Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
15-12-2024 09:15
General
-
Target
f3501af5dc8b0b319e544e6a10e1906a_JaffaCakes118.exe
-
Size
237KB
-
MD5
f3501af5dc8b0b319e544e6a10e1906a
-
SHA1
75197310bd9e7ef576bbf4166fc1044c374d8aa4
-
SHA256
e0ae1fd7a171e754d040c4a1e6a7ea5e130b354498e1d8ebfb7592e3edb10e8d
-
SHA512
23f1c6ec841377fed2744ac71303c84cc82e68a00744d19e67fba7d15734b190c1127db64798ee88a28084836b8631255f2d2ce40699b62cd065185427161a99
-
SSDEEP
6144:c8uZgVdFVTjOYkli66UpQrASF2nOewP/wnwR3:cXZi8pY66UpQ/F6O9t
Score
10/10
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modiloader family
-
ModiLoader Second Stage 21 IoCs
-
Executes dropped EXE 64 IoCs
-
Drops file in System32 directory 64 IoCs
-
Suspicious use of SetThreadContext 64 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f3501af5dc8b0b319e544e6a10e1906a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f3501af5dc8b0b319e544e6a10e1906a_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f3501af5dc8b0b319e544e6a10e1906a_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\f3501af5dc8b0b319e544e6a10e1906a_JaffaCakes118.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ggvnlqub.exeC:\Windows\system32\ggvnlqub.exe 1000 "C:\Users\Admin\AppData\Local\Temp\f3501af5dc8b0b319e544e6a10e1906a_JaffaCakes118.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ggvnlqub.exeC:\Windows\SysWOW64\ggvnlqub.exe 1000 C:\Users\Admin\AppData\Local\Temp\f3501af5dc8b0b319e544e6a10e1906a_JaffaCakes118.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\gjhfauzv.exeC:\Windows\system32\gjhfauzv.exe 1148 "C:\Windows\SysWOW64\ggvnlqub.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\gjhfauzv.exeC:\Windows\SysWOW64\gjhfauzv.exe 1148 C:\Windows\SysWOW64\ggvnlqub.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ohvsleeo.exeC:\Windows\system32\ohvsleeo.exe 1148 "C:\Windows\SysWOW64\gjhfauzv.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ohvsleeo.exeC:\Windows\SysWOW64\ohvsleeo.exe 1148 C:\Windows\SysWOW64\gjhfauzv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\dedsyxfa.exeC:\Windows\system32\dedsyxfa.exe 1148 "C:\Windows\SysWOW64\ohvsleeo.exe"9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\dedsyxfa.exeC:\Windows\SysWOW64\dedsyxfa.exe 1148 C:\Windows\SysWOW64\ohvsleeo.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\oosydnhc.exeC:\Windows\system32\oosydnhc.exe 1148 "C:\Windows\SysWOW64\dedsyxfa.exe"11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\oosydnhc.exeC:\Windows\SysWOW64\oosydnhc.exe 1148 C:\Windows\SysWOW64\dedsyxfa.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\gvvdigjh.exeC:\Windows\system32\gvvdigjh.exe 1148 "C:\Windows\SysWOW64\oosydnhc.exe"13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\gvvdigjh.exeC:\Windows\SysWOW64\gvvdigjh.exe 1148 C:\Windows\SysWOW64\oosydnhc.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ndqdudkr.exeC:\Windows\system32\ndqdudkr.exe 1148 "C:\Windows\SysWOW64\gvvdigjh.exe"15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ndqdudkr.exeC:\Windows\SysWOW64\ndqdudkr.exe 1148 C:\Windows\SysWOW64\gvvdigjh.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ablgcdqg.exeC:\Windows\system32\ablgcdqg.exe 1044 "C:\Windows\SysWOW64\ndqdudkr.exe"17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\ablgcdqg.exeC:\Windows\SysWOW64\ablgcdqg.exe 1044 C:\Windows\SysWOW64\ndqdudkr.exe18⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\gzqoqexj.exeC:\Windows\system32\gzqoqexj.exe 1148 "C:\Windows\SysWOW64\ablgcdqg.exe"19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\gzqoqexj.exeC:\Windows\SysWOW64\gzqoqexj.exe 1148 C:\Windows\SysWOW64\ablgcdqg.