system32\gljvjoq.exe 1040 "C:\Windows\SysWOW64\ydbmmxw.exe"95⤵
- Suspicious use of SetThreadContext
PID:5008 -
C:\Windows\SysWOW64\gljvjoq.exe"C:\Windows\SysWOW64\gljvjoq.exe" 1040 "C:\Windows\SysWOW64\ydbmmxw.exe"96⤵
- Drops file in System32 directory
PID:2624 -
C:\Windows\SysWOW64\gqfzdbm.exeC:\Windows\system32\gqfzdbm.exe 1040 "C:\Windows\SysWOW64\gljvjoq.exe"97⤵
- Suspicious use of SetThreadContext
PID:1372 -
C:\Windows\SysWOW64\gqfzdbm.exe"C:\Windows\SysWOW64\gqfzdbm.exe" 1040 "C:\Windows\SysWOW64\gljvjoq.exe"98⤵
- Drops file in System32 directory
PID:4092 -
C:\Windows\SysWOW64\lhockji.exeC:\Windows\system32\lhockji.exe 1148 "C:\Windows\SysWOW64\gqfzdbm.exe"99⤵
- Suspicious use of SetThreadContext
PID:2820 -
C:\Windows\SysWOW64\lhockji.exe"C:\Windows\SysWOW64\lhockji.exe" 1148 "C:\Windows\SysWOW64\gqfzdbm.exe"100⤵
- Drops file in System32 directory
PID:4820 -
C:\Windows\SysWOW64\qxfgjze.exeC:\Windows\system32\qxfgjze.exe 1032 "C:\Windows\SysWOW64\lhockji.exe"101⤵
- Suspicious use of SetThreadContext
PID:3740 -
C:\Windows\SysWOW64\qxfgjze.exe"C:\Windows\SysWOW64\qxfgjze.exe" 1032 "C:\Windows\SysWOW64\lhockji.exe"102⤵
- Drops file in System32 directory
PID:432 -
C:\Windows\SysWOW64\vshwsly.exeC:\Windows\system32\vshwsly.exe 1144 "C:\Windows\SysWOW64\qxfgjze.exe"103⤵
- Suspicious use of SetThreadContext
PID:3860 -
C:\Windows\SysWOW64\vshwsly.exe"C:\Windows\SysWOW64\vshwsly.exe" 1144 "C:\Windows\SysWOW64\qxfgjze.exe"104⤵
PID:1624 -
C:\Windows\SysWOW64\ynwpqny.exeC:\Windows\system32\ynwpqny.exe 1032 "C:\Windows\SysWOW64\vshwsly.exe"105⤵
- Suspicious use of SetThreadContext
PID:1684 -
C:\Windows\SysWOW64\ynwpqny.exe"C:\Windows\SysWOW64\ynwpqny.exe" 1032 "C:\Windows\SysWOW64\vshwsly.exe"106⤵
PID:2296 -
C:\Windows\SysWOW64\veftxvu.exeC:\Windows\system32\veftxvu.exe 1032 "C:\Windows\SysWOW64\ynwpqny.exe"107⤵
- Suspicious use of SetThreadContext
PID:5112 -
C:\Windows\SysWOW64\veftxvu.exe"C:\Windows\SysWOW64\veftxvu.exe" 1032 "C:\Windows\SysWOW64\ynwpqny.exe"108⤵
- Drops file in System32 directory
PID:4772 -
C:\Windows\SysWOW64\azirzho.exeC:\Windows\system32\azirzho.exe 1032 "C:\Windows\SysWOW64\veftxvu.exe"109⤵
- Suspicious use of SetThreadContext
PID:712 -
C:\Windows\SysWOW64\azirzho.exe"C:\Windows\SysWOW64\azirzho.exe" 1032 "C:\Windows\SysWOW64\veftxvu.exe"110⤵
- Drops file in System32 directory
PID:5100 -
C:\Windows\SysWOW64\fpqvgwk.exeC:\Windows\system32\fpqvgwk.exe 1156 "C:\Windows\SysWOW64\azirzho.exe"111⤵
- Suspicious use of SetThreadContext
PID:1476 -
C:\Windows\SysWOW64\fpqvgwk.exe"C:\Windows\SysWOW64\fpqvgwk.exe" 1156 "C:\Windows\SysWOW64\azirzho.exe"112⤵
- Drops file in System32 directory
PID:1956 -
C:\Windows\SysWOW64\njjqfkl.exeC:\Windows\system32\njjqfkl.exe 1036 "C:\Windows\SysWOW64\fpqvgwk.exe"113⤵
PID:5104 -
C:\Windows\SysWOW64\njjqfkl.exe"C:\Windows\SysWOW64\njjqfkl.exe" 1036 "C:\Windows\SysWOW64\fpqvgwk.exe"114⤵
PID:3092 -
C:\Windows\SysWOW64\yjawbkd.exeC:\Windows\system32\yjawbkd.exe 1036 "C:\Windows\SysWOW64\njjqfkl.exe"115⤵
- Suspicious use of SetThreadContext
PID:556 -
C:\Windows\SysWOW64\yjawbkd.exe"C:\Windows\SysWOW64\yjawbkd.exe" 1036 "C:\Windows\SysWOW64\njjqfkl.exe"116⤵
- Drops file in System32 directory
PID:3968 -
C:\Windows\SysWOW64\vzriaaz.exeC:\Windows\system32\vzriaaz.exe 1156 "C:\Windows\SysWOW64\yjawbkd.exe"117⤵
- Suspicious use of SetThreadContext
PID:3768 -
C:\Windows\SysWOW64\vzriaaz.exe"C:\Windows\SysWOW64\vzriaaz.exe" 1156 "C:\Windows\SysWOW64\yjawbkd.exe"118⤵
- Drops file in System32 directory
PID:4736 -
C:\Windows\SysWOW64\aulyjmu.exeC:\Windows\system32\aulyjmu.exe 1032 "C:\Windows\SysWOW64\vzriaaz.exe"119⤵
- Suspicious use of SetThreadContext
PID:4828 -
C:\Windows\SysWOW64\aulyjmu.exe"C:\Windows\SysWOW64\aulyjmu.exe" 1032 "C:\Windows\SysWOW64\vzriaaz.exe"120⤵
- Drops file in System32 directory
PID:4644 -
C:\Windows\SysWOW64\ctlwkla.exeC:\Windows\system32\ctlwkla.exe 1128 "C:\Windows\SysWOW64\aulyjmu.exe"121⤵
- Suspicious use of SetThreadContext
PID:1112 -
C:\Windows\SysWOW64\ctlwkla.exe"C:\Windows\SysWOW64\ctlwkla.exe" 1128 "C:\Windows\SysWOW64\aulyjmu.exe"122⤵
- Drops file in System32 directory
PID:3492
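The tree above is what endpoint telemetry would show, one process-creation event per node. The following Python is an added example written for this edit, not part of the sandbox report, that turns the launch convention visible in the tree into detection logic and runs it over constructed Sysmon Event ID 1-style records: four copied from the nodes above and two benign look-alikes. The field names Image, ParentImage and CommandLine follow Sysmon; the tag names and the alert threshold in is_alert are choices made here.

```python
import re

# Constructed process-creation records in the shape of Sysmon Event ID 1
# fields. The first four reproduce nodes from the report's process tree;
# the last two are benign look-alikes added here to show what must not fire.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2f7f5560775949053f1e60fc602d52fc_JaffaCakes118.exe"
EVENTS = [
    {"ProcessId": 1768, "Image": SAMPLE, "ParentImage": SAMPLE,
     "CommandLine": '"' + SAMPLE + '"'},
    {"ProcessId": 1720, "Image": r"C:\Windows\SysWOW64\xnvjvko.exe", "ParentImage": SAMPLE,
     "CommandLine": r'C:\Windows\system32\xnvjvko.exe 1000 "' + SAMPLE + '"'},
    {"ProcessId": 1132, "Image": r"C:\Windows\SysWOW64\xnvjvko.exe",
     "ParentImage": r"C:\Windows\SysWOW64\xnvjvko.exe",
     "CommandLine": r'"C:\Windows\SysWOW64\xnvjvko.exe" 1000 "' + SAMPLE + '"'},
    {"ProcessId": 3480, "Image": r"C:\Windows\SysWOW64\nwtszqe.exe",
     "ParentImage": r"C:\Windows\SysWOW64\xnvjvko.exe",
     "CommandLine": r'C:\Windows\system32\nwtszqe.exe 1016 "C:\Windows\SysWOW64\xnvjvko.exe"'},
    # Benign look-alikes (constructed): notepad.exe and svchost.exe are also
    # seven lowercase letters living under SysWOW64.
    {"ProcessId": 5000, "Image": r"C:\Windows\SysWOW64\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\SysWOW64\notepad.exe" C:\Users\Admin\notes.txt'},
    {"ProcessId": 5001, "Image": r"C:\Windows\SysWOW64\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\SysWOW64\svchost.exe -k netsvcs"},
]

# Seven lowercase letters plus .exe, the naming shape of every dropped stage.
RANDOM_NAME = re.compile(r"^[a-z]{7}\.exe$")
# The launch convention from the tree: <exe> <number> "<path of another exe>",
# with the exe either unquoted (first launch) or quoted (re-launch).
STAGE_ARGV = re.compile(
    r'^"?(?P<exe>[^"]+\.exe)"? (?P<arg>\d+) "(?P<prev>[^"]+\.exe)"$', re.IGNORECASE
)
SYSWOW64 = "c:\\windows\\syswow64\\"


def basename(path):
    return path.rsplit("\\", 1)[-1]


def classify(ev):
    """Return the set of heuristic tags that apply to one event."""
    tags = set()
    image, parent = ev["Image"].lower(), ev["ParentImage"].lower()
    if image.startswith(SYSWOW64) and RANDOM_NAME.match(basename(image)):
        tags.add("syswow64_random_name")
    m = STAGE_ARGV.match(ev["CommandLine"])
    if m:
        tags.add("stage_argv")
        # First launches carry the launching process's own path as the
        # quoted argument; re-launches carry the previous stage's path.
        if basename(m["prev"]).lower() == basename(parent):
            tags.add("parent_named_in_argv")
    if image == parent:
        tags.add("self_spawn")
    return tags


def is_alert(ev):
    """The name shape alone is not enough (notepad, svchost); require it
    together with either the launch convention or a self-spawn."""
    tags = classify(ev)
    return "syswow64_random_name" in tags and bool(tags & {"stage_argv", "self_spawn"})


def ioc_names(events):
    """Distinct dropped-stage file names to sweep for on other hosts."""
    return sorted({basename(e["Image"].lower()) for e in events if is_alert(e)})


if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["ProcessId"], "ALERT" if is_alert(ev) else "ok", sorted(classify(ev)))
    print(ioc_names(EVENTS))
```

The unquoted C:\Windows\system32\... command line against a C:\Windows\SysWOW64\... image path is WOW64 file-system redirection at work, so the Image field, not the command line, is the path to key on. The sample's own self-spawn (PID 1768) only earns the self_spawn tag here; a rule for that first hop would key on the Temp directory instead of SysWOW64.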