Analysis
Max time kernel: 150s
Max time network: 128s
Platform: windows10-2004_x64
Resource: win10v2004-20240802-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 22/08/2024, 10:06

Static task: static1
Behavioral task: behavioral1
  Sample: b7397acfd3191c9c48ab4133830f7e40_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: b7397acfd3191c9c48ab4133830f7e40_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: b7397acfd3191c9c48ab4133830f7e40_JaffaCakes118.exe
Size: 153KB
MD5: b7397acfd3191c9c48ab4133830f7e40
SHA1: 426241434edca06dee35498551326ead535ca821
SHA256: 72437c9294864eab42abfe4c37344ea9061472c3593c0dee7a14bc748b543350
SHA512: 915eeb45aca69be110050c2f899385eb4c144ef69ed6ada33556226f88922e02df875c43cdf16a48cc8d65972e909c82fd2533b479adf6cb0006987e4b9358d2
SSDEEP: 3072:jGA6Wb8Vrv21EVVH8qff7UgsEbYlEwqlEssKcg3MUcozBbT10F3wE4:jG2b85v21EVVcqHwgsEiqlECcgcTozBv
Malware Config
Signatures
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Suspicious use of SetThreadContext 64 IoCs
Program crash 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b7397acfd3191c9c48ab4133830f7e40_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\b7397acfd3191c9c48ab4133830f7e40_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4196 -
C:\Users\Admin\AppData\Local\Temp\b7397acfd3191c9c48ab4133830f7e40_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\b7397acfd3191c9c48ab4133830f7e40_JaffaCakes118.exe H:\Hex Projects\LiquidBot.exe2⤵
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\vmcf.exeC:\Windows\system32\vmcf.exe 1176 "C:\Users\Admin\AppData\Local\Temp\b7397acfd3191c9c48ab4133830f7e40_JaffaCakes118.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4544 -
C:\Windows\SysWOW64\vmcf.exeC:\Windows\SysWOW64\vmcf.exe H:\Hex Projects\LiquidBot.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\ofrl.exeC:\Windows\system32\ofrl.exe 1072 "C:\Windows\SysWOW64\vmcf.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:784 -
C:\Windows\SysWOW64\ofrl.exeC:\Windows\SysWOW64\ofrl.exe H:\Hex Projects\LiquidBot.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\qoia.exeC:\Windows\system32\qoia.exe 1068 "C:\Windows\SysWOW64\ofrl.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3656 -
C:\Windows\SysWOW64\qoia.exeC:\Windows\SysWOW64\qoia.exe H:\Hex Projects\LiquidBot.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4076 -
C:\Windows\SysWOW64\qsvt.exeC:\Windows\system32\qsvt.exe 1056 "C:\Windows\SysWOW64\qoia.exe"9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5020 -
C:\Windows\SysWOW64\qsvt.exeC:\Windows\SysWOW64\qsvt.exe H:\Hex Projects\LiquidBot.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\wysj.exeC:\Windows\system32\wysj.exe 1044 "C:\Windows\SysWOW64\qsvt.exe"11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4448 -
C:\Windows\SysWOW64\wysj.exeC:\Windows\SysWOW64\wysj.exe H:\Hex Projects\LiquidBot.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4624 -