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\oodbcpuc.exeC:\Windows\system32\oodbcpuc.exe 1148 "C:\Windows\SysWOW64\gzqoqexj.exe"21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\oodbcpuc.exeC:\Windows\SysWOW64\oodbcpuc.exe 1148 C:\Windows\SysWOW64\gzqoqexj.exe22⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\vwrboeev.exeC:\Windows\system32\vwrboeev.exe 1032 "C:\Windows\SysWOW64\oodbcpuc.exe"23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\vwrboeev.exeC:\Windows\SysWOW64\vwrboeev.exe 1032 C:\Windows\SysWOW64\oodbcpuc.exe24⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\jfxerewf.exeC:\Windows\system32\jfxerewf.exe 1148 "C:\Windows\SysWOW64\vwrboeev.exe"25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\jfxerewf.exeC:\Windows\SysWOW64\jfxerewf.exe 1148 C:\Windows\SysWOW64\vwrboeev.exe26⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\weahaebm.exeC:\Windows\system32\weahaebm.exe 1016 "C:\Windows\SysWOW64\jfxerewf.exe"27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\weahaebm.exeC:\Windows\SysWOW64\weahaebm.exe 1016 C:\Windows\SysWOW64\jfxerewf.exe28⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\gdeesdjm.exeC:\Windows\system32\gdeesdjm.exe 1036 "C:\Windows\SysWOW64\weahaebm.exe"29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\gdeesdjm.exeC:\Windows\SysWOW64\gdeesdjm.exe 1036 C:\Windows\SysWOW64\weahaebm.exe30⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\lemzbips.exeC:\Windows\system32\lemzbips.exe 1148 "C:\Windows\SysWOW64\gdeesdjm.exe"31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\lemzbips.exeC:\Windows\SysWOW64\lemzbips.exe 1148 C:\Windows\SysWOW64\gdeesdjm.exe32⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\yotklihc.exeC:\Windows\system32\yotklihc.exe 1016 "C:\Windows\SysWOW64\lemzbips.exe"33⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\yotklihc.exeC:\Windows\SysWOW64\yotklihc.exe 1016 C:\Windows\SysWOW64\lemzbips.exe34⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\lmnmuqmj.exeC:\Windows\system32\lmnmuqmj.exe 1148 "C:\Windows\SysWOW64\yotklihc.exe"35⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\lmnmuqmj.exeC:\Windows\SysWOW64\lmnmuqmj.exe 1148 C:\Windows\SysWOW64\yotklihc.exe36⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\ydqpdqsz.exeC:\Windows\system32\ydqpdqsz.exe 1148 "C:\Windows\SysWOW64\lmnmuqmj.exe"37⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\ydqpdqsz.exeC:\Windows\SysWOW64\ydqpdqsz.exe 1148 C:\Windows\SysWOW64\lmnmuqmj.exe38⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\yhaumjuo.exeC:\Windows\system32\yhaumjuo.exe 1032 "C:\Windows\SysWOW64\ydqpdqsz.exe"39⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\yhaumjuo.exeC:\Windows\SysWOW64\yhaumjuo.exe 1032 C:\Windows\SysWOW64\ydqpdqsz.exe40⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\dijpdgau.exeC:\Windows\system32\dijpdgau.exe 1044 "C:\Windows\SysWOW64\yhaumjuo.exe"41⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\dijpdgau.exeC:\Windows\SysWOW64\dijpdgau.exe 1044 C:\Windows\SysWOW64\yhaumjuo.exe42⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\nekikbbr.exeC:\Windows\system32\nekikbbr.exe 1032 "C:\Windows\SysWOW64\dijpdgau.exe"43⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\nekikbbr.exeC:\Windows\SysWOW64\nekikbbr.exe 1032 C:\Windows\SysWOW64\dijpdgau.exe44⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\vfiizqfn.exeC:\Windows\system32\vfiizqfn.exe 1032 "C:\Windows\SysWOW64\nekikbbr.exe"45⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\vfiizqfn.exeC:\Windows\SysWOW64\vfiizqfn.exe 1032 C:\Windows\SysWOW64\nekikbbr.exe46⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\issxfles.exeC:\Windows\system32\issxfles.exe 1152 "C:\Windows\SysWOW64\vfiizqfn.exe"47⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\issxfles.exeC:\Windows\SysWOW64\issxfles.exe 1152 C:\Windows\SysWOW64\vfiizqfn.exe48⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\srevpklr.exeC:\Windows\system32\srevpklr.exe 1148 "C:\Windows\SysWOW64\issxfles.exe"49⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\srevpklr.exeC:\Windows\SysWOW64\srevpklr.exe 1148 C:\Windows\SysWOW64\issxfles.exe50⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\djuauinu.exeC:\Windows\system32\djuauinu.exe 1000 "C:\Windows\SysWOW64\srevpklr.exe"51⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\djuauinu.exeC:\Windows\SysWOW64\djuauinu.exe 1000 C:\Windows\SysWOW64\srevpklr.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\scrndwql.exeC:\Windows\system32\scrndwql.exe 1020 "C:\Windows\SysWOW64\djuauinu.exe"53⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\scrndwql.exeC:\Windows\SysWOW64\scrndwql.exe 1020 C:\Windows\SysWOW64\djuauinu.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\vmilwsyk.exeC:\Windows\system32\vmilwsyk.exe 1048 "C:\Windows\SysWOW64\scrndwql.exe"55⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\vmilwsyk.exeC:\Windows\SysWOW64\vmilwsyk.exe 1048 C:\Windows\SysWOW64\scrndwql.exe56⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\kculccty.exeC:\Windows\system32\kculccty.exe 1032 "C:\Windows\SysWOW64\vmilwsyk.exe"57⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\kculccty.exeC:\Windows\SysWOW64\kculccty.exe 1032 C:\Windows\SysWOW64\vmilwsyk.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\agcggpyt.exeC:\Windows\system32\agcggpyt.exe 1148 "C:\Windows\SysWOW64\kculccty.exe"59⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\agcggpyt.exeC:\Windows\SysWOW64\agcggpyt.exe 1148 C:\Windows\SysWOW64\kculccty.exe60⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\nxxippva.exeC:\Windows\system32\nxxippva.exe 1044 "C:\Windows\SysWOW64\agcggpyt.exe"61⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\nxxippva.exeC:\Windows\SysWOW64\nxxippva.exe 1044 C:\Windows\SysWOW64\agcggpyt.exe62⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\xebghodz.exeC:\Windows\system32\xebghodz.exe 1020 "C:\Windows\SysWOW64\nxxippva.exe"63⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\xebghodz.exeC:\Windows\SysWOW64\xebghodz.exe 1020 C:\Windows\SysWOW64\nxxippva.exe64⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\kuejqwjh.exeC:\Windows\system32\kuejqwjh.exe 1152 "C:\Windows\SysWOW64\xebghodz.exe"65⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\kuejqwjh.exeC:\Windows\SysWOW64\kuejqwjh.exe 1152 C:\Windows\SysWOW64\xebghodz.exe66⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\tkrwuzga.exeC:\Windows\system32\tkrwuzga.exe 1148 "C:\Windows\SysWOW64\kuejqwjh.exe"67⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\tkrwuzga.exeC:\Windows\SysWOW64\tkrwuzga.exe 1148 C:\Windows\SysWOW64\kuejqwjh.exe68⤵
