Analysis Overview
SHA256
dcfac4cd97fab0cf3a91febe447faad646115d46429349af1b80452dd446498a
Threat Level: Shows suspicious behavior
The file e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Executes dropped EXE
Writes to the Master Boot Record (MBR)
Drops file in System32 directory
Suspicious use of SetThreadContext
Unsigned PE
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-06 21:57
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-06 21:57
Reported
2024-04-06 21:58
Platform
win7-20240215-en
Max time kernel
46s
Max time network
16s
Command Line
Signatures
Executes dropped EXE
Loads dropped DLL
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\sykf.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\usly.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\cstw.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\sqdx.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\gbjz.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\cxqh.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\rajc.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\iyfq.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\eesg.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\jcmh.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\muuh.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\msgd.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\ilnu.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\rvpr.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\ywqv.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\zvet.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\ufvs.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\temi.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\mlpq.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\phgu.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\kclk.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\liyp.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\lvdf.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\juue.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\fcnl.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\mnni.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\klim.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\advy.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\zfbr.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\ypro.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\ojlw.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\lbzx.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\ikqr.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\shwd.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\dhwr.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\pxog.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\lqmf.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\qjsa.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\lagj.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\ythx.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\rqsy.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\fiqi.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\rvgb.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\orzw.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\vcjq.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\rwqh.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\dkbk.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\hbpl.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\ycgw.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\dauf.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\fyti.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\cabn.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\uiaf.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\ttou.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\hhlg.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\zfsb.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\ebjh.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\psny.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\yomu.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\tcvc.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\aghd.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\ujnh.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\yksr.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\rwqh.exe | C:\Windows\SysWOW64\ebjh.exe | N/A |
| File created | C:\Windows\SysWOW64\ujnh.exe | C:\Windows\SysWOW64\ilnu.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\uiaf.exe | C:\Windows\SysWOW64\lbzx.exe | N/A |
| File created | C:\Windows\SysWOW64\dhwr.exe | C:\Windows\SysWOW64\rvpr.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\pxog.exe | C:\Windows\SysWOW64\vcjq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dauf.exe | C:\Windows\SysWOW64\muuh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fiqi.exe | C:\Windows\SysWOW64\aghd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ufvs.exe | C:\Windows\SysWOW64\plme.exe | N/A |
| File created | C:\Windows\SysWOW64\advy.exe | C:\Windows\SysWOW64\fiqi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ycgw.exe | C:\Windows\SysWOW64\juue.exe | N/A |
| File created | C:\Windows\SysWOW64\plme.exe | C:\Windows\SysWOW64\ojlw.exe | N/A |
| File created | C:\Windows\SysWOW64\dkbk.exe | C:\Windows\SysWOW64\ttou.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\jcmh.exe | C:\Windows\SysWOW64\eesg.exe | N/A |
