Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 150s
max time network: 17s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 14/08/2024, 14:37

Behavioral task
behavioral1
Sample: 96801577522608d92a0777d13d635fbf_JaffaCakes118.exe
Resource: win7-20240708-en

General
Target: 96801577522608d92a0777d13d635fbf_JaffaCakes118.exe
Size: 578KB
MD5: 96801577522608d92a0777d13d635fbf
SHA1: bdb3f83a426eed29d938f51e717fb76a0b8919b5
SHA256: 3bc59163cd7d8cfcc964bd99afeee2f90e20bcfdace720acfa24036c2958c6dc
SHA512: 8a51c1ebb31b517ed4882c12c1d049818b68d259934d65b487514583ccdb904571b910121553df25c38a8b4fce6d72456b394366cc5076aa45533535c35d5436
SSDEEP: 12288:tTYYYJbaSH2zN80kJwOZ3EJQIbgTZdQvZiksxizh:tMYYJbBA8VpMRgTZmZiM

Malware Config

Signatures
Executes dropped EXE 64 IoCs
pid Process
2808 uibajpboxj.exe
1300 eioivasflt.exe
1868 tumozjenfs.exe
344 oloqwyopho.exe
1724 ajgdebbknm.exe
1600 cpmoutkghg.exe
1360 kattrnstbw.exe
1260 rigldcclag.exe
2840 zjfmrrggbp.exe
2680 btfjkngeqp.exe
2204 iedozgwrcm.exe
1956 dkujcedqcj.exe
1876 crjotmofeh.exe
2072 cvvmydxqwg.exe
2764 wtmpsbmpxc.exe
2368 wmvzmowglo.exe
2892 jkpcdwbnma.exe
3020 flipzhnxrx.exe
2884 anemxgmdzv.exe
3028 ivzerdnvgx.exe
2748 vmuhadtczr.exe
2528 cftuxxjptg.exe
2000 pvvpffhwmt.exe
1996 cmqsonmlnf.exe
1604 okluxnssnz.exe
2688 bboxfwpzol.exe
2756 lldhazetbx.exe
536 yfjxmlidow.exe
1720 leeaulnkhi.exe
2292 nafkcgoivt.exe
2776 xogisnbmus.exe
1044 iyvnfdvhvi.exe
2760 rmwcvlidcg.exe
672 celiabkgde.exe
2164 pyrxtopqjd.exe
2904 wrqdihfcda.exe
2272 jilfrpckdn.exe
676 qpgxlfmcdx.exe
1988 dcqnrjlhrw.exe
1196 qbtqzjqwki.exe
1992 ddzglvvxxh.exe
2216 kkmyflepfs.exe
2972 xesnqxjzkr.exe
2148 emofdnsjsb.exe
2252 rhfvqqrwga.exe
480 bkvgeufqsl.exe
3012 oaqimudxly.exe
2260 bzklvcinmk.exe
1304 ikrqswrzgh.exe
2768 yorlwbvtnu.exe
1828 icsimiaqmt.exe
2064 vbnluqgxnf.exe
292 hrpodzmeor.exe
2112 utwvpdqotq.exe
3032 hgftuhptiq.exe
1532 rugjsocpho.exe
576 eljlbphwia.exe
1884 rbdokxnmjm.exe
872 eayrsfktbz.exe
2796 rqbtbfqacl.exe
2300 afurzndwbj.exe
1480 nvwthvbecv.exe
2088 auroqdgldi.exe
804 nkmrzdmswu.exe
Identifies Wine through registry keys 2 TTPs 64 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment. The key HKCU\Software\Wine is created by Wine itself and does not exist on a real Windows installation, so the open fails there; the attempt to open it is what this signature catches.
description: Key opened
ioc: \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Wine
Process (64 events, one per process):
vfmgxnhvda.exe, rspgypbhyi.exe, tgbjyuinpj.exe, pckhvezamo.exe, bvujvbnrku.exe, cdrumtsiby.exe, wglminmudk.exe, etdnbwcaxf.exe,
bwoqcmtmzm.exe, jvwgocrrbb.exe, jegmlgldoj.exe, pmivjjhinp.exe, wpwdhftmts.exe, geiygizwbg.exe, kahmjkhaaz.exe, cvkfocdufq.exe,
exagdtadyv.exe, kgdpdjhyem.exe, gfsepgnvmk.exe, rujktowtet.exe, vtxdmgbhpp.exe, jckbxwmduo.exe, irohatsslb.exe, xayyvfethh.exe,
vefezbtsvt.exe, dorzvnixsd.exe, brgpebjftn.exe, mkwgpmguyb.exe, fdjeomqhpw.exe, cvvmydxqwg.exe, nujzyfqrsd.exe, mmpkjlcfwe.exe,
xsnxjbygis.exe, hdzyrkmjsh.exe, lbgpfaduex.exe, ngnahqktfh.exe, pvvpffhwmt.exe, nocirmslyc.exe, afiyeohxig.exe, ecnrdtjfed.exe,
itzbfbzijo.exe, rwxwuqxtkl.exe, lokfudsiof.exe, tkbggyiswr.exe, amsmfijvto.exe, fwrzzjlvll.exe, jbkhzzuzfw.exe, gjywxvwqip.exe,
gawmthcqgv.exe, iugdkmntru.exe, sgkhyvqyys.exe, rgxshzdble.exe, idnlbkukvu.exe, vilpjqpqxq.exe, zewdqhahik.exe, vxhyilqwbn.exe,
oloqwyopho.exe, jhycaglcky.exe, dkxmfdcxfg.exe, folzwvftox.exe, aekpvgtglw.exe, wermhladtu.exe, lcezxkwfoi.exe, qjihqhqyhn.exe
Loads dropped DLL 64 IoCs
pid Process (each process appears twice in the report, 32 distinct processes)
2052 96801577522608d92a0777d13d635fbf_JaffaCakes118.exe
2808 uibajpboxj.exe
1300 eioivasflt.exe
1868 tumozjenfs.exe
344 oloqwyopho.exe
1724 ajgdebbknm.exe
1600 cpmoutkghg.exe
1360 kattrnstbw.exe
1260 rigldcclag.exe
2840 zjfmrrggbp.exe
2680 btfjkngeqp.exe
2204 iedozgwrcm.exe
1956 dkujcedqcj.exe
1876 crjotmofeh.exe
2072 cvvmydxqwg.exe
2764 wtmpsbmpxc.exe
2368 wmvzmowglo.exe
2892 jkpcdwbnma.exe
3020 flipzhnxrx.exe
2884 anemxgmdzv.exe
3028 ivzerdnvgx.exe
2748 vmuhadtczr.exe
2528 cftuxxjptg.exe
2000 pvvpffhwmt.exe
1996 cmqsonmlnf.exe
1604 okluxnssnz.exe
2688 bboxfwpzol.exe
2756 lldhazetbx.exe
536 yfjxmlidow.exe
1720 leeaulnkhi.exe
2292 nafkcgoivt.exe
2776 xogisnbmus.exe
Themida packer 64 IoCs
resource yara_rule: every entry below matched the themida rule. Unless noted otherwise the matched region is 0x0000000000400000-0x00000000005F4000 in memory.dmp, i.e. the same image mapping in the original process (PID 2052) and in each dropped executable; one entry is a dropped file rather than a memory region.
behavioral1/memory/2052-0
behavioral1/memory/2052-2
behavioral1/memory/2052-7
behavioral1/memory/2052-6
behavioral1/files/0x0006000000012118-8.dat
behavioral1/memory/2808-16
behavioral1/memory/2808-19
behavioral1/memory/2808-24
behavioral1/memory/2808-23
behavioral1/memory/1300-34
behavioral1/memory/1300-39
behavioral1/memory/1300-46
behavioral1/memory/1868-50
behavioral1/memory/1868-56
behavioral1/memory/1868-57
behavioral1/memory/344-67
behavioral1/memory/1868-52
behavioral1/memory/1724-80
behavioral1/memory/344-82
behavioral1/memory/1724-92 (0x00000000049F0000-0x0000000004BE4000)
behavioral1/memory/1724-98
behavioral1/memory/1600-110
behavioral1/memory/1360-118
behavioral1/memory/2840-130
behavioral1/memory/1260-132
behavioral1/memory/2680-143
behavioral1/memory/2204-157
behavioral1/memory/2840-148
behavioral1/memory/2680-159
behavioral1/memory/2204-169 (0x0000000004910000-0x0000000004B04000)
behavioral1/memory/1956-171
behavioral1/memory/2204-173
behavioral1/memory/1876-185
behavioral1/memory/1956-187
behavioral1/memory/2072-200
behavioral1/memory/1876-201
behavioral1/memory/2764-214
behavioral1/memory/2072-216
behavioral1/memory/2764-230
behavioral1/memory/2368-238
behavioral1/memory/2892-245
behavioral1/memory/3020-252
behavioral1/memory/2884-259
behavioral1/memory/3028-268
behavioral1/memory/2748-273
behavioral1/memory/2528-280
behavioral1/memory/2000-287
behavioral1/memory/1996-294
behavioral1/memory/1604-301
behavioral1/memory/2688-308
behavioral1/memory/2756-315
behavioral1/memory/536-322
behavioral1/memory/1720-329
behavioral1/memory/2292-336
behavioral1/memory/2776-343
behavioral1/memory/1044-350
behavioral1/memory/2760-358
behavioral1/memory/672-364
behavioral1/memory/2164-371
behavioral1/memory/2904-378
behavioral1/memory/2272-385
behavioral1/memory/676-392
behavioral1/memory/1988-399
behavioral1/memory/1196-407
Drops file in System32 directory 64 IoCs
description | ioc | Process (every dropped file is a ten-letter lowercase .exe in C:\Windows\SysWOW64, written by another such executable)
File opened for modification | C:\Windows\SysWOW64\csbemzmooa.exe | pcgjdqphno.exe
File opened for modification | C:\Windows\SysWOW64\cpmoutkghg.exe | ajgdebbknm.exe
File created | C:\Windows\SysWOW64\ypukrgysaj.exe | mjdhdpmoax.exe
File created | C:\Windows\SysWOW64\ahudmvhdhf.exe | nisavnbogs.exe
File created | C:\Windows\SysWOW64\xzkoqxdjnl.exe | kbhlhpycmz.exe
File created | C:\Windows\SysWOW64\gawmthcqgv.exe | xlvpdzpuyf.exe
File opened for modification | C:\Windows\SysWOW64\lkuglmzsul.exe | ytzdceblbz.exe
File created | C:\Windows\SysWOW64\mvtlyexfui.exe | zfyiqerytv.exe
File opened for modification | C:\Windows\SysWOW64\axhfievdxq.exe | qnjvnjgjkf.exe
File created | C:\Windows\SysWOW64\zwbtmdhmjt.exe | myyqdvbfiz.exe
File created | C:\Windows\SysWOW64\jguwhpgesp.exe | wpzuzpbxzd.exe
File opened for modification | C:\Windows\SysWOW64\wlhfqrosfk.exe | jmmcijrdmx.exe
File created | C:\Windows\SysWOW64\izuyxxyajh.exe | yttihxldci.exe
File created | C:\Windows\SysWOW64\bvnbnmrsrf.exe | owkyfeukyt.exe
File opened for modification | C:\Windows\SysWOW64\olnhxkbcyd.exe | cvkfocdufq.exe
File created | C:\Windows\SysWOW64\wztduedpbp.exe | jizbmexiad.exe
File created | C:\Windows\SysWOW64\zcgvgdxxvu.exe | pofxqdkanv.exe
File created | C:\Windows\SysWOW64\rhfvqqrwga.exe | emofdnsjsb.exe
File created | C:\Windows\SysWOW64\eeoikozldz.exe | rnlfcgtecn.exe
File created | C:\Windows\SysWOW64\mvgaxwdxxd.exe | zfdypwxqeq.exe
File created | C:\Windows\SysWOW64\vefezbtsvt.exe | inkbqtodch.exe
File created | C:\Windows\SysWOW64\jeazlvcmzn.exe | wgfwduwfga.exe
File opened for modification | C:\Windows\SysWOW64\bkvgeufqsl.exe | rhfvqqrwga.exe
File created | C:\Windows\SysWOW64\eayrsfktbz.exe | rbdokxnmjm.exe
File created | C:\Windows\SysWOW64\nkmrzdmswu.exe | auroqdgldi.exe
File created | C:\Windows\SysWOW64\zrhwbdvwqc.exe | mancsvqpxp.exe
File opened for modification | C:\Windows\SysWOW64\afiyeohxig.exe | npgvogbihu.exe
File opened for modification | C:\Windows\SysWOW64\jtqebchtal.exe | xzkoqxdjnl.exe
File created | C:\Windows\SysWOW64\rmudrsotmy.exe | eozaakilll.exe
File opened for modification | C:\Windows\SysWOW64\awqdpqhagt.exe | ngnahqktfh.exe
File created | C:\Windows\SysWOW64\myxpdsojcv.exe | ziumukicbj.exe
File opened for modification | C:\Windows\SysWOW64\nvwthvbecv.exe | afurzndwbj.exe
File created | C:\Windows\SysWOW64\uvwqqrhzti.exe | jwklgszztk.exe
File created | C:\Windows\SysWOW64\nmsjfllykd.exe | bophxdfrjr.exe
File opened for modification | C:\Windows\SysWOW64\tineftthtf.exe | gksbxsnass.exe
File created | C:\Windows\SysWOW64\vfmgxnhvda.exe | iosdoncodn.exe
File opened for modification | C:\Windows\SysWOW64\wglminmudk.exe | jhqjzfgmky.exe
File opened for modification | C:\Windows\SysWOW64\klisbvqxoj.exe | axivlwdahk.exe
File created | C:\Windows\SysWOW64\oafjndinty.exe | bcdgfvcgsm.exe
File opened for modification | C:\Windows\SysWOW64\jsjwjyaoqs.exe | zeihlrnrjb.exe
File opened for modification | C:\Windows\SysWOW64\wnujecwfry.exe | mztloujisa.exe
File created | C:\Windows\SysWOW64\ajjhhaarqs.exe | qhuwuxupvg.exe
File opened for modification | C:\Windows\SysWOW64\xqoedpczty.exe | katbvpwsse.exe
File created | C:\Windows\SysWOW64\kvgqvpopmw.exe | xwdvmhqimk.exe
File created | C:\Windows\SysWOW64\pkanagbnaz.exe | clfksgvyzm.exe
File opened for modification | C:\Windows\SysWOW64\rwxwuqxtkl.exe | eyutlirmjy.exe
File created | C:\Windows\SysWOW64\ajnvoptmmb.exe | qvnyyigqnd.exe
File created | C:\Windows\SysWOW64\sjfwzryfwl.exe | flktrrtxez.exe
File opened for modification | C:\Windows\SysWOW64\ospndfufma.exe | btvkvxpylf.exe
File created | C:\Windows\SysWOW64\zfdypwxqeq.exe | qqlizokuws.exe
File opened for modification | C:\Windows\SysWOW64\tgbjyuinpj.exe | glstsqjbbk.exe
File opened for modification | C:\Windows\SysWOW64\zhsgtmudqx.exe | mipecmwvql.exe
File created | C:\Windows\SysWOW64\bqtecmgtfw.exe | rfeupjzzsl.exe
File created | C:\Windows\SysWOW64\hmmsbaxwci.exe | uojplssobw.exe
File created | C:\Windows\SysWOW64\bophxdfrjr.exe | oxueodakje.exe
File created | C:\Windows\SysWOW64\rczrgyzgjw.exe | emeoqqbyrk.exe
File created | C:\Windows\SysWOW64\uthschwjko.exe | hvmquzqbrc.exe
File created | C:\Windows\SysWOW64\baoeepfvqz.exe | rmohoiazqb.exe
File created | C:\Windows\SysWOW64\ochqtefiei.exe | earogiqnsw.exe
File created | C:\Windows\SysWOW64\equqqrxuts.exe | rrznijrfsg.exe
File created | C:\Windows\SysWOW64\ldxvbtntba.exe | jxwgdmiwcb.exe
File opened for modification | C:\Windows\SysWOW64\nmsjfllykd.exe | bophxdfrjr.exe
File opened for modification | C:\Windows\SysWOW64\vobqjvafxn.exe | ibraercsjo.exe
File opened for modification | C:\Windows\SysWOW64\xyvmkepyff.exe | kzajcesrmt.exe
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. The key read here, HKLM\SYSTEM\ControlSet001\Control\NLS\Language, holds the installed and default language IDs (the InstallLanguage and Default values), which malware commonly compares against a list of locales it refuses to run in.
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process (64 events, one per process):
lpjopxsnil.exe, eidimlxgww.exe, kgdpdjhyem.exe, tineftthtf.exe, wvjjzwxqfj.exe, orevkuiegg.exe, rrznijrfsg.exe, yyglhxugqz.exe,
xuvyzkyphd.exe, npgvogbihu.exe, wvdcudztzz.exe, sjpafdpemb.exe, ivxxvasxir.exe, vnjiunbnpo.exe, gkanvmqpoc.exe, rzrswmxrwy.exe,
rwxwuqxtkl.exe, avjbsfbpym.exe, qmorelvbim.exe, adnmotqflp.exe, iynwzllpba.exe, yjltyufbos.exe, brgpebjftn.exe, wexzqxmmtc.exe,
cxuklkmzjf.exe, wlhfqrosfk.exe, xwgkmjmffy.exe, ypmoldhoww.exe, ysqdaevhgl.exe, quukwvfqeu.exe, uthschwjko.exe, aiglqwnbeu.exe,
fbrhyehceh.exe, klpbisewax.exe, ahudmvhdhf.exe, ejtpqvvnjg.exe, rhzkfqoaaz.exe, tedzpppxxi.exe, ivgnysiusm.exe, axivlwdahk.exe,
ufuybnpxhr.exe, apmjdxqsrx.exe, epqctyoxba.exe, iztkqtujwp.exe, vbnssieuds.exe, vcoxvrelib.exe, wermhladtu.exe, jwwhsxprex.exe,
qqlizokuws.exe, zfdypwxqeq.exe, zewdqhahik.exe, plfxnaqerh.exe, fqpfpvkrfg.exe, wtnehgpava.exe, oikthbnjoo.exe, wazxqwiqrm.exe,
qppnopuznr.exe, bvnbnmrsrf.exe, lkymfznozm.exe, tylpzkwnav.exe, jragpnxzom.exe, rylyuwmemx.exe, igpbsbaueo.exe, iekxgvjqvb.exe
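The Wine probe and the NLS\Language read above are the same event shape: a process opens a key whose mere presence (Software\Wine) or value (NLS\Language) tells it what kind of machine it is on. The script below is an added example, not part of the tria.ge report, showing how to classify those "Key opened" rows and pull out the processes doing environment checks. The sample rows are constructed to match the report's row format (the explorer.exe row is hypothetical, included to show a benign key being ignored), and the ATT&CK labels are my own mapping, not something the report states.

```python
"""Classify 'Key opened' rows from a sandbox report into environment checks.

Added example, not part of the tria.ge report. SAMPLE_EVENTS is constructed
to match the report's "Key opened <key> <process>" row shape; the explorer.exe
row is hypothetical and only there to show a benign key being ignored.
"""
import re
from collections import defaultdict

SAMPLE_EVENTS = r"""
Key opened \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Wine vfmgxnhvda.exe
Key opened \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Wine oloqwyopho.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lpjopxsnil.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language oloqwyopho.exe
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run explorer.exe
"""

# Key suffix (lower-cased) -> (label, ATT&CK technique). Matching on the suffix
# ignores the hive prefix and the per-machine SID in the HKU path.
CHECKS = {
    r"\software\wine": ("wine_check", "T1497 Virtualization/Sandbox Evasion"),
    r"\control\nls\language": ("language_check", "T1614.001 System Language Discovery"),
}

EVENT_RE = re.compile(r"^Key opened (?P<key>\\REGISTRY\\\S+) (?P<proc>\S+)$")


def parse_events(text):
    """Yield (key, process) tuples from report rows; lines of another shape are skipped."""
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            yield m.group("key"), m.group("proc")


def classify_key(key):
    """Return (label, technique) for a key we care about, else None."""
    k = key.lower()
    for suffix, meta in CHECKS.items():
        if k.endswith(suffix):
            return meta
    return None


def summarize(text):
    """Map each process to the set of check labels it performed (benign keys dropped)."""
    summary = defaultdict(set)
    for key, proc in parse_events(text):
        meta = classify_key(key)
        if meta:
            summary[proc].add(meta[0])
    return dict(summary)


def sandbox_evaders(text):
    """Processes that probed HKCU\\Software\\Wine. On a real Windows host the key
    does not exist, so the open fails; the attempt itself is the signal."""
    return sorted(p for p, labels in summarize(text).items() if "wine_check" in labels)


def techniques_for(text, proc):
    """ATT&CK techniques observed for one process, sorted, for a report or ticket."""
    labels = summarize(text).get(proc, set())
    return sorted(tech for lbl, tech in CHECKS.values() if lbl in labels)


if __name__ == "__main__":
    for proc, labels in sorted(summarize(SAMPLE_EVENTS).items()):
        print(f"{proc:20} {', '.join(sorted(labels))}")
    print("sandbox evaders:", sandbox_evaders(SAMPLE_EVENTS))
```

Matching on the key suffix rather than the full path is deliberate: the HKU path embeds the analysis machine's SID, so a rule keyed on the full string would never fire on a different host.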
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
2052 96801577522608d92a0777d13d635fbf_JaffaCakes118.exe
2808 uibajpboxj.exe
1300 eioivasflt.exe
1868 tumozjenfs.exe
344 oloqwyopho.exe
1724 ajgdebbknm.exe
1600 cpmoutkghg.exe
1360 kattrnstbw.exe
1260 rigldcclag.exe
2840 zjfmrrggbp.exe
2680 btfjkngeqp.exe
2204 iedozgwrcm.exe
1956 dkujcedqcj.exe
1876 crjotmofeh.exe
2072 cvvmydxqwg.exe
2764 wtmpsbmpxc.exe
2368 wmvzmowglo.exe
2892 jkpcdwbnma.exe
3020 flipzhnxrx.exe
2884 anemxgmdzv.exe
3028 ivzerdnvgx.exe
2748 vmuhadtczr.exe
2528 cftuxxjptg.exe
2000 pvvpffhwmt.exe
1996 cmqsonmlnf.exe
1604 okluxnssnz.exe
2688 bboxfwpzol.exe
2756 lldhazetbx.exe
536 yfjxmlidow.exe
1720 leeaulnkhi.exe
2292 nafkcgoivt.exe
2776 xogisnbmus.exe
1044 iyvnfdvhvi.exe
2760 rmwcvlidcg.exe
672 celiabkgde.exe
2164 pyrxtopqjd.exe
2904 wrqdihfcda.exe
2272 jilfrpckdn.exe
676 qpgxlfmcdx.exe
1988 dcqnrjlhrw.exe
1196 qbtqzjqwki.exe
1992 ddzglvvxxh.exe
2216 kkmyflepfs.exe
2972 xesnqxjzkr.exe
2148 emofdnsjsb.exe
2252 rhfvqqrwga.exe
480 bkvgeufqsl.exe
3012 oaqimudxly.exe
2260 bzklvcinmk.exe
1304 ikrqswrzgh.exe
2768 yorlwbvtnu.exe
1828 icsimiaqmt.exe
2064 vbnluqgxnf.exe
292 hrpodzmeor.exe
2112 utwvpdqotq.exe
3032 hgftuhptiq.exe
1532 rugjsocpho.exe
576 eljlbphwia.exe
1884 rbdokxnmjm.exe
872 eayrsfktbz.exe
2796 rqbtbfqacl.exe
2300 afurzndwbj.exe
1480 nvwthvbecv.exe
2088 auroqdgldi.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (each parent/child pair is logged four times in the report; 16 distinct pairs, forming one linear chain)
PID 2052 wrote to memory of 2808 | 2052 | 96801577522608d92a0777d13d635fbf_JaffaCakes118.exe | 30
PID 2808 wrote to memory of 1300 | 2808 | uibajpboxj.exe | 31
PID 1300 wrote to memory of 1868 | 1300 | eioivasflt.exe | 32
PID 1868 wrote to memory of 344 | 1868 | tumozjenfs.exe | 33
PID 344 wrote to memory of 1724 | 344 | oloqwyopho.exe | 34
PID 1724 wrote to memory of 1600 | 1724 | ajgdebbknm.exe | 35
PID 1600 wrote to memory of 1360 | 1600 | cpmoutkghg.exe | 36
PID 1360 wrote to memory of 1260 | 1360 | kattrnstbw.exe | 37
PID 1260 wrote to memory of 2840 | 1260 | rigldcclag.exe | 38
PID 2840 wrote to memory of 2680 | 2840 | zjfmrrggbp.exe | 39
PID 2680 wrote to memory of 2204 | 2680 | btfjkngeqp.exe | 40
PID 2204 wrote to memory of 1956 | 2204 | iedozgwrcm.exe | 41
PID 1956 wrote to memory of 1876 | 1956 | dkujcedqcj.exe | 42
PID 1876 wrote to memory of 2072 | 1876 | crjotmofeh.exe | 43
PID 2072 wrote to memory of 2764 | 2072 | cvvmydxqwg.exe | 44
PID 2764 wrote to memory of 2368 | 2764 | wtmpsbmpxc.exe | 45
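Read together with the "Executes dropped EXE" PID map and the "Drops file in System32 directory" rows, the WriteProcessMemory rows describe a strictly linear chain: each process writes one freshly named ten-letter executable into SysWOW64 and hands control to it, and the report records every parent/child pair four times. The script below is an added example, not tria.ge's code, that deduplicates those rows, walks the chain from the root, and turns the naming pattern into a drop-event heuristic. The sample rows are constructed to match the report's row shapes (a few real rows from this report plus one hypothetical svchost.exe row that should not match).

```python
"""Rebuild the self-replication chain from sandbox report rows.

Added example, not part of the tria.ge report. The sample strings are
constructed to match the report's row shapes; the svchost.exe drop row is
hypothetical and only there to show a non-matching event being ignored.
"""
import re

# "pid Process" rows as in "Executes dropped EXE"; the root PID 2052 is added by hand.
PID_MAP_SAMPLE = ("2052 96801577522608d92a0777d13d635fbf_JaffaCakes118.exe "
                  "2808 uibajpboxj.exe 1300 eioivasflt.exe 1868 tumozjenfs.exe")

# "PID <parent> wrote to memory of <child> <parent> <image> <procid_target>" rows;
# the report logs every pair four times, which is reproduced here.
WPM_SAMPLE = "\n".join(
    ["PID 2052 wrote to memory of 2808 2052 96801577522608d92a0777d13d635fbf_JaffaCakes118.exe 30"] * 4
    + ["PID 2808 wrote to memory of 1300 2808 uibajpboxj.exe 31"] * 4
    + ["PID 1300 wrote to memory of 1868 1300 eioivasflt.exe 32"] * 4
)

# "File created|opened for modification <path> <process>" rows.
DROP_SAMPLE = r"""
File opened for modification C:\Windows\SysWOW64\cpmoutkghg.exe ajgdebbknm.exe
File created C:\Windows\SysWOW64\rhfvqqrwga.exe emofdnsjsb.exe
File opened for modification C:\Windows\SysWOW64\bkvgeufqsl.exe rhfvqqrwga.exe
File created C:\Windows\SysWOW64\config\foo.log svchost.exe
"""

RANDOM_NAME = re.compile(r"^[a-z]{10}\.exe$")
SYSWOW64_RANDOM = re.compile(r"^C:\\Windows\\SysWOW64\\([a-z]{10}\.exe)$")
PID_ROW = re.compile(r"(\d+) (\S+\.exe)")
WPM_ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$")
DROP_ROW = re.compile(r"^File (?:created|opened for modification) (\S+) (\S+)$")


def parse_pid_map(text):
    """{pid: image} from a flattened 'pid Process' row."""
    return {int(pid): name for pid, name in PID_ROW.findall(text)}


def parse_wpm(text):
    """Unique (parent_pid, child_pid, parent_image, procid_target) tuples, first-seen order."""
    seen, out = set(), []
    for line in text.splitlines():
        m = WPM_ROW.match(line.strip())
        if m and m.groups() not in seen:
            seen.add(m.groups())
            out.append((int(m.group(1)), int(m.group(2)), m.group(3), int(m.group(4))))
    return out


def build_chain(wpm_text, pid_map_text):
    """Follow parent->child edges from the single root; raise if the graph is not one chain."""
    pid_map = parse_pid_map(pid_map_text)
    child_of = {}
    for parent, child, _, _ in parse_wpm(wpm_text):
        if parent in child_of and child_of[parent] != child:
            raise ValueError(f"pid {parent} has more than one child")
        child_of[parent] = child
    roots = set(child_of) - set(child_of.values())
    if len(roots) != 1:
        raise ValueError(f"expected one root, got {sorted(roots)}")
    pid = roots.pop()
    chain = [(pid, pid_map.get(pid, "?"))]
    while pid in child_of:
        pid = child_of[pid]
        chain.append((pid, pid_map.get(pid, "?")))
    return chain


def suspicious_drops(text):
    """(dropper, dropped) pairs where a ten-letter .exe writes another ten-letter .exe into SysWOW64."""
    hits = []
    for line in text.splitlines():
        m = DROP_ROW.match(line.strip())
        if not m:
            continue
        path, dropper = m.groups()
        target = SYSWOW64_RANDOM.match(path)
        if target and RANDOM_NAME.match(dropper):
            hits.append((dropper, target.group(1)))
    return hits


if __name__ == "__main__":
    for depth, (pid, image) in enumerate(build_chain(WPM_SAMPLE, PID_MAP_SAMPLE), 1):
        print(f"{depth:2}. {image} (pid {pid})")
    for dropper, dropped in suspicious_drops(DROP_SAMPLE):
        print(f"{dropper} -> {dropped}")
```

The chain builder refuses to guess when a parent has two children or there is more than one root, which is the right failure mode for a report where a fan-out would mean something other than the one-successor behaviour seen here. The drop heuristic is written against the exact pattern in this report (lowercase, ten letters, SysWOW64); on a live host it belongs on file-create telemetry where the creating image name is available.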
Processes
Each entry below is the child of the one above it. Every process starts its successor as C:\Windows\system32\<name>.exe with a numeric argument followed by its own image path in quotes; the image actually resolved is C:\Windows\SysWOW64\<name>.exe, which is WOW64 file-system redirection at work (the binary is 32-bit). The captured tree ends at depth 12.

1. C:\Users\Admin\AppData\Local\Temp\96801577522608d92a0777d13d635fbf_JaffaCakes118.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\96801577522608d92a0777d13d635fbf_JaffaCakes118.exe"
   PID: 2052
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\uibajpboxj.exe
   command line: C:\Windows\system32\uibajpboxj.exe 640 "C:\Users\Admin\AppData\Local\Temp\96801577522608d92a0777d13d635fbf_JaffaCakes118.exe"
   PID: 2808
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\eioivasflt.exe
   command line: C:\Windows\system32\eioivasflt.exe 624 "C:\Windows\SysWOW64\uibajpboxj.exe"
   PID: 1300
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\tumozjenfs.exe
   command line: C:\Windows\system32\tumozjenfs.exe 632 "C:\Windows\SysWOW64\eioivasflt.exe"
   PID: 1868
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\oloqwyopho.exe
   command line: C:\Windows\system32\oloqwyopho.exe 628 "C:\Windows\SysWOW64\tumozjenfs.exe"
   PID: 344
   - Executes dropped EXE
   - Identifies Wine through registry keys
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\ajgdebbknm.exe
   command line: C:\Windows\system32\ajgdebbknm.exe 644 "C:\Windows\SysWOW64\oloqwyopho.exe"
   PID: 1724
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\cpmoutkghg.exe
   command line: C:\Windows\system32\cpmoutkghg.exe 696 "C:\Windows\SysWOW64\ajgdebbknm.exe"
   PID: 1600
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\kattrnstbw.exe
   command line: C:\Windows\system32\kattrnstbw.exe 724 "C:\Windows\SysWOW64\cpmoutkghg.exe"
   PID: 1360
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\rigldcclag.exe
   command line: C:\Windows\system32\rigldcclag.exe 648 "C:\Windows\SysWOW64\kattrnstbw.exe"
   PID: 1260
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\zjfmrrggbp.exe
   command line: C:\Windows\system32\zjfmrrggbp.exe 652 "C:\Windows\SysWOW64\rigldcclag.exe"
   PID: 2840
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\btfjkngeqp.exe
   command line: C:\Windows\system32\btfjkngeqp.exe 736 "C:\Windows\SysWOW64\zjfmrrggbp.exe"
   PID: 2680
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\iedozgwrcm.exe
   command line: C:\Windows\system32\iedozgwrcm.exe 752 "C:\Windows\SysWOW64\btfjkngeqp.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\dkujcedqcj.exeC:\Windows\system32\dkujcedqcj.exe 712 "C:\Windows\SysWOW64\iedozgwrcm.exe"13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\crjotmofeh.exeC:\Windows\system32\crjotmofeh.exe 664 "C:\Windows\SysWOW64\dkujcedqcj.exe"14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1876 -
C:\Windows\SysWOW64\cvvmydxqwg.exeC:\Windows\system32\cvvmydxqwg.exe 716 "C:\Windows\SysWOW64\crjotmofeh.exe"15⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\SysWOW64\wtmpsbmpxc.exeC:\Windows\system32\wtmpsbmpxc.exe 668 "C:\Windows\SysWOW64\cvvmydxqwg.exe"16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\wmvzmowglo.exeC:\Windows\system32\wmvzmowglo.exe 676 "C:\Windows\SysWOW64\wtmpsbmpxc.exe"17⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2368 -
C:\Windows\SysWOW64\jkpcdwbnma.exeC:\Windows\system32\jkpcdwbnma.exe 776 "C:\Windows\SysWOW64\wmvzmowglo.exe"18⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2892 -
C:\Windows\SysWOW64\flipzhnxrx.exeC:\Windows\system32\flipzhnxrx.exe 708 "C:\Windows\SysWOW64\jkpcdwbnma.exe"19⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3020 -
C:\Windows\SysWOW64\anemxgmdzv.exeC:\Windows\system32\anemxgmdzv.exe 768 "C:\Windows\SysWOW64\flipzhnxrx.exe"20⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2884 -
C:\Windows\SysWOW64\ivzerdnvgx.exeC:\Windows\system32\ivzerdnvgx.exe 792 "C:\Windows\SysWOW64\anemxgmdzv.exe"21⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3028 -
C:\Windows\SysWOW64\vmuhadtczr.exeC:\Windows\system32\vmuhadtczr.exe 780 "C:\Windows\SysWOW64\ivzerdnvgx.exe"22⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2748 -
C:\Windows\SysWOW64\cftuxxjptg.exeC:\Windows\system32\cftuxxjptg.exe 796 "C:\Windows\SysWOW64\vmuhadtczr.exe"23⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2528 -
C:\Windows\SysWOW64\pvvpffhwmt.exeC:\Windows\system32\pvvpffhwmt.exe 804 "C:\Windows\SysWOW64\cftuxxjptg.exe"24⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2000 -
C:\Windows\SysWOW64\cmqsonmlnf.exeC:\Windows\system32\cmqsonmlnf.exe 784 "C:\Windows\SysWOW64\pvvpffhwmt.exe"25⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1996 -
C:\Windows\SysWOW64\okluxnssnz.exeC:\Windows\system32\okluxnssnz.exe 788 "C:\Windows\SysWOW64\cmqsonmlnf.exe"26⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1604 -
C:\Windows\SysWOW64\bboxfwpzol.exeC:\Windows\system32\bboxfwpzol.exe 816 "C:\Windows\SysWOW64\okluxnssnz.exe"27⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2688 -
C:\Windows\SysWOW64\lldhazetbx.exeC:\Windows\system32\lldhazetbx.exe 772 "C:\Windows\SysWOW64\bboxfwpzol.exe"28⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2756 -
C:\Windows\SysWOW64\yfjxmlidow.exeC:\Windows\system32\yfjxmlidow.exe 808 "C:\Windows\SysWOW64\lldhazetbx.exe"29⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:536 -
C:\Windows\SysWOW64\leeaulnkhi.exeC:\Windows\system32\leeaulnkhi.exe 812 "C:\Windows\SysWOW64\yfjxmlidow.exe"30⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1720 -
C:\Windows\SysWOW64\nafkcgoivt.exeC:\Windows\system32\nafkcgoivt.exe 820 "C:\Windows\SysWOW64\leeaulnkhi.exe"31⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2292 -
C:\Windows\SysWOW64\xogisnbmus.exeC:\Windows\system32\xogisnbmus.exe 824 "C:\Windows\SysWOW64\nafkcgoivt.exe"32⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2776 -
C:\Windows\SysWOW64\iyvnfdvhvi.exeC:\Windows\system32\iyvnfdvhvi.exe 840 "C:\Windows\SysWOW64\xogisnbmus.exe"33⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1044 -
C:\Windows\SysWOW64\rmwcvlidcg.exeC:\Windows\system32\rmwcvlidcg.exe 828 "C:\Windows\SysWOW64\iyvnfdvhvi.exe"34⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2760 -
C:\Windows\SysWOW64\celiabkgde.exeC:\Windows\system32\celiabkgde.exe 836 "C:\Windows\SysWOW64\rmwcvlidcg.exe"35⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:672 -
C:\Windows\SysWOW64\pyrxtopqjd.exeC:\Windows\system32\pyrxtopqjd.exe 832 "C:\Windows\SysWOW64\celiabkgde.exe"36⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2164 -
C:\Windows\SysWOW64\wrqdihfcda.exeC:\Windows\system32\wrqdihfcda.exe 844 "C:\Windows\SysWOW64\pyrxtopqjd.exe"37⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2904 -
C:\Windows\SysWOW64\jilfrpckdn.exeC:\Windows\system32\jilfrpckdn.exe 848 "C:\Windows\SysWOW64\wrqdihfcda.exe"38⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2272 -
C:\Windows\SysWOW64\qpgxlfmcdx.exeC:\Windows\system32\qpgxlfmcdx.exe 856 "C:\Windows\SysWOW64\jilfrpckdn.exe"39⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:676 -
C:\Windows\SysWOW64\dcqnrjlhrw.exeC:\Windows\system32\dcqnrjlhrw.exe 800 "C:\Windows\SysWOW64\qpgxlfmcdx.exe"40⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1988 -
C:\Windows\SysWOW64\qbtqzjqwki.exeC:\Windows\system32\qbtqzjqwki.exe 872 "C:\Windows\SysWOW64\dcqnrjlhrw.exe"41⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1196 -
C:\Windows\SysWOW64\ddzglvvxxh.exeC:\Windows\system32\ddzglvvxxh.exe 860 "C:\Windows\SysWOW64\qbtqzjqwki.exe"42⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1992 -
C:\Windows\SysWOW64\kkmyflepfs.exeC:\Windows\system32\kkmyflepfs.exe 864 "C:\Windows\SysWOW64\ddzglvvxxh.exe"43⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2216 -
C:\Windows\SysWOW64\xesnqxjzkr.exeC:\Windows\system32\xesnqxjzkr.exe 868 "C:\Windows\SysWOW64\kkmyflepfs.exe"44⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2972 -
C:\Windows\SysWOW64\emofdnsjsb.exeC:\Windows\system32\emofdnsjsb.exe 888 "C:\Windows\SysWOW64\xesnqxjzkr.exe"45⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2148 -
C:\Windows\SysWOW64\rhfvqqrwga.exeC:\Windows\system32\rhfvqqrwga.exe 880 "C:\Windows\SysWOW64\emofdnsjsb.exe"46⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2252 -
C:\Windows\SysWOW64\bkvgeufqsl.exeC:\Windows\system32\bkvgeufqsl.exe 884 "C:\Windows\SysWOW64\rhfvqqrwga.exe"47⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:480 -
C:\Windows\SysWOW64\oaqimudxly.exeC:\Windows\system32\oaqimudxly.exe 892 "C:\Windows\SysWOW64\bkvgeufqsl.exe"48⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3012 -
C:\Windows\SysWOW64\bzklvcinmk.exeC:\Windows\system32\bzklvcinmk.exe 904 "C:\Windows\SysWOW64\oaqimudxly.exe"49⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2260 -
C:\Windows\SysWOW64\ikrqswrzgh.exeC:\Windows\system32\ikrqswrzgh.exe 908 "C:\Windows\SysWOW64\bzklvcinmk.exe"50⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1304 -
C:\Windows\SysWOW64\yorlwbvtnu.exeC:\Windows\system32\yorlwbvtnu.exe 896 "C:\Windows\SysWOW64\ikrqswrzgh.exe"51⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2768 -
C:\Windows\SysWOW64\icsimiaqmt.exeC:\Windows\system32\icsimiaqmt.exe 916 "C:\Windows\SysWOW64\yorlwbvtnu.exe"52⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1828 -
C:\Windows\SysWOW64\vbnluqgxnf.exeC:\Windows\system32\vbnluqgxnf.exe 920 "C:\Windows\SysWOW64\icsimiaqmt.exe"53⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2064 -
C:\Windows\SysWOW64\hrpodzmeor.exeC:\Windows\system32\hrpodzmeor.exe 900 "C:\Windows\SysWOW64\vbnluqgxnf.exe"54⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:292 -
C:\Windows\SysWOW64\utwvpdqotq.exeC:\Windows\system32\utwvpdqotq.exe 928 "C:\Windows\SysWOW64\hrpodzmeor.exe"55⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2112 -
C:\Windows\SysWOW64\hgftuhptiq.exeC:\Windows\system32\hgftuhptiq.exe 912 "C:\Windows\SysWOW64\utwvpdqotq.exe"56⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3032 -
C:\Windows\SysWOW64\rugjsocpho.exeC:\Windows\system32\rugjsocpho.exe 936 "C:\Windows\SysWOW64\hgftuhptiq.exe"57⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1532 -
C:\Windows\SysWOW64\eljlbphwia.exeC:\Windows\system32\eljlbphwia.exe 924 "C:\Windows\SysWOW64\rugjsocpho.exe"58⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:576 -
C:\Windows\SysWOW64\rbdokxnmjm.exeC:\Windows\system32\rbdokxnmjm.exe 944 "C:\Windows\SysWOW64\eljlbphwia.exe"59⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1884 -
C:\Windows\SysWOW64\eayrsfktbz.exeC:\Windows\system32\eayrsfktbz.exe 948 "C:\Windows\SysWOW64\rbdokxnmjm.exe"60⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:872 -
C:\Windows\SysWOW64\rqbtbfqacl.exeC:\Windows\system32\rqbtbfqacl.exe 952 "C:\Windows\SysWOW64\eayrsfktbz.exe"61⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2796 -
C:\Windows\SysWOW64\afurzndwbj.exeC:\Windows\system32\afurzndwbj.exe 932 "C:\Windows\SysWOW64\rqbtbfqacl.exe"62⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2300 -
C:\Windows\SysWOW64\nvwthvbecv.exeC:\Windows\system32\nvwthvbecv.exe 940 "C:\Windows\SysWOW64\afurzndwbj.exe"63⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1480 -
C:\Windows\SysWOW64\auroqdgldi.exeC:\Windows\system32\auroqdgldi.exe 956 "C:\Windows\SysWOW64\nvwthvbecv.exe"64⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2088 -
C:\Windows\SysWOW64\nkmrzdmswu.exeC:\Windows\system32\nkmrzdmswu.exe 960 "C:\Windows\SysWOW64\auroqdgldi.exe"65⤵
- Executes dropped EXE
PID:804 -
C:\Windows\SysWOW64\ajpthlrzxo.exeC:\Windows\system32\ajpthlrzxo.exe 964 "C:\Windows\SysWOW64\nkmrzdmswu.exe"66⤵PID:1932
-
C:\Windows\SysWOW64\kpprxtwwwe.exeC:\Windows\system32\kpprxtwwwe.exe 968 "C:\Windows\SysWOW64\ajpthlrzxo.exe"67⤵PID:2356
-
C:\Windows\SysWOW64\zbqmbybqla.exeC:\Windows\system32\zbqmbybqla.exe 972 "C:\Windows\SysWOW64\kpprxtwwwe.exe"68⤵PID:2800
-
C:\Windows\SysWOW64\jhqjzfgmky.exeC:\Windows\system32\jhqjzfgmky.exe 976 "C:\Windows\SysWOW64\zbqmbybqla.exe"69⤵
- Drops file in System32 directory
PID:2212 -
C:\Windows\SysWOW64\wglminmudk.exeC:\Windows\system32\wglminmudk.exe 984 "C:\Windows\SysWOW64\jhqjzfgmky.exe"70⤵
- Identifies Wine through registry keys
PID:1108 -
C:\Windows\SysWOW64\jwohqorjex.exeC:\Windows\system32\jwohqorjex.exe 980 "C:\Windows\SysWOW64\wglminmudk.exe"71⤵PID:1740
-
C:\Windows\SysWOW64\wvjjzwxqfj.exeC:\Windows\system32\wvjjzwxqfj.exe 988 "C:\Windows\SysWOW64\jwohqorjex.exe"72⤵
- System Location Discovery: System Language Discovery
PID:2440 -
C:\Windows\SysWOW64\jlemieuxgv.exeC:\Windows\system32\jlemieuxgv.exe 1000 "C:\Windows\SysWOW64\wvjjzwxqfj.exe"73⤵PID:992
-
C:\Windows\SysWOW64\gmwzmhgzlt.exeC:\Windows\system32\gmwzmhgzlt.exe 660 "C:\Windows\SysWOW64\jlemieuxgv.exe"74⤵PID:2128
-
C:\Windows\SysWOW64\nujzyfqrsd.exeC:\Windows\system32\nujzyfqrsd.exe 876 "C:\Windows\SysWOW64\gmwzmhgzlt.exe"75⤵
- Identifies Wine through registry keys
PID:2436 -
C:\Windows\SysWOW64\khdzrgvznd.exeC:\Windows\system32\khdzrgvznd.exe 636 "C:\Windows\SysWOW64\nujzyfqrsd.exe"76⤵PID:2360
-
C:\Windows\SysWOW64\rlnmarfpza.exeC:\Windows\system32\rlnmarfpza.exe 760 "C:\Windows\SysWOW64\khdzrgvznd.exe"77⤵PID:2284
-
C:\Windows\SysWOW64\rhzkfqoaaz.exeC:\Windows\system32\rhzkfqoaaz.exe 680 "C:\Windows\SysWOW64\rlnmarfpza.exe"78⤵
- System Location Discovery: System Language Discovery
PID:2104 -
C:\Windows\SysWOW64\mjdhdpmoax.exeC:\Windows\system32\mjdhdpmoax.exe 1012 "C:\Windows\SysWOW64\rhzkfqoaaz.exe"79⤵
- Drops file in System32 directory
PID:2068 -
C:\Windows\SysWOW64\ypukrgysaj.exeC:\Windows\system32\ypukrgysaj.exe 1016 "C:\Windows\SysWOW64\mjdhdpmoax.exe"80⤵PID:1764
-
C:\Windows\SysWOW64\lcezxkwfoi.exeC:\Windows\system32\lcezxkwfoi.exe 1028 "C:\Windows\SysWOW64\ypukrgysaj.exe"81⤵
- Identifies Wine through registry keys
PID:2420 -
C:\Windows\SysWOW64\yahcgkcmpv.exeC:\Windows\system32\yahcgkcmpv.exe 1020 "C:\Windows\SysWOW64\lcezxkwfoi.exe"82⤵PID:2844
-
C:\Windows\SysWOW64\igzzerpiot.exeC:\Windows\system32\igzzerpiot.exe 1044 "C:\Windows\SysWOW64\yahcgkcmpv.exe"83⤵PID:792
-
C:\Windows\SysWOW64\vfccmzuqhf.exeC:\Windows\system32\vfccmzuqhf.exe 1032 "C:\Windows\SysWOW64\igzzerpiot.exe"84⤵PID:2928
-
C:\Windows\SysWOW64\ivxxvasxir.exeC:\Windows\system32\ivxxvasxir.exe 1052 "C:\Windows\SysWOW64\vfccmzuqhf.exe"85⤵
- System Location Discovery: System Language Discovery
PID:2696 -
C:\Windows\SysWOW64\vuszeiyeje.exeC:\Windows\system32\vuszeiyeje.exe 1036 "C:\Windows\SysWOW64\ivxxvasxir.exe"86⤵PID:1076
-
C:\Windows\SysWOW64\ikvcmqdljq.exeC:\Windows\system32\ikvcmqdljq.exe 1040 "C:\Windows\SysWOW64\vuszeiyeje.exe"87⤵PID:2712
-
C:\Windows\SysWOW64\ubpfvqbacc.exeC:\Windows\system32\ubpfvqbacc.exe 1048 "C:\Windows\SysWOW64\ikvcmqdljq.exe"88⤵PID:1912
-
C:\Windows\SysWOW64\epqctyoxba.exeC:\Windows\system32\epqctyoxba.exe 1068 "C:\Windows\SysWOW64\ubpfvqbacc.exe"89⤵
- System Location Discovery: System Language Discovery
PID:2476 -
C:\Windows\SysWOW64\rnlfcgtecn.exeC:\Windows\system32\rnlfcgtecn.exe 1056 "C:\Windows\SysWOW64\epqctyoxba.exe"90⤵
- Drops file in System32 directory
PID:1500 -
C:\Windows\SysWOW64\eeoikozldz.exeC:\Windows\system32\eeoikozldz.exe 1060 "C:\Windows\SysWOW64\rnlfcgtecn.exe"91⤵PID:2920
-
C:\Windows\SysWOW64\rujktowtet.exeC:\Windows\system32\rujktowtet.exe 1064 "C:\Windows\SysWOW64\eeoikozldz.exe"92⤵
- Identifies Wine through registry keys
PID:1612 -
C:\Windows\SysWOW64\etdnbwcaxf.exeC:\Windows\system32\etdnbwcaxf.exe 1004 "C:\Windows\SysWOW64\rujktowtet.exe"93⤵
- Identifies Wine through registry keys
PID:2812 -
C:\Windows\SysWOW64\qnjvnjgjkf.exeC:\Windows\system32\qnjvnjgjkf.exe 1076 "C:\Windows\SysWOW64\etdnbwcaxf.exe"94⤵
- Drops file in System32 directory
PID:2708 -
C:\Windows\SysWOW64\axhfievdxq.exeC:\Windows\system32\axhfievdxq.exe 1084 "C:\Windows\SysWOW64\qnjvnjgjkf.exe"95⤵PID:1036
-
C:\Windows\SysWOW64\nocirmslyc.exeC:\Windows\system32\nocirmslyc.exe 1088 "C:\Windows\SysWOW64\axhfievdxq.exe"96⤵
- Identifies Wine through registry keys
PID:1756 -
C:\Windows\SysWOW64\amwkzuyayp.exeC:\Windows\system32\amwkzuyayp.exe 1080 "C:\Windows\SysWOW64\nocirmslyc.exe"97⤵PID:2140
-
C:\Windows\SysWOW64\ndrniudhrb.exeC:\Windows\system32\ndrniudhrb.exe 1092 "C:\Windows\SysWOW64\amwkzuyayp.exe"98⤵PID:2924
-
C:\Windows\SysWOW64\xrskycqdzz.exeC:\Windows\system32\xrskycqdzz.exe 1100 "C:\Windows\SysWOW64\ndrniudhrb.exe"99⤵PID:492
-
C:\Windows\SysWOW64\khvnokolrl.exeC:\Windows\system32\khvnokolrl.exe 1104 "C:\Windows\SysWOW64\xrskycqdzz.exe"100⤵PID:2880
-
C:\Windows\SysWOW64\xgpixsussy.exeC:\Windows\system32\xgpixsussy.exe 1096 "C:\Windows\SysWOW64\khvnokolrl.exe"101⤵PID:2772
-
C:\Windows\SysWOW64\jwklgszztk.exeC:\Windows\system32\jwklgszztk.exe 1108 "C:\Windows\SysWOW64\xgpixsussy.exe"102⤵
- Drops file in System32 directory
PID:2472 -
C:\Windows\SysWOW64\uvwqqrhzti.exeC:\Windows\system32\uvwqqrhzti.exe 1112 "C:\Windows\SysWOW64\jwklgszztk.exe"103⤵PID:1404
-
C:\Windows\SysWOW64\gurlzzeguu.exeC:\Windows\system32\gurlzzeguu.exe 1120 "C:\Windows\SysWOW64\uvwqqrhzti.exe"104⤵PID:1340
-
C:\Windows\SysWOW64\qisixhrctt.exeC:\Windows\system32\qisixhrctt.exe 1124 "C:\Windows\SysWOW64\gurlzzeguu.exe"105⤵PID:1544
-
C:\Windows\SysWOW64\gmadtmoxag.exeC:\Windows\system32\gmadtmoxag.exe 1128 "C:\Windows\SysWOW64\qisixhrctt.exe"106⤵PID:1688
-
C:\Windows\SysWOW64\qppnopuznr.exeC:\Windows\system32\qppnopuznr.exe 1116 "C:\Windows\SysWOW64\gmadtmoxag.exe"107⤵
- System Location Discovery: System Language Discovery
PID:2936 -
C:\Windows\SysWOW64\dokqxxagod.exeC:\Windows\system32\dokqxxagod.exe 1136 "C:\Windows\SysWOW64\qppnopuznr.exe"108⤵PID:1328
-
C:\Windows\SysWOW64\qeftfxgnoq.exeC:\Windows\system32\qeftfxgnoq.exe 1140 "C:\Windows\SysWOW64\dokqxxagod.exe"109⤵PID:2468
-
C:\Windows\SysWOW64\zsgivftkoo.exeC:\Windows\system32\zsgivftkoo.exe 1132 "C:\Windows\SysWOW64\qeftfxgnoq.exe"110⤵PID:880
-
C:\Windows\SysWOW64\mjilmnqrha.exeC:\Windows\system32\mjilmnqrha.exe 1144 "C:\Windows\SysWOW64\zsgivftkoo.exe"111⤵PID:1040
-
C:\Windows\SysWOW64\zhdouvwyhm.exeC:\Windows\system32\zhdouvwyhm.exe 1148 "C:\Windows\SysWOW64\mjilmnqrha.exe"112⤵PID:2172
-
C:\Windows\SysWOW64\myyqdvbfiz.exeC:\Windows\system32\myyqdvbfiz.exe 1072 "C:\Windows\SysWOW64\zhdouvwyhm.exe"113⤵
- Drops file in System32 directory
PID:2196 -
C:\Windows\SysWOW64\zwbtmdhmjt.exeC:\Windows\system32\zwbtmdhmjt.exe 1156 "C:\Windows\SysWOW64\myyqdvbfiz.exe"114⤵PID:2200
-
C:\Windows\SysWOW64\jcuqclmjij.exeC:\Windows\system32\jcuqclmjij.exe 1164 "C:\Windows\SysWOW64\zwbtmdhmjt.exe"115⤵PID:1916
-
C:\Windows\SysWOW64\wbwtklryjd.exeC:\Windows\system32\wbwtklryjd.exe 1172 "C:\Windows\SysWOW64\jcuqclmjij.exe"116⤵PID:2676
-
C:\Windows\SysWOW64\jrrwttxfcq.exeC:\Windows\system32\jrrwttxfcq.exe 1160 "C:\Windows\SysWOW64\wbwtklryjd.exe"117⤵PID:2180
-
C:\Windows\SysWOW64\vtxdmgbhpp.exeC:\Windows\system32\vtxdmgbhpp.exe 1184 "C:\Windows\SysWOW64\jrrwttxfcq.exe"118⤵
- Identifies Wine through registry keys
PID:2728 -
C:\Windows\SysWOW64\igpbsbaueo.exeC:\Windows\system32\igpbsbaueo.exe 1168 "C:\Windows\SysWOW64\vtxdmgbhpp.exe"119⤵
- System Location Discovery: System Language Discovery
PID:2864 -
C:\Windows\SysWOW64\supqijnqdm.exeC:\Windows\system32\supqijnqdm.exe 1176 "C:\Windows\SysWOW64\igpbsbaueo.exe"120⤵PID:3016
-
C:\Windows\SysWOW64\flktrrtxez.exeC:\Windows\system32\flktrrtxez.exe 1192 "C:\Windows\SysWOW64\supqijnqdm.exe"121⤵
- Drops file in System32 directory
PID:2388 -
C:\Windows\SysWOW64\sjfwzryfwl.exeC:\Windows\system32\sjfwzryfwl.exe 1180 "C:\Windows\SysWOW64\flktrrtxez.exe"122⤵PID:1820