Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
06/10/2024, 11:42
General
-
Target
17f04436d0d51b7e95655299a8ba30dd_JaffaCakes118.exe
-
Size
552KB
-
MD5
17f04436d0d51b7e95655299a8ba30dd
-
SHA1
a5448c84681e2edfce234b0c5efaba5280df6d03
-
SHA256
185c9a62e294e9c6793152ef0be8372d36d05cb73b5873b4fd90b63541d75d64
-
SHA512
524de2e0393d7403cb7de955b4e42264a119da469d3af81bc3139aa513e82f63659122e0ab9d2041e73a35d267ea5524b86bdb529e7e42e6691fa96ceb09ff00
-
SSDEEP
6144:dwVPqTSTVFhaae3OR3wxJXSMaAA4OUi1DZyRn5ERmnfN/05YacxIBnn8H2QYvM4d:Gxfw3OR3cdAV51ch5ERa/3nxIl4i6AAe
Score
10/10
Malware Config
Extracted
Family
metasploit
Version
encoder/call4_dword_xor
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Executes dropped EXE 64 IoCs
-
Loads dropped DLL 64 IoCs
-
Drops file in System32 directory 64 IoCs
-
Suspicious use of SetThreadContext 64 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\17f04436d0d51b7e95655299a8ba30dd_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\17f04436d0d51b7e95655299a8ba30dd_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\17f04436d0d51b7e95655299a8ba30dd_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\17f04436d0d51b7e95655299a8ba30dd_JaffaCakes118.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\xltmzj.exeC:\Windows\system32\xltmzj.exe 472 "C:\Users\Admin\AppData\Local\Temp\17f04436d0d51b7e95655299a8ba30dd_JaffaCakes118.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\xltmzj.exeC:\Windows\system32\xltmzj.exe 472 "C:\Users\Admin\AppData\Local\Temp\17f04436d0d51b7e95655299a8ba30dd_JaffaCakes118.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\plejyx.exeC:\Windows\system32\plejyx.exe 528 "C:\Windows\SysWOW64\xltmzj.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\plejyx.exeC:\Windows\system32\plejyx.exe 528 "C:\Windows\SysWOW64\xltmzj.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mmowca.exeC:\Windows\system32\mmowca.exe 452 "C:\Windows\SysWOW64\plejyx.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mmowca.exeC:\Windows\system32\mmowca.exe 452 "C:\Windows\SysWOW64\plejyx.exe"8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tqycll.exeC:\Windows\system32\tqycll.exe 452 "C:\Windows\SysWOW64\mmowca.exe"9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tqycll.exeC:\Windows\system32\tqycll.exe 452 "C:\Windows\SysWOW64\mmowca.exe"10⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\abxhin.exeC:\Windows\system32\abxhin.exe 496 "C:\Windows\SysWOW64\tqycll.exe"11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\abxhin.exeC:\Windows\system32\abxhin.exe 496 "C:\Windows\SysWOW64\tqycll.exe"12⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\lxyzqh.exeC:\Windows\system32\lxyzqh.exe 528 "C:\Windows\SysWOW64\abxhin.exe"13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\lxyzqh.exeC:\Windows\system32\lxyzqh.exe 528 "C:\Windows\SysWOW64\abxhin.exe"14⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\vznkdk.exeC:\Windows\system32\vznkdk.exe 496 "C:\Windows\SysWOW64\lxyzqh.exe"15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\vznkdk.exeC:\Windows\system32\vznkdk.exe 496 "C:\Windows\SysWOW64\lxyzqh.exe"16⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\hyimuk.exeC:\Windows\system32\hyimuk.exe 496 "C:\Windows\SysWOW64\vznkdk.exe"17⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\hyimuk.exeC:\Windows\system32\hyimuk.exe 496 "C:\Windows\SysWOW64\vznkdk.exe"18⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\uolpct.exeC:\Windows\system32\uolpct.exe 504 "C:\Windows\SysWOW64\hyimuk.exe"19⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\uolpct.exeC:\Windows\system32\uolpct.exe 504 "C:\Windows\SysWOW64\hyimuk.exe"20⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\cakurm.exeC:\Windows\system32\cakurm.exe 496 "C:\Windows\SysWOW64\uolpct.exe"21⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cakurm.exeC:\Windows\system32\cakurm.exe 496 "C:\Windows\SysWOW64\uolpct.exe"22⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\ukxmzk.exeC:\Windows\system32\ukxmzk.exe 528 "C:\Windows\SysWOW64\cakurm.exe"23⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\ukxmzk.exeC:\Windows\system32\ukxmzk.exe 528 "C:\Windows\SysWOW64\cakurm.exe"24⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\hjspis.exeC:\Windows\system32\hjspis.exe 528 "C:\Windows\SysWOW64\ukxmzk.exe"25⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\hjspis.exeC:\Windows\system32\hjspis.exe 528 "C:\Windows\SysWOW64\ukxmzk.exe"26⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\riemsq.exeC:\Windows\system32\riemsq.exe 528 "C:\Windows\SysWOW64\hjspis.exe"27⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\riemsq.exeC:\Windows\system32\riemsq.exe 528 "C:\Windows\SysWOW64\hjspis.exe"28⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\dkkcmv.exeC:\Windows\system32\dkkcmv.exe 528 "C:\Windows\SysWOW64\riemsq.exe"29⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\dkkcmv.exeC:\Windows\system32\dkkcmv.exe 528 "C:\Windows\SysWOW64\riemsq.exe"30⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\qeqkxh.exeC:\Windows\system32\qeqkxh.exe 528 "C:\Windows\SysWOW64\dkkcmv.exe"31⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\qeqkxh.exeC:\Windows\system32\qeqkxh.exe 528 "C:\Windows\SysWOW64\dkkcmv.exe"32⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\ddlmgq.exeC:\Windows\system32\ddlmgq.exe 528 "C:\Windows\SysWOW64\qeqkxh.exe"33⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\ddlmgq.exeC:\Windows\system32\ddlmgq.exe 528 "C:\Windows\SysWOW64\qeqkxh.exe"34⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\iqdcll.exeC:\Windows\system32\iqdcll.exe 528 "C:\Windows\SysWOW64\ddlmgq.exe"35⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\iqdcll.exeC:\Windows\system32\iqdcll.exe 528 "C:\Windows\SysWOW64\ddlmgq.exe"36⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\sasnzp.exeC:\Windows\system32\sasnzp.exe 528 "C:\Windows\SysWOW64\iqdcll.exe"37⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\sasnzp.exeC:\Windows\system32\sasnzp.exe 528 "C:\Windows\SysWOW64\iqdcll.exe"38⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cdhxus.exeC:\Windows\system32\cdhxus.exe 528 "C:\Windows\SysWOW64\sasnzp.exe"39⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cdhxus.exeC:\Windows\system32\cdhxus.exe 528 "C:\Windows\SysWOW64\sasnzp.exe"40⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\pqrnaw.exeC:\Windows\system32\pqrnaw.exe 528 "C:\Windows\SysWOW64\cdhxus.exe"41⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\pqrnaw.exeC:\Windows\system32\pqrnaw.exe 528 "C:\Windows\SysWOW64\cdhxus.exe"42⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\coupiw.exeC:\Windows\system32\coupiw.exe 528 "C:\Windows\SysWOW64\pqrnaw.exe"43⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\coupiw.exeC:\Windows\system32\coupiw.exe 528 "C:\Windows\SysWOW64\pqrnaw.exe"44⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\piafui.exeC:\Windows\system32\piafui.exe 528 "C:\Windows\SysWOW64\coupiw.exe"45⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\piafui.exeC:\Windows\system32\piafui.exe 528 "C:\Windows\SysWOW64\coupiw.exe"46⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\ztpphl.exeC:\Windows\system32\ztpphl.exe 528 "C:\Windows\SysWOW64\piafui.exe"47⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\ztpphl.exeC:\Windows\system32\ztpphl.exe 528 "C:\Windows\SysWOW64\piafui.exe"48⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\jstnzk.exeC:\Windows\system32\jstnzk.exe 528 "C:\Windows\SysWOW64\ztpphl.exe"49⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\jstnzk.exeC:\Windows\system32\jstnzk.exe 528 "C:\Windows\SysWOW64\ztpphl.exe"50⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\wiwpis.exeC:\Windows\system32\wiwpis.exe 528 "C:\Windows\SysWOW64\jstnzk.exe"51⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\wiwpis.exeC:\Windows\system32\wiwpis.exe 528 "C:\Windows\SysWOW64\jstnzk.exe"52⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\jhrsrs.exeC:\Windows\system32\jhrsrs.exe 528 "C:\Windows\SysWOW64\wiwpis.exe"53⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\jhrsrs.exeC:\Windows\system32\jhrsrs.exe 528 "C:\Windows\SysWOW64\wiwpis.exe"54⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\sjgdew.exeC:\Windows\system32\sjgdew.exe 528 "C:\Windows\SysWOW64\jhrsrs.exe"55⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\sjgdew.exeC:\Windows\system32\sjgdew.exe 528 "C:\Windows\SysWOW64\jhrsrs.exe"56⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\fijfme.exeC:\Windows\system32\fijfme.exe 528 "C:\Windows\SysWOW64\sjgdew.exe"57⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\fijfme.exeC:\Windows\system32\fijfme.exe 528 "C:\Windows\SysWOW64\sjgdew.exe"58⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\syeive.exeC:\Windows\system32\syeive.exe 528 "C:\Windows\SysWOW64\fijfme.exe"59⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\syeive.exeC:\Windows\system32\syeive.exe 528 "C:\Windows\SysWOW64\fijfme.exe"60⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cjtsqh.exeC:\Windows\system32\cjtsqh.exe 528 "C:\Windows\SysWOW64\syeive.exe"61⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cjtsqh.exeC:\Windows\system32\cjtsqh.exe 528 "C:\Windows\SysWOW64\syeive.exe"62⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\paovzp.exeC:\Windows\system32\paovzp.exe 536 "C:\Windows\SysWOW64\cjtsqh.exe"63⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\paovzp.exeC:\Windows\system32\paovzp.exe 536 "C:\Windows\SysWOW64\cjtsqh.exe"64⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cqrqhx.exeC:\Windows\system32\cqrqhx.exe 528 "C:\Windows\SysWOW64\paovzp.exe"65⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cqrqhx.exeC:\Windows\system32\cqrqhx.exe 528 "C:\Windows\SysWOW64\paovzp.exe"66⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mbgava.exeC:\Windows\system32\mbgava.exe 528 "C:\Windows\SysWOW64\cqrqhx.exe"67⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\mbgava.exeC:\Windows\system32\mbgava.exe 528 "C:\Windows\SysWOW64\cqrqhx.exe"68⤵