| File created | C:\Windows\SysWOW64\aghd.exe | C:\Windows\SysWOW64\gffn.exe | N/A |
| File created | C:\Windows\SysWOW64\uiaf.exe | C:\Windows\SysWOW64\lbzx.exe | N/A |
| File created | C:\Windows\SysWOW64\rvpr.exe | C:\Windows\SysWOW64\zvet.exe | N/A |
| File created | C:\Windows\SysWOW64\iyfq.exe | C:\Windows\SysWOW64\liyp.exe | N/A |
| File created | C:\Windows\SysWOW64\vcjq.exe | C:\Windows\SysWOW64\rqsy.exe | N/A |
| File created | C:\Windows\SysWOW64\kxhr.exe | C:\Windows\SysWOW64\yksr.exe | N/A |
| File created | C:\Windows\SysWOW64\psny.exe | C:\Windows\SysWOW64\ypro.exe | N/A |
| File created | C:\Windows\SysWOW64\cstw.exe | C:\Windows\SysWOW64\pxog.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\advy.exe | C:\Windows\SysWOW64\fiqi.exe | N/A |
| File created | C:\Windows\SysWOW64\usly.exe | C:\Windows\SysWOW64\hbpl.exe | N/A |
| File created | C:\Windows\SysWOW64\muuh.exe | C:\Windows\SysWOW64\ufvs.exe | N/A |
| File created | C:\Windows\SysWOW64\shwd.exe | C:\Windows\SysWOW64\fyti.exe | N/A |
| File created | C:\Windows\SysWOW64\ilnu.exe | C:\Windows\SysWOW64\knou.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zfbr.exe | C:\Windows\SysWOW64\kxhr.exe | N/A |
| File created | C:\Windows\SysWOW64\ebjh.exe | C:\Windows\SysWOW64\dvfm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dhwr.exe | C:\Windows\SysWOW64\rvpr.exe | N/A |
| File created | C:\Windows\SysWOW64\lagj.exe | C:\Windows\SysWOW64\cxqh.exe | N/A |
| File created | C:\Windows\SysWOW64\hbpl.exe | C:\Windows\SysWOW64\sykf.exe | N/A |
| File created | C:\Windows\SysWOW64\ihad.exe | C:\Windows\SysWOW64\lvdf.exe | N/A |
| File created | C:\Windows\SysWOW64\ldxq.exe | C:\Windows\SysWOW64\qjsa.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\eesg.exe | C:\Windows\SysWOW64\hhlg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\qeli.exe | C:\Windows\SysWOW64\ihad.exe | N/A |
| File created | C:\Windows\SysWOW64\ufvs.exe | C:\Windows\SysWOW64\plme.exe | N/A |
| File created | C:\Windows\SysWOW64\juue.exe | C:\Windows\SysWOW64\zfsb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\knou.exe | C:\Windows\SysWOW64\gbzu.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ldxq.exe | C:\Windows\SysWOW64\qjsa.exe | N/A |
| File created | C:\Windows\SysWOW64\yomu.exe | C:\Windows\SysWOW64\dhwr.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vcjq.exe | C:\Windows\SysWOW64\rqsy.exe | N/A |
| File created | C:\Windows\SysWOW64\ikqr.exe | C:\Windows\SysWOW64\vfxi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gffn.exe | C:\Windows\SysWOW64\shwd.exe | N/A |
| File created | C:\Windows\SysWOW64\gbzu.exe | C:\Windows\SysWOW64\rwqh.exe | N/A |
| File created | C:\Windows\SysWOW64\ypro.exe | C:\Windows\SysWOW64\ywqv.exe | N/A |
| File created | C:\Windows\SysWOW64\temi.exe | C:\Windows\SysWOW64\msgd.exe | N/A |
| File created | C:\Windows\SysWOW64\mnni.exe | C:\Windows\SysWOW64\fcnl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ikqr.exe | C:\Windows\SysWOW64\vfxi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\lvdf.exe | C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\mlpq.exe | C:\Windows\SysWOW64\uiaf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ltww.exe | C:\Windows\SysWOW64\rvgb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ujnh.exe | C:\Windows\SysWOW64\ilnu.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\lqmf.exe | C:\Windows\SysWOW64\ujnh.exe | N/A |
| File created | C:\Windows\SysWOW64\kclk.exe | C:\Windows\SysWOW64\phgu.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msgd.exe | C:\Windows\SysWOW64\cabn.exe | N/A |
| File created | C:\Windows\SysWOW64\gffn.exe | C:\Windows\SysWOW64\shwd.exe | N/A |
| File created | C:\Windows\SysWOW64\ojlw.exe | C:\Windows\SysWOW64\tcvc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\muuh.exe | C:\Windows\SysWOW64\ufvs.exe | N/A |
| File created | C:\Windows\SysWOW64\fiqi.exe | C:\Windows\SysWOW64\aghd.exe | N/A |
| File created | C:\Windows\SysWOW64\rvgb.exe | C:\Windows\SysWOW64\advy.exe | N/A |
| File created | C:\Windows\SysWOW64\yksr.exe | C:\Windows\SysWOW64\ltww.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\liyp.exe | C:\Windows\SysWOW64\wlpx.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wmdl.exe | C:\Windows\SysWOW64\qeli.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\iutm.exe | C:\Windows\SysWOW64\ycgw.exe | N/A |
Suspicious use of SetThreadContext
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\yodt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\psny.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\hbpl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\rqsy.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\pxog.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\temi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\fyti.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\advy.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\yksr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\dvfm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\ujnh.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\yomu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\lagj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\zfsb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\muuh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\gffn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\cstw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\jcmh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\jcmh.