C:\Windows\SysWOW64\bzie.exeC:\Windows\system32\bzie.exe 1056 "C:\Windows\SysWOW64\wysj.exe"13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\bzie.exeC:\Windows\SysWOW64\bzie.exe H:\Hex Projects\LiquidBot.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4816 -
C:\Windows\SysWOW64\gxfm.exeC:\Windows\system32\gxfm.exe 1068 "C:\Windows\SysWOW64\bzie.exe"15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\gxfm.exeC:\Windows\SysWOW64\gxfm.exe H:\Hex Projects\LiquidBot.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3700 -
C:\Windows\SysWOW64\lkzu.exeC:\Windows\system32\lkzu.exe 1056 "C:\Windows\SysWOW64\gxfm.exe"17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3540 -
C:\Windows\SysWOW64\lkzu.exeC:\Windows\SysWOW64\lkzu.exe H:\Hex Projects\LiquidBot.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3316 -
C:\Windows\SysWOW64\tzmh.exeC:\Windows\system32\tzmh.exe 1064 "C:\Windows\SysWOW64\lkzu.exe"19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1236 -
C:\Windows\SysWOW64\tzmh.exeC:\Windows\SysWOW64\tzmh.exe H:\Hex Projects\LiquidBot.exe20⤵
- Executes dropped EXE
PID:4912 -
C:\Windows\SysWOW64\ymgp.exeC:\Windows\system32\ymgp.exe 1060 "C:\Windows\SysWOW64\tzmh.exe"21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:740 -
C:\Windows\SysWOW64\ymgp.exeC:\Windows\SysWOW64\ymgp.exe H:\Hex Projects\LiquidBot.exe22⤵
- Executes dropped EXE
PID:3916 -
C:\Windows\SysWOW64\gbbc.exeC:\Windows\system32\gbbc.exe 1064 "C:\Windows\SysWOW64\ymgp.exe"23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4500 -
C:\Windows\SysWOW64\gbbc.exeC:\Windows\SysWOW64\gbbc.exe H:\Hex Projects\LiquidBot.exe24⤵
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\lonk.exeC:\Windows\system32\lonk.exe 1032 "C:\Windows\SysWOW64\gbbc.exe"25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3632 -
C:\Windows\SysWOW64\lonk.exeC:\Windows\SysWOW64\lonk.exe H:\Hex Projects\LiquidBot.exe26⤵
- Executes dropped EXE
PID:1176 -
C:\Windows\SysWOW64\rihn.exeC:\Windows\system32\rihn.exe 1060 "C:\Windows\SysWOW64\lonk.exe"27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3172 -
C:\Windows\SysWOW64\rihn.exeC:\Windows\SysWOW64\rihn.exe H:\Hex Projects\LiquidBot.exe28⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\vnav.exeC:\Windows\system32\vnav.exe 1056 "C:\Windows\SysWOW64\rihn.exe"29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4684 -
C:\Windows\SysWOW64\vnav.exeC:\Windows\SysWOW64\vnav.exe H:\Hex Projects\LiquidBot.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2560 -
C:\Windows\SysWOW64\ekoi.exeC:\Windows\system32\ekoi.exe 1052 "C:\Windows\SysWOW64\vnav.exe"31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1016 -
C:\Windows\SysWOW64\ekoi.exeC:\Windows\SysWOW64\ekoi.exe H:\Hex Projects\LiquidBot.exe32⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\iphq.exeC:\Windows\system32\iphq.exe 1068 "C:\Windows\SysWOW64\ekoi.exe"33⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3672 -