-
C:\Windows\SysWOW64\zrbddb.exeC:\Windows\system32\zrbddb.exe 528 "C:\Windows\SysWOW64\mbgava.exe"69⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\zrbddb.exeC:\Windows\system32\zrbddb.exe 528 "C:\Windows\SysWOW64\mbgava.exe"70⤵
-
C:\Windows\SysWOW64\lthsxn.exeC:\Windows\system32\lthsxn.exe 528 "C:\Windows\SysWOW64\zrbddb.exe"71⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\lthsxn.exeC:\Windows\system32\lthsxn.exe 528 "C:\Windows\SysWOW64\zrbddb.exe"72⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\zgzicr.exeC:\Windows\system32\zgzicr.exe 528 "C:\Windows\SysWOW64\lthsxn.exe"73⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\zgzicr.exeC:\Windows\system32\zgzicr.exe 528 "C:\Windows\SysWOW64\lthsxn.exe"74⤵
-
C:\Windows\SysWOW64\iuzgtq.exeC:\Windows\system32\iuzgtq.exe 528 "C:\Windows\SysWOW64\zgzicr.exe"75⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\iuzgtq.exeC:\Windows\system32\iuzgtq.exe 528 "C:\Windows\SysWOW64\zgzicr.exe"76⤵
-
C:\Windows\SysWOW64\vluibz.exeC:\Windows\system32\vluibz.exe 528 "C:\Windows\SysWOW64\iuzgtq.exe"77⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\vluibz.exeC:\Windows\system32\vluibz.exe 528 "C:\Windows\SysWOW64\iuzgtq.exe"78⤵
-
C:\Windows\SysWOW64\ijplkh.exeC:\Windows\system32\ijplkh.exe 528 "C:\Windows\SysWOW64\vluibz.exe"79⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\ijplkh.exeC:\Windows\system32\ijplkh.exe 528 "C:\Windows\SysWOW64\vluibz.exe"80⤵
-
C:\Windows\SysWOW64\vasosh.exeC:\Windows\system32\vasosh.exe 528 "C:\Windows\SysWOW64\ijplkh.exe"81⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\vasosh.exeC:\Windows\system32\vasosh.exe 528 "C:\Windows\SysWOW64\ijplkh.exe"82⤵
-
C:\Windows\SysWOW64\iynqbp.exeC:\Windows\system32\iynqbp.exe 528 "C:\Windows\SysWOW64\vasosh.exe"83⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\iynqbp.exeC:\Windows\system32\iynqbp.exe 528 "C:\Windows\SysWOW64\vasosh.exe"84⤵
-
C:\Windows\SysWOW64\sengzw.exeC:\Windows\system32\sengzw.exe 528 "C:\Windows\SysWOW64\iynqbp.exe"85⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\sengzw.exeC:\Windows\system32\sengzw.exe 528 "C:\Windows\SysWOW64\iynqbp.exe"86⤵
-
C:\Windows\SysWOW64\fdiiif.exeC:\Windows\system32\fdiiif.exe 528 "C:\Windows\SysWOW64\sengzw.exe"87⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\fdiiif.exeC:\Windows\system32\fdiiif.exe 528 "C:\Windows\SysWOW64\sengzw.exe"88⤵
-
C:\Windows\SysWOW64\sqayna.exeC:\Windows\system32\sqayna.exe 536 "C:\Windows\SysWOW64\fdiiif.exe"89⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\sqayna.exeC:\Windows\system32\sqayna.exe 536 "C:\Windows\SysWOW64\fdiiif.exe"90⤵
-
C:\Windows\SysWOW64\beavdi.exeC:\Windows\system32\beavdi.exe 528 "C:\Windows\SysWOW64\sqayna.exe"91⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\beavdi.exeC:\Windows\system32\beavdi.exe 528 "C:\Windows\SysWOW64\sqayna.exe"92⤵
-
C:\Windows\SysWOW64\ouvyuq.exeC:\Windows\system32\ouvyuq.exe 528 "C:\Windows\SysWOW64\beavdi.exe"93⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\ouvyuq.exeC:\Windows\system32\ouvyuq.exe 528 "C:\Windows\SysWOW64\beavdi.exe"94⤵