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\advy.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\liyp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\pxog.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\usly.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\dvfm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\mlpq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\iyfq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\sqdx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\ypro.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\dhwr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\ythx.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\wlpx.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\fyti.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\dvfm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\yomu.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\rajc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\vcjq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\juue.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\temi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\zvet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\vfxi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\advy.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\ltww.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\fcnl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\lqmf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\phgu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\cxqh.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\vcjq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\ikqr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\lvdf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\zvet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\rvpr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\zvet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\ttou.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\rqsy.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\jcmh.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\juue.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\ycgw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\fcnl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\rvgb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\ebjh.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\iyfq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\jdym.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\wlpx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\hhlg.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\lvdf.exe | C:\Windows\system32\lvdf.exe 500 "C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\ihad.exe | C:\Windows\system32\ihad.exe 456 "C:\Windows\SysWOW64\lvdf.exe" |
| C:\Windows\SysWOW64\qeli.exe | C:\Windows\system32\qeli.exe 456 "C:\Windows\SysWOW64\ihad.exe" |
| C:\Windows\SysWOW64\wmdl.exe | C:\Windows\system32\wmdl.exe 456 "C:\Windows\SysWOW64\qeli.exe" |
| C:\Windows\SysWOW64\yodt.exe | C:\Windows\system32\yodt.exe 432 "C:\Windows\SysWOW64\wmdl.exe" |
| C:\Windows\SysWOW64\zfsb.exe | C:\Windows\system32\zfsb.exe 456 "C:\Windows\SysWOW64\yodt.exe" |
| C:\Windows\SysWOW64\juue.exe | C:\Windows\system32\juue.exe 460 "C:\Windows\SysWOW64\zfsb.exe" |
| C:\Windows\SysWOW64\ycgw.exe | C:\Windows\system32\ycgw.exe 460 "C:\Windows\SysWOW64\juue.exe" |
| C:\Windows\SysWOW64\iutm.exe | C:\Windows\system32\iutm.exe 460 "C:\Windows\SysWOW64\ycgw.exe" |
| C:\Windows\SysWOW64\klim.exe | C:\Windows\system32\klim.exe 480 "C:\Windows\SysWOW64\iutm.exe" |
| C:\Windows\SysWOW64\tcvc.exe | C:\Windows\system32\tcvc.exe 460 "C:\Windows\SysWOW64\klim.exe" |
| C:\Windows\SysWOW64\ojlw.exe | C:\Windows\system32\ojlw.exe 480 "C:\Windows\SysWOW64\tcvc.exe" |
| C:\Windows\SysWOW64\plme.exe | C:\Windows\system32\plme.exe 472 "C:\Windows\SysWOW64\ojlw.exe" |
| C:\Windows\SysWOW64\ufvs.exe | C:\Windows\system32\ufvs.exe 480 "C:\Windows\SysWOW64\plme.exe" |
| C:\Windows\SysWOW64\muuh.exe | C:\Windows\system32\muuh.exe 536 "C:\Windows\SysWOW64\ufvs.exe" |
| C:\Windows\SysWOW64\dauf.exe | C:\Windows\system32\dauf.exe 468 "C:\Windows\SysWOW64\muuh.exe" |
| C:\Windows\SysWOW64\sqdx.exe | C:\Windows\system32\sqdx.exe 468 "C:\Windows\SysWOW64\dauf.exe" |
| C:\Windows\SysWOW64\cabn.exe | C:\Windows\system32\cabn.exe 460 "C:\Windows\SysWOW64\sqdx.exe" |
| C:\Windows\SysWOW64\msgd.exe | C:\Windows\system32\msgd.exe 472 "C:\Windows\SysWOW64\cabn.exe" |
| C:\Windows\SysWOW64\temi.exe | C:\Windows\system32\temi.exe 464 "C:\Windows\SysWOW64\msgd.exe" |
| C:\Windows\SysWOW64\fyti.exe | C:\Windows\system32\fyti.exe 464 "C:\Windows\SysWOW64\temi.exe" |
| C:\Windows\SysWOW64\shwd.exe | C:\Windows\system32\shwd.exe 456 "C:\Windows\SysWOW64\fyti.exe" |
| C:\Windows\SysWOW64\gffn.exe | C:\Windows\system32\gffn.exe 468 "C:\Windows\SysWOW64\shwd.exe" |
| C:\Windows\SysWOW64\aghd.exe | C:\Windows\system32\aghd.exe 456 "C:\Windows\SysWOW64\gffn.exe" |
| C:\Windows\SysWOW64\fiqi.exe | C:\Windows\system32\fiqi.exe 464 "C:\Windows\SysWOW64\aghd.exe" |
| C:\Windows\SysWOW64\advy.exe | C:\Windows\system32\advy.exe 468 "C:\Windows\SysWOW64\fiqi.exe" |
| C:\Windows\SysWOW64\rvgb.exe | C:\Windows\system32\rvgb.exe 468 "C:\Windows\SysWOW64\advy.exe" |