-
C:\Windows\SysWOW64\akqwinkv.exeC:\Windows\system32\akqwinkv.exe 1032 "C:\Windows\SysWOW64\tkrwuzga.exe"69⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\akqwinkv.exeC:\Windows\SysWOW64\akqwinkv.exe 1032 C:\Windows\SysWOW64\tkrwuzga.exe70⤵
-
C:\Windows\SysWOW64\aocoxrop.exeC:\Windows\system32\aocoxrop.exe 1032 "C:\Windows\SysWOW64\akqwinkv.exe"71⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\aocoxrop.exeC:\Windows\SysWOW64\aocoxrop.exe 1032 C:\Windows\SysWOW64\akqwinkv.exe72⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\ljdhempm.exeC:\Windows\system32\ljdhempm.exe 1040 "C:\Windows\SysWOW64\aocoxrop.exe"73⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\ljdhempm.exeC:\Windows\SysWOW64\ljdhempm.exe 1040 C:\Windows\SysWOW64\aocoxrop.exe74⤵
-
C:\Windows\SysWOW64\nbvwxixl.exeC:\Windows\system32\nbvwxixl.exe 1032 "C:\Windows\SysWOW64\ljdhempm.exe"75⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\nbvwxixl.exeC:\Windows\SysWOW64\nbvwxixl.exe 1032 C:\Windows\SysWOW64\ljdhempm.exe76⤵
-
C:\Windows\SysWOW64\asqzfqcs.exeC:\Windows\system32\asqzfqcs.exe 1148 "C:\Windows\SysWOW64\nbvwxixl.exe"77⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\asqzfqcs.exeC:\Windows\SysWOW64\asqzfqcs.exe 1148 C:\Windows\SysWOW64\nbvwxixl.exe78⤵
-
C:\Windows\SysWOW64\nqtcoyaz.exeC:\Windows\system32\nqtcoyaz.exe 1148 "C:\Windows\SysWOW64\asqzfqcs.exe"79⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\nqtcoyaz.exeC:\Windows\SysWOW64\nqtcoyaz.exe 1148 C:\Windows\SysWOW64\asqzfqcs.exe80⤵
-
C:\Windows\SysWOW64\adcsuuhm.exeC:\Windows\system32\adcsuuhm.exe 1148 "C:\Windows\SysWOW64\nqtcoyaz.exe"81⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\adcsuuhm.exeC:\Windows\SysWOW64\adcsuuhm.exe 1148 C:\Windows\SysWOW64\nqtcoyaz.exe82⤵
-
C:\Windows\SysWOW64\nquhzyfr.exeC:\Windows\system32\nquhzyfr.exe 1148 "C:\Windows\SysWOW64\adcsuuhm.exe"83⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\nquhzyfr.exeC:\Windows\SysWOW64\nquhzyfr.exe 1148 C:\Windows\SysWOW64\adcsuuhm.exe84⤵
-
C:\Windows\SysWOW64\ahokigdg.exeC:\Windows\system32\ahokigdg.exe 1152 "C:\Windows\SysWOW64\nquhzyfr.exe"85⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\ahokigdg.exeC:\Windows\SysWOW64\ahokigdg.exe 1152 C:\Windows\SysWOW64\nquhzyfr.exe86⤵
-
C:\Windows\SysWOW64\nfrnzoin.exeC:\Windows\system32\nfrnzoin.exe 1148 "C:\Windows\SysWOW64\ahokigdg.exe"87⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\nfrnzoin.exeC:\Windows\SysWOW64\nfrnzoin.exe 1148 C:\Windows\SysWOW64\ahokigdg.exe88⤵
-
C:\Windows\SysWOW64\xevkjnqn.exeC:\Windows\system32\xevkjnqn.exe 1148 "C:\Windows\SysWOW64\nfrnzoin.exe"89⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\xevkjnqn.exeC:\Windows\SysWOW64\xevkjnqn.exe 1148 C:\Windows\SysWOW64\nfrnzoin.exe90⤵
-
C:\Windows\SysWOW64\locvmfqx.exeC:\Windows\system32\locvmfqx.exe 1152 "C:\Windows\SysWOW64\xevkjnqn.exe"91⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\locvmfqx.exeC:\Windows\SysWOW64\locvmfqx.exe 1152 C:\Windows\SysWOW64\xevkjnqn.exe92⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\yewxvnne.exeC:\Windows\system32\yewxvnne.exe 1148 "C:\Windows\SysWOW64\locvmfqx.exe"93⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\yewxvnne.exeC:\Windows\SysWOW64\yewxvnne.exe 1148 C:\Windows\SysWOW64\locvmfqx.exe94⤵
-