C:\Windows\SysWOW64\iphq.exeC:\Windows\SysWOW64\iphq.exe H:\Hex Projects\LiquidBot.exe34⤵
- Executes dropped EXE
PID:4432 -
C:\Windows\SysWOW64\rmdd.exeC:\Windows\system32\rmdd.exe 1060 "C:\Windows\SysWOW64\iphq.exe"35⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2228 -
C:\Windows\SysWOW64\rmdd.exeC:\Windows\SysWOW64\rmdd.exe H:\Hex Projects\LiquidBot.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1900 -
C:\Windows\SysWOW64\vrwl.exeC:\Windows\system32\vrwl.exe 1072 "C:\Windows\SysWOW64\rmdd.exe"37⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2708 -
C:\Windows\SysWOW64\vrwl.exeC:\Windows\SysWOW64\vrwl.exe H:\Hex Projects\LiquidBot.exe38⤵
- Executes dropped EXE
PID:4728 -
C:\Windows\SysWOW64\eoky.exeC:\Windows\system32\eoky.exe 1056 "C:\Windows\SysWOW64\vrwl.exe"39⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1176 -
C:\Windows\SysWOW64\eoky.exeC:\Windows\SysWOW64\eoky.exe H:\Hex Projects\LiquidBot.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3624 -
C:\Windows\SysWOW64\iteg.exeC:\Windows\system32\iteg.exe 1044 "C:\Windows\SysWOW64\eoky.exe"41⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1660 -
C:\Windows\SysWOW64\iteg.exeC:\Windows\SysWOW64\iteg.exe H:\Hex Projects\LiquidBot.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4784 -
C:\Windows\SysWOW64\rqrt.exeC:\Windows\system32\rqrt.exe 1056 "C:\Windows\SysWOW64\iteg.exe"43⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3592 -
C:\Windows\SysWOW64\rqrt.exeC:\Windows\SysWOW64\rqrt.exe H:\Hex Projects\LiquidBot.exe44⤵
- Executes dropped EXE
PID:756 -
C:\Windows\SysWOW64\wrzo.exeC:\Windows\system32\wrzo.exe 1052 "C:\Windows\SysWOW64\rqrt.exe"45⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3036 -
C:\Windows\SysWOW64\wrzo.exeC:\Windows\SysWOW64\wrzo.exe H:\Hex Projects\LiquidBot.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2020 -
C:\Windows\SysWOW64\aetw.exeC:\Windows\system32\aetw.exe 1032 "C:\Windows\SysWOW64\wrzo.exe"47⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4956 -
C:\Windows\SysWOW64\aetw.exeC:\Windows\SysWOW64\aetw.exe H:\Hex Projects\LiquidBot.exe48⤵
- Executes dropped EXE
PID:3940 -
C:\Windows\SysWOW64\jtpj.exeC:\Windows\system32\jtpj.exe 1160 "C:\Windows\SysWOW64\aetw.exe"49⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3656 -
C:\Windows\SysWOW64\jtpj.exeC:\Windows\SysWOW64\jtpj.exe H:\Hex Projects\LiquidBot.exe50⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\ngir.exeC:\Windows\system32\ngir.exe 1040 "C:\Windows\SysWOW64\jtpj.exe"51⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1136 -
C:\Windows\SysWOW64\ngir.exeC:\Windows\SysWOW64\ngir.exe H:\Hex Projects\LiquidBot.exe52⤵
- Executes dropped EXE
PID:5012 -
C:\Windows\SysWOW64\ovwe.exeC:\Windows\system32\ovwe.exe 1100 "C:\Windows\SysWOW64\ngir.exe"53⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3848 -
C:\Windows\SysWOW64\ovwe.exeC:\Windows\SysWOW64\ovwe.exe H:\Hex Projects\LiquidBot.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4712 -