| C:\Windows\SysWOW64\ltww.exe | C:\Windows\system32\ltww.exe 464 "C:\Windows\SysWOW64\rvgb.exe" |
| C:\Windows\SysWOW64\yksr.exe | C:\Windows\system32\yksr.exe 504 "C:\Windows\SysWOW64\ltww.exe" |
| C:\Windows\SysWOW64\kxhr.exe | C:\Windows\system32\kxhr.exe 500 "C:\Windows\SysWOW64\yksr.exe" |
| C:\Windows\SysWOW64\zfbr.exe | C:\Windows\system32\zfbr.exe 480 "C:\Windows\SysWOW64\kxhr.exe" |
| C:\Windows\SysWOW64\orzw.exe | C:\Windows\system32\orzw.exe 476 "C:\Windows\SysWOW64\zfbr.exe" |
| C:\Windows\SysWOW64\gbjz.exe | C:\Windows\system32\gbjz.exe 464 "C:\Windows\SysWOW64\orzw.exe" |
| C:\Windows\SysWOW64\dvfm.exe | C:\Windows\system32\dvfm.exe 460 "C:\Windows\SysWOW64\gbjz.exe" |
| C:\Windows\SysWOW64\ebjh.exe | C:\Windows\system32\ebjh.exe 468 "C:\Windows\SysWOW64\dvfm.exe" |
| C:\Windows\SysWOW64\rwqh.exe | C:\Windows\system32\rwqh.exe 480 "C:\Windows\SysWOW64\ebjh.exe" |
| C:\Windows\SysWOW64\gbzu.exe | C:\Windows\system32\gbzu.exe 464 "C:\Windows\SysWOW64\rwqh.exe" |
| C:\Windows\SysWOW64\knou.exe | C:\Windows\system32\knou.exe 456 "C:\Windows\SysWOW64\gbzu.exe" |
| C:\Windows\SysWOW64\ilnu.exe | C:\Windows\system32\ilnu.exe 464 "C:\Windows\SysWOW64\knou.exe" |
| C:\Windows\SysWOW64\ujnh.exe | C:\Windows\system32\ujnh.exe 468 "C:\Windows\SysWOW64\ilnu.exe" |
| C:\Windows\SysWOW64\lqmf.exe | C:\Windows\system32\lqmf.exe 476 "C:\Windows\SysWOW64\ujnh.exe" |
| C:\Windows\SysWOW64\lbzx.exe | C:\Windows\system32\lbzx.exe 476 "C:\Windows\SysWOW64\lqmf.exe" |
| C:\Windows\SysWOW64\uiaf.exe | C:\Windows\system32\uiaf.exe 492 "C:\Windows\SysWOW64\lbzx.exe" |
| C:\Windows\SysWOW64\mlpq.exe | C:\Windows\system32\mlpq.exe 464 "C:\Windows\SysWOW64\uiaf.exe" |
| C:\Windows\SysWOW64\jbvq.exe | C:\Windows\system32\jbvq.exe 472 "C:\Windows\SysWOW64\mlpq.exe" |
| C:\Windows\SysWOW64\qjsa.exe | C:\Windows\system32\qjsa.exe 460 "C:\Windows\SysWOW64\jbvq.exe" |
| C:\Windows\SysWOW64\ldxq.exe | C:\Windows\system32\ldxq.exe 460 "C:\Windows\SysWOW64\qjsa.exe" |
| C:\Windows\SysWOW64\fcnl.exe | C:\Windows\system32\fcnl.exe 468 "C:\Windows\SysWOW64\ldxq.exe" |
| C:\Windows\SysWOW64\mnni.exe | C:\Windows\system32\mnni.exe 464 "C:\Windows\SysWOW64\fcnl.exe" |
| C:\Windows\SysWOW64\ywqv.exe | C:\Windows\system32\ywqv.exe 456 "C:\Windows\SysWOW64\mnni.exe" |
| C:\Windows\SysWOW64\ypro.exe | C:\Windows\system32\ypro.exe 480 "C:\Windows\SysWOW64\ywqv.exe" |
| C:\Windows\SysWOW64\psny.exe | C:\Windows\system32\psny.exe 464 "C:\Windows\SysWOW64\ypro.exe" |
| C:\Windows\SysWOW64\zvet.exe | C:\Windows\system32\zvet.exe 468 "C:\Windows\SysWOW64\psny.exe" |
| C:\Windows\SysWOW64\rvpr.exe | C:\Windows\system32\rvpr.exe 472 "C:\Windows\SysWOW64\zvet.exe" |
| C:\Windows\SysWOW64\dhwr.exe | C:\Windows\system32\dhwr.exe 472 "C:\Windows\SysWOW64\rvpr.exe" |
| C:\Windows\SysWOW64\yomu.exe | C:\Windows\system32\yomu.exe 460 "C:\Windows\SysWOW64\dhwr.exe" |
| C:\Windows\SysWOW64\cxqh.exe | C:\Windows\system32\cxqh.exe 460 "C:\Windows\SysWOW64\yomu.exe" |
| C:\Windows\SysWOW64\lagj.exe | C:\Windows\system32\lagj.exe 476 "C:\Windows\SysWOW64\cxqh.exe" |
| C:\Windows\SysWOW64\ttou.exe | C:\Windows\system32\ttou.exe 460 "C:\Windows\SysWOW64\lagj.exe" |
| C:\Windows\SysWOW64\dkbk.exe | C:\Windows\system32\dkbk.exe 464 "C:\Windows\SysWOW64\ttou.exe" |
| C:\Windows\SysWOW64\rajc.exe | C:\Windows\system32\rajc.exe 464 "C:\Windows\SysWOW64\dkbk.exe" |
| C:\Windows\SysWOW64\jdym.exe | C:\Windows\system32\jdym.exe 468 "C:\Windows\SysWOW64\rajc.exe" |
| C:\Windows\SysWOW64\ythx.exe | C:\Windows\system32\ythx.exe 472 "C:\Windows\SysWOW64\jdym.exe" |
| C:\Windows\SysWOW64\phgu.exe | C:\Windows\system32\phgu.exe 472 "C:\Windows\SysWOW64\ythx.exe" |
| C:\Windows\SysWOW64\kclk.exe | C:\Windows\system32\kclk.exe 480 "C:\Windows\SysWOW64\phgu.exe" |
| C:\Windows\SysWOW64\wlpx.exe | C:\Windows\system32\wlpx.exe 476 "C:\Windows\SysWOW64\kclk.exe" |
| C:\Windows\SysWOW64\liyp.exe | C:\Windows\system32\liyp.exe 456 "C:\Windows\SysWOW64\wlpx.exe" |
| C:\Windows\SysWOW64\iyfq.exe | C:\Windows\system32\iyfq.exe 460 "C:\Windows\SysWOW64\liyp.exe" |
| C:\Windows\SysWOW64\sykf.exe | C:\Windows\system32\sykf.exe 476 "C:\Windows\SysWOW64\iyfq.exe" |
| C:\Windows\SysWOW64\hbpl.exe | C:\Windows\system32\hbpl.exe 468 "C:\Windows\SysWOW64\sykf.exe" |
| C:\Windows\SysWOW64\usly.exe | C:\Windows\system32\usly.exe 460 "C:\Windows\SysWOW64\hbpl.exe" |
| C:\Windows\SysWOW64\rqsy.exe | C:\Windows\system32\rqsy.exe 456 "C:\Windows\SysWOW64\usly.exe" |
| C:\Windows\SysWOW64\vcjq.exe | C:\Windows\system32\vcjq.exe 468 "C:\Windows\SysWOW64\rqsy.exe" |
| C:\Windows\SysWOW64\pxog.exe | C:\Windows\system32\pxog.exe 472 "C:\Windows\SysWOW64\vcjq.exe" |
| C:\Windows\SysWOW64\cstw.exe | C:\Windows\system32\cstw.exe 488 "C:\Windows\SysWOW64\pxog.exe" |
| C:\Windows\SysWOW64\vfxi.exe | C:\Windows\system32\vfxi.exe 464 "C:\Windows\SysWOW64\cstw.exe" |
| C:\Windows\SysWOW64\ikqr.exe | C:\Windows\system32\ikqr.exe 460 "C:\Windows\SysWOW64\vfxi.exe" |
| C:\Windows\SysWOW64\hhlg.exe | C:\Windows\system32\hhlg.exe 456 "C:\Windows\SysWOW64\ikqr.exe" |
| C:\Windows\SysWOW64\eesg.exe | C:\Windows\system32\eesg.exe 472 "C:\Windows\SysWOW64\hhlg.exe" |
| C:\Windows\SysWOW64\jcmh.exe | C:\Windows\system32\jcmh.exe 468 "C:\Windows\SysWOW64\eesg.exe" |
| C:\Windows\SysWOW64\vwth.exe | C:\Windows\system32\vwth.exe 460 "C:\Windows\SysWOW64\jcmh.exe" |
| C:\Windows\SysWOW64\prgo.exe | C:\Windows\system32\prgo.exe 484 "C:\Windows\SysWOW64\vwth.exe" |