C:\Windows\SysWOW64\lronaruj.exeC:\Windows\system32\lronaruj.exe 1152 "C:\Windows\SysWOW64\yewxvnne.exe"95⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\lronaruj.exeC:\Windows\SysWOW64\lronaruj.exe 1152 C:\Windows\SysWOW64\yewxvnne.exe96⤵
-
C:\Windows\SysWOW64\vysllpuj.exeC:\Windows\system32\vysllpuj.exe 1152 "C:\Windows\SysWOW64\lronaruj.exe"97⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\vysllpuj.exeC:\Windows\SysWOW64\vysllpuj.exe 1152 C:\Windows\SysWOW64\lronaruj.exe98⤵
-
C:\Windows\SysWOW64\ldagpvrd.exeC:\Windows\system32\ldagpvrd.exe 1148 "C:\Windows\SysWOW64\vysllpuj.exe"99⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\ldagpvrd.exeC:\Windows\SysWOW64\ldagpvrd.exe 1148 C:\Windows\SysWOW64\vysllpuj.exe100⤵
-
C:\Windows\SysWOW64\vytqepza.exeC:\Windows\system32\vytqepza.exe 1148 "C:\Windows\SysWOW64\ldagpvrd.exe"101⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\vytqepza.exeC:\Windows\SysWOW64\vytqepza.exe 1148 C:\Windows\SysWOW64\ldagpvrd.exe102⤵
-
C:\Windows\SysWOW64\ipwtnxxh.exeC:\Windows\system32\ipwtnxxh.exe 1148 "C:\Windows\SysWOW64\vytqepza.exe"103⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\ipwtnxxh.exeC:\Windows\SysWOW64\ipwtnxxh.exe 1148 C:\Windows\SysWOW64\vytqepza.exe104⤵
-
C:\Windows\SysWOW64\swaqxweh.exeC:\Windows\system32\swaqxweh.exe 1148 "C:\Windows\SysWOW64\ipwtnxxh.exe"105⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\swaqxweh.exeC:\Windows\SysWOW64\swaqxweh.exe 1148 C:\Windows\SysWOW64\ipwtnxxh.exe106⤵
-
C:\Windows\SysWOW64\fjsodadu.exeC:\Windows\system32\fjsodadu.exe 1164 "C:\Windows\SysWOW64\swaqxweh.exe"107⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\fjsodadu.exeC:\Windows\SysWOW64\fjsodadu.exe 1164 C:\Windows\SysWOW64\swaqxweh.exe108⤵
-
C:\Windows\SysWOW64\twbdjwkz.exeC:\Windows\system32\twbdjwkz.exe 1148 "C:\Windows\SysWOW64\fjsodadu.exe"109⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\twbdjwkz.exeC:\Windows\SysWOW64\twbdjwkz.exe 1148 C:\Windows\SysWOW64\fjsodadu.exe110⤵
-
C:\Windows\SysWOW64\fyptuioi.exeC:\Windows\system32\fyptuioi.exe 1148 "C:\Windows\SysWOW64\twbdjwkz.exe"111⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\fyptuioi.exeC:\Windows\SysWOW64\fyptuioi.exe 1148 C:\Windows\SysWOW64\twbdjwkz.exe112⤵
-
C:\Windows\SysWOW64\pxtrnhwi.exeC:\Windows\system32\pxtrnhwi.exe 1148 "C:\Windows\SysWOW64\fyptuioi.exe"113⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\pxtrnhwi.exeC:\Windows\SysWOW64\pxtrnhwi.exe 1148 C:\Windows\SysWOW64\fyptuioi.exe114⤵
-
C:\Windows\SysWOW64\dhatqgos.exeC:\Windows\system32\dhatqgos.exe 1148 "C:\Windows\SysWOW64\pxtrnhwi.exe"115⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\dhatqgos.exeC:\Windows\SysWOW64\dhatqgos.exe 1148 C:\Windows\SysWOW64\pxtrnhwi.exe116⤵
-
C:\Windows\SysWOW64\qxvwyhta.exeC:\Windows\system32\qxvwyhta.exe 1148 "C:\Windows\SysWOW64\dhatqgos.exe"117⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\qxvwyhta.exeC:\Windows\SysWOW64\qxvwyhta.exe 1148 C:\Windows\SysWOW64\dhatqgos.exe118⤵
-
C:\Windows\SysWOW64\atvggbuf.exeC:\Windows\system32\atvggbuf.exe 1148 "C:\Windows\SysWOW64\qxvwyhta.exe"119⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\atvggbuf.exeC:\Windows\SysWOW64\atvggbuf.exe 1148 C:\Windows\SysWOW64\qxvwyhta.exe120⤵
-
C:\Windows\SysWOW64\ksamqacx.exeC:\Windows\system32\ksamqacx.exe 1148 "C:\Windows\SysWOW64\atvggbuf.exe"121⤵
- Suspicious use of SetThreadContext
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-