C:\Windows\SysWOW64\sipm.exeC:\Windows\system32\sipm.exe 1056 "C:\Windows\SysWOW64\ovwe.exe"55⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3592 -
C:\Windows\SysWOW64\sipm.exeC:\Windows\SysWOW64\sipm.exe H:\Hex Projects\LiquidBot.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4000 -
C:\Windows\SysWOW64\abom.exeC:\Windows\system32\abom.exe 1056 "C:\Windows\SysWOW64\sipm.exe"57⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4928 -
C:\Windows\SysWOW64\abom.exeC:\Windows\SysWOW64\abom.exe H:\Hex Projects\LiquidBot.exe58⤵
- Executes dropped EXE
PID:3572 -
C:\Windows\SysWOW64\iycz.exeC:\Windows\system32\iycz.exe 1056 "C:\Windows\SysWOW64\abom.exe"59⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1744 -
C:\Windows\SysWOW64\iycz.exeC:\Windows\SysWOW64\iycz.exe H:\Hex Projects\LiquidBot.exe60⤵
- Executes dropped EXE
PID:5088 -
C:\Windows\SysWOW64\ndvh.exeC:\Windows\system32\ndvh.exe 1056 "C:\Windows\SysWOW64\iycz.exe"61⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2824 -
C:\Windows\SysWOW64\ndvh.exeC:\Windows\SysWOW64\ndvh.exe H:\Hex Projects\LiquidBot.exe62⤵
- Executes dropped EXE
PID:4012 -
C:\Windows\SysWOW64\varu.exeC:\Windows\system32\varu.exe 1044 "C:\Windows\SysWOW64\ndvh.exe"63⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:696 -
C:\Windows\SysWOW64\varu.exeC:\Windows\SysWOW64\varu.exe H:\Hex Projects\LiquidBot.exe64⤵
- Executes dropped EXE
PID:4784 -
C:\Windows\SysWOW64\afdc.exeC:\Windows\system32\afdc.exe 1056 "C:\Windows\SysWOW64\varu.exe"65⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:772 -
C:\Windows\SysWOW64\afdc.exeC:\Windows\SysWOW64\afdc.exe H:\Hex Projects\LiquidBot.exe66⤵
- Executes dropped EXE
PID:4668 -
C:\Windows\SysWOW64\icyp.exeC:\Windows\system32\icyp.exe 1056 "C:\Windows\SysWOW64\afdc.exe"67⤵
- Suspicious use of SetThreadContext
PID:212 -
C:\Windows\SysWOW64\icyp.exeC:\Windows\SysWOW64\icyp.exe H:\Hex Projects\LiquidBot.exe68⤵
- System Location Discovery: System Language Discovery
PID:4808 -
C:\Windows\SysWOW64\nhsx.exeC:\Windows\system32\nhsx.exe 1064 "C:\Windows\SysWOW64\icyp.exe"69⤵
- Suspicious use of SetThreadContext
PID:1652 -
C:\Windows\SysWOW64\nhsx.exeC:\Windows\SysWOW64\nhsx.exe H:\Hex Projects\LiquidBot.exe70⤵
PID:4528 -
C:\Windows\SysWOW64\vefl.exeC:\Windows\system32\vefl.exe 1056 "C:\Windows\SysWOW64\nhsx.exe"71⤵
- Suspicious use of SetThreadContext
PID:2560 -
C:\Windows\SysWOW64\vefl.exeC:\Windows\SysWOW64\vefl.exe H:\Hex Projects\LiquidBot.exe72⤵
- Drops file in System32 directory
PID:1984 -
C:\Windows\SysWOW64\dxel.exeC:\Windows\system32\dxel.exe 1064 "C:\Windows\SysWOW64\vefl.exe"73⤵
- Suspicious use of SetThreadContext
PID:2652 -
C:\Windows\SysWOW64\dxel.exeC:\Windows\SysWOW64\dxel.exe H:\Hex Projects\LiquidBot.exe74⤵
PID:4672 -
C:\Windows\SysWOW64\ijyt.exeC:\Windows\system32\ijyt.exe 1056 "C:\Windows\SysWOW64\dxel.exe"75⤵
- Suspicious use of SetThreadContext
PID:2680 -