| C:\Windows\system32\wbem\WMIADAP.EXE | wmiadap.exe /F /T /R |
| C:\Windows\SysWOW64\hggm.exe | C:\Windows\system32\hggm.exe 476 "C:\Windows\SysWOW64\prgo.exe" |
| C:\Windows\SysWOW64\jiyu.exe | C:\Windows\system32\jiyu.exe 468 "C:\Windows\SysWOW64\hggm.exe" |
| C:\Windows\SysWOW64\ibhm.exe | C:\Windows\system32\ibhm.exe 472 "C:\Windows\SysWOW64\jiyu.exe" |
| C:\Windows\SysWOW64\xqqx.exe | C:\Windows\system32\xqqx.exe 480 "C:\Windows\SysWOW64\ibhm.exe" |
| C:\Windows\SysWOW64\mycx.exe | C:\Windows\system32\mycx.exe 484 "C:\Windows\SysWOW64\xqqx.exe" |
| C:\Windows\SysWOW64\efcn.exe | C:\Windows\system32\efcn.exe 460 "C:\Windows\SysWOW64\mycx.exe" |
| C:\Windows\SysWOW64\town.exe | C:\Windows\system32\town.exe 460 "C:\Windows\SysWOW64\efcn.exe" |
| C:\Windows\SysWOW64\arwc.exe | C:\Windows\system32\arwc.exe 460 "C:\Windows\SysWOW64\town.exe" |
| C:\Windows\SysWOW64\hkev.exe | C:\Windows\system32\hkev.exe 480 "C:\Windows\SysWOW64\arwc.exe" |
| C:\Windows\SysWOW64\zosf.exe | C:\Windows\system32\zosf.exe 464 "C:\Windows\SysWOW64\hkev.exe" |
| C:\Windows\SysWOW64\ghmd.exe | C:\Windows\system32\ghmd.exe 456 "C:\Windows\SysWOW64\zosf.exe" |
C:\Windows\SysWOW64\ghmd.exe
C:\Windows\SysWOW64\iyda.exe
C:\Windows\system32\iyda.exe 460 "C:\Windows\SysWOW64\ghmd.exe"
C:\Windows\SysWOW64\iyda.exe
C:\Windows\SysWOW64\iyda.exe
C:\Windows\SysWOW64\pzal.exe
C:\Windows\system32\pzal.exe 460 "C:\Windows\SysWOW64\iyda.exe"
C:\Windows\SysWOW64\pzal.exe
C:\Windows\SysWOW64\pzal.exe
C:\Windows\SysWOW64\kqcg.exe
C:\Windows\system32\kqcg.exe 456 "C:\Windows\SysWOW64\pzal.exe"
C:\Windows\SysWOW64\kqcg.exe
C:\Windows\SysWOW64\kqcg.exe
C:\Windows\SysWOW64\eokj.exe
C:\Windows\system32\eokj.exe 464 "C:\Windows\SysWOW64\kqcg.exe"
C:\Windows\SysWOW64\eokj.exe
C:\Windows\SysWOW64\eokj.exe
C:\Windows\SysWOW64\tapo.exe
C:\Windows\system32\tapo.exe 460 "C:\Windows\SysWOW64\eokj.exe"
C:\Windows\SysWOW64\tapo.exe
C:\Windows\SysWOW64\tapo.exe
C:\Windows\SysWOW64\votb.exe
C:\Windows\system32\votb.exe 464 "C:\Windows\SysWOW64\tapo.exe"
C:\Windows\SysWOW64\votb.exe
C:\Windows\SysWOW64\votb.exe
C:\Windows\SysWOW64\ejre.exe
C:\Windows\system32\ejre.exe 468 "C:\Windows\SysWOW64\votb.exe"
C:\Windows\SysWOW64\ejre.exe
C:\Windows\SysWOW64\ejre.exe
C:\Windows\SysWOW64\qdye.exe
C:\Windows\system32\qdye.exe 468 "C:\Windows\SysWOW64\ejre.exe"
C:\Windows\SysWOW64\qdye.exe
C:\Windows\SysWOW64\qdye.exe
C:\Windows\SysWOW64\bopt.exe
C:\Windows\system32\bopt.exe 456 "C:\Windows\SysWOW64\qdye.exe"
C:\Windows\SysWOW64\bopt.exe
C:\Windows\SysWOW64\bopt.exe
C:\Windows\SysWOW64\vqqj.exe
C:\Windows\system32\vqqj.exe 468 "C:\Windows\SysWOW64\bopt.exe"
C:\Windows\SysWOW64\vqqj.exe
C:\Windows\SysWOW64\vqqj.exe
C:\Windows\SysWOW64\xltm.exe
C:\Windows\system32\xltm.exe 484 "C:\Windows\SysWOW64\vqqj.exe"
C:\Windows\SysWOW64\xltm.exe
C:\Windows\SysWOW64\xltm.exe
C:\Windows\SysWOW64\hzvp.exe
C:\Windows\system32\hzvp.exe 468 "C:\Windows\SysWOW64\xltm.exe"
C:\Windows\SysWOW64\hzvp.exe
C:\Windows\SysWOW64\hzvp.exe
C:\Windows\SysWOW64\gvhm.exe
C:\Windows\system32\gvhm.exe 476 "C:\Windows\SysWOW64\hzvp.exe"
C:\Windows\SysWOW64\gvhm.exe
C:\Windows\SysWOW64\gvhm.exe
Network
Files
\Windows\SysWOW64\lvdf.exe
| MD5 | e3606fe661cb86e3fe8843d598d9ac13 |
| SHA1 | 7c63a823717d43257e641bd42d37ed5b415308f7 |
| SHA256 | dcfac4cd97fab0cf3a91febe447faad646115d46429349af1b80452dd446498a |
| SHA512 | d57b158fc275400506ddb655c48d5fa6a24a8304ca7ca194ec4f74581c9a5998f88f3c24347dcaaab6c2e724580e69770fb2a722cdd2353459699526f5bb8344 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-06 21:57
Reported
2024-04-06 21:59
Platform
win10v2004-20240226-en
Max time kernel
21s
Max time network
25s
Command Line
Signatures
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\jxhf.exe | C:\Windows\SysWOW64\mwxs.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wzvb.exe | C:\Windows\SysWOW64\jtfg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dklq.exe | C:\Windows\SysWOW64\lvwk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\jxge.exe | C:\Windows\SysWOW64\ragu.exe | N/A |
| File created | C:\Windows\SysWOW64\wzvb.exe | C:\Windows\SysWOW64\jtfg.exe | N/A |
| File created | C:\Windows\SysWOW64\osvn.exe | C:\Windows\SysWOW64\jybk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bwqq.exe | C:\Windows\SysWOW64\dkuv.exe | N/A |
| File created | C:\Windows\SysWOW64\blgv.exe | C:\Windows\SysWOW64\bwqq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\yiob.exe | C:\Windows\SysWOW64\dojl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gjwh.exe | C:\Windows\SysWOW64\blrz.exe | N/A |
| File created | C:\Windows\SysWOW64\hxet.exe | C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wgsz.exe | C:\Windows\SysWOW64\wrct.exe | N/A |
| File created | C:\Windows\SysWOW64\eunr.exe | C:\Windows\SysWOW64\zlfo.exe | N/A |
| File created | C:\Windows\SysWOW64\dwsm.exe | C:\Windows\SysWOW64\ddrc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\olue.exe | C:\Windows\SysWOW64\txdg.exe | N/A |
| File created | C:\Windows\SysWOW64\jxge.exe | C:\Windows\SysWOW64\ragu.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\txdg.exe | C:\Windows\SysWOW64\zcyy.exe | N/A |
| File created | C:\Windows\SysWOW64\wbom.exe | C:\Windows\SysWOW64\ysdm.exe | N/A |
| File created | C:\Windows\SysWOW64\mhyh.exe | C:\Windows\SysWOW64\hfqn.exe | N/A |
| File created | C:\Windows\SysWOW64\efoy.exe | C:\Windows\SysWOW64\eqrb.exe | N/A |