-
C:\Windows\SysWOW64\blqbdq.exeC:\Windows\system32\blqbdq.exe 528 "C:\Windows\SysWOW64\ouvyuq.exe"95⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\blqbdq.exeC:\Windows\system32\blqbdq.exe 528 "C:\Windows\SysWOW64\ouvyuq.exe"96⤵
-
C:\Windows\SysWOW64\ojtdly.exeC:\Windows\system32\ojtdly.exe 528 "C:\Windows\SysWOW64\blqbdq.exe"97⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\ojtdly.exeC:\Windows\system32\ojtdly.exe 528 "C:\Windows\SysWOW64\blqbdq.exe"98⤵
-
C:\Windows\SysWOW64\ymioyb.exeC:\Windows\system32\ymioyb.exe 528 "C:\Windows\SysWOW64\ojtdly.exe"99⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\ymioyb.exeC:\Windows\system32\ymioyb.exe 528 "C:\Windows\SysWOW64\ojtdly.exe"100⤵
-
C:\Windows\SysWOW64\lkdrhk.exeC:\Windows\system32\lkdrhk.exe 528 "C:\Windows\SysWOW64\ymioyb.exe"101⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\lkdrhk.exeC:\Windows\system32\lkdrhk.exe 528 "C:\Windows\SysWOW64\ymioyb.exe"102⤵
-
C:\Windows\SysWOW64\ybglqk.exeC:\Windows\system32\ybglqk.exe 528 "C:\Windows\SysWOW64\lkdrhk.exe"103⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\ybglqk.exeC:\Windows\system32\ybglqk.exe 528 "C:\Windows\SysWOW64\lkdrhk.exe"104⤵
-
C:\Windows\SysWOW64\lzaoys.exeC:\Windows\system32\lzaoys.exe 536 "C:\Windows\SysWOW64\ybglqk.exe"105⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\lzaoys.exeC:\Windows\system32\lzaoys.exe 536 "C:\Windows\SysWOW64\ybglqk.exe"106⤵
-
C:\Windows\SysWOW64\ugblwz.exeC:\Windows\system32\ugblwz.exe 528 "C:\Windows\SysWOW64\lzaoys.exe"107⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\ugblwz.exeC:\Windows\system32\ugblwz.exe 528 "C:\Windows\SysWOW64\lzaoys.exe"108⤵
-
C:\Windows\SysWOW64\ksbgaf.exeC:\Windows\system32\ksbgaf.exe 528 "C:\Windows\SysWOW64\ugblwz.exe"109⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\ksbgaf.exeC:\Windows\system32\ksbgaf.exe 528 "C:\Windows\SysWOW64\ugblwz.exe"110⤵
-
C:\Windows\SysWOW64\uvrroi.exeC:\Windows\system32\uvrroi.exe 528 "C:\Windows\SysWOW64\ksbgaf.exe"111⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\uvrroi.exeC:\Windows\system32\uvrroi.exe 528 "C:\Windows\SysWOW64\ksbgaf.exe"112⤵
-
C:\Windows\SysWOW64\htttwq.exeC:\Windows\system32\htttwq.exe 528 "C:\Windows\SysWOW64\uvrroi.exe"113⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\htttwq.exeC:\Windows\system32\htttwq.exe 528 "C:\Windows\SysWOW64\uvrroi.exe"114⤵
-
C:\Windows\SysWOW64\ukowfy.exeC:\Windows\system32\ukowfy.exe 528 "C:\Windows\SysWOW64\htttwq.exe"115⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\ukowfy.exeC:\Windows\system32\ukowfy.exe 528 "C:\Windows\SysWOW64\htttwq.exe"116⤵
-
C:\Windows\SysWOW64\euegat.exeC:\Windows\system32\euegat.exe 528 "C:\Windows\SysWOW64\ukowfy.exe"117⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\euegat.exeC:\Windows\system32\euegat.exe 528 "C:\Windows\SysWOW64\ukowfy.exe"118⤵
-
C:\Windows\SysWOW64\rokolg.exeC:\Windows\system32\rokolg.exe 528 "C:\Windows\SysWOW64\euegat.exe"119⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\rokolg.exeC:\Windows\system32\rokolg.exe 528 "C:\Windows\SysWOW64\euegat.exe"120⤵
-
C:\Windows\SysWOW64\ebbmrk.exeC:\Windows\system32\ebbmrk.exe 528 "C:\Windows\SysWOW64\rokolg.exe"121⤵
- Suspicious use of SetThreadContext
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-