C:\Windows\SysWOW64\ijyt.exeC:\Windows\SysWOW64\ijyt.exe H:\Hex Projects\LiquidBot.exe76⤵
PID:2288 -
C:\Windows\SysWOW64\qzlg.exeC:\Windows\system32\qzlg.exe 1056 "C:\Windows\SysWOW64\ijyt.exe"77⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1900 -
C:\Windows\SysWOW64\qzlg.exeC:\Windows\SysWOW64\qzlg.exe H:\Hex Projects\LiquidBot.exe78⤵
PID:3180 -
C:\Windows\SysWOW64\vlfo.exeC:\Windows\system32\vlfo.exe 1056 "C:\Windows\SysWOW64\qzlg.exe"79⤵
- Suspicious use of SetThreadContext
PID:3036 -
C:\Windows\SysWOW64\vlfo.exeC:\Windows\SysWOW64\vlfo.exe H:\Hex Projects\LiquidBot.exe80⤵
PID:4148 -
C:\Windows\SysWOW64\deeo.exeC:\Windows\system32\deeo.exe 1060 "C:\Windows\SysWOW64\vlfo.exe"81⤵
- Suspicious use of SetThreadContext
PID:2416 -
C:\Windows\SysWOW64\deeo.exeC:\Windows\SysWOW64\deeo.exe H:\Hex Projects\LiquidBot.exe82⤵
PID:4816 -
C:\Windows\SysWOW64\irxw.exeC:\Windows\system32\irxw.exe 1064 "C:\Windows\SysWOW64\deeo.exe"83⤵
- Suspicious use of SetThreadContext
PID:4524 -
C:\Windows\SysWOW64\irxw.exeC:\Windows\SysWOW64\irxw.exe H:\Hex Projects\LiquidBot.exe84⤵
PID:3676 -
C:\Windows\SysWOW64\npce.exeC:\Windows\system32\npce.exe 1044 "C:\Windows\SysWOW64\irxw.exe"85⤵
- Suspicious use of SetThreadContext
PID:3540 -
C:\Windows\SysWOW64\npce.exeC:\Windows\SysWOW64\npce.exe H:\Hex Projects\LiquidBot.exe86⤵
PID:3408 -
C:\Windows\SysWOW64\vmqr.exeC:\Windows\system32\vmqr.exe 1056 "C:\Windows\SysWOW64\npce.exe"87⤵
- Suspicious use of SetThreadContext
PID:3592 -
C:\Windows\SysWOW64\vmqr.exeC:\Windows\SysWOW64\vmqr.exe H:\Hex Projects\LiquidBot.exe88⤵
- Drops file in System32 directory
PID:2376 -
C:\Windows\SysWOW64\arkz.exeC:\Windows\system32\arkz.exe 1044 "C:\Windows\SysWOW64\vmqr.exe"89⤵
- Suspicious use of SetThreadContext
PID:3700 -
C:\Windows\SysWOW64\arkz.exeC:\Windows\SysWOW64\arkz.exe H:\Hex Projects\LiquidBot.exe90⤵
PID:1928 -
C:\Windows\SysWOW64\iriz.exeC:\Windows\system32\iriz.exe 1056 "C:\Windows\SysWOW64\arkz.exe"91⤵
- Suspicious use of SetThreadContext
PID:4012 -
C:\Windows\SysWOW64\iriz.exeC:\Windows\SysWOW64\iriz.exe H:\Hex Projects\LiquidBot.exe92⤵
PID:1260 -
C:\Windows\SysWOW64\qgem.exeC:\Windows\system32\qgem.exe 1060 "C:\Windows\SysWOW64\iriz.exe"93⤵
- Suspicious use of SetThreadContext
PID:4156 -
C:\Windows\SysWOW64\qgem.exeC:\Windows\SysWOW64\qgem.exe H:\Hex Projects\LiquidBot.exe94⤵
PID:1504 -
C:\Windows\SysWOW64\vtqu.exeC:\Windows\system32\vtqu.exe 1044 "C:\Windows\SysWOW64\qgem.exe"95⤵
- Suspicious use of SetThreadContext
PID:2084 -
C:\Windows\SysWOW64\vtqu.exeC:\Windows\SysWOW64\vtqu.exe H:\Hex Projects\LiquidBot.exe96⤵
PID:3540 -
C:\Windows\SysWOW64\dilh.exeC:\Windows\system32\dilh.exe 1056 "C:\Windows\SysWOW64\vtqu.exe"97⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3396 -
C:\Windows\SysWOW64\dilh.exeC:\Windows\SysWOW64\dilh.exe H:\Hex Projects\LiquidBot.exe98⤵
PID:4808 -
C:\Windows\SysWOW64\ivfp.exeC:\Windows\system32\ivfp.exe 1056 "C:\Windows\SysWOW64\dilh.exe"99⤵
- Suspicious use of SetThreadContext