| File created | C:\Windows\SysWOW64\otfk.exe | C:\Windows\SysWOW64\mmqa.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rdxf.exe | C:\Windows\SysWOW64\owrd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\jtfg.exe | C:\Windows\SysWOW64\jxhf.exe | N/A |
| File created | C:\Windows\SysWOW64\jybk.exe | C:\Windows\SysWOW64\rvnz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mmqa.exe | C:\Windows\SysWOW64\osvn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ysdm.exe | C:\Windows\SysWOW64\eunr.exe | N/A |
| File created | C:\Windows\SysWOW64\ddrc.exe | C:\Windows\SysWOW64\gjwh.exe | N/A |
| File created | C:\Windows\SysWOW64\daoc.exe | C:\Windows\SysWOW64\dlrx.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ddbv.exe | C:\Windows\SysWOW64\daoc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\hxet.exe | C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\pnns.exe | C:\Windows\SysWOW64\mhyh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\osvn.exe | C:\Windows\SysWOW64\jybk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\qshp.exe | C:\Windows\SysWOW64\wbom.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\lvwk.exe | C:\Windows\SysWOW64\lgyf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\hfqn.exe | C:\Windows\SysWOW64\jxge.exe | N/A |
| File created | C:\Windows\SysWOW64\zcyy.exe | C:\Windows\SysWOW64\wzvb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\lgyf.exe | C:\Windows\SysWOW64\qshp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zmgj.exe | C:\Windows\SysWOW64\wgsz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mwxs.exe | C:\Windows\SysWOW64\pnns.exe | N/A |
| File created | C:\Windows\SysWOW64\owrd.exe | C:\Windows\SysWOW64\otfk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wbom.exe | C:\Windows\SysWOW64\ysdm.exe | N/A |
| File created | C:\Windows\SysWOW64\qshp.exe | C:\Windows\SysWOW64\wbom.exe | N/A |
| File created | C:\Windows\SysWOW64\yiob.exe | C:\Windows\SysWOW64\dojl.exe | N/A |
| File created | C:\Windows\SysWOW64\blrz.exe | C:\Windows\SysWOW64\yiob.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\blrz.exe | C:\Windows\SysWOW64\yiob.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mhyh.exe | C:\Windows\SysWOW64\hfqn.exe | N/A |
| File created | C:\Windows\SysWOW64\txdg.exe | C:\Windows\SysWOW64\zcyy.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dlrx.exe | C:\Windows\SysWOW64\gcgx.exe | N/A |
| File created | C:\Windows\SysWOW64\mwxs.exe | C:\Windows\SysWOW64\pnns.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zcyy.exe | C:\Windows\SysWOW64\wzvb.exe | N/A |
| File created | C:\Windows\SysWOW64\rvnz.exe | C:\Windows\SysWOW64\jfzm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\owrd.exe | C:\Windows\SysWOW64\otfk.exe | N/A |
| File created | C:\Windows\SysWOW64\zhiy.exe | C:\Windows\SysWOW64\zdwg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\eunr.exe | C:\Windows\SysWOW64\zlfo.exe | N/A |
| File created | C:\Windows\SysWOW64\lgyf.exe | C:\Windows\SysWOW64\qshp.exe | N/A |
| File created | C:\Windows\SysWOW64\dojl.exe | C:\Windows\SysWOW64\blgv.exe | N/A |
| File created | C:\Windows\SysWOW64\dlrx.exe | C:\Windows\SysWOW64\gcgx.exe | N/A |
| File created | C:\Windows\SysWOW64\pnns.exe | C:\Windows\SysWOW64\mhyh.exe | N/A |
| File created | C:\Windows\SysWOW64\mmqa.exe | C:\Windows\SysWOW64\osvn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zhiy.exe | C:\Windows\SysWOW64\zdwg.exe | N/A |
| File created | C:\Windows\SysWOW64\eqrb.exe | C:\Windows\SysWOW64\zhiy.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\jxhf.exe | C:\Windows\SysWOW64\mwxs.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\otfk.exe | C:\Windows\SysWOW64\mmqa.exe | N/A |
| File created | C:\Windows\SysWOW64\dkuv.exe | C:\Windows\SysWOW64\dklq.exe | N/A |
Suspicious use of SetThreadContext
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\jfzm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\otfk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\eqrb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\zlfo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\qshp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\lvwk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\gjwh.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\hxet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\ragu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\mwxs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\jybk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\eunr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\jxhf.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\wbom.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\dwsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\gcgx.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\wzvb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\efoy.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\bwqq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\wzvb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\mmqa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\dojl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\eunr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\wbom.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\ddrc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\mwxs.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\zcyy.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\txdg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\txdg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\mmqa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\zlfo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\ysdm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\dojl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\blrz.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\daoc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\daoc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\wrct.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\hfqn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\jtfg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\owrd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\zhiy.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\ddrc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\zmgj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\mhyh.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\pnns.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\rdxf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\zdwg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\dklq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\ddrc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\wrct.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\wgsz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\mhyh.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\rdxf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\qshp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\wgsz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\zmgj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\zlfo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\eqrb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\eqrb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\eunr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\blrz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\jxge.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe
C:\Windows\SysWOW64\hxet.exe
C:\Windows\system32\hxet.exe 1004 "C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe"
C:\Windows\SysWOW64\hxet.exe
C:\Windows\SysWOW64\hxet.exe
C:\Windows\SysWOW64\wrct.exe
C:\Windows\system32\wrct.exe 1020 "C:\Windows\SysWOW64\hxet.exe"
C:\Windows\SysWOW64\wrct.exe
C:\Windows\SysWOW64\wrct.exe
C:\Windows\SysWOW64\wgsz.exe
C:\Windows\system32\wgsz.exe 1152 "C:\Windows\SysWOW64\wrct.exe"
C:\Windows\SysWOW64\wgsz.exe
C:\Windows\SysWOW64\wgsz.exe
C:\Windows\SysWOW64\zmgj.exe
C:\Windows\system32\zmgj.exe 1048 "C:\Windows\SysWOW64\wgsz.exe"
C:\Windows\SysWOW64\zmgj.exe
C:\Windows\SysWOW64\zmgj.exe
C:\Windows\SysWOW64\ragu.exe
C:\Windows\system32\ragu.exe 1156 "C:\Windows\SysWOW64\zmgj.exe"
C:\Windows\SysWOW64\ragu.exe
C:\Windows\SysWOW64\ragu.exe
C:\Windows\SysWOW64\jxge.exe
C:\Windows\system32\jxge.exe 1048 "C:\Windows\SysWOW64\ragu.exe"
C:\Windows\SysWOW64\jxge.exe
C:\Windows\SysWOW64\jxge.exe
C:\Windows\SysWOW64\hfqn.exe
C:\Windows\system32\hfqn.exe 1028 "C:\Windows\SysWOW64\jxge.exe"
C:\Windows\SysWOW64\hfqn.exe
C:\Windows\SysWOW64\hfqn.exe
C:\Windows\SysWOW64\mhyh.exe
C:\Windows\system32\mhyh.exe 1048 "C:\Windows\SysWOW64\hfqn.exe"
C:\Windows\SysWOW64\mhyh.exe
C:\Windows\SysWOW64\mhyh.exe
C:\Windows\SysWOW64\pnns.exe
C:\Windows\system32\pnns.exe 1036 "C:\Windows\SysWOW64\mhyh.exe"
C:\Windows\SysWOW64\pnns.exe
C:\Windows\SysWOW64\pnns.exe
C:\Windows\SysWOW64\mwxs.exe
C:\Windows\system32\mwxs.exe 1164 "C:\Windows\SysWOW64\pnns.exe"
C:\Windows\SysWOW64\mwxs.exe
C:\Windows\SysWOW64\mwxs.exe
C:\Windows\SysWOW64\jxhf.exe
C:\Windows\system32\jxhf.exe 1020 "C:\Windows\SysWOW64\mwxs.exe"
C:\Windows\SysWOW64\jxhf.exe
C:\Windows\SysWOW64\jxhf.exe
C:\Windows\SysWOW64\jtfg.exe
C:\Windows\system32\jtfg.exe 1028 "C:\Windows\SysWOW64\jxhf.exe"
C:\Windows\SysWOW64\jtfg.exe
C:\Windows\SysWOW64\jtfg.exe
C:\Windows\SysWOW64\wzvb.exe
C:\Windows\system32\wzvb.exe 1040 "C:\Windows\SysWOW64\jtfg.exe"
C:\Windows\SysWOW64\wzvb.exe
C:\Windows\SysWOW64\wzvb.exe
C:\Windows\SysWOW64\zcyy.exe
C:\Windows\system32\zcyy.exe 1048 "C:\Windows\SysWOW64\wzvb.exe"
C:\Windows\SysWOW64\zcyy.exe
C:\Windows\SysWOW64\zcyy.exe
C:\Windows\SysWOW64\txdg.exe
C:\Windows\system32\txdg.exe 900 "C:\Windows\SysWOW64\zcyy.exe"
C:\Windows\SysWOW64\txdg.exe
C:\Windows\SysWOW64\txdg.exe
C:\Windows\SysWOW64\olue.exe
C:\Windows\system32\olue.exe 1048 "C:\Windows\SysWOW64\txdg.exe"
C:\Windows\SysWOW64\olue.exe
C:\Windows\SysWOW64\olue.exe
C:\Windows\SysWOW64\jfzm.exe
C:\Windows\system32\jfzm.exe 1032 "C:\Windows\SysWOW64\olue.exe"
C:\Windows\SysWOW64\jfzm.exe
C:\Windows\SysWOW64\jfzm.exe
C:\Windows\SysWOW64\rvnz.exe
C:\Windows\system32\rvnz.exe 1096 "C:\Windows\SysWOW64\jfzm.exe"
C:\Windows\SysWOW64\rvnz.exe
C:\Windows\SysWOW64\rvnz.exe
C:\Windows\SysWOW64\jybk.exe
C:\Windows\system32\jybk.exe 1064 "C:\Windows\SysWOW64\rvnz.exe"
C:\Windows\SysWOW64\jybk.exe
C:\Windows\SysWOW64\jybk.exe
C:\Windows\SysWOW64\osvn.exe
C:\Windows\system32\osvn.exe 1036 "C:\Windows\SysWOW64\jybk.exe"
C:\Windows\SysWOW64\osvn.exe
C:\Windows\SysWOW64\osvn.exe
C:\Windows\SysWOW64\mmqa.exe
C:\Windows\system32\mmqa.exe 1036 "C:\Windows\SysWOW64\osvn.exe"
C:\Windows\SysWOW64\mmqa.exe
C:\Windows\SysWOW64\mmqa.exe
C:\Windows\SysWOW64\otfk.exe
C:\Windows\system32\otfk.exe 1036 "C:\Windows\SysWOW64\mmqa.exe"
C:\Windows\SysWOW64\otfk.exe
C:\Windows\SysWOW64\otfk.exe