PID:1604 -
C:\Windows\SysWOW64\ivfp.exeC:\Windows\SysWOW64\ivfp.exe H:\Hex Projects\LiquidBot.exe100⤵
PID:3700 -
C:\Windows\SysWOW64\qoep.exeC:\Windows\system32\qoep.exe 1056 "C:\Windows\SysWOW64\ivfp.exe"101⤵
- Suspicious use of SetThreadContext
PID:2708 -
C:\Windows\SysWOW64\qoep.exeC:\Windows\SysWOW64\qoep.exe H:\Hex Projects\LiquidBot.exe102⤵
PID:2292 -
C:\Windows\SysWOW64\ypdp.exeC:\Windows\system32\ypdp.exe 1056 "C:\Windows\SysWOW64\qoep.exe"103⤵
- Suspicious use of SetThreadContext
PID:1900 -
C:\Windows\SysWOW64\ypdp.exeC:\Windows\SysWOW64\ypdp.exe H:\Hex Projects\LiquidBot.exe104⤵
PID:3312 -
C:\Windows\SysWOW64\dbwx.exeC:\Windows\system32\dbwx.exe 1056 "C:\Windows\SysWOW64\ypdp.exe"105⤵
- Suspicious use of SetThreadContext
PID:740 -
C:\Windows\SysWOW64\dbwx.exeC:\Windows\SysWOW64\dbwx.exe H:\Hex Projects\LiquidBot.exe106⤵
- Drops file in System32 directory
PID:2476 -
C:\Windows\SysWOW64\lrkl.exeC:\Windows\system32\lrkl.exe 1040 "C:\Windows\SysWOW64\dbwx.exe"107⤵
- Suspicious use of SetThreadContext
PID:244 -
C:\Windows\SysWOW64\lrkl.exeC:\Windows\SysWOW64\lrkl.exe H:\Hex Projects\LiquidBot.exe108⤵
- System Location Discovery: System Language Discovery
PID:3176 -
C:\Windows\SysWOW64\qdds.exeC:\Windows\system32\qdds.exe 1056 "C:\Windows\SysWOW64\lrkl.exe"109⤵
- Suspicious use of SetThreadContext
PID:4672 -
C:\Windows\SysWOW64\qdds.exeC:\Windows\SysWOW64\qdds.exe H:\Hex Projects\LiquidBot.exe110⤵
PID:5048 -
C:\Windows\SysWOW64\ytrg.exeC:\Windows\system32\ytrg.exe 1052 "C:\Windows\SysWOW64\qdds.exe"111⤵
- Suspicious use of SetThreadContext
PID:3844 -
C:\Windows\SysWOW64\ytrg.exeC:\Windows\SysWOW64\ytrg.exe H:\Hex Projects\LiquidBot.exe112⤵
PID:520 -
C:\Windows\SysWOW64\duhb.exeC:\Windows\system32\duhb.exe 1068 "C:\Windows\SysWOW64\ytrg.exe"113⤵
- Suspicious use of SetThreadContext
PID:3160 -
C:\Windows\SysWOW64\duhb.exeC:\Windows\SysWOW64\duhb.exe H:\Hex Projects\LiquidBot.exe114⤵
PID:4520 -
C:\Windows\SysWOW64\lvgb.exeC:\Windows\system32\lvgb.exe 1056 "C:\Windows\SysWOW64\duhb.exe"115⤵
- Suspicious use of SetThreadContext
PID:4564 -
C:\Windows\SysWOW64\lvgb.exeC:\Windows\SysWOW64\lvgb.exe H:\Hex Projects\LiquidBot.exe116⤵
- Drops file in System32 directory
PID:3396 -
C:\Windows\SysWOW64\ihaj.exeC:\Windows\system32\ihaj.exe 1056 "C:\Windows\SysWOW64\lvgb.exe"117⤵
- Suspicious use of SetThreadContext
PID:4072 -
C:\Windows\SysWOW64\ihaj.exeC:\Windows\SysWOW64\ihaj.exe H:\Hex Projects\LiquidBot.exe118⤵
PID:4024 -
C:\Windows\SysWOW64\qxnw.exeC:\Windows\system32\qxnw.exe 1032 "C:\Windows\SysWOW64\ihaj.exe"119⤵
- Suspicious use of SetThreadContext
PID:3916 -
C:\Windows\SysWOW64\qxnw.exeC:\Windows\SysWOW64\qxnw.exe H:\Hex Projects\LiquidBot.exe120⤵
PID:3124 -
C:\Windows\SysWOW64\vjhe.exeC:\Windows\system32\vjhe.exe 1064 "C:\Windows\SysWOW64\qxnw.exe"121⤵
- Suspicious use of SetThreadContext
PID:4556 -
C:\Windows\SysWOW64\vjhe.exeC:\Windows\SysWOW64\vjhe.exe H:\Hex Projects\LiquidBot.exe122⤵
PID:2016 -