C:\Windows\SysWOW64\owrd.exe
C:\Windows\system32\owrd.exe 1044 "C:\Windows\SysWOW64\otfk.exe"
C:\Windows\SysWOW64\owrd.exe
C:\Windows\SysWOW64\owrd.exe
C:\Windows\SysWOW64\rdxf.exe
C:\Windows\system32\rdxf.exe 1056 "C:\Windows\SysWOW64\owrd.exe"
C:\Windows\SysWOW64\rdxf.exe
C:\Windows\SysWOW64\rdxf.exe
C:\Windows\SysWOW64\zdwg.exe
C:\Windows\system32\zdwg.exe 1052 "C:\Windows\SysWOW64\rdxf.exe"
C:\Windows\SysWOW64\zdwg.exe
C:\Windows\SysWOW64\zdwg.exe
C:\Windows\SysWOW64\zhiy.exe
C:\Windows\system32\zhiy.exe 1036 "C:\Windows\SysWOW64\zdwg.exe"
C:\Windows\SysWOW64\zhiy.exe
C:\Windows\SysWOW64\zhiy.exe
C:\Windows\SysWOW64\eqrb.exe
C:\Windows\system32\eqrb.exe 1032 "C:\Windows\SysWOW64\zhiy.exe"
C:\Windows\SysWOW64\eqrb.exe
C:\Windows\SysWOW64\eqrb.exe
C:\Windows\SysWOW64\efoy.exe
C:\Windows\system32\efoy.exe 1084 "C:\Windows\SysWOW64\eqrb.exe"
C:\Windows\SysWOW64\efoy.exe
C:\Windows\SysWOW64\efoy.exe
C:\Windows\SysWOW64\zlfo.exe
C:\Windows\system32\zlfo.exe 1028 "C:\Windows\SysWOW64\efoy.exe"
C:\Windows\SysWOW64\zlfo.exe
C:\Windows\SysWOW64\zlfo.exe
C:\Windows\SysWOW64\eunr.exe
C:\Windows\system32\eunr.exe 1032 "C:\Windows\SysWOW64\zlfo.exe"
C:\Windows\SysWOW64\eunr.exe
C:\Windows\SysWOW64\eunr.exe
C:\Windows\SysWOW64\ysdm.exe
C:\Windows\system32\ysdm.exe 1160 "C:\Windows\SysWOW64\eunr.exe"
C:\Windows\SysWOW64\ysdm.exe
C:\Windows\SysWOW64\ysdm.exe
C:\Windows\SysWOW64\wbom.exe
C:\Windows\system32\wbom.exe 1052 "C:\Windows\SysWOW64\ysdm.exe"
C:\Windows\SysWOW64\wbom.exe
C:\Windows\SysWOW64\wbom.exe
C:\Windows\SysWOW64\qshp.exe
C:\Windows\system32\qshp.exe 1152 "C:\Windows\SysWOW64\wbom.exe"
C:\Windows\SysWOW64\qshp.exe
C:\Windows\SysWOW64\qshp.exe
C:\Windows\SysWOW64\lgyf.exe
C:\Windows\system32\lgyf.exe 1056 "C:\Windows\SysWOW64\qshp.exe"
C:\Windows\SysWOW64\lgyf.exe
C:\Windows\SysWOW64\lgyf.exe
C:\Windows\SysWOW64\lvwk.exe
C:\Windows\system32\lvwk.exe 1056 "C:\Windows\SysWOW64\lgyf.exe"
C:\Windows\SysWOW64\lvwk.exe
C:\Windows\SysWOW64\lvwk.exe
C:\Windows\SysWOW64\dklq.exe
C:\Windows\system32\dklq.exe 1020 "C:\Windows\SysWOW64\lvwk.exe"
C:\Windows\SysWOW64\dklq.exe
C:\Windows\SysWOW64\dklq.exe
C:\Windows\SysWOW64\dkuv.exe
C:\Windows\system32\dkuv.exe 1032 "C:\Windows\SysWOW64\dklq.exe"
C:\Windows\SysWOW64\dkuv.exe
C:\Windows\SysWOW64\dkuv.exe
C:\Windows\SysWOW64\bwqq.exe
C:\Windows\system32\bwqq.exe 1036 "C:\Windows\SysWOW64\dkuv.exe"
C:\Windows\SysWOW64\bwqq.exe
C:\Windows\SysWOW64\bwqq.exe
C:\Windows\SysWOW64\blgv.exe
C:\Windows\system32\blgv.exe 1040 "C:\Windows\SysWOW64\bwqq.exe"
C:\Windows\SysWOW64\blgv.exe
C:\Windows\SysWOW64\blgv.exe
C:\Windows\SysWOW64\dojl.exe
C:\Windows\system32\dojl.exe 1036 "C:\Windows\SysWOW64\blgv.exe"
C:\Windows\SysWOW64\dojl.exe
C:\Windows\SysWOW64\dojl.exe
C:\Windows\SysWOW64\yiob.exe
C:\Windows\system32\yiob.exe 1044 "C:\Windows\SysWOW64\dojl.exe"
C:\Windows\SysWOW64\yiob.exe
C:\Windows\SysWOW64\yiob.exe
C:\Windows\SysWOW64\blrz.exe
C:\Windows\system32\blrz.exe 1060 "C:\Windows\SysWOW64\yiob.exe"
C:\Windows\SysWOW64\blrz.exe
C:\Windows\SysWOW64\blrz.exe
C:\Windows\SysWOW64\gjwh.exe
C:\Windows\system32\gjwh.exe 1048 "C:\Windows\SysWOW64\blrz.exe"
C:\Windows\SysWOW64\gjwh.exe
C:\Windows\SysWOW64\gjwh.exe
C:\Windows\SysWOW64\ddrc.exe
C:\Windows\system32\ddrc.exe 1048 "C:\Windows\SysWOW64\gjwh.exe"
C:\Windows\SysWOW64\ddrc.exe
C:\Windows\SysWOW64\ddrc.exe
C:\Windows\SysWOW64\dwsm.exe
C:\Windows\system32\dwsm.exe 1036 "C:\Windows\SysWOW64\ddrc.exe"
C:\Windows\SysWOW64\dwsm.exe
C:\Windows\SysWOW64\dwsm.exe
C:\Windows\SysWOW64\gcgx.exe
C:\Windows\system32\gcgx.exe 1044 "C:\Windows\SysWOW64\dwsm.exe"
C:\Windows\SysWOW64\gcgx.exe
C:\Windows\SysWOW64\gcgx.exe
C:\Windows\SysWOW64\dlrx.exe
C:\Windows\system32\dlrx.exe 1048 "C:\Windows\SysWOW64\gcgx.exe"
C:\Windows\SysWOW64\dlrx.exe
C:\Windows\SysWOW64\dlrx.exe
C:\Windows\SysWOW64\daoc.exe
C:\Windows\system32\daoc.exe 1048 "C:\Windows\SysWOW64\dlrx.exe"
C:\Windows\SysWOW64\daoc.exe
C:\Windows\SysWOW64\daoc.exe
C:\Windows\SysWOW64\ddbv.exe
C:\Windows\system32\ddbv.exe 1048 "C:\Windows\SysWOW64\daoc.exe"
C:\Windows\SysWOW64\ddbv.exe
C:\Windows\SysWOW64\ddbv.exe
C:\Windows\SysWOW64\dpfv.exe
C:\Windows\system32\dpfv.exe 1032 "C:\Windows\SysWOW64\ddbv.exe"
C:\Windows\SysWOW64\dpfv.exe
C:\Windows\SysWOW64\dpfv.exe
C:\Windows\SysWOW64\yghq.exe
C:\Windows\system32\yghq.exe 1152 "C:\Windows\SysWOW64\dpfv.exe"
C:\Windows\SysWOW64\yghq.exe
C:\Windows\SysWOW64\yghq.exe
C:\Windows\SysWOW64\gvvd.exe
C:\Windows\system32\gvvd.exe 1040 "C:\Windows\SysWOW64\yghq.exe"
C:\Windows\SysWOW64\gvvd.exe
C:\Windows\SysWOW64\gvvd.exe
C:\Windows\SysWOW64\yvgj.exe
C:\Windows\system32\yvgj.exe 1036 "C:\Windows\SysWOW64\gvvd.exe"
C:\Windows\SysWOW64\yvgj.exe
C:\Windows\SysWOW64\yvgj.exe
C:\Windows\SysWOW64\ygsb.exe
C:\Windows\system32\ygsb.exe 1036 "C:\Windows\SysWOW64\yvgj.exe"
C:\Windows\SysWOW64\ygsb.exe
C:\Windows\SysWOW64\ygsb.exe
C:\Windows\SysWOW64\yket.exe
C:\Windows\system32\yket.exe 1036 "C:\Windows\SysWOW64\ygsb.exe"
C:\Windows\SysWOW64\yket.exe
C:\Windows\SysWOW64\yket.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 150.1.37.23.in-addr.arpa | udp |
Files
C:\Windows\SysWOW64\hxet.exe
| MD5 | e3606fe661cb86e3fe8843d598d9ac13 |
| SHA1 | 7c63a823717d43257e641bd42d37ed5b415308f7 |
| SHA256 | dcfac4cd97fab0cf3a91febe447faad646115d46429349af1b80452dd446498a |
| SHA512 | d57b158fc275400506ddb655c48d5fa6a24a8304ca7ca194ec4f74581c9a5998f88f3c24347dcaaab6c2e724580e69770fb2a722cdd2353459699526f5bb8344 |