Malware Analysis Report

2025-03-14 22:35

Sample ID 240406-1t1vfscb7y
Target e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118
SHA256 dcfac4cd97fab0cf3a91febe447faad646115d46429349af1b80452dd446498a
Tags
bootkit persistence
score
7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
7/10

SHA256

dcfac4cd97fab0cf3a91febe447faad646115d46429349af1b80452dd446498a

Threat Level: Shows suspicious behavior

The file e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118 was classified as showing suspicious behavior (score 7/10): in the behavioral runs it drops and executes a chain of randomly named executables in SysWOW64, injects into child processes of its own image, and opens the first physical disk for raw modification.

Malicious Activity Summary

bootkit persistence

Loads dropped DLL

Executes dropped EXE

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Suspicious use of SetThreadContext

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 21:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 21:57

Reported

2024-04-06 21:58

Platform

win7-20240215-en

Max time kernel

46s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\lvdf.exe N/A
N/A N/A C:\Windows\SysWOW64\lvdf.exe N/A
N/A N/A C:\Windows\SysWOW64\ihad.exe N/A
N/A N/A C:\Windows\SysWOW64\ihad.exe N/A
N/A N/A C:\Windows\SysWOW64\qeli.exe N/A
N/A N/A C:\Windows\SysWOW64\qeli.exe N/A
N/A N/A C:\Windows\SysWOW64\wmdl.exe N/A
N/A N/A C:\Windows\SysWOW64\wmdl.exe N/A
N/A N/A C:\Windows\SysWOW64\yodt.exe N/A
N/A N/A C:\Windows\SysWOW64\yodt.exe N/A
N/A N/A C:\Windows\SysWOW64\zfsb.exe N/A
N/A N/A C:\Windows\SysWOW64\zfsb.exe N/A
N/A N/A C:\Windows\SysWOW64\juue.exe N/A
N/A N/A C:\Windows\SysWOW64\juue.exe N/A
N/A N/A C:\Windows\SysWOW64\ycgw.exe N/A
N/A N/A C:\Windows\SysWOW64\ycgw.exe N/A
N/A N/A C:\Windows\SysWOW64\iutm.exe N/A
N/A N/A C:\Windows\SysWOW64\iutm.exe N/A
N/A N/A C:\Windows\SysWOW64\klim.exe N/A
N/A N/A C:\Windows\SysWOW64\klim.exe N/A
N/A N/A C:\Windows\SysWOW64\tcvc.exe N/A
N/A N/A C:\Windows\SysWOW64\tcvc.exe N/A
N/A N/A C:\Windows\SysWOW64\ojlw.exe N/A
N/A N/A C:\Windows\SysWOW64\ojlw.exe N/A
N/A N/A C:\Windows\SysWOW64\plme.exe N/A
N/A N/A C:\Windows\SysWOW64\plme.exe N/A
N/A N/A C:\Windows\SysWOW64\ufvs.exe N/A
N/A N/A C:\Windows\SysWOW64\ufvs.exe N/A
N/A N/A C:\Windows\SysWOW64\muuh.exe N/A
N/A N/A C:\Windows\SysWOW64\muuh.exe N/A
N/A N/A C:\Windows\SysWOW64\dauf.exe N/A
N/A N/A C:\Windows\SysWOW64\dauf.exe N/A
N/A N/A C:\Windows\SysWOW64\sqdx.exe N/A
N/A N/A C:\Windows\SysWOW64\sqdx.exe N/A
N/A N/A C:\Windows\SysWOW64\cabn.exe N/A
N/A N/A C:\Windows\SysWOW64\cabn.exe N/A
N/A N/A C:\Windows\SysWOW64\msgd.exe N/A
N/A N/A C:\Windows\SysWOW64\msgd.exe N/A
N/A N/A C:\Windows\SysWOW64\temi.exe N/A
N/A N/A C:\Windows\SysWOW64\temi.exe N/A
N/A N/A C:\Windows\SysWOW64\fyti.exe N/A
N/A N/A C:\Windows\SysWOW64\fyti.exe N/A
N/A N/A C:\Windows\SysWOW64\shwd.exe N/A
N/A N/A C:\Windows\SysWOW64\shwd.exe N/A
N/A N/A C:\Windows\SysWOW64\gffn.exe N/A
N/A N/A C:\Windows\SysWOW64\gffn.exe N/A
N/A N/A C:\Windows\SysWOW64\aghd.exe N/A
N/A N/A C:\Windows\SysWOW64\aghd.exe N/A
N/A N/A C:\Windows\SysWOW64\fiqi.exe N/A
N/A N/A C:\Windows\SysWOW64\fiqi.exe N/A
N/A N/A C:\Windows\SysWOW64\advy.exe N/A
N/A N/A C:\Windows\SysWOW64\advy.exe N/A
N/A N/A C:\Windows\SysWOW64\rvgb.exe N/A
N/A N/A C:\Windows\SysWOW64\rvgb.exe N/A
N/A N/A C:\Windows\SysWOW64\ltww.exe N/A
N/A N/A C:\Windows\SysWOW64\ltww.exe N/A
N/A N/A C:\Windows\SysWOW64\yksr.exe N/A
N/A N/A C:\Windows\SysWOW64\yksr.exe N/A
N/A N/A C:\Windows\SysWOW64\kxhr.exe N/A
N/A N/A C:\Windows\SysWOW64\kxhr.exe N/A
N/A N/A C:\Windows\SysWOW64\zfbr.exe N/A
N/A N/A C:\Windows\SysWOW64\zfbr.exe N/A
N/A N/A C:\Windows\SysWOW64\orzw.exe N/A
N/A N/A C:\Windows\SysWOW64\orzw.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\lvdf.exe N/A
N/A N/A C:\Windows\SysWOW64\lvdf.exe N/A
N/A N/A C:\Windows\SysWOW64\lvdf.exe N/A
N/A N/A C:\Windows\SysWOW64\ihad.exe N/A
N/A N/A C:\Windows\SysWOW64\ihad.exe N/A
N/A N/A C:\Windows\SysWOW64\qeli.exe N/A
N/A N/A C:\Windows\SysWOW64\qeli.exe N/A
N/A N/A C:\Windows\SysWOW64\wmdl.exe N/A
N/A N/A C:\Windows\SysWOW64\wmdl.exe N/A
N/A N/A C:\Windows\SysWOW64\yodt.exe N/A
N/A N/A C:\Windows\SysWOW64\yodt.exe N/A
N/A N/A C:\Windows\SysWOW64\zfsb.exe N/A
N/A N/A C:\Windows\SysWOW64\zfsb.exe N/A
N/A N/A C:\Windows\SysWOW64\juue.exe N/A
N/A N/A C:\Windows\SysWOW64\juue.exe N/A
N/A N/A C:\Windows\SysWOW64\ycgw.exe N/A
N/A N/A C:\Windows\SysWOW64\ycgw.exe N/A
N/A N/A C:\Windows\SysWOW64\iutm.exe N/A
N/A N/A C:\Windows\SysWOW64\iutm.exe N/A
N/A N/A C:\Windows\SysWOW64\klim.exe N/A
N/A N/A C:\Windows\SysWOW64\klim.exe N/A
N/A N/A C:\Windows\SysWOW64\tcvc.exe N/A
N/A N/A C:\Windows\SysWOW64\tcvc.exe N/A
N/A N/A C:\Windows\SysWOW64\ojlw.exe N/A
N/A N/A C:\Windows\SysWOW64\ojlw.exe N/A
N/A N/A C:\Windows\SysWOW64\plme.exe N/A
N/A N/A C:\Windows\SysWOW64\plme.exe N/A
N/A N/A C:\Windows\SysWOW64\ufvs.exe N/A
N/A N/A C:\Windows\SysWOW64\ufvs.exe N/A
N/A N/A C:\Windows\SysWOW64\muuh.exe N/A
N/A N/A C:\Windows\SysWOW64\muuh.exe N/A
N/A N/A C:\Windows\SysWOW64\dauf.exe N/A
N/A N/A C:\Windows\SysWOW64\dauf.exe N/A
N/A N/A C:\Windows\SysWOW64\sqdx.exe N/A
N/A N/A C:\Windows\SysWOW64\sqdx.exe N/A
N/A N/A C:\Windows\SysWOW64\cabn.exe N/A
N/A N/A C:\Windows\SysWOW64\cabn.exe N/A
N/A N/A C:\Windows\SysWOW64\msgd.exe N/A
N/A N/A C:\Windows\SysWOW64\msgd.exe N/A
N/A N/A C:\Windows\SysWOW64\temi.exe N/A
N/A N/A C:\Windows\SysWOW64\temi.exe N/A
N/A N/A C:\Windows\SysWOW64\fyti.exe N/A
N/A N/A C:\Windows\SysWOW64\fyti.exe N/A
N/A N/A C:\Windows\SysWOW64\shwd.exe N/A
N/A N/A C:\Windows\SysWOW64\shwd.exe N/A
N/A N/A C:\Windows\SysWOW64\gffn.exe N/A
N/A N/A C:\Windows\SysWOW64\gffn.exe N/A
N/A N/A C:\Windows\SysWOW64\aghd.exe N/A
N/A N/A C:\Windows\SysWOW64\aghd.exe N/A
N/A N/A C:\Windows\SysWOW64\fiqi.exe N/A
N/A N/A C:\Windows\SysWOW64\fiqi.exe N/A
N/A N/A C:\Windows\SysWOW64\advy.exe N/A
N/A N/A C:\Windows\SysWOW64\advy.exe N/A
N/A N/A C:\Windows\SysWOW64\rvgb.exe N/A
N/A N/A C:\Windows\SysWOW64\rvgb.exe N/A
N/A N/A C:\Windows\SysWOW64\ltww.exe N/A
N/A N/A C:\Windows\SysWOW64\ltww.exe N/A
N/A N/A C:\Windows\SysWOW64\yksr.exe N/A
N/A N/A C:\Windows\SysWOW64\yksr.exe N/A
N/A N/A C:\Windows\SysWOW64\kxhr.exe N/A
N/A N/A C:\Windows\SysWOW64\kxhr.exe N/A
N/A N/A C:\Windows\SysWOW64\zfbr.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\sykf.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\usly.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\cstw.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\sqdx.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\gbjz.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\cxqh.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\rajc.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\iyfq.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\eesg.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\jcmh.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\muuh.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\msgd.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\ilnu.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\rvpr.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\ywqv.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\zvet.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\ufvs.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\temi.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\mlpq.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\phgu.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\kclk.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\liyp.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\lvdf.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\juue.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\fcnl.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\mnni.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\klim.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\advy.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\zfbr.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\ypro.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\ojlw.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\lbzx.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\ikqr.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\shwd.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\dhwr.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\pxog.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\lqmf.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\qjsa.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\lagj.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\ythx.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\rqsy.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\fiqi.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\rvgb.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\orzw.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\vcjq.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\rwqh.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\dkbk.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\hbpl.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\ycgw.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\dauf.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\fyti.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\cabn.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\uiaf.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\ttou.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\hhlg.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\zfsb.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\ebjh.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\psny.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\yomu.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\tcvc.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\aghd.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\ujnh.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\yksr.exe N/A
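Every row above is a handle to \??\PhysicalDrive0 opened for write, which is the NT path of the raw first disk: a process with that handle can overwrite sector 0 (the MBR) directly, bypassing the file system. The sandbox does not show what was written, so host triage has to read sector 0 back and compare it with a trusted copy. The following Python is an added example, not code from the report or the sandbox vendor; it parses a 512-byte MBR, checks the 0x55AA boot signature, and diffs the 440-byte bootstrap region and the partition table against a baseline. The two sector images are constructed so the code runs offline and are not the sample's real MBR. The check applies to BIOS/MBR-booted disks such as the Windows 7 sandbox image; on a GPT disk sector 0 is only a protective MBR.

```python
"""Parse a 512-byte MBR and diff it against a trusted baseline (added example)."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 440          # legacy bootstrap code area, the part a bootkit overwrites
PTABLE_OFFSET = 446          # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"
# status, CHS first (skipped), type, CHS last (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


def make_mbr(bootstrap: bytes, partitions: list[tuple[bool, int, int, int]]) -> bytes:
    """Build a constructed MBR image: bootstrap code, partition entries, 0x55AA."""
    sector = bytearray(SECTOR_SIZE)
    code = bootstrap[:BOOTSTRAP_LEN]
    sector[:len(code)] = code
    for i, (bootable, ptype, lba_start, count) in enumerate(partitions[:4]):
        struct.pack_into(ENTRY_FMT, sector, PTABLE_OFFSET + 16 * i,
                         0x80 if bootable else 0x00, ptype, lba_start, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def parse_mbr(sector: bytes) -> dict:
    """Return boot-signature validity, bootstrap hash and the used partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(
            ENTRY_FMT, sector, PTABLE_OFFSET + 16 * i)
        if ptype != 0:                       # type 0 means the entry is unused
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": count})
    return {
        "boot_signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
        "partitions": partitions,
    }


def diff_mbr(baseline: bytes, current: bytes) -> list[str]:
    """List what changed between a trusted MBR image and the one read from disk."""
    before, after = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not after["boot_signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if before["bootstrap_sha256"] != after["bootstrap_sha256"]:
        findings.append("bootstrap code changed")
    if before["partitions"] != after["partitions"]:
        findings.append("partition table changed")
    return findings


# Constructed images. GOOD_MBR stands in for a pre-infection backup: its first
# bytes are a typical "xor ax,ax / mov ss,ax / mov sp,7C00h" prologue, the rest
# is padding. TAMPERED_MBR keeps the partition table but replaces the bootstrap
# code, which is the shape a bootkit write leaves behind.
GOOD_MBR = make_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c".ljust(BOOTSTRAP_LEN, b"\x00"),
                    [(True, 0x07, 2048, 204800)])
TAMPERED_MBR = make_mbr(b"\xea\x00\x7c\x00\x00".ljust(BOOTSTRAP_LEN, b"\x90"),
                        [(True, 0x07, 2048, 204800)])

if __name__ == "__main__":
    # On the suspect host, run as Administrator, the current sector is read with:
    #   current = open(r"\\.\PhysicalDrive0", "rb").read(512)
    print(parse_mbr(GOOD_MBR)["partitions"])
    print(diff_mbr(GOOD_MBR, GOOD_MBR))        # []
    print(diff_mbr(GOOD_MBR, TAMPERED_MBR))    # ['bootstrap code changed']
```

A clean diff against a trusted baseline is the only reliable verdict: a valid 0x55AA signature and an intact partition table say nothing, because a bootkit keeps both so the machine still boots.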

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\rwqh.exe C:\Windows\SysWOW64\ebjh.exe N/A
File created C:\Windows\SysWOW64\ujnh.exe C:\Windows\SysWOW64\ilnu.exe N/A
File opened for modification C:\Windows\SysWOW64\uiaf.exe C:\Windows\SysWOW64\lbzx.exe N/A
File created C:\Windows\SysWOW64\dhwr.exe C:\Windows\SysWOW64\rvpr.exe N/A
File opened for modification C:\Windows\SysWOW64\pxog.exe C:\Windows\SysWOW64\vcjq.exe N/A
File opened for modification C:\Windows\SysWOW64\dauf.exe C:\Windows\SysWOW64\muuh.exe N/A
File opened for modification C:\Windows\SysWOW64\fiqi.exe C:\Windows\SysWOW64\aghd.exe N/A
File opened for modification C:\Windows\SysWOW64\ufvs.exe C:\Windows\SysWOW64\plme.exe N/A
File created C:\Windows\SysWOW64\advy.exe C:\Windows\SysWOW64\fiqi.exe N/A
File opened for modification C:\Windows\SysWOW64\ycgw.exe C:\Windows\SysWOW64\juue.exe N/A
File created C:\Windows\SysWOW64\plme.exe C:\Windows\SysWOW64\ojlw.exe N/A
File created C:\Windows\SysWOW64\dkbk.exe C:\Windows\SysWOW64\ttou.exe N/A
File opened for modification C:\Windows\SysWOW64\jcmh.exe C:\Windows\SysWOW64\eesg.exe N/A
File created C:\Windows\SysWOW64\aghd.exe C:\Windows\SysWOW64\gffn.exe N/A
File created C:\Windows\SysWOW64\uiaf.exe C:\Windows\SysWOW64\lbzx.exe N/A
File created C:\Windows\SysWOW64\rvpr.exe C:\Windows\SysWOW64\zvet.exe N/A
File created C:\Windows\SysWOW64\iyfq.exe C:\Windows\SysWOW64\liyp.exe N/A
File created C:\Windows\SysWOW64\vcjq.exe C:\Windows\SysWOW64\rqsy.exe N/A
File created C:\Windows\SysWOW64\kxhr.exe C:\Windows\SysWOW64\yksr.exe N/A
File created C:\Windows\SysWOW64\psny.exe C:\Windows\SysWOW64\ypro.exe N/A
File created C:\Windows\SysWOW64\cstw.exe C:\Windows\SysWOW64\pxog.exe N/A
File opened for modification C:\Windows\SysWOW64\advy.exe C:\Windows\SysWOW64\fiqi.exe N/A
File created C:\Windows\SysWOW64\usly.exe C:\Windows\SysWOW64\hbpl.exe N/A
File created C:\Windows\SysWOW64\muuh.exe C:\Windows\SysWOW64\ufvs.exe N/A
File created C:\Windows\SysWOW64\shwd.exe C:\Windows\SysWOW64\fyti.exe N/A
File created C:\Windows\SysWOW64\ilnu.exe C:\Windows\SysWOW64\knou.exe N/A
File opened for modification C:\Windows\SysWOW64\zfbr.exe C:\Windows\SysWOW64\kxhr.exe N/A
File created C:\Windows\SysWOW64\ebjh.exe C:\Windows\SysWOW64\dvfm.exe N/A
File opened for modification C:\Windows\SysWOW64\dhwr.exe C:\Windows\SysWOW64\rvpr.exe N/A
File created C:\Windows\SysWOW64\lagj.exe C:\Windows\SysWOW64\cxqh.exe N/A
File created C:\Windows\SysWOW64\hbpl.exe C:\Windows\SysWOW64\sykf.exe N/A
File created C:\Windows\SysWOW64\ihad.exe C:\Windows\SysWOW64\lvdf.exe N/A
File created C:\Windows\SysWOW64\ldxq.exe C:\Windows\SysWOW64\qjsa.exe N/A
File opened for modification C:\Windows\SysWOW64\eesg.exe C:\Windows\SysWOW64\hhlg.exe N/A
File opened for modification C:\Windows\SysWOW64\qeli.exe C:\Windows\SysWOW64\ihad.exe N/A
File created C:\Windows\SysWOW64\ufvs.exe C:\Windows\SysWOW64\plme.exe N/A
File created C:\Windows\SysWOW64\juue.exe C:\Windows\SysWOW64\zfsb.exe N/A
File opened for modification C:\Windows\SysWOW64\knou.exe C:\Windows\SysWOW64\gbzu.exe N/A
File opened for modification C:\Windows\SysWOW64\ldxq.exe C:\Windows\SysWOW64\qjsa.exe N/A
File created C:\Windows\SysWOW64\yomu.exe C:\Windows\SysWOW64\dhwr.exe N/A
File opened for modification C:\Windows\SysWOW64\vcjq.exe C:\Windows\SysWOW64\rqsy.exe N/A
File created C:\Windows\SysWOW64\ikqr.exe C:\Windows\SysWOW64\vfxi.exe N/A
File opened for modification C:\Windows\SysWOW64\gffn.exe C:\Windows\SysWOW64\shwd.exe N/A
File created C:\Windows\SysWOW64\gbzu.exe C:\Windows\SysWOW64\rwqh.exe N/A
File created C:\Windows\SysWOW64\ypro.exe C:\Windows\SysWOW64\ywqv.exe N/A
File created C:\Windows\SysWOW64\temi.exe C:\Windows\SysWOW64\msgd.exe N/A
File created C:\Windows\SysWOW64\mnni.exe C:\Windows\SysWOW64\fcnl.exe N/A
File opened for modification C:\Windows\SysWOW64\ikqr.exe C:\Windows\SysWOW64\vfxi.exe N/A
File opened for modification C:\Windows\SysWOW64\lvdf.exe C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\mlpq.exe C:\Windows\SysWOW64\uiaf.exe N/A
File opened for modification C:\Windows\SysWOW64\ltww.exe C:\Windows\SysWOW64\rvgb.exe N/A
File opened for modification C:\Windows\SysWOW64\ujnh.exe C:\Windows\SysWOW64\ilnu.exe N/A
File opened for modification C:\Windows\SysWOW64\lqmf.exe C:\Windows\SysWOW64\ujnh.exe N/A
File created C:\Windows\SysWOW64\kclk.exe C:\Windows\SysWOW64\phgu.exe N/A
File opened for modification C:\Windows\SysWOW64\msgd.exe C:\Windows\SysWOW64\cabn.exe N/A
File created C:\Windows\SysWOW64\gffn.exe C:\Windows\SysWOW64\shwd.exe N/A
File created C:\Windows\SysWOW64\ojlw.exe C:\Windows\SysWOW64\tcvc.exe N/A
File opened for modification C:\Windows\SysWOW64\muuh.exe C:\Windows\SysWOW64\ufvs.exe N/A
File created C:\Windows\SysWOW64\fiqi.exe C:\Windows\SysWOW64\aghd.exe N/A
File created C:\Windows\SysWOW64\rvgb.exe C:\Windows\SysWOW64\advy.exe N/A
File created C:\Windows\SysWOW64\yksr.exe C:\Windows\SysWOW64\ltww.exe N/A
File opened for modification C:\Windows\SysWOW64\liyp.exe C:\Windows\SysWOW64\wlpx.exe N/A
File opened for modification C:\Windows\SysWOW64\wmdl.exe C:\Windows\SysWOW64\qeli.exe N/A
File opened for modification C:\Windows\SysWOW64\iutm.exe C:\Windows\SysWOW64\ycgw.exe N/A
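The rows above read as "<description> <dropped path> <writing process> <target>", and the writing process of one row is the dropped file of an earlier one, so the table encodes the whole dropper chain from the submitted sample onward. The Python below is an added example, not code from the report or the sandbox vendor: it parses rows in that layout, follows writer-to-dropped edges from the sample, and lists every drop that follows the four-lowercase-letter SysWOW64 naming scheme. The embedded rows are copied from this table as constructed input so the script runs offline; the regular expressions and the function names are this example's own.

```python
"""Reconstruct the dropper chain from "Drops file in System32 directory" rows (added example)."""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe"

# Constructed input: six rows copied from the report's table.
DROP_ROWS = r"""
File opened for modification C:\Windows\SysWOW64\lvdf.exe C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ihad.exe C:\Windows\SysWOW64\lvdf.exe N/A
File opened for modification C:\Windows\SysWOW64\qeli.exe C:\Windows\SysWOW64\ihad.exe N/A
File opened for modification C:\Windows\SysWOW64\wmdl.exe C:\Windows\SysWOW64\qeli.exe N/A
File created C:\Windows\SysWOW64\ufvs.exe C:\Windows\SysWOW64\plme.exe N/A
File opened for modification C:\Windows\SysWOW64\ufvs.exe C:\Windows\SysWOW64\plme.exe N/A
"""

ROW_RE = re.compile(r"^(File created|File opened for modification) (\S+) (\S+) (\S+)$")
# Four lowercase letters plus .exe inside System32/SysWOW64: the scheme every drop in the report follows.
RANDOM_NAME_RE = re.compile(r"^C:\\Windows\\(?:System32|SysWOW64)\\[a-z]{4}\.exe$", re.IGNORECASE)


def parse_drop_rows(text: str) -> list[tuple[str, str]]:
    """Return (writing_process, dropped_path) pairs, one per row, duplicates removed."""
    pairs = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue                          # header or malformed row
        dropped, writer = m.group(2), m.group(3)
        if (writer, dropped) not in pairs:    # "created" and "opened" rows for the same file
            pairs.append((writer, dropped))
    return pairs


def drop_chain(pairs, start: str) -> list[str]:
    """Follow writer -> dropped edges from `start`; returns basenames in drop order."""
    children = defaultdict(list)
    for writer, dropped in pairs:
        children[writer].append(dropped)
    chain, seen, cur = [], set(), start
    while cur and cur not in seen:            # `seen` guards against a stage re-dropping an ancestor
        seen.add(cur)
        chain.append(cur.rsplit("\\", 1)[-1])
        nxt = children.get(cur, [])
        cur = sorted(nxt)[0] if nxt else None  # deterministic if a stage drops several files
    return chain


def random_named_drops(pairs) -> set[str]:
    """Dropped files that match the random four-letter System32 naming scheme."""
    return {d for _, d in pairs if RANDOM_NAME_RE.match(d)}


if __name__ == "__main__":
    events = parse_drop_rows(DROP_ROWS)
    print(" -> ".join(drop_chain(events, SAMPLE)))
    print(sorted(random_named_drops(events)))
```

Run against the full table the chain is what an incident responder needs for cleanup: every file in it sits in SysWOW64 under a name that no legitimate Windows binary uses, so the set returned by `random_named_drops` doubles as the delete list.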

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1288 set thread context of 2800 N/A C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe
PID 2980 set thread context of 2620 N/A C:\Windows\SysWOW64\lvdf.exe C:\Windows\SysWOW64\lvdf.exe
PID 2896 set thread context of 2668 N/A C:\Windows\SysWOW64\ihad.exe C:\Windows\SysWOW64\ihad.exe
PID 2888 set thread context of 1236 N/A C:\Windows\SysWOW64\qeli.exe C:\Windows\SysWOW64\qeli.exe
PID 1520 set thread context of 2116 N/A C:\Windows\SysWOW64\wmdl.exe C:\Windows\SysWOW64\wmdl.exe
PID 2076 set thread context of 1052 N/A C:\Windows\SysWOW64\yodt.exe C:\Windows\SysWOW64\yodt.exe
PID 3064 set thread context of 288 N/A C:\Windows\SysWOW64\zfsb.exe C:\Windows\SysWOW64\zfsb.exe
PID 2788 set thread context of 792 N/A C:\Windows\SysWOW64\juue.exe C:\Windows\SysWOW64\juue.exe
PID 2368 set thread context of 2028 N/A C:\Windows\SysWOW64\ycgw.exe C:\Windows\SysWOW64\ycgw.exe
PID 3024 set thread context of 2716 N/A C:\Windows\SysWOW64\iutm.exe C:\Windows\SysWOW64\iutm.exe
PID 2464 set thread context of 2504 N/A C:\Windows\SysWOW64\klim.exe C:\Windows\SysWOW64\klim.exe
PID 344 set thread context of 1956 N/A C:\Windows\SysWOW64\tcvc.exe C:\Windows\SysWOW64\tcvc.exe
PID 1636 set thread context of 2092 N/A C:\Windows\SysWOW64\ojlw.exe C:\Windows\SysWOW64\ojlw.exe
PID 1952 set thread context of 992 N/A C:\Windows\SysWOW64\plme.exe C:\Windows\SysWOW64\plme.exe
PID 560 set thread context of 2152 N/A C:\Windows\SysWOW64\ufvs.exe C:\Windows\SysWOW64\ufvs.exe
PID 960 set thread context of 1680 N/A C:\Windows\SysWOW64\muuh.exe C:\Windows\SysWOW64\muuh.exe
PID 2956 set thread context of 2988 N/A C:\Windows\SysWOW64\dauf.exe C:\Windows\SysWOW64\dauf.exe
PID 2316 set thread context of 1512 N/A C:\Windows\SysWOW64\sqdx.exe C:\Windows\SysWOW64\sqdx.exe
PID 2816 set thread context of 2624 N/A C:\Windows\SysWOW64\cabn.exe C:\Windows\SysWOW64\cabn.exe
PID 2496 set thread context of 2692 N/A C:\Windows\SysWOW64\msgd.exe C:\Windows\SysWOW64\msgd.exe
PID 2620 set thread context of 332 N/A C:\Windows\SysWOW64\temi.exe C:\Windows\SysWOW64\temi.exe
PID 1752 set thread context of 1536 N/A C:\Windows\SysWOW64\fyti.exe C:\Windows\SysWOW64\fyti.exe
PID 2888 set thread context of 2704 N/A C:\Windows\SysWOW64\shwd.exe C:\Windows\SysWOW64\shwd.exe
PID 1172 set thread context of 1952 N/A C:\Windows\SysWOW64\gffn.exe C:\Windows\SysWOW64\gffn.exe
PID 1364 set thread context of 900 N/A C:\Windows\SysWOW64\aghd.exe C:\Windows\SysWOW64\aghd.exe
PID 1624 set thread context of 956 N/A C:\Windows\SysWOW64\fiqi.exe C:\Windows\SysWOW64\fiqi.exe
PID 2868 set thread context of 2240 N/A C:\Windows\SysWOW64\advy.exe C:\Windows\SysWOW64\advy.exe
PID 1584 set thread context of 1148 N/A C:\Windows\SysWOW64\rvgb.exe C:\Windows\SysWOW64\rvgb.exe
PID 2648 set thread context of 2816 N/A C:\Windows\SysWOW64\ltww.exe C:\Windows\SysWOW64\ltww.exe
PID 2980 set thread context of 2580 N/A C:\Windows\SysWOW64\yksr.exe C:\Windows\SysWOW64\yksr.exe
PID 1720 set thread context of 2216 N/A C:\Windows\SysWOW64\kxhr.exe C:\Windows\SysWOW64\kxhr.exe
PID 2872 set thread context of 332 N/A C:\Windows\SysWOW64\zfbr.exe C:\Windows\SysWOW64\zfbr.exe
PID 2100 set thread context of 1688 N/A C:\Windows\SysWOW64\orzw.exe C:\Windows\SysWOW64\orzw.exe
PID 1880 set thread context of 696 N/A C:\Windows\SysWOW64\gbjz.exe C:\Windows\SysWOW64\gbjz.exe
PID 3044 set thread context of 1364 N/A C:\Windows\SysWOW64\dvfm.exe C:\Windows\SysWOW64\dvfm.exe
PID 1032 set thread context of 2380 N/A C:\Windows\SysWOW64\ebjh.exe C:\Windows\SysWOW64\ebjh.exe
PID 1792 set thread context of 2168 N/A C:\Windows\SysWOW64\rwqh.exe C:\Windows\SysWOW64\rwqh.exe
PID 2700 set thread context of 2308 N/A C:\Windows\SysWOW64\gbzu.exe C:\Windows\SysWOW64\gbzu.exe
PID 2672 set thread context of 1672 N/A C:\Windows\SysWOW64\knou.exe C:\Windows\SysWOW64\knou.exe
PID 1604 set thread context of 1796 N/A C:\Windows\SysWOW64\ilnu.exe C:\Windows\SysWOW64\ilnu.exe
PID 2496 set thread context of 2200 N/A C:\Windows\SysWOW64\ujnh.exe C:\Windows\SysWOW64\ujnh.exe
PID 1752 set thread context of 1972 N/A C:\Windows\SysWOW64\lqmf.exe C:\Windows\SysWOW64\lqmf.exe
PID 2896 set thread context of 332 N/A C:\Windows\SysWOW64\lbzx.exe C:\Windows\SysWOW64\lbzx.exe
PID 1136 set thread context of 584 N/A C:\Windows\SysWOW64\uiaf.exe C:\Windows\SysWOW64\uiaf.exe
PID 2392 set thread context of 1572 N/A C:\Windows\SysWOW64\mlpq.exe C:\Windows\SysWOW64\mlpq.exe
PID 1044 set thread context of 1048 N/A C:\Windows\SysWOW64\jbvq.exe C:\Windows\SysWOW64\jbvq.exe
PID 956 set thread context of 572 N/A C:\Windows\SysWOW64\qjsa.exe C:\Windows\SysWOW64\qjsa.exe
PID 2548 set thread context of 2632 N/A C:\Windows\SysWOW64\ldxq.exe C:\Windows\SysWOW64\ldxq.exe
PID 2264 set thread context of 2644 N/A C:\Windows\SysWOW64\fcnl.exe C:\Windows\SysWOW64\fcnl.exe
PID 2224 set thread context of 2716 N/A C:\Windows\SysWOW64\mnni.exe C:\Windows\SysWOW64\mnni.exe
PID 1892 set thread context of 2884 N/A C:\Windows\SysWOW64\ywqv.exe C:\Windows\SysWOW64\ywqv.exe
PID 1588 set thread context of 2828 N/A C:\Windows\SysWOW64\ypro.exe C:\Windows\SysWOW64\ypro.exe
PID 2836 set thread context of 2844 N/A C:\Windows\SysWOW64\psny.exe C:\Windows\SysWOW64\psny.exe
PID 2116 set thread context of 1804 N/A C:\Windows\SysWOW64\zvet.exe C:\Windows\SysWOW64\zvet.exe
PID 1812 set thread context of 2152 N/A C:\Windows\SysWOW64\rvpr.exe C:\Windows\SysWOW64\rvpr.exe
PID 920 set thread context of 2024 N/A C:\Windows\SysWOW64\dhwr.exe C:\Windows\SysWOW64\dhwr.exe
PID 2956 set thread context of 352 N/A C:\Windows\SysWOW64\yomu.exe C:\Windows\SysWOW64\yomu.exe
PID 2664 set thread context of 952 N/A C:\Windows\SysWOW64\cxqh.exe C:\Windows\SysWOW64\cxqh.exe
PID 2892 set thread context of 2476 N/A C:\Windows\SysWOW64\lagj.exe C:\Windows\SysWOW64\eesg.exe
PID 2980 set thread context of 2772 N/A C:\Windows\SysWOW64\ttou.exe C:\Windows\SysWOW64\ttou.exe
PID 2712 set thread context of 1568 N/A C:\Windows\SysWOW64\dkbk.exe C:\Windows\SysWOW64\dkbk.exe
PID 2776 set thread context of 1532 N/A C:\Windows\SysWOW64\rajc.exe C:\Windows\SysWOW64\rajc.exe
PID 784 set thread context of 336 N/A C:\Windows\SysWOW64\jdym.exe C:\Windows\SysWOW64\jdym.exe
PID 1396 set thread context of 2144 N/A C:\Windows\SysWOW64\ythx.exe C:\Windows\SysWOW64\ythx.exe

Modifies registry class

The default value of HKLM\SOFTWARE\Classes\.key is the ProgID for the .key file extension; setting it to "regfile" associates .key files with the registry-file handler.

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\yodt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\psny.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\hbpl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\rqsy.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\pxog.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\temi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\fyti.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\advy.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\yksr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\dvfm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\ujnh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\yomu.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\lagj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\zfsb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\muuh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\gffn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\cstw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\jcmh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\jcmh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\advy.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\liyp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\pxog.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\usly.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\dvfm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\mlpq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\iyfq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\sqdx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\ypro.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\dhwr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\ythx.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\wlpx.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\fyti.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\dvfm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\yomu.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\rajc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\vcjq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\juue.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\temi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\zvet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\vfxi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\advy.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\ltww.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\fcnl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\lqmf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\phgu.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\cxqh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\vcjq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\ikqr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\lvdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\zvet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\rvpr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\zvet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\ttou.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\rqsy.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\jcmh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\juue.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\ycgw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\fcnl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\rvgb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\ebjh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\iyfq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\jdym.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\wlpx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\hhlg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1288 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe
PID 1288 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe
PID 1288 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe
PID 1288 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe
PID 1288 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe
PID 1288 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe
PID 2800 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe C:\Windows\SysWOW64\lvdf.exe
PID 2800 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe C:\Windows\SysWOW64\lvdf.exe
PID 2800 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe C:\Windows\SysWOW64\lvdf.exe
PID 2800 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe C:\Windows\SysWOW64\lvdf.exe
PID 2980 wrote to memory of 2620 N/A C:\Windows\SysWOW64\lvdf.exe C:\Windows\SysWOW64\lvdf.exe
PID 2980 wrote to memory of 2620 N/A C:\Windows\SysWOW64\lvdf.exe C:\Windows\SysWOW64\lvdf.exe
PID 2980 wrote to memory of 2620 N/A C:\Windows\SysWOW64\lvdf.exe C:\Windows\SysWOW64\lvdf.exe
PID 2980 wrote to memory of 2620 N/A C:\Windows\SysWOW64\lvdf.exe C:\Windows\SysWOW64\lvdf.exe
PID 2980 wrote to memory of 2620 N/A C:\Windows\SysWOW64\lvdf.exe C:\Windows\SysWOW64\lvdf.exe
PID 2980 wrote to memory of 2620 N/A C:\Windows\SysWOW64\lvdf.exe C:\Windows\SysWOW64\lvdf.exe
PID 2620 wrote to memory of 2896 N/A C:\Windows\SysWOW64\lvdf.exe C:\Windows\SysWOW64\ihad.exe
PID 2620 wrote to memory of 2896 N/A C:\Windows\SysWOW64\lvdf.exe C:\Windows\SysWOW64\ihad.exe
PID 2620 wrote to memory of 2896 N/A C:\Windows\SysWOW64\lvdf.exe C:\Windows\SysWOW64\ihad.exe
PID 2620 wrote to memory of 2896 N/A C:\Windows\SysWOW64\lvdf.exe C:\Windows\SysWOW64\ihad.exe
PID 2896 wrote to memory of 2668 N/A C:\Windows\SysWOW64\ihad.exe C:\Windows\SysWOW64\ihad.exe
PID 2896 wrote to memory of 2668 N/A C:\Windows\SysWOW64\ihad.exe C:\Windows\SysWOW64\ihad.exe
PID 2896 wrote to memory of 2668 N/A C:\Windows\SysWOW64\ihad.exe C:\Windows\SysWOW64\ihad.exe
PID 2896 wrote to memory of 2668 N/A C:\Windows\SysWOW64\ihad.exe C:\Windows\SysWOW64\ihad.exe
PID 2896 wrote to memory of 2668 N/A C:\Windows\SysWOW64\ihad.exe C:\Windows\SysWOW64\ihad.exe
PID 2896 wrote to memory of 2668 N/A C:\Windows\SysWOW64\ihad.exe C:\Windows\SysWOW64\ihad.exe
PID 2668 wrote to memory of 2888 N/A C:\Windows\SysWOW64\ihad.exe C:\Windows\SysWOW64\qeli.exe
PID 2668 wrote to memory of 2888 N/A C:\Windows\SysWOW64\ihad.exe C:\Windows\SysWOW64\qeli.exe
PID 2668 wrote to memory of 2888 N/A C:\Windows\SysWOW64\ihad.exe C:\Windows\SysWOW64\qeli.exe
PID 2668 wrote to memory of 2888 N/A C:\Windows\SysWOW64\ihad.exe C:\Windows\SysWOW64\qeli.exe
PID 2888 wrote to memory of 1236 N/A C:\Windows\SysWOW64\qeli.exe C:\Windows\SysWOW64\qeli.exe
PID 2888 wrote to memory of 1236 N/A C:\Windows\SysWOW64\qeli.exe C:\Windows\SysWOW64\qeli.exe
PID 2888 wrote to memory of 1236 N/A C:\Windows\SysWOW64\qeli.exe C:\Windows\SysWOW64\qeli.exe
PID 2888 wrote to memory of 1236 N/A C:\Windows\SysWOW64\qeli.exe C:\Windows\SysWOW64\qeli.exe
PID 2888 wrote to memory of 1236 N/A C:\Windows\SysWOW64\qeli.exe C:\Windows\SysWOW64\qeli.exe
PID 2888 wrote to memory of 1236 N/A C:\Windows\SysWOW64\qeli.exe C:\Windows\SysWOW64\qeli.exe
PID 1236 wrote to memory of 1520 N/A C:\Windows\SysWOW64\qeli.exe C:\Windows\SysWOW64\wmdl.exe
PID 1236 wrote to memory of 1520 N/A C:\Windows\SysWOW64\qeli.exe C:\Windows\SysWOW64\wmdl.exe
PID 1236 wrote to memory of 1520 N/A C:\Windows\SysWOW64\qeli.exe C:\Windows\SysWOW64\wmdl.exe
PID 1236 wrote to memory of 1520 N/A C:\Windows\SysWOW64\qeli.exe C:\Windows\SysWOW64\wmdl.exe
PID 1520 wrote to memory of 2116 N/A C:\Windows\SysWOW64\wmdl.exe C:\Windows\SysWOW64\wmdl.exe
PID 1520 wrote to memory of 2116 N/A C:\Windows\SysWOW64\wmdl.exe C:\Windows\SysWOW64\wmdl.exe
PID 1520 wrote to memory of 2116 N/A C:\Windows\SysWOW64\wmdl.exe C:\Windows\SysWOW64\wmdl.exe
PID 1520 wrote to memory of 2116 N/A C:\Windows\SysWOW64\wmdl.exe C:\Windows\SysWOW64\wmdl.exe
PID 1520 wrote to memory of 2116 N/A C:\Windows\SysWOW64\wmdl.exe C:\Windows\SysWOW64\wmdl.exe
PID 1520 wrote to memory of 2116 N/A C:\Windows\SysWOW64\wmdl.exe C:\Windows\SysWOW64\wmdl.exe
PID 2116 wrote to memory of 2076 N/A C:\Windows\SysWOW64\wmdl.exe C:\Windows\SysWOW64\yodt.exe
PID 2116 wrote to memory of 2076 N/A C:\Windows\SysWOW64\wmdl.exe C:\Windows\SysWOW64\yodt.exe
PID 2116 wrote to memory of 2076 N/A C:\Windows\SysWOW64\wmdl.exe C:\Windows\SysWOW64\yodt.exe
PID 2116 wrote to memory of 2076 N/A C:\Windows\SysWOW64\wmdl.exe C:\Windows\SysWOW64\yodt.exe
PID 2076 wrote to memory of 1052 N/A C:\Windows\SysWOW64\yodt.exe C:\Windows\SysWOW64\yodt.exe
PID 2076 wrote to memory of 1052 N/A C:\Windows\SysWOW64\yodt.exe C:\Windows\SysWOW64\yodt.exe
PID 2076 wrote to memory of 1052 N/A C:\Windows\SysWOW64\yodt.exe C:\Windows\SysWOW64\yodt.exe
PID 2076 wrote to memory of 1052 N/A C:\Windows\SysWOW64\yodt.exe C:\Windows\SysWOW64\yodt.exe
PID 2076 wrote to memory of 1052 N/A C:\Windows\SysWOW64\yodt.exe C:\Windows\SysWOW64\yodt.exe
PID 2076 wrote to memory of 1052 N/A C:\Windows\SysWOW64\yodt.exe C:\Windows\SysWOW64\yodt.exe
PID 1052 wrote to memory of 3064 N/A C:\Windows\SysWOW64\yodt.exe C:\Windows\SysWOW64\zfsb.exe
PID 1052 wrote to memory of 3064 N/A C:\Windows\SysWOW64\yodt.exe C:\Windows\SysWOW64\zfsb.exe
PID 1052 wrote to memory of 3064 N/A C:\Windows\SysWOW64\yodt.exe C:\Windows\SysWOW64\zfsb.exe
PID 1052 wrote to memory of 3064 N/A C:\Windows\SysWOW64\yodt.exe C:\Windows\SysWOW64\zfsb.exe
PID 3064 wrote to memory of 288 N/A C:\Windows\SysWOW64\zfsb.exe C:\Windows\SysWOW64\zfsb.exe
PID 3064 wrote to memory of 288 N/A C:\Windows\SysWOW64\zfsb.exe C:\Windows\SysWOW64\zfsb.exe
PID 3064 wrote to memory of 288 N/A C:\Windows\SysWOW64\zfsb.exe C:\Windows\SysWOW64\zfsb.exe
PID 3064 wrote to memory of 288 N/A C:\Windows\SysWOW64\zfsb.exe C:\Windows\SysWOW64\zfsb.exe
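The sandbox records one row per WriteProcessMemory call, so the same writer/target PID pair recurs four or six times in the table above. The Python below is an added example, not part of the report and not the sandbox's own code: it parses rows of exactly that shape, collapses them into one edge per PID pair with a call count, labels a write into a process running the same image as self-inject (the sample into a second copy of itself, lvdf.exe into a second lvdf.exe, the shape process hollowing produces) and a write into a different image as hand-off (the next dropped stage), and then checks that the edges form one straight chain. The rows embedded in the block are copied from this table with only two of the repeats kept; the labels and function names are the example's own assumptions.

```python
"""Rebuild the injection chain from the 'Suspicious use of WriteProcessMemory' rows.

Added example, not part of the original report and not the sandbox's own code.
WPM_ROWS is a constructed sample: rows copied from the behavioral1 table above,
keeping only two of the repeats (the report lists one row per WriteProcessMemory
call, so every pair really recurs four or six times).  The 'self-inject' and
'hand-off' labels and all function names are this example's own assumptions.
"""
import re

WPM_ROWS = r"""
PID 1288 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe
PID 1288 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe
PID 2800 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe C:\Windows\SysWOW64\lvdf.exe
PID 2800 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe C:\Windows\SysWOW64\lvdf.exe
PID 2980 wrote to memory of 2620 N/A C:\Windows\SysWOW64\lvdf.exe C:\Windows\SysWOW64\lvdf.exe
PID 2620 wrote to memory of 2896 N/A C:\Windows\SysWOW64\lvdf.exe C:\Windows\SysWOW64\ihad.exe
PID 2896 wrote to memory of 2668 N/A C:\Windows\SysWOW64\ihad.exe C:\Windows\SysWOW64\ihad.exe
PID 2668 wrote to memory of 2888 N/A C:\Windows\SysWOW64\ihad.exe C:\Windows\SysWOW64\qeli.exe
PID 2888 wrote to memory of 1236 N/A C:\Windows\SysWOW64\qeli.exe C:\Windows\SysWOW64\qeli.exe
PID 1236 wrote to memory of 1520 N/A C:\Windows\SysWOW64\qeli.exe C:\Windows\SysWOW64\wmdl.exe
PID 1520 wrote to memory of 2116 N/A C:\Windows\SysWOW64\wmdl.exe C:\Windows\SysWOW64\wmdl.exe
PID 2116 wrote to memory of 2076 N/A C:\Windows\SysWOW64\wmdl.exe C:\Windows\SysWOW64\yodt.exe
PID 2076 wrote to memory of 1052 N/A C:\Windows\SysWOW64\yodt.exe C:\Windows\SysWOW64\yodt.exe
PID 1052 wrote to memory of 3064 N/A C:\Windows\SysWOW64\yodt.exe C:\Windows\SysWOW64\zfsb.exe
PID 3064 wrote to memory of 288 N/A C:\Windows\SysWOW64\zfsb.exe C:\Windows\SysWOW64\zfsb.exe
"""

# Row shape: "PID <writer> wrote to memory of <target> <indicator> <writer image> <target image>"
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \S+ (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def basename(path):
    """Last path component, lower-cased (Windows paths are case-insensitive)."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_rows(text):
    """(writer_pid, target_pid, writer_image, target_image) per row; header/blank lines skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"]))
    return rows


def build_edges(rows):
    """Collapse repeated rows into one edge per (writer, target) PID pair, in first-seen
    order, counting the calls.  A write into a process running the same image is
    'self-inject' (a process writing into a fresh copy of itself, consistent with
    process hollowing); a write into a different image is a 'hand-off' to the next
    dropped stage."""
    edges = {}
    for src, dst, src_img, dst_img in rows:
        same = basename(src_img) == basename(dst_img)
        e = edges.setdefault((src, dst), {
            "src_image": basename(src_img),
            "dst_image": basename(dst_img),
            "kind": "self-inject" if same else "hand-off",
            "calls": 0,
        })
        e["calls"] += 1
    return edges


def is_linear(edges):
    """True when every target PID is the writer of the next edge: one straight chain, no fan-out."""
    pairs = list(edges)
    return all(pairs[i][1] == pairs[i + 1][0] for i in range(len(pairs) - 1))


def stages(edges):
    """Distinct images in the order they first appear along the chain."""
    seen = []
    for e in edges.values():
        for img in (e["src_image"], e["dst_image"]):
            if img not in seen:
                seen.append(img)
    return seen


if __name__ == "__main__":
    edges = build_edges(parse_rows(WPM_ROWS))
    for (src, dst), e in edges.items():
        print(f"{src:>5} -> {dst:<5} {e['kind']:<12} x{e['calls']}  {e['src_image']} -> {e['dst_image']}")
    print("single linear chain:", is_linear(edges))
    print("stages:", " -> ".join(stages(edges)))
```

Run against the full table the counts come out as six calls for every self-inject edge and four for every hand-off, which is the kind of regularity worth recording in a report: each stage is doing the same two things in the same order.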

Processes

C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe

C:\Windows\SysWOW64\lvdf.exe

C:\Windows\system32\lvdf.exe 500 "C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe"

C:\Windows\SysWOW64\lvdf.exe

C:\Windows\SysWOW64\lvdf.exe

C:\Windows\SysWOW64\ihad.exe

C:\Windows\system32\ihad.exe 456 "C:\Windows\SysWOW64\lvdf.exe"

C:\Windows\SysWOW64\ihad.exe

C:\Windows\SysWOW64\ihad.exe

C:\Windows\SysWOW64\qeli.exe

C:\Windows\system32\qeli.exe 456 "C:\Windows\SysWOW64\ihad.exe"

C:\Windows\SysWOW64\qeli.exe

C:\Windows\SysWOW64\qeli.exe

C:\Windows\SysWOW64\wmdl.exe

C:\Windows\system32\wmdl.exe 456 "C:\Windows\SysWOW64\qeli.exe"

C:\Windows\SysWOW64\wmdl.exe

C:\Windows\SysWOW64\wmdl.exe

C:\Windows\SysWOW64\yodt.exe

C:\Windows\system32\yodt.exe 432 "C:\Windows\SysWOW64\wmdl.exe"

C:\Windows\SysWOW64\yodt.exe

C:\Windows\SysWOW64\yodt.exe

C:\Windows\SysWOW64\zfsb.exe

C:\Windows\system32\zfsb.exe 456 "C:\Windows\SysWOW64\yodt.exe"

C:\Windows\SysWOW64\zfsb.exe

C:\Windows\SysWOW64\zfsb.exe

C:\Windows\SysWOW64\juue.exe

C:\Windows\system32\juue.exe 460 "C:\Windows\SysWOW64\zfsb.exe"

C:\Windows\SysWOW64\juue.exe

C:\Windows\SysWOW64\juue.exe

C:\Windows\SysWOW64\ycgw.exe

C:\Windows\system32\ycgw.exe 460 "C:\Windows\SysWOW64\juue.exe"

C:\Windows\SysWOW64\ycgw.exe

C:\Windows\SysWOW64\ycgw.exe

C:\Windows\SysWOW64\iutm.exe

C:\Windows\system32\iutm.exe 460 "C:\Windows\SysWOW64\ycgw.exe"

C:\Windows\SysWOW64\iutm.exe

C:\Windows\SysWOW64\iutm.exe

C:\Windows\SysWOW64\klim.exe

C:\Windows\system32\klim.exe 480 "C:\Windows\SysWOW64\iutm.exe"

C:\Windows\SysWOW64\klim.exe

C:\Windows\SysWOW64\klim.exe

C:\Windows\SysWOW64\tcvc.exe

C:\Windows\system32\tcvc.exe 460 "C:\Windows\SysWOW64\klim.exe"

C:\Windows\SysWOW64\tcvc.exe

C:\Windows\SysWOW64\tcvc.exe

C:\Windows\SysWOW64\ojlw.exe

C:\Windows\system32\ojlw.exe 480 "C:\Windows\SysWOW64\tcvc.exe"

C:\Windows\SysWOW64\ojlw.exe

C:\Windows\SysWOW64\ojlw.exe

C:\Windows\SysWOW64\plme.exe

C:\Windows\system32\plme.exe 472 "C:\Windows\SysWOW64\ojlw.exe"

C:\Windows\SysWOW64\plme.exe

C:\Windows\SysWOW64\plme.exe

C:\Windows\SysWOW64\ufvs.exe

C:\Windows\system32\ufvs.exe 480 "C:\Windows\SysWOW64\plme.exe"

C:\Windows\SysWOW64\ufvs.exe

C:\Windows\SysWOW64\ufvs.exe

C:\Windows\SysWOW64\muuh.exe

C:\Windows\system32\muuh.exe 536 "C:\Windows\SysWOW64\ufvs.exe"

C:\Windows\SysWOW64\muuh.exe

C:\Windows\SysWOW64\muuh.exe

C:\Windows\SysWOW64\dauf.exe

C:\Windows\system32\dauf.exe 468 "C:\Windows\SysWOW64\muuh.exe"

C:\Windows\SysWOW64\dauf.exe

C:\Windows\SysWOW64\dauf.exe

C:\Windows\SysWOW64\sqdx.exe

C:\Windows\system32\sqdx.exe 468 "C:\Windows\SysWOW64\dauf.exe"

C:\Windows\SysWOW64\sqdx.exe

C:\Windows\SysWOW64\sqdx.exe

C:\Windows\SysWOW64\cabn.exe

C:\Windows\system32\cabn.exe 460 "C:\Windows\SysWOW64\sqdx.exe"

C:\Windows\SysWOW64\cabn.exe

C:\Windows\SysWOW64\cabn.exe

C:\Windows\SysWOW64\msgd.exe

C:\Windows\system32\msgd.exe 472 "C:\Windows\SysWOW64\cabn.exe"

C:\Windows\SysWOW64\msgd.exe

C:\Windows\SysWOW64\msgd.exe

C:\Windows\SysWOW64\temi.exe

C:\Windows\system32\temi.exe 464 "C:\Windows\SysWOW64\msgd.exe"

C:\Windows\SysWOW64\temi.exe

C:\Windows\SysWOW64\temi.exe

C:\Windows\SysWOW64\fyti.exe

C:\Windows\system32\fyti.exe 464 "C:\Windows\SysWOW64\temi.exe"

C:\Windows\SysWOW64\fyti.exe

C:\Windows\SysWOW64\fyti.exe

C:\Windows\SysWOW64\shwd.exe

C:\Windows\system32\shwd.exe 456 "C:\Windows\SysWOW64\fyti.exe"

C:\Windows\SysWOW64\shwd.exe

C:\Windows\SysWOW64\shwd.exe

C:\Windows\SysWOW64\gffn.exe

C:\Windows\system32\gffn.exe 468 "C:\Windows\SysWOW64\shwd.exe"

C:\Windows\SysWOW64\gffn.exe

C:\Windows\SysWOW64\gffn.exe

C:\Windows\SysWOW64\aghd.exe

C:\Windows\system32\aghd.exe 456 "C:\Windows\SysWOW64\gffn.exe"

C:\Windows\SysWOW64\aghd.exe

C:\Windows\SysWOW64\aghd.exe

C:\Windows\SysWOW64\fiqi.exe

C:\Windows\system32\fiqi.exe 464 "C:\Windows\SysWOW64\aghd.exe"

C:\Windows\SysWOW64\fiqi.exe

C:\Windows\SysWOW64\fiqi.exe

C:\Windows\SysWOW64\advy.exe

C:\Windows\system32\advy.exe 468 "C:\Windows\SysWOW64\fiqi.exe"

C:\Windows\SysWOW64\advy.exe

C:\Windows\SysWOW64\advy.exe

C:\Windows\SysWOW64\rvgb.exe

C:\Windows\system32\rvgb.exe 468 "C:\Windows\SysWOW64\advy.exe"

C:\Windows\SysWOW64\rvgb.exe

C:\Windows\SysWOW64\rvgb.exe

C:\Windows\SysWOW64\ltww.exe

C:\Windows\system32\ltww.exe 464 "C:\Windows\SysWOW64\rvgb.exe"

C:\Windows\SysWOW64\ltww.exe

C:\Windows\SysWOW64\ltww.exe

C:\Windows\SysWOW64\yksr.exe

C:\Windows\system32\yksr.exe 504 "C:\Windows\SysWOW64\ltww.exe"

C:\Windows\SysWOW64\yksr.exe

C:\Windows\SysWOW64\yksr.exe

C:\Windows\SysWOW64\kxhr.exe

C:\Windows\system32\kxhr.exe 500 "C:\Windows\SysWOW64\yksr.exe"

C:\Windows\SysWOW64\kxhr.exe

C:\Windows\SysWOW64\kxhr.exe

C:\Windows\SysWOW64\zfbr.exe

C:\Windows\system32\zfbr.exe 480 "C:\Windows\SysWOW64\kxhr.exe"

C:\Windows\SysWOW64\zfbr.exe

C:\Windows\SysWOW64\zfbr.exe

C:\Windows\SysWOW64\orzw.exe

C:\Windows\system32\orzw.exe 476 "C:\Windows\SysWOW64\zfbr.exe"

C:\Windows\SysWOW64\orzw.exe

C:\Windows\SysWOW64\orzw.exe

C:\Windows\SysWOW64\gbjz.exe

C:\Windows\system32\gbjz.exe 464 "C:\Windows\SysWOW64\orzw.exe"

C:\Windows\SysWOW64\gbjz.exe

C:\Windows\SysWOW64\gbjz.exe

C:\Windows\SysWOW64\dvfm.exe

C:\Windows\system32\dvfm.exe 460 "C:\Windows\SysWOW64\gbjz.exe"

C:\Windows\SysWOW64\dvfm.exe

C:\Windows\SysWOW64\dvfm.exe

C:\Windows\SysWOW64\ebjh.exe

C:\Windows\system32\ebjh.exe 468 "C:\Windows\SysWOW64\dvfm.exe"

C:\Windows\SysWOW64\ebjh.exe

C:\Windows\SysWOW64\ebjh.exe

C:\Windows\SysWOW64\rwqh.exe

C:\Windows\system32\rwqh.exe 480 "C:\Windows\SysWOW64\ebjh.exe"

C:\Windows\SysWOW64\rwqh.exe

C:\Windows\SysWOW64\rwqh.exe

C:\Windows\SysWOW64\gbzu.exe

C:\Windows\system32\gbzu.exe 464 "C:\Windows\SysWOW64\rwqh.exe"

C:\Windows\SysWOW64\gbzu.exe

C:\Windows\SysWOW64\gbzu.exe

C:\Windows\SysWOW64\knou.exe

C:\Windows\system32\knou.exe 456 "C:\Windows\SysWOW64\gbzu.exe"

C:\Windows\SysWOW64\knou.exe

C:\Windows\SysWOW64\knou.exe

C:\Windows\SysWOW64\ilnu.exe

C:\Windows\system32\ilnu.exe 464 "C:\Windows\SysWOW64\knou.exe"

C:\Windows\SysWOW64\ilnu.exe

C:\Windows\SysWOW64\ilnu.exe

C:\Windows\SysWOW64\ujnh.exe

C:\Windows\system32\ujnh.exe 468 "C:\Windows\SysWOW64\ilnu.exe"

C:\Windows\SysWOW64\ujnh.exe

C:\Windows\SysWOW64\ujnh.exe

C:\Windows\SysWOW64\lqmf.exe

C:\Windows\system32\lqmf.exe 476 "C:\Windows\SysWOW64\ujnh.exe"

C:\Windows\SysWOW64\lqmf.exe

C:\Windows\SysWOW64\lqmf.exe

C:\Windows\SysWOW64\lbzx.exe

C:\Windows\system32\lbzx.exe 476 "C:\Windows\SysWOW64\lqmf.exe"

C:\Windows\SysWOW64\lbzx.exe

C:\Windows\SysWOW64\lbzx.exe

C:\Windows\SysWOW64\uiaf.exe

C:\Windows\system32\uiaf.exe 492 "C:\Windows\SysWOW64\lbzx.exe"

C:\Windows\SysWOW64\uiaf.exe

C:\Windows\SysWOW64\uiaf.exe

C:\Windows\SysWOW64\mlpq.exe

C:\Windows\system32\mlpq.exe 464 "C:\Windows\SysWOW64\uiaf.exe"

C:\Windows\SysWOW64\mlpq.exe

C:\Windows\SysWOW64\mlpq.exe

C:\Windows\SysWOW64\jbvq.exe

C:\Windows\system32\jbvq.exe 472 "C:\Windows\SysWOW64\mlpq.exe"

C:\Windows\SysWOW64\jbvq.exe

C:\Windows\SysWOW64\jbvq.exe

C:\Windows\SysWOW64\qjsa.exe

C:\Windows\system32\qjsa.exe 460 "C:\Windows\SysWOW64\jbvq.exe"

C:\Windows\SysWOW64\qjsa.exe

C:\Windows\SysWOW64\qjsa.exe

C:\Windows\SysWOW64\ldxq.exe

C:\Windows\system32\ldxq.exe 460 "C:\Windows\SysWOW64\qjsa.exe"

C:\Windows\SysWOW64\ldxq.exe

C:\Windows\SysWOW64\ldxq.exe

C:\Windows\SysWOW64\fcnl.exe

C:\Windows\system32\fcnl.exe 468 "C:\Windows\SysWOW64\ldxq.exe"

C:\Windows\SysWOW64\fcnl.exe

C:\Windows\SysWOW64\fcnl.exe

C:\Windows\SysWOW64\mnni.exe

C:\Windows\system32\mnni.exe 464 "C:\Windows\SysWOW64\fcnl.exe"

C:\Windows\SysWOW64\mnni.exe

C:\Windows\SysWOW64\mnni.exe

C:\Windows\SysWOW64\ywqv.exe

C:\Windows\system32\ywqv.exe 456 "C:\Windows\SysWOW64\mnni.exe"

C:\Windows\SysWOW64\ywqv.exe

C:\Windows\SysWOW64\ywqv.exe

C:\Windows\SysWOW64\ypro.exe

C:\Windows\system32\ypro.exe 480 "C:\Windows\SysWOW64\ywqv.exe"

C:\Windows\SysWOW64\ypro.exe

C:\Windows\SysWOW64\ypro.exe

C:\Windows\SysWOW64\psny.exe

C:\Windows\system32\psny.exe 464 "C:\Windows\SysWOW64\ypro.exe"

C:\Windows\SysWOW64\psny.exe

C:\Windows\SysWOW64\psny.exe

C:\Windows\SysWOW64\zvet.exe

C:\Windows\system32\zvet.exe 468 "C:\Windows\SysWOW64\psny.exe"

C:\Windows\SysWOW64\zvet.exe

C:\Windows\SysWOW64\zvet.exe

C:\Windows\SysWOW64\rvpr.exe

C:\Windows\system32\rvpr.exe 472 "C:\Windows\SysWOW64\zvet.exe"

C:\Windows\SysWOW64\rvpr.exe

C:\Windows\SysWOW64\rvpr.exe

C:\Windows\SysWOW64\dhwr.exe

C:\Windows\system32\dhwr.exe 472 "C:\Windows\SysWOW64\rvpr.exe"

C:\Windows\SysWOW64\dhwr.exe

C:\Windows\SysWOW64\dhwr.exe

C:\Windows\SysWOW64\yomu.exe

C:\Windows\system32\yomu.exe 460 "C:\Windows\SysWOW64\dhwr.exe"

C:\Windows\SysWOW64\yomu.exe

C:\Windows\SysWOW64\yomu.exe

C:\Windows\SysWOW64\cxqh.exe

C:\Windows\system32\cxqh.exe 460 "C:\Windows\SysWOW64\yomu.exe"

C:\Windows\SysWOW64\cxqh.exe

C:\Windows\SysWOW64\cxqh.exe

C:\Windows\SysWOW64\lagj.exe

C:\Windows\system32\lagj.exe 476 "C:\Windows\SysWOW64\cxqh.exe"

C:\Windows\SysWOW64\lagj.exe

C:\Windows\SysWOW64\lagj.exe

C:\Windows\SysWOW64\ttou.exe

C:\Windows\system32\ttou.exe 460 "C:\Windows\SysWOW64\lagj.exe"

C:\Windows\SysWOW64\ttou.exe

C:\Windows\SysWOW64\ttou.exe

C:\Windows\SysWOW64\dkbk.exe

C:\Windows\system32\dkbk.exe 464 "C:\Windows\SysWOW64\ttou.exe"

C:\Windows\SysWOW64\dkbk.exe

C:\Windows\SysWOW64\dkbk.exe

C:\Windows\SysWOW64\rajc.exe

C:\Windows\system32\rajc.exe 464 "C:\Windows\SysWOW64\dkbk.exe"

C:\Windows\SysWOW64\rajc.exe

C:\Windows\SysWOW64\rajc.exe

C:\Windows\SysWOW64\jdym.exe

C:\Windows\system32\jdym.exe 468 "C:\Windows\SysWOW64\rajc.exe"

C:\Windows\SysWOW64\jdym.exe

C:\Windows\SysWOW64\jdym.exe

C:\Windows\SysWOW64\ythx.exe

C:\Windows\system32\ythx.exe 472 "C:\Windows\SysWOW64\jdym.exe"

C:\Windows\SysWOW64\ythx.exe

C:\Windows\SysWOW64\ythx.exe

C:\Windows\SysWOW64\phgu.exe

C:\Windows\system32\phgu.exe 472 "C:\Windows\SysWOW64\ythx.exe"

C:\Windows\SysWOW64\phgu.exe

C:\Windows\SysWOW64\phgu.exe

C:\Windows\SysWOW64\kclk.exe

C:\Windows\system32\kclk.exe 480 "C:\Windows\SysWOW64\phgu.exe"

C:\Windows\SysWOW64\kclk.exe

C:\Windows\SysWOW64\kclk.exe

C:\Windows\SysWOW64\wlpx.exe

C:\Windows\system32\wlpx.exe 476 "C:\Windows\SysWOW64\kclk.exe"

C:\Windows\SysWOW64\wlpx.exe

C:\Windows\SysWOW64\wlpx.exe

C:\Windows\SysWOW64\liyp.exe

C:\Windows\system32\liyp.exe 456 "C:\Windows\SysWOW64\wlpx.exe"

C:\Windows\SysWOW64\liyp.exe

C:\Windows\SysWOW64\liyp.exe

C:\Windows\SysWOW64\iyfq.exe

C:\Windows\system32\iyfq.exe 460 "C:\Windows\SysWOW64\liyp.exe"

C:\Windows\SysWOW64\iyfq.exe

C:\Windows\SysWOW64\iyfq.exe

C:\Windows\SysWOW64\sykf.exe

C:\Windows\system32\sykf.exe 476 "C:\Windows\SysWOW64\iyfq.exe"

C:\Windows\SysWOW64\sykf.exe

C:\Windows\SysWOW64\sykf.exe

C:\Windows\SysWOW64\hbpl.exe

C:\Windows\system32\hbpl.exe 468 "C:\Windows\SysWOW64\sykf.exe"

C:\Windows\SysWOW64\hbpl.exe

C:\Windows\SysWOW64\hbpl.exe

C:\Windows\SysWOW64\usly.exe

C:\Windows\system32\usly.exe 460 "C:\Windows\SysWOW64\hbpl.exe"

C:\Windows\SysWOW64\usly.exe

C:\Windows\SysWOW64\usly.exe

C:\Windows\SysWOW64\rqsy.exe

C:\Windows\system32\rqsy.exe 456 "C:\Windows\SysWOW64\usly.exe"

C:\Windows\SysWOW64\rqsy.exe

C:\Windows\SysWOW64\rqsy.exe

C:\Windows\SysWOW64\vcjq.exe

C:\Windows\system32\vcjq.exe 468 "C:\Windows\SysWOW64\rqsy.exe"

C:\Windows\SysWOW64\vcjq.exe

C:\Windows\SysWOW64\vcjq.exe

C:\Windows\SysWOW64\pxog.exe

C:\Windows\system32\pxog.exe 472 "C:\Windows\SysWOW64\vcjq.exe"

C:\Windows\SysWOW64\pxog.exe

C:\Windows\SysWOW64\pxog.exe

C:\Windows\SysWOW64\cstw.exe

C:\Windows\system32\cstw.exe 488 "C:\Windows\SysWOW64\pxog.exe"

C:\Windows\SysWOW64\cstw.exe

C:\Windows\SysWOW64\cstw.exe

C:\Windows\SysWOW64\vfxi.exe

C:\Windows\system32\vfxi.exe 464 "C:\Windows\SysWOW64\cstw.exe"

C:\Windows\SysWOW64\vfxi.exe

C:\Windows\SysWOW64\vfxi.exe

C:\Windows\SysWOW64\ikqr.exe

C:\Windows\system32\ikqr.exe 460 "C:\Windows\SysWOW64\vfxi.exe"

C:\Windows\SysWOW64\ikqr.exe

C:\Windows\SysWOW64\ikqr.exe

C:\Windows\SysWOW64\hhlg.exe

C:\Windows\system32\hhlg.exe 456 "C:\Windows\SysWOW64\ikqr.exe"

C:\Windows\SysWOW64\hhlg.exe

C:\Windows\SysWOW64\hhlg.exe

C:\Windows\SysWOW64\eesg.exe

C:\Windows\system32\eesg.exe 472 "C:\Windows\SysWOW64\hhlg.exe"

C:\Windows\SysWOW64\eesg.exe

C:\Windows\SysWOW64\eesg.exe

C:\Windows\SysWOW64\jcmh.exe

C:\Windows\system32\jcmh.exe 468 "C:\Windows\SysWOW64\eesg.exe"

C:\Windows\SysWOW64\jcmh.exe

C:\Windows\SysWOW64\jcmh.exe

C:\Windows\SysWOW64\vwth.exe

C:\Windows\system32\vwth.exe 460 "C:\Windows\SysWOW64\jcmh.exe"

C:\Windows\SysWOW64\vwth.exe

C:\Windows\SysWOW64\vwth.exe

C:\Windows\SysWOW64\prgo.exe

C:\Windows\system32\prgo.exe 484 "C:\Windows\SysWOW64\vwth.exe"

C:\Windows\SysWOW64\prgo.exe

C:\Windows\SysWOW64\prgo.exe

C:\Windows\system32\wbem\WMIADAP.EXE

wmiadap.exe /F /T /R

C:\Windows\SysWOW64\hggm.exe

C:\Windows\system32\hggm.exe 476 "C:\Windows\SysWOW64\prgo.exe"

C:\Windows\SysWOW64\hggm.exe

C:\Windows\SysWOW64\hggm.exe

C:\Windows\SysWOW64\jiyu.exe

C:\Windows\system32\jiyu.exe 468 "C:\Windows\SysWOW64\hggm.exe"

C:\Windows\SysWOW64\jiyu.exe

C:\Windows\SysWOW64\jiyu.exe

C:\Windows\SysWOW64\ibhm.exe

C:\Windows\system32\ibhm.exe 472 "C:\Windows\SysWOW64\jiyu.exe"

C:\Windows\SysWOW64\ibhm.exe

C:\Windows\SysWOW64\ibhm.exe

C:\Windows\SysWOW64\xqqx.exe

C:\Windows\system32\xqqx.exe 480 "C:\Windows\SysWOW64\ibhm.exe"

C:\Windows\SysWOW64\xqqx.exe

C:\Windows\SysWOW64\xqqx.exe

C:\Windows\SysWOW64\mycx.exe

C:\Windows\system32\mycx.exe 484 "C:\Windows\SysWOW64\xqqx.exe"

C:\Windows\SysWOW64\mycx.exe

C:\Windows\SysWOW64\mycx.exe

C:\Windows\SysWOW64\efcn.exe

C:\Windows\system32\efcn.exe 460 "C:\Windows\SysWOW64\mycx.exe"

C:\Windows\SysWOW64\efcn.exe

C:\Windows\SysWOW64\efcn.exe

C:\Windows\SysWOW64\town.exe

C:\Windows\system32\town.exe 460 "C:\Windows\SysWOW64\efcn.exe"

C:\Windows\SysWOW64\town.exe

C:\Windows\SysWOW64\town.exe

C:\Windows\SysWOW64\arwc.exe

C:\Windows\system32\arwc.exe 460 "C:\Windows\SysWOW64\town.exe"

C:\Windows\SysWOW64\arwc.exe

C:\Windows\SysWOW64\arwc.exe

C:\Windows\SysWOW64\hkev.exe

C:\Windows\system32\hkev.exe 480 "C:\Windows\SysWOW64\arwc.exe"

C:\Windows\SysWOW64\hkev.exe

C:\Windows\SysWOW64\hkev.exe

C:\Windows\SysWOW64\zosf.exe

C:\Windows\system32\zosf.exe 464 "C:\Windows\SysWOW64\hkev.exe"

C:\Windows\SysWOW64\zosf.exe

C:\Windows\SysWOW64\zosf.exe

C:\Windows\SysWOW64\ghmd.exe

C:\Windows\system32\ghmd.exe 456 "C:\Windows\SysWOW64\zosf.exe"

C:\Windows\SysWOW64\ghmd.exe

C:\Windows\SysWOW64\ghmd.exe

C:\Windows\SysWOW64\iyda.exe

C:\Windows\system32\iyda.exe 460 "C:\Windows\SysWOW64\ghmd.exe"

C:\Windows\SysWOW64\iyda.exe

C:\Windows\SysWOW64\iyda.exe

C:\Windows\SysWOW64\pzal.exe

C:\Windows\system32\pzal.exe 460 "C:\Windows\SysWOW64\iyda.exe"

C:\Windows\SysWOW64\pzal.exe

C:\Windows\SysWOW64\pzal.exe

C:\Windows\SysWOW64\kqcg.exe

C:\Windows\system32\kqcg.exe 456 "C:\Windows\SysWOW64\pzal.exe"

C:\Windows\SysWOW64\kqcg.exe

C:\Windows\SysWOW64\kqcg.exe

C:\Windows\SysWOW64\eokj.exe

C:\Windows\system32\eokj.exe 464 "C:\Windows\SysWOW64\kqcg.exe"

C:\Windows\SysWOW64\eokj.exe

C:\Windows\SysWOW64\eokj.exe

C:\Windows\SysWOW64\tapo.exe

C:\Windows\system32\tapo.exe 460 "C:\Windows\SysWOW64\eokj.exe"

C:\Windows\SysWOW64\tapo.exe

C:\Windows\SysWOW64\tapo.exe

C:\Windows\SysWOW64\votb.exe

C:\Windows\system32\votb.exe 464 "C:\Windows\SysWOW64\tapo.exe"

C:\Windows\SysWOW64\votb.exe

C:\Windows\SysWOW64\votb.exe

C:\Windows\SysWOW64\ejre.exe

C:\Windows\system32\ejre.exe 468 "C:\Windows\SysWOW64\votb.exe"

C:\Windows\SysWOW64\ejre.exe

C:\Windows\SysWOW64\ejre.exe

C:\Windows\SysWOW64\qdye.exe

C:\Windows\system32\qdye.exe 468 "C:\Windows\SysWOW64\ejre.exe"

C:\Windows\SysWOW64\qdye.exe

C:\Windows\SysWOW64\qdye.exe

C:\Windows\SysWOW64\bopt.exe

C:\Windows\system32\bopt.exe 456 "C:\Windows\SysWOW64\qdye.exe"

C:\Windows\SysWOW64\bopt.exe

C:\Windows\SysWOW64\bopt.exe

C:\Windows\SysWOW64\vqqj.exe

C:\Windows\system32\vqqj.exe 468 "C:\Windows\SysWOW64\bopt.exe"

C:\Windows\SysWOW64\vqqj.exe

C:\Windows\SysWOW64\vqqj.exe

C:\Windows\SysWOW64\xltm.exe

C:\Windows\system32\xltm.exe 484 "C:\Windows\SysWOW64\vqqj.exe"

C:\Windows\SysWOW64\xltm.exe

C:\Windows\SysWOW64\xltm.exe

C:\Windows\SysWOW64\hzvp.exe

C:\Windows\system32\hzvp.exe 468 "C:\Windows\SysWOW64\xltm.exe"

C:\Windows\SysWOW64\hzvp.exe

C:\Windows\SysWOW64\hzvp.exe

C:\Windows\SysWOW64\gvhm.exe

C:\Windows\system32\gvhm.exe 476 "C:\Windows\SysWOW64\hzvp.exe"

C:\Windows\SysWOW64\gvhm.exe

C:\Windows\SysWOW64\gvhm.exe
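Every dropped stage in the list above is started the same way, as `<image> <integer> "<parent image>"`, with the command line naming C:\Windows\system32 while the resolved image path is C:\Windows\SysWOW64 (WOW64 file-system redirection hands a 32-bit process SysWOW64 when it asks for system32, so a hunt for these files has to match both spellings), and each stage then re-runs itself with no arguments. What the integer argument means is not something the report establishes. The Python below is an added example, not the sandbox's own logic: it turns that shape into a small classifier over (image, command line) pairs and flags a four-letter .exe sitting directly in SysWOW64 that is started in that way. The pairs it embeds are the first stages and the WMIADAP.EXE entry copied from this list; the class names, the four-letter-name heuristic and the function names are the example's own assumptions.

```python
"""Classify a sandbox process list and flag the launch pattern the dropped stages share.

Added example, not part of the original report.  PROCESSES is a constructed sample:
(image path, command line) pairs copied from the Processes section above.  The
kind names, the four-letter-name heuristic and the function names are assumptions
of this example, not the sandbox's own signatures.
"""
import re

PROCESSES = [
    (r"C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe"'),
    (r"C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe",
     r"C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe"),
    (r"C:\Windows\SysWOW64\lvdf.exe",
     r'C:\Windows\system32\lvdf.exe 500 "C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe"'),
    (r"C:\Windows\SysWOW64\lvdf.exe", r"C:\Windows\SysWOW64\lvdf.exe"),
    (r"C:\Windows\SysWOW64\ihad.exe", r'C:\Windows\system32\ihad.exe 456 "C:\Windows\SysWOW64\lvdf.exe"'),
    (r"C:\Windows\SysWOW64\ihad.exe", r"C:\Windows\SysWOW64\ihad.exe"),
    (r"C:\Windows\system32\wbem\WMIADAP.EXE", r"wmiadap.exe /F /T /R"),
]

# Launch shape of every dropped stage: <exe> <integer> "<parent image>"
STAGE_RE = re.compile(r'^(?P<exe>\S+\.exe) (?P<num>\d+) "(?P<parent>[^"]+)"$', re.IGNORECASE)
# Heuristic for the names the sample picks: four lower-case letters plus .exe
RANDOM_NAME_RE = re.compile(r"^[a-z]{4}\.exe$")
SYSWOW64 = "c:\\windows\\syswow64\\"


def normalize(path):
    r"""Lower-case and fold WOW64 file-system redirection: a 32-bit process that
    names C:\Windows\system32\x.exe is given C:\Windows\SysWOW64\x.exe, which is
    why the command lines above say system32 while the image paths say SysWOW64."""
    return path.lower().replace("c:\\windows\\system32\\", SYSWOW64)


def in_syswow64(image):
    r"""True for a file directly inside C:\Windows\SysWOW64 (no sub-directory),
    judged on the image path as the sandbox resolved it."""
    p = image.lower()
    return p.startswith(SYSWOW64) and "\\" not in p[len(SYSWOW64):]


def classify(image, cmdline):
    """Return (kind, parent) with kind one of:
      'stage-launch' : <same exe> <integer> "<parent image>"  (how each dropped stage is started)
      'self-copy'    : command line is exactly the image path  (the stage re-running itself)
      'other'        : anything else (the quoted initial launch, WMIADAP.EXE)"""
    img = normalize(image)
    cmd = cmdline.strip()
    m = STAGE_RE.match(cmd)
    if m and normalize(m["exe"]) == img:
        return "stage-launch", normalize(m["parent"])
    if normalize(cmd) == img:
        return "self-copy", None
    return "other", None


def flag(image, cmdline):
    """Both halves are required: the stage-launch argument shape and a four-letter
    .exe directly in SysWOW64.  Either half on its own is noisy."""
    kind, _ = classify(image, cmdline)
    name = image.rsplit("\\", 1)[-1].lower()
    return kind == "stage-launch" and in_syswow64(image) and RANDOM_NAME_RE.match(name) is not None


def scan(processes):
    """[(image, kind, flagged)] for a list of (image, cmdline) pairs."""
    return [(img, classify(img, cmd)[0], flag(img, cmd)) for img, cmd in processes]


if __name__ == "__main__":
    for image, kind, flagged in scan(PROCESSES):
        print(f"{'FLAG' if flagged else '    '} {kind:<13} {image}")
```

The parent path returned for a stage-launch entry is what links the list together without PIDs: each stage's quoted argument is the image of the stage before it, which is also the relationship the WriteProcessMemory rows show.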

Network

N/A

Files

memory/1288-1-0x0000000000250000-0x0000000000280000-memory.dmp

memory/1288-0-0x0000000013140000-0x000000001318E000-memory.dmp

memory/1288-4-0x00000000021A0000-0x00000000021A1000-memory.dmp

memory/1288-5-0x0000000002190000-0x0000000002191000-memory.dmp

memory/1288-3-0x0000000000240000-0x0000000000244000-memory.dmp

memory/1288-7-0x0000000002100000-0x0000000002101000-memory.dmp

memory/1288-11-0x0000000002170000-0x0000000002171000-memory.dmp

memory/1288-9-0x00000000020F0000-0x00000000020F1000-memory.dmp

memory/1288-2-0x0000000000590000-0x0000000000591000-memory.dmp

memory/1288-12-0x0000000002140000-0x0000000002141000-memory.dmp

memory/2800-13-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/1288-15-0x0000000002130000-0x0000000002131000-memory.dmp

memory/2800-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2800-21-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/1288-20-0x00000000021A0000-0x00000000021A1000-memory.dmp

memory/2800-27-0x0000000013140000-0x000000001318E000-memory.dmp

memory/1288-26-0x0000000000250000-0x0000000000280000-memory.dmp

memory/2800-29-0x0000000000020000-0x000000000002F000-memory.dmp

memory/2800-28-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/2800-25-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/1288-23-0x0000000013140000-0x000000001318E000-memory.dmp

memory/1288-22-0x0000000002180000-0x0000000002181000-memory.dmp

memory/1288-18-0x0000000002290000-0x00000000022DE000-memory.dmp

memory/1288-16-0x00000000020D0000-0x00000000020D1000-memory.dmp

\Windows\SysWOW64\lvdf.exe

MD5 e3606fe661cb86e3fe8843d598d9ac13
SHA1 7c63a823717d43257e641bd42d37ed5b415308f7
SHA256 dcfac4cd97fab0cf3a91febe447faad646115d46429349af1b80452dd446498a
SHA512 d57b158fc275400506ddb655c48d5fa6a24a8304ca7ca194ec4f74581c9a5998f88f3c24347dcaaab6c2e724580e69770fb2a722cdd2353459699526f5bb8344

memory/2800-40-0x00000000025B0000-0x00000000025FE000-memory.dmp

memory/2980-41-0x0000000013140000-0x000000001318E000-memory.dmp

memory/2980-44-0x0000000000320000-0x0000000000350000-memory.dmp

memory/2980-46-0x00000000002C0000-0x00000000002C4000-memory.dmp

memory/2800-52-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/2980-51-0x0000000001E80000-0x0000000001E81000-memory.dmp

memory/2980-54-0x0000000001DF0000-0x0000000001DF1000-memory.dmp

memory/2980-56-0x0000000001E30000-0x0000000001E31000-memory.dmp

memory/2980-58-0x0000000001CB0000-0x0000000001CB1000-memory.dmp

memory/2980-60-0x0000000001EA0000-0x0000000001EA1000-memory.dmp

memory/2980-61-0x0000000001E90000-0x0000000001E91000-memory.dmp

memory/2800-50-0x0000000000020000-0x000000000002F000-memory.dmp

memory/2980-48-0x0000000001E70000-0x0000000001E71000-memory.dmp

memory/2980-65-0x0000000013140000-0x000000001318E000-memory.dmp

memory/2620-69-0x0000000000020000-0x000000000002F000-memory.dmp

memory/2620-68-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/2620-79-0x0000000002540000-0x000000000258E000-memory.dmp

memory/2896-80-0x0000000013140000-0x000000001318E000-memory.dmp

memory/2896-83-0x00000000002C0000-0x00000000002C4000-memory.dmp

memory/2896-85-0x0000000002180000-0x0000000002181000-memory.dmp

memory/2896-90-0x0000000001CD0000-0x0000000001CD1000-memory.dmp

memory/2620-92-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/2896-94-0x0000000000300000-0x0000000000330000-memory.dmp

memory/2896-95-0x0000000001CB0000-0x0000000001CB1000-memory.dmp

memory/2896-97-0x00000000021B0000-0x00000000021B1000-memory.dmp

memory/2896-91-0x0000000002140000-0x0000000002141000-memory.dmp

memory/2620-89-0x0000000000020000-0x000000000002F000-memory.dmp

memory/2896-87-0x0000000002190000-0x0000000002191000-memory.dmp

memory/2896-101-0x0000000013140000-0x000000001318E000-memory.dmp

memory/2668-104-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/2668-105-0x0000000000020000-0x000000000002F000-memory.dmp

memory/2668-115-0x0000000002610000-0x000000000265E000-memory.dmp

memory/2668-116-0x0000000002610000-0x000000000265E000-memory.dmp

memory/2888-119-0x0000000013140000-0x000000001318E000-memory.dmp

memory/2888-121-0x0000000000240000-0x0000000000244000-memory.dmp

memory/2668-126-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/2888-127-0x0000000000700000-0x0000000000701000-memory.dmp

memory/2888-124-0x00000000006F0000-0x00000000006F1000-memory.dmp

memory/2888-130-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/2888-131-0x0000000000420000-0x0000000000421000-memory.dmp

memory/2888-136-0x0000000000250000-0x0000000000280000-memory.dmp

memory/2888-140-0x0000000001DC0000-0x0000000001DC1000-memory.dmp

memory/2888-133-0x0000000000380000-0x0000000000381000-memory.dmp

memory/2668-123-0x0000000000020000-0x000000000002F000-memory.dmp

memory/2888-138-0x0000000013140000-0x000000001318E000-memory.dmp

memory/1236-143-0x0000000000020000-0x000000000002F000-memory.dmp

memory/1236-142-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/1236-153-0x0000000000D30000-0x0000000000D7E000-memory.dmp

memory/1520-157-0x0000000013140000-0x000000001318E000-memory.dmp

memory/1236-154-0x0000000000D30000-0x0000000000D7E000-memory.dmp

memory/1520-159-0x0000000000240000-0x0000000000244000-memory.dmp

memory/1520-164-0x0000000001DA0000-0x0000000001DA1000-memory.dmp

memory/1236-166-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/1520-167-0x00000000005C0000-0x00000000005C1000-memory.dmp

memory/1520-165-0x0000000000330000-0x0000000000331000-memory.dmp

memory/1236-163-0x0000000000020000-0x000000000002F000-memory.dmp

memory/1520-161-0x0000000000600000-0x0000000000601000-memory.dmp

memory/1520-176-0x0000000013140000-0x000000001318E000-memory.dmp
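The Files list above names each memory dump as memory/<pid>-<sequence>-0x<start>-0x<end>-memory.dmp, which is enough to read the per-process layout without opening a dump. Two things in it are worth writing down. The one dropped file with hashes, \Windows\SysWOW64\lvdf.exe, carries the MD5 that forms the submitted sample's own file name, so the first stage is written to disk as an unmodified copy of the original binary. And the region 0x400000 to 0x4CE000 is dumped only for 2800, 2620, 2668 and 1236, the PIDs that received a self-inject write in the WriteProcessMemory table, while a 0x4E000-byte region is present in every listed process: at 0x13140000 in 1288, 2800, 2980, 2896, 2888 and 1520, and at a different base in 2800, 2620, 2668 and 1236. The Python below is an added example, not part of the report: it parses a subset of those dump names (copied from the list) and groups regions by PID so the two observations can be checked mechanically. What those regions contain is not something the listing can tell you; the function names are the example's own.

```python
"""Group a sandbox report's memory-dump names by PID and find recurring regions.

Added example, not part of the original report.  DUMP_NAMES is a constructed
sample: a subset of the Files section above, copied verbatim.  The naming scheme
assumed is memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp, which is how this
report lists them; the function names are this example's own.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

DUMP_NAMES = """
memory/1288-0-0x0000000013140000-0x000000001318E000-memory.dmp
memory/1288-18-0x0000000002290000-0x00000000022DE000-memory.dmp
memory/2800-13-0x0000000000400000-0x00000000004CE000-memory.dmp
memory/2800-27-0x0000000013140000-0x000000001318E000-memory.dmp
memory/2800-29-0x0000000000020000-0x000000000002F000-memory.dmp
memory/2800-40-0x00000000025B0000-0x00000000025FE000-memory.dmp
memory/2980-41-0x0000000013140000-0x000000001318E000-memory.dmp
memory/2980-44-0x0000000000320000-0x0000000000350000-memory.dmp
memory/2620-68-0x0000000000400000-0x00000000004CE000-memory.dmp
memory/2620-69-0x0000000000020000-0x000000000002F000-memory.dmp
memory/2620-79-0x0000000002540000-0x000000000258E000-memory.dmp
memory/2896-80-0x0000000013140000-0x000000001318E000-memory.dmp
memory/2668-104-0x0000000000400000-0x00000000004CE000-memory.dmp
memory/2668-115-0x0000000002610000-0x000000000265E000-memory.dmp
memory/2888-119-0x0000000013140000-0x000000001318E000-memory.dmp
memory/1236-142-0x0000000000400000-0x00000000004CE000-memory.dmp
memory/1236-153-0x0000000000D30000-0x0000000000D7E000-memory.dmp
memory/1520-157-0x0000000013140000-0x000000001318E000-memory.dmp
"""


def parse_dumps(text):
    """(pid, seq, start, end) per dump name; lines that do not match the scheme are ignored."""
    out = []
    for line in text.splitlines():
        m = DUMP_RE.match(line.strip())
        if m:
            out.append((int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16)))
    return out


def regions_by_pid(dumps):
    """pid -> set of (start, size) regions dumped for that process."""
    by_pid = defaultdict(set)
    for pid, _seq, start, end in dumps:
        by_pid[pid].add((start, end - start))
    return dict(by_pid)


def pids_with_region(by_pid, start, size):
    """PIDs whose dumps include exactly this (start, size) region, ascending."""
    return sorted(pid for pid, regs in by_pid.items() if (start, size) in regs)


def sizes_shared_by_all(by_pid):
    """Region sizes that every process has at least once, whatever the base address.
    A size present in every PID is a hint that the same mapping recurs in each stage
    even when its base moves; the listing alone cannot say what the mapping is."""
    size_sets = [{size for _start, size in regs} for regs in by_pid.values()]
    return set.intersection(*size_sets) if size_sets else set()


if __name__ == "__main__":
    by_pid = regions_by_pid(parse_dumps(DUMP_NAMES))
    for pid in sorted(by_pid):
        print(pid, ", ".join(f"0x{s:X}+0x{n:X}" for s, n in sorted(by_pid[pid])))
    print("0x400000+0xCE000 present in PIDs:", pids_with_region(by_pid, 0x400000, 0xCE000))
    print("sizes present in every PID:", [hex(s) for s in sorted(sizes_shared_by_all(by_pid))])
```

Running the same functions over the full list rather than this subset gives the same two answers; the subset was chosen to keep every PID and both recurring regions while staying short.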

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 21:57

Reported

2024-04-06 21:59

Platform

win10v2004-20240226-en

Max time kernel

21s

Max time network

25s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\hxet.exe N/A
N/A N/A C:\Windows\SysWOW64\hxet.exe N/A
N/A N/A C:\Windows\SysWOW64\wrct.exe N/A
N/A N/A C:\Windows\SysWOW64\wrct.exe N/A
N/A N/A C:\Windows\SysWOW64\wgsz.exe N/A
N/A N/A C:\Windows\SysWOW64\wgsz.exe N/A
N/A N/A C:\Windows\SysWOW64\zmgj.exe N/A
N/A N/A C:\Windows\SysWOW64\zmgj.exe N/A
N/A N/A C:\Windows\SysWOW64\ragu.exe N/A
N/A N/A C:\Windows\SysWOW64\ragu.exe N/A
N/A N/A C:\Windows\SysWOW64\jxge.exe N/A
N/A N/A C:\Windows\SysWOW64\jxge.exe N/A
N/A N/A C:\Windows\SysWOW64\hfqn.exe N/A
N/A N/A C:\Windows\SysWOW64\hfqn.exe N/A
N/A N/A C:\Windows\SysWOW64\mhyh.exe N/A
N/A N/A C:\Windows\SysWOW64\mhyh.exe N/A
N/A N/A C:\Windows\SysWOW64\pnns.exe N/A
N/A N/A C:\Windows\SysWOW64\pnns.exe N/A
N/A N/A C:\Windows\SysWOW64\mwxs.exe N/A
N/A N/A C:\Windows\SysWOW64\mwxs.exe N/A
N/A N/A C:\Windows\SysWOW64\jxhf.exe N/A
N/A N/A C:\Windows\SysWOW64\jxhf.exe N/A
N/A N/A C:\Windows\SysWOW64\jtfg.exe N/A
N/A N/A C:\Windows\SysWOW64\jtfg.exe N/A
N/A N/A C:\Windows\SysWOW64\wzvb.exe N/A
N/A N/A C:\Windows\SysWOW64\wzvb.exe N/A
N/A N/A C:\Windows\SysWOW64\zcyy.exe N/A
N/A N/A C:\Windows\SysWOW64\zcyy.exe N/A
N/A N/A C:\Windows\SysWOW64\txdg.exe N/A
N/A N/A C:\Windows\SysWOW64\txdg.exe N/A
N/A N/A C:\Windows\SysWOW64\olue.exe N/A
N/A N/A C:\Windows\SysWOW64\olue.exe N/A
N/A N/A C:\Windows\SysWOW64\jfzm.exe N/A
N/A N/A C:\Windows\SysWOW64\jfzm.exe N/A
N/A N/A C:\Windows\SysWOW64\rvnz.exe N/A
N/A N/A C:\Windows\SysWOW64\rvnz.exe N/A
N/A N/A C:\Windows\SysWOW64\jybk.exe N/A
N/A N/A C:\Windows\SysWOW64\jybk.exe N/A
N/A N/A C:\Windows\SysWOW64\osvn.exe N/A
N/A N/A C:\Windows\SysWOW64\osvn.exe N/A
N/A N/A C:\Windows\SysWOW64\mmqa.exe N/A
N/A N/A C:\Windows\SysWOW64\mmqa.exe N/A
N/A N/A C:\Windows\SysWOW64\otfk.exe N/A
N/A N/A C:\Windows\SysWOW64\otfk.exe N/A
N/A N/A C:\Windows\SysWOW64\owrd.exe N/A
N/A N/A C:\Windows\SysWOW64\owrd.exe N/A
N/A N/A C:\Windows\SysWOW64\rdxf.exe N/A
N/A N/A C:\Windows\SysWOW64\rdxf.exe N/A
N/A N/A C:\Windows\SysWOW64\zdwg.exe N/A
N/A N/A C:\Windows\SysWOW64\zdwg.exe N/A
N/A N/A C:\Windows\SysWOW64\zhiy.exe N/A
N/A N/A C:\Windows\SysWOW64\zhiy.exe N/A
N/A N/A C:\Windows\SysWOW64\eqrb.exe N/A
N/A N/A C:\Windows\SysWOW64\eqrb.exe N/A
N/A N/A C:\Windows\SysWOW64\efoy.exe N/A
N/A N/A C:\Windows\SysWOW64\efoy.exe N/A
N/A N/A C:\Windows\SysWOW64\zlfo.exe N/A
N/A N/A C:\Windows\SysWOW64\zlfo.exe N/A
N/A N/A C:\Windows\SysWOW64\eunr.exe N/A
N/A N/A C:\Windows\SysWOW64\eunr.exe N/A
N/A N/A C:\Windows\SysWOW64\ysdm.exe N/A
N/A N/A C:\Windows\SysWOW64\ysdm.exe N/A
N/A N/A C:\Windows\SysWOW64\wbom.exe N/A
N/A N/A C:\Windows\SysWOW64\wbom.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\jxhf.exe C:\Windows\SysWOW64\mwxs.exe N/A
File opened for modification C:\Windows\SysWOW64\wzvb.exe C:\Windows\SysWOW64\jtfg.exe N/A
File opened for modification C:\Windows\SysWOW64\dklq.exe C:\Windows\SysWOW64\lvwk.exe N/A
File opened for modification C:\Windows\SysWOW64\jxge.exe C:\Windows\SysWOW64\ragu.exe N/A
File created C:\Windows\SysWOW64\wzvb.exe C:\Windows\SysWOW64\jtfg.exe N/A
File created C:\Windows\SysWOW64\osvn.exe C:\Windows\SysWOW64\jybk.exe N/A
File opened for modification C:\Windows\SysWOW64\bwqq.exe C:\Windows\SysWOW64\dkuv.exe N/A
File created C:\Windows\SysWOW64\blgv.exe C:\Windows\SysWOW64\bwqq.exe N/A
File opened for modification C:\Windows\SysWOW64\yiob.exe C:\Windows\SysWOW64\dojl.exe N/A
File opened for modification C:\Windows\SysWOW64\gjwh.exe C:\Windows\SysWOW64\blrz.exe N/A
File created C:\Windows\SysWOW64\hxet.exe C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\wgsz.exe C:\Windows\SysWOW64\wrct.exe N/A
File created C:\Windows\SysWOW64\eunr.exe C:\Windows\SysWOW64\zlfo.exe N/A
File created C:\Windows\SysWOW64\dwsm.exe C:\Windows\SysWOW64\ddrc.exe N/A
File opened for modification C:\Windows\SysWOW64\olue.exe C:\Windows\SysWOW64\txdg.exe N/A
File created C:\Windows\SysWOW64\jxge.exe C:\Windows\SysWOW64\ragu.exe N/A
File opened for modification C:\Windows\SysWOW64\txdg.exe C:\Windows\SysWOW64\zcyy.exe N/A
File created C:\Windows\SysWOW64\wbom.exe C:\Windows\SysWOW64\ysdm.exe N/A
File created C:\Windows\SysWOW64\mhyh.exe C:\Windows\SysWOW64\hfqn.exe N/A
File created C:\Windows\SysWOW64\efoy.exe C:\Windows\SysWOW64\eqrb.exe N/A
File created C:\Windows\SysWOW64\otfk.exe C:\Windows\SysWOW64\mmqa.exe N/A
File opened for modification C:\Windows\SysWOW64\rdxf.exe C:\Windows\SysWOW64\owrd.exe N/A
File opened for modification C:\Windows\SysWOW64\jtfg.exe C:\Windows\SysWOW64\jxhf.exe N/A
File created C:\Windows\SysWOW64\jybk.exe C:\Windows\SysWOW64\rvnz.exe N/A
File opened for modification C:\Windows\SysWOW64\mmqa.exe C:\Windows\SysWOW64\osvn.exe N/A
File opened for modification C:\Windows\SysWOW64\ysdm.exe C:\Windows\SysWOW64\eunr.exe N/A
File created C:\Windows\SysWOW64\ddrc.exe C:\Windows\SysWOW64\gjwh.exe N/A
File created C:\Windows\SysWOW64\daoc.exe C:\Windows\SysWOW64\dlrx.exe N/A
File opened for modification C:\Windows\SysWOW64\ddbv.exe C:\Windows\SysWOW64\daoc.exe N/A
File opened for modification C:\Windows\SysWOW64\hxet.exe C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\pnns.exe C:\Windows\SysWOW64\mhyh.exe N/A
File opened for modification C:\Windows\SysWOW64\osvn.exe C:\Windows\SysWOW64\jybk.exe N/A
File opened for modification C:\Windows\SysWOW64\qshp.exe C:\Windows\SysWOW64\wbom.exe N/A
File opened for modification C:\Windows\SysWOW64\lvwk.exe C:\Windows\SysWOW64\lgyf.exe N/A
File opened for modification C:\Windows\SysWOW64\hfqn.exe C:\Windows\SysWOW64\jxge.exe N/A
File created C:\Windows\SysWOW64\zcyy.exe C:\Windows\SysWOW64\wzvb.exe N/A
File opened for modification C:\Windows\SysWOW64\lgyf.exe C:\Windows\SysWOW64\qshp.exe N/A
File opened for modification C:\Windows\SysWOW64\zmgj.exe C:\Windows\SysWOW64\wgsz.exe N/A
File opened for modification C:\Windows\SysWOW64\mwxs.exe C:\Windows\SysWOW64\pnns.exe N/A
File created C:\Windows\SysWOW64\owrd.exe C:\Windows\SysWOW64\otfk.exe N/A
File opened for modification C:\Windows\SysWOW64\wbom.exe C:\Windows\SysWOW64\ysdm.exe N/A
File created C:\Windows\SysWOW64\qshp.exe C:\Windows\SysWOW64\wbom.exe N/A
File created C:\Windows\SysWOW64\yiob.exe C:\Windows\SysWOW64\dojl.exe N/A
File created C:\Windows\SysWOW64\blrz.exe C:\Windows\SysWOW64\yiob.exe N/A
File opened for modification C:\Windows\SysWOW64\blrz.exe C:\Windows\SysWOW64\yiob.exe N/A
File opened for modification C:\Windows\SysWOW64\mhyh.exe C:\Windows\SysWOW64\hfqn.exe N/A
File created C:\Windows\SysWOW64\txdg.exe C:\Windows\SysWOW64\zcyy.exe N/A
File opened for modification C:\Windows\SysWOW64\dlrx.exe C:\Windows\SysWOW64\gcgx.exe N/A
File created C:\Windows\SysWOW64\mwxs.exe C:\Windows\SysWOW64\pnns.exe N/A
File opened for modification C:\Windows\SysWOW64\zcyy.exe C:\Windows\SysWOW64\wzvb.exe N/A
File created C:\Windows\SysWOW64\rvnz.exe C:\Windows\SysWOW64\jfzm.exe N/A
File opened for modification C:\Windows\SysWOW64\owrd.exe C:\Windows\SysWOW64\otfk.exe N/A
File created C:\Windows\SysWOW64\zhiy.exe C:\Windows\SysWOW64\zdwg.exe N/A
File opened for modification C:\Windows\SysWOW64\eunr.exe C:\Windows\SysWOW64\zlfo.exe N/A
File created C:\Windows\SysWOW64\lgyf.exe C:\Windows\SysWOW64\qshp.exe N/A
File created C:\Windows\SysWOW64\dojl.exe C:\Windows\SysWOW64\blgv.exe N/A
File created C:\Windows\SysWOW64\dlrx.exe C:\Windows\SysWOW64\gcgx.exe N/A
File created C:\Windows\SysWOW64\pnns.exe C:\Windows\SysWOW64\mhyh.exe N/A
File created C:\Windows\SysWOW64\mmqa.exe C:\Windows\SysWOW64\osvn.exe N/A
File opened for modification C:\Windows\SysWOW64\zhiy.exe C:\Windows\SysWOW64\zdwg.exe N/A
File created C:\Windows\SysWOW64\eqrb.exe C:\Windows\SysWOW64\zhiy.exe N/A
File opened for modification C:\Windows\SysWOW64\jxhf.exe C:\Windows\SysWOW64\mwxs.exe N/A
File opened for modification C:\Windows\SysWOW64\otfk.exe C:\Windows\SysWOW64\mmqa.exe N/A
File created C:\Windows\SysWOW64\dkuv.exe C:\Windows\SysWOW64\dklq.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4752 set thread context of 3236 N/A C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe
PID 5024 set thread context of 5068 N/A C:\Windows\SysWOW64\hxet.exe C:\Windows\SysWOW64\hxet.exe
PID 5080 set thread context of 2232 N/A C:\Windows\SysWOW64\wrct.exe C:\Windows\SysWOW64\wrct.exe
PID 1644 set thread context of 3112 N/A C:\Windows\SysWOW64\wgsz.exe C:\Windows\SysWOW64\wgsz.exe
PID 4444 set thread context of 4448 N/A C:\Windows\SysWOW64\zmgj.exe C:\Windows\SysWOW64\zmgj.exe
PID 4980 set thread context of 2224 N/A C:\Windows\SysWOW64\ragu.exe C:\Windows\SysWOW64\ragu.exe
PID 2076 set thread context of 3156 N/A C:\Windows\SysWOW64\jxge.exe C:\Windows\SysWOW64\jxge.exe
PID 2836 set thread context of 4384 N/A C:\Windows\SysWOW64\hfqn.exe C:\Windows\SysWOW64\hfqn.exe
PID 4896 set thread context of 1764 N/A C:\Windows\SysWOW64\mhyh.exe C:\Windows\SysWOW64\mhyh.exe
PID 4196 set thread context of 4376 N/A C:\Windows\SysWOW64\pnns.exe C:\Windows\SysWOW64\pnns.exe
PID 4648 set thread context of 116 N/A C:\Windows\SysWOW64\mwxs.exe C:\Windows\SysWOW64\mwxs.exe
PID 4412 set thread context of 3444 N/A C:\Windows\SysWOW64\jxhf.exe C:\Windows\SysWOW64\jxhf.exe
PID 3176 set thread context of 5080 N/A C:\Windows\SysWOW64\jtfg.exe C:\Windows\SysWOW64\jtfg.exe
PID 692 set thread context of 2948 N/A C:\Windows\SysWOW64\wzvb.exe C:\Windows\SysWOW64\wzvb.exe
PID 2024 set thread context of 3940 N/A C:\Windows\SysWOW64\zcyy.exe C:\Windows\SysWOW64\zcyy.exe
PID 2336 set thread context of 4664 N/A C:\Windows\SysWOW64\txdg.exe C:\Windows\SysWOW64\txdg.exe
PID 4824 set thread context of 2348 N/A C:\Windows\SysWOW64\olue.exe C:\Windows\SysWOW64\olue.exe
PID 2836 set thread context of 2968 N/A C:\Windows\SysWOW64\jfzm.exe C:\Windows\SysWOW64\jfzm.exe
PID 4724 set thread context of 4840 N/A C:\Windows\SysWOW64\rvnz.exe C:\Windows\SysWOW64\rvnz.exe
PID 4312 set thread context of 3988 N/A C:\Windows\SysWOW64\jybk.exe C:\Windows\SysWOW64\jybk.exe
PID 4592 set thread context of 1768 N/A C:\Windows\SysWOW64\osvn.exe C:\Windows\SysWOW64\osvn.exe
PID 648 set thread context of 4192 N/A C:\Windows\SysWOW64\mmqa.exe C:\Windows\SysWOW64\mmqa.exe
PID 1032 set thread context of 2232 N/A C:\Windows\SysWOW64\otfk.exe C:\Windows\SysWOW64\otfk.exe
PID 1980 set thread context of 720 N/A C:\Windows\SysWOW64\owrd.exe C:\Windows\SysWOW64\owrd.exe
PID 2088 set thread context of 2336 N/A C:\Windows\SysWOW64\rdxf.exe C:\Windows\SysWOW64\rdxf.exe
PID 4892 set thread context of 4596 N/A C:\Windows\SysWOW64\zdwg.exe C:\Windows\SysWOW64\zdwg.exe
PID 3156 set thread context of 4992 N/A C:\Windows\SysWOW64\zhiy.exe C:\Windows\SysWOW64\zhiy.exe
PID 1568 set thread context of 2096 N/A C:\Windows\SysWOW64\eqrb.exe C:\Windows\SysWOW64\eqrb.exe
PID 4208 set thread context of 2460 N/A C:\Windows\SysWOW64\efoy.exe C:\Windows\SysWOW64\efoy.exe
PID 3016 set thread context of 4412 N/A C:\Windows\SysWOW64\zlfo.exe C:\Windows\SysWOW64\zlfo.exe
PID 4268 set thread context of 3232 N/A C:\Windows\SysWOW64\eunr.exe C:\Windows\SysWOW64\eunr.exe
PID 404 set thread context of 3248 N/A C:\Windows\SysWOW64\ysdm.exe C:\Windows\SysWOW64\ysdm.exe
PID 632 set thread context of 2384 N/A C:\Windows\SysWOW64\wbom.exe C:\Windows\SysWOW64\wbom.exe
PID 1692 set thread context of 4652 N/A C:\Windows\SysWOW64\qshp.exe C:\Windows\SysWOW64\qshp.exe
PID 456 set thread context of 4704 N/A C:\Windows\SysWOW64\lgyf.exe C:\Windows\SysWOW64\lgyf.exe
PID 2896 set thread context of 4724 N/A C:\Windows\SysWOW64\lvwk.exe C:\Windows\SysWOW64\lvwk.exe
PID 1256 set thread context of 3584 N/A C:\Windows\SysWOW64\dklq.exe C:\Windows\SysWOW64\dklq.exe
PID 3988 set thread context of 1788 N/A C:\Windows\SysWOW64\dkuv.exe C:\Windows\SysWOW64\dkuv.exe
PID 2256 set thread context of 4412 N/A C:\Windows\SysWOW64\bwqq.exe C:\Windows\SysWOW64\bwqq.exe
PID 1700 set thread context of 3232 N/A C:\Windows\SysWOW64\blgv.exe C:\Windows\SysWOW64\blgv.exe
PID 2296 set thread context of 1628 N/A C:\Windows\SysWOW64\dojl.exe C:\Windows\SysWOW64\dojl.exe
PID 2860 set thread context of 4448 N/A C:\Windows\SysWOW64\yiob.exe C:\Windows\SysWOW64\yiob.exe
PID 2936 set thread context of 4208 N/A C:\Windows\SysWOW64\blrz.exe C:\Windows\SysWOW64\blrz.exe
PID 3748 set thread context of 212 N/A C:\Windows\SysWOW64\gjwh.exe C:\Windows\SysWOW64\gjwh.exe
PID 4012 set thread context of 3068 N/A C:\Windows\SysWOW64\ddrc.exe C:\Windows\SysWOW64\ddrc.exe
PID 5060 set thread context of 2948 N/A C:\Windows\SysWOW64\dwsm.exe C:\Windows\SysWOW64\dwsm.exe
PID 3272 set thread context of 4680 N/A C:\Windows\SysWOW64\gcgx.exe C:\Windows\SysWOW64\gcgx.exe
PID 3920 set thread context of 4664 N/A C:\Windows\SysWOW64\dlrx.exe C:\Windows\SysWOW64\dlrx.exe
PID 2024 set thread context of 3216 N/A C:\Windows\SysWOW64\daoc.exe C:\Windows\SysWOW64\daoc.exe
PID 2980 set thread context of 4892 N/A C:\Windows\SysWOW64\ddbv.exe C:\Windows\SysWOW64\ddbv.exe

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\jfzm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\otfk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\eqrb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\zlfo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\qshp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\lvwk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\gjwh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\hxet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\ragu.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\mwxs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\jybk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\eunr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\jxhf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\wbom.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\dwsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\gcgx.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\wzvb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\efoy.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\bwqq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\wzvb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\mmqa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\dojl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\eunr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\wbom.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\ddrc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\mwxs.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\zcyy.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\txdg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\txdg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\mmqa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\zlfo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\ysdm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\dojl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\blrz.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\daoc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\daoc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\wrct.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\hfqn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\jtfg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\owrd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\zhiy.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\ddrc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\zmgj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\mhyh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\pnns.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\rdxf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\zdwg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\dklq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\ddrc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\wrct.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\wgsz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\mhyh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\rdxf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\qshp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\wgsz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\zmgj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\zlfo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\eqrb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\eqrb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\eunr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\blrz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\jxge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4752 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe
PID 4752 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe
PID 4752 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe
PID 4752 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe
PID 4752 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe
PID 3236 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe C:\Windows\SysWOW64\hxet.exe
PID 3236 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe C:\Windows\SysWOW64\hxet.exe
PID 3236 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe C:\Windows\SysWOW64\hxet.exe
PID 5024 wrote to memory of 5068 N/A C:\Windows\SysWOW64\hxet.exe C:\Windows\SysWOW64\hxet.exe
PID 5024 wrote to memory of 5068 N/A C:\Windows\SysWOW64\hxet.exe C:\Windows\SysWOW64\hxet.exe
PID 5024 wrote to memory of 5068 N/A C:\Windows\SysWOW64\hxet.exe C:\Windows\SysWOW64\hxet.exe
PID 5024 wrote to memory of 5068 N/A C:\Windows\SysWOW64\hxet.exe C:\Windows\SysWOW64\hxet.exe
PID 5024 wrote to memory of 5068 N/A C:\Windows\SysWOW64\hxet.exe C:\Windows\SysWOW64\hxet.exe
PID 5068 wrote to memory of 5080 N/A C:\Windows\SysWOW64\hxet.exe C:\Windows\SysWOW64\wrct.exe
PID 5068 wrote to memory of 5080 N/A C:\Windows\SysWOW64\hxet.exe C:\Windows\SysWOW64\wrct.exe
PID 5068 wrote to memory of 5080 N/A C:\Windows\SysWOW64\hxet.exe C:\Windows\SysWOW64\wrct.exe
PID 5080 wrote to memory of 2232 N/A C:\Windows\SysWOW64\wrct.exe C:\Windows\SysWOW64\wrct.exe
PID 5080 wrote to memory of 2232 N/A C:\Windows\SysWOW64\wrct.exe C:\Windows\SysWOW64\wrct.exe
PID 5080 wrote to memory of 2232 N/A C:\Windows\SysWOW64\wrct.exe C:\Windows\SysWOW64\wrct.exe
PID 5080 wrote to memory of 2232 N/A C:\Windows\SysWOW64\wrct.exe C:\Windows\SysWOW64\wrct.exe
PID 5080 wrote to memory of 2232 N/A C:\Windows\SysWOW64\wrct.exe C:\Windows\SysWOW64\wrct.exe
PID 2232 wrote to memory of 1644 N/A C:\Windows\SysWOW64\wrct.exe C:\Windows\SysWOW64\wgsz.exe
PID 2232 wrote to memory of 1644 N/A C:\Windows\SysWOW64\wrct.exe C:\Windows\SysWOW64\wgsz.exe
PID 2232 wrote to memory of 1644 N/A C:\Windows\SysWOW64\wrct.exe C:\Windows\SysWOW64\wgsz.exe
PID 1644 wrote to memory of 3112 N/A C:\Windows\SysWOW64\wgsz.exe C:\Windows\SysWOW64\wgsz.exe
PID 1644 wrote to memory of 3112 N/A C:\Windows\SysWOW64\wgsz.exe C:\Windows\SysWOW64\wgsz.exe
PID 1644 wrote to memory of 3112 N/A C:\Windows\SysWOW64\wgsz.exe C:\Windows\SysWOW64\wgsz.exe
PID 1644 wrote to memory of 3112 N/A C:\Windows\SysWOW64\wgsz.exe C:\Windows\SysWOW64\wgsz.exe
PID 1644 wrote to memory of 3112 N/A C:\Windows\SysWOW64\wgsz.exe C:\Windows\SysWOW64\wgsz.exe
PID 3112 wrote to memory of 4444 N/A C:\Windows\SysWOW64\wgsz.exe C:\Windows\SysWOW64\zmgj.exe
PID 3112 wrote to memory of 4444 N/A C:\Windows\SysWOW64\wgsz.exe C:\Windows\SysWOW64\zmgj.exe
PID 3112 wrote to memory of 4444 N/A C:\Windows\SysWOW64\wgsz.exe C:\Windows\SysWOW64\zmgj.exe
PID 4444 wrote to memory of 4448 N/A C:\Windows\SysWOW64\zmgj.exe C:\Windows\SysWOW64\zmgj.exe
PID 4444 wrote to memory of 4448 N/A C:\Windows\SysWOW64\zmgj.exe C:\Windows\SysWOW64\zmgj.exe
PID 4444 wrote to memory of 4448 N/A C:\Windows\SysWOW64\zmgj.exe C:\Windows\SysWOW64\zmgj.exe
PID 4444 wrote to memory of 4448 N/A C:\Windows\SysWOW64\zmgj.exe C:\Windows\SysWOW64\zmgj.exe
PID 4444 wrote to memory of 4448 N/A C:\Windows\SysWOW64\zmgj.exe C:\Windows\SysWOW64\zmgj.exe
PID 4448 wrote to memory of 4980 N/A C:\Windows\SysWOW64\zmgj.exe C:\Windows\SysWOW64\ragu.exe
PID 4448 wrote to memory of 4980 N/A C:\Windows\SysWOW64\zmgj.exe C:\Windows\SysWOW64\ragu.exe
PID 4448 wrote to memory of 4980 N/A C:\Windows\SysWOW64\zmgj.exe C:\Windows\SysWOW64\ragu.exe
PID 4980 wrote to memory of 2224 N/A C:\Windows\SysWOW64\ragu.exe C:\Windows\SysWOW64\ragu.exe
PID 4980 wrote to memory of 2224 N/A C:\Windows\SysWOW64\ragu.exe C:\Windows\SysWOW64\ragu.exe
PID 4980 wrote to memory of 2224 N/A C:\Windows\SysWOW64\ragu.exe C:\Windows\SysWOW64\ragu.exe
PID 4980 wrote to memory of 2224 N/A C:\Windows\SysWOW64\ragu.exe C:\Windows\SysWOW64\ragu.exe
PID 4980 wrote to memory of 2224 N/A C:\Windows\SysWOW64\ragu.exe C:\Windows\SysWOW64\ragu.exe
PID 2224 wrote to memory of 2076 N/A C:\Windows\SysWOW64\ragu.exe C:\Windows\SysWOW64\jxge.exe
PID 2224 wrote to memory of 2076 N/A C:\Windows\SysWOW64\ragu.exe C:\Windows\SysWOW64\jxge.exe
PID 2224 wrote to memory of 2076 N/A C:\Windows\SysWOW64\ragu.exe C:\Windows\SysWOW64\jxge.exe
PID 2076 wrote to memory of 3156 N/A C:\Windows\SysWOW64\jxge.exe C:\Windows\SysWOW64\jxge.exe
PID 2076 wrote to memory of 3156 N/A C:\Windows\SysWOW64\jxge.exe C:\Windows\SysWOW64\jxge.exe
PID 2076 wrote to memory of 3156 N/A C:\Windows\SysWOW64\jxge.exe C:\Windows\SysWOW64\jxge.exe
PID 2076 wrote to memory of 3156 N/A C:\Windows\SysWOW64\jxge.exe C:\Windows\SysWOW64\jxge.exe
PID 2076 wrote to memory of 3156 N/A C:\Windows\SysWOW64\jxge.exe C:\Windows\SysWOW64\jxge.exe
PID 3156 wrote to memory of 2836 N/A C:\Windows\SysWOW64\jxge.exe C:\Windows\SysWOW64\hfqn.exe
PID 3156 wrote to memory of 2836 N/A C:\Windows\SysWOW64\jxge.exe C:\Windows\SysWOW64\hfqn.exe
PID 3156 wrote to memory of 2836 N/A C:\Windows\SysWOW64\jxge.exe C:\Windows\SysWOW64\hfqn.exe
PID 2836 wrote to memory of 4384 N/A C:\Windows\SysWOW64\hfqn.exe C:\Windows\SysWOW64\hfqn.exe
PID 2836 wrote to memory of 4384 N/A C:\Windows\SysWOW64\hfqn.exe C:\Windows\SysWOW64\hfqn.exe
PID 2836 wrote to memory of 4384 N/A C:\Windows\SysWOW64\hfqn.exe C:\Windows\SysWOW64\hfqn.exe
PID 2836 wrote to memory of 4384 N/A C:\Windows\SysWOW64\hfqn.exe C:\Windows\SysWOW64\hfqn.exe
PID 2836 wrote to memory of 4384 N/A C:\Windows\SysWOW64\hfqn.exe C:\Windows\SysWOW64\hfqn.exe
PID 4384 wrote to memory of 4896 N/A C:\Windows\SysWOW64\hfqn.exe C:\Windows\SysWOW64\mhyh.exe
PID 4384 wrote to memory of 4896 N/A C:\Windows\SysWOW64\hfqn.exe C:\Windows\SysWOW64\mhyh.exe
PID 4384 wrote to memory of 4896 N/A C:\Windows\SysWOW64\hfqn.exe C:\Windows\SysWOW64\mhyh.exe
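
Reading the three tables above together: every SetThreadContext row pairs a process with a child that runs the same image, and the WriteProcessMemory rows record the same parent-to-child pairs. That is the process-hollowing sequence (spawn a copy of your own image, overwrite it, redirect its thread), and the hollowed child is then the one that writes into the next four-letter stage (hxet.exe, wrct.exe, wgsz.exe, ...), so the whole chain can be rebuilt from the rows alone. Note that the sandbox reuses PIDs within the run (2836 appears for both hfqn.exe and jfzm.exe; 4412 for jxhf.exe and again as a child of zlfo.exe and of bwqq.exe), so a PID on its own does not identify a stage. The script below is an added example, not part of the report or of the sandbox's own tooling: it parses rows in the report's own text layout, flags same-image write-then-set-context pairs, walks the spawn chain from the root PID keyed by (PID, image), and lists the dropped paths. The rows embedded in it are a constructed subset copied from the tables above; the parser assumes the column layout shown here (PID, an N/A indicator column, process path, target path, no spaces inside paths).

```python
import re

# Constructed sample input: rows copied from this report's "Suspicious use of
# SetThreadContext", "Suspicious use of WriteProcessMemory" and "Drops file in
# System32 directory" tables (only the first few stages of the chain).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe"
S32 = r"C:\Windows\SysWOW64"
SAMPLE_ROWS = [
    f"PID 4752 set thread context of 3236 N/A {SAMPLE} {SAMPLE}",
    rf"PID 5024 set thread context of 5068 N/A {S32}\hxet.exe {S32}\hxet.exe",
    rf"PID 5080 set thread context of 2232 N/A {S32}\wrct.exe {S32}\wrct.exe",
    f"PID 4752 wrote to memory of 3236 N/A {SAMPLE} {SAMPLE}",
    f"PID 4752 wrote to memory of 3236 N/A {SAMPLE} {SAMPLE}",  # repeated row, as in the report
    rf"PID 3236 wrote to memory of 5024 N/A {SAMPLE} {S32}\hxet.exe",
    rf"PID 5024 wrote to memory of 5068 N/A {S32}\hxet.exe {S32}\hxet.exe",
    rf"PID 5068 wrote to memory of 5080 N/A {S32}\hxet.exe {S32}\wrct.exe",
    rf"PID 5080 wrote to memory of 2232 N/A {S32}\wrct.exe {S32}\wrct.exe",
    rf"PID 2232 wrote to memory of 1644 N/A {S32}\wrct.exe {S32}\wgsz.exe",
    rf"File created {S32}\hxet.exe {SAMPLE} N/A",
    rf"File opened for modification {S32}\hxet.exe {SAMPLE} N/A",
    "Description Indicator Process Target",  # table header: skipped by the parser
]

# Row shapes exactly as the report prints them; the N/A is the empty Indicator column.
THREAD_CTX = re.compile(r"^PID (\d+) set thread context of (\d+) N/A (\S+) (\S+)$")
WRITE_MEM = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
FILE_DROP = re.compile(r"^File (created|opened for modification) (\S+) (\S+) N/A$")


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_rows(lines):
    """Split report rows into (thread_ctx, write_mem, drops) tuples; other rows are skipped."""
    thread_ctx, write_mem, drops = [], [], []
    for line in lines:
        line = line.strip()
        if m := THREAD_CTX.match(line):
            thread_ctx.append((int(m[1]), int(m[2]), m[3], m[4]))
        elif m := WRITE_MEM.match(line):
            write_mem.append((int(m[1]), int(m[2]), m[3], m[4]))
        elif m := FILE_DROP.match(line):
            drops.append((m[1], m[2], m[3]))
    return thread_ctx, write_mem, drops


def hollowing_candidates(thread_ctx, write_mem):
    """(parent, child, image) triples where a process wrote into a child running the
    SAME image and then set that child's thread context. That is the hollowing
    sequence; writing into a child of a different image is an ordinary spawn."""
    written = {(src, dst) for src, dst, _, _ in write_mem}
    return [(src, dst, basename(src_img))
            for src, dst, src_img, dst_img in thread_ctx
            if basename(src_img) == basename(dst_img) and (src, dst) in written]


def spawn_chain(write_mem, root_pid):
    """Follow WriteProcessMemory edges from root_pid and return the ordered list of
    distinct images, collapsing the same-image (hollowed) hop of each stage.
    Nodes are keyed by (pid, image) because the sandbox reuses PIDs within one run."""
    children = {}
    for src, dst, src_img, dst_img in write_mem:
        parent, child = (src, basename(src_img)), (dst, basename(dst_img))
        if child not in children.setdefault(parent, []):
            children[parent].append(child)
    node = next((n for n in children if n[0] == root_pid), None)
    chain, seen = [], set()
    while node is not None and node not in seen:
        seen.add(node)
        if not chain or chain[-1] != node[1]:
            chain.append(node[1])
        kids = children.get(node, [])
        node = kids[0] if kids else None
    return chain


def dropped_copies(drops):
    """Map each dropped path to the image that wrote it; the 'created' and
    'opened for modification' rows for one path collapse into a single entry."""
    return {path: basename(writer) for _, path, writer in drops}


if __name__ == "__main__":
    tc, wm, dr = parse_rows(SAMPLE_ROWS)
    print("hollowing pairs:", hollowing_candidates(tc, wm))
    print("spawn chain:", " -> ".join(spawn_chain(wm, 4752)))
    print("dropped copies:", dropped_copies(dr))
```

Run stand-alone it reports the three hollowing pairs, the chain sample -> hxet.exe -> wrct.exe -> wgsz.exe and the single dropped path; feeding it the complete tables yields the full chain through mhyh.exe and beyond. The memory dumps for the child PIDs at 0x400000-0x4CE000 in the Files section (the usual 32-bit image base) are consistent with the child's image being rewritten, but the report does not show the CreateProcess call itself, so the suspended-creation step is inferred rather than observed.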

Processes

C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe

C:\Windows\SysWOW64\hxet.exe

C:\Windows\system32\hxet.exe 1004 "C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe"

C:\Windows\SysWOW64\hxet.exe

C:\Windows\SysWOW64\hxet.exe

C:\Windows\SysWOW64\wrct.exe

C:\Windows\system32\wrct.exe 1020 "C:\Windows\SysWOW64\hxet.exe"

C:\Windows\SysWOW64\wrct.exe

C:\Windows\SysWOW64\wrct.exe

C:\Windows\SysWOW64\wgsz.exe

C:\Windows\system32\wgsz.exe 1152 "C:\Windows\SysWOW64\wrct.exe"

C:\Windows\SysWOW64\wgsz.exe

C:\Windows\SysWOW64\wgsz.exe

C:\Windows\SysWOW64\zmgj.exe

C:\Windows\system32\zmgj.exe 1048 "C:\Windows\SysWOW64\wgsz.exe"

C:\Windows\SysWOW64\zmgj.exe

C:\Windows\SysWOW64\zmgj.exe

C:\Windows\SysWOW64\ragu.exe

C:\Windows\system32\ragu.exe 1156 "C:\Windows\SysWOW64\zmgj.exe"

C:\Windows\SysWOW64\ragu.exe

C:\Windows\SysWOW64\ragu.exe

C:\Windows\SysWOW64\jxge.exe

C:\Windows\system32\jxge.exe 1048 "C:\Windows\SysWOW64\ragu.exe"

C:\Windows\SysWOW64\jxge.exe

C:\Windows\SysWOW64\jxge.exe

C:\Windows\SysWOW64\hfqn.exe

C:\Windows\system32\hfqn.exe 1028 "C:\Windows\SysWOW64\jxge.exe"

C:\Windows\SysWOW64\hfqn.exe

C:\Windows\SysWOW64\hfqn.exe

C:\Windows\SysWOW64\mhyh.exe

C:\Windows\system32\mhyh.exe 1048 "C:\Windows\SysWOW64\hfqn.exe"

C:\Windows\SysWOW64\mhyh.exe

C:\Windows\SysWOW64\mhyh.exe

C:\Windows\SysWOW64\pnns.exe

C:\Windows\system32\pnns.exe 1036 "C:\Windows\SysWOW64\mhyh.exe"

C:\Windows\SysWOW64\pnns.exe

C:\Windows\SysWOW64\pnns.exe

C:\Windows\SysWOW64\mwxs.exe

C:\Windows\system32\mwxs.exe 1164 "C:\Windows\SysWOW64\pnns.exe"

C:\Windows\SysWOW64\mwxs.exe

C:\Windows\SysWOW64\mwxs.exe

C:\Windows\SysWOW64\jxhf.exe

C:\Windows\system32\jxhf.exe 1020 "C:\Windows\SysWOW64\mwxs.exe"

C:\Windows\SysWOW64\jxhf.exe

C:\Windows\SysWOW64\jxhf.exe

C:\Windows\SysWOW64\jtfg.exe

C:\Windows\system32\jtfg.exe 1028 "C:\Windows\SysWOW64\jxhf.exe"

C:\Windows\SysWOW64\jtfg.exe

C:\Windows\SysWOW64\jtfg.exe

C:\Windows\SysWOW64\wzvb.exe

C:\Windows\system32\wzvb.exe 1040 "C:\Windows\SysWOW64\jtfg.exe"

C:\Windows\SysWOW64\wzvb.exe

C:\Windows\SysWOW64\wzvb.exe

C:\Windows\SysWOW64\zcyy.exe

C:\Windows\system32\zcyy.exe 1048 "C:\Windows\SysWOW64\wzvb.exe"

C:\Windows\SysWOW64\zcyy.exe

C:\Windows\SysWOW64\zcyy.exe

C:\Windows\SysWOW64\txdg.exe

C:\Windows\system32\txdg.exe 900 "C:\Windows\SysWOW64\zcyy.exe"

C:\Windows\SysWOW64\txdg.exe

C:\Windows\SysWOW64\txdg.exe

C:\Windows\SysWOW64\olue.exe

C:\Windows\system32\olue.exe 1048 "C:\Windows\SysWOW64\txdg.exe"

C:\Windows\SysWOW64\olue.exe

C:\Windows\SysWOW64\olue.exe

C:\Windows\SysWOW64\jfzm.exe

C:\Windows\system32\jfzm.exe 1032 "C:\Windows\SysWOW64\olue.exe"

C:\Windows\SysWOW64\jfzm.exe

C:\Windows\SysWOW64\jfzm.exe

C:\Windows\SysWOW64\rvnz.exe

C:\Windows\system32\rvnz.exe 1096 "C:\Windows\SysWOW64\jfzm.exe"

C:\Windows\SysWOW64\rvnz.exe

C:\Windows\SysWOW64\rvnz.exe

C:\Windows\SysWOW64\jybk.exe

C:\Windows\system32\jybk.exe 1064 "C:\Windows\SysWOW64\rvnz.exe"

C:\Windows\SysWOW64\jybk.exe

C:\Windows\SysWOW64\jybk.exe

C:\Windows\SysWOW64\osvn.exe

C:\Windows\system32\osvn.exe 1036 "C:\Windows\SysWOW64\jybk.exe"

C:\Windows\SysWOW64\osvn.exe

C:\Windows\SysWOW64\osvn.exe

C:\Windows\SysWOW64\mmqa.exe

C:\Windows\system32\mmqa.exe 1036 "C:\Windows\SysWOW64\osvn.exe"

C:\Windows\SysWOW64\mmqa.exe

C:\Windows\SysWOW64\mmqa.exe

C:\Windows\SysWOW64\otfk.exe

C:\Windows\system32\otfk.exe 1036 "C:\Windows\SysWOW64\mmqa.exe"

C:\Windows\SysWOW64\otfk.exe

C:\Windows\SysWOW64\otfk.exe

C:\Windows\SysWOW64\owrd.exe

C:\Windows\system32\owrd.exe 1044 "C:\Windows\SysWOW64\otfk.exe"

C:\Windows\SysWOW64\owrd.exe

C:\Windows\SysWOW64\owrd.exe

C:\Windows\SysWOW64\rdxf.exe

C:\Windows\system32\rdxf.exe 1056 "C:\Windows\SysWOW64\owrd.exe"

C:\Windows\SysWOW64\rdxf.exe

C:\Windows\SysWOW64\rdxf.exe

C:\Windows\SysWOW64\zdwg.exe

C:\Windows\system32\zdwg.exe 1052 "C:\Windows\SysWOW64\rdxf.exe"

C:\Windows\SysWOW64\zdwg.exe

C:\Windows\SysWOW64\zdwg.exe

C:\Windows\SysWOW64\zhiy.exe

C:\Windows\system32\zhiy.exe 1036 "C:\Windows\SysWOW64\zdwg.exe"

C:\Windows\SysWOW64\zhiy.exe

C:\Windows\SysWOW64\zhiy.exe

C:\Windows\SysWOW64\eqrb.exe

C:\Windows\system32\eqrb.exe 1032 "C:\Windows\SysWOW64\zhiy.exe"

C:\Windows\SysWOW64\eqrb.exe

C:\Windows\SysWOW64\eqrb.exe

C:\Windows\SysWOW64\efoy.exe

C:\Windows\system32\efoy.exe 1084 "C:\Windows\SysWOW64\eqrb.exe"

C:\Windows\SysWOW64\efoy.exe

C:\Windows\SysWOW64\efoy.exe

C:\Windows\SysWOW64\zlfo.exe

C:\Windows\system32\zlfo.exe 1028 "C:\Windows\SysWOW64\efoy.exe"

C:\Windows\SysWOW64\zlfo.exe

C:\Windows\SysWOW64\zlfo.exe

C:\Windows\SysWOW64\eunr.exe

C:\Windows\system32\eunr.exe 1032 "C:\Windows\SysWOW64\zlfo.exe"

C:\Windows\SysWOW64\eunr.exe

C:\Windows\SysWOW64\eunr.exe

C:\Windows\SysWOW64\ysdm.exe

C:\Windows\system32\ysdm.exe 1160 "C:\Windows\SysWOW64\eunr.exe"

C:\Windows\SysWOW64\ysdm.exe

C:\Windows\SysWOW64\ysdm.exe

C:\Windows\SysWOW64\wbom.exe

C:\Windows\system32\wbom.exe 1052 "C:\Windows\SysWOW64\ysdm.exe"

C:\Windows\SysWOW64\wbom.exe

C:\Windows\SysWOW64\wbom.exe

C:\Windows\SysWOW64\qshp.exe

C:\Windows\system32\qshp.exe 1152 "C:\Windows\SysWOW64\wbom.exe"

C:\Windows\SysWOW64\qshp.exe

C:\Windows\SysWOW64\qshp.exe

C:\Windows\SysWOW64\lgyf.exe

C:\Windows\system32\lgyf.exe 1056 "C:\Windows\SysWOW64\qshp.exe"

C:\Windows\SysWOW64\lgyf.exe

C:\Windows\SysWOW64\lgyf.exe

C:\Windows\SysWOW64\lvwk.exe

C:\Windows\system32\lvwk.exe 1056 "C:\Windows\SysWOW64\lgyf.exe"

C:\Windows\SysWOW64\lvwk.exe

C:\Windows\SysWOW64\lvwk.exe

C:\Windows\SysWOW64\dklq.exe

C:\Windows\system32\dklq.exe 1020 "C:\Windows\SysWOW64\lvwk.exe"

C:\Windows\SysWOW64\dklq.exe

C:\Windows\SysWOW64\dklq.exe

C:\Windows\SysWOW64\dkuv.exe

C:\Windows\system32\dkuv.exe 1032 "C:\Windows\SysWOW64\dklq.exe"

C:\Windows\SysWOW64\dkuv.exe

C:\Windows\SysWOW64\dkuv.exe

C:\Windows\SysWOW64\bwqq.exe

C:\Windows\system32\bwqq.exe 1036 "C:\Windows\SysWOW64\dkuv.exe"

C:\Windows\SysWOW64\bwqq.exe

C:\Windows\SysWOW64\bwqq.exe

C:\Windows\SysWOW64\blgv.exe

C:\Windows\system32\blgv.exe 1040 "C:\Windows\SysWOW64\bwqq.exe"

C:\Windows\SysWOW64\blgv.exe

C:\Windows\SysWOW64\blgv.exe

C:\Windows\SysWOW64\dojl.exe

C:\Windows\system32\dojl.exe 1036 "C:\Windows\SysWOW64\blgv.exe"

C:\Windows\SysWOW64\dojl.exe

C:\Windows\SysWOW64\dojl.exe

C:\Windows\SysWOW64\yiob.exe

C:\Windows\system32\yiob.exe 1044 "C:\Windows\SysWOW64\dojl.exe"

C:\Windows\SysWOW64\yiob.exe

C:\Windows\SysWOW64\yiob.exe

C:\Windows\SysWOW64\blrz.exe

C:\Windows\system32\blrz.exe 1060 "C:\Windows\SysWOW64\yiob.exe"

C:\Windows\SysWOW64\blrz.exe

C:\Windows\SysWOW64\blrz.exe

C:\Windows\SysWOW64\gjwh.exe

C:\Windows\system32\gjwh.exe 1048 "C:\Windows\SysWOW64\blrz.exe"

C:\Windows\SysWOW64\gjwh.exe

C:\Windows\SysWOW64\gjwh.exe

C:\Windows\SysWOW64\ddrc.exe

C:\Windows\system32\ddrc.exe 1048 "C:\Windows\SysWOW64\gjwh.exe"

C:\Windows\SysWOW64\ddrc.exe

C:\Windows\SysWOW64\ddrc.exe

C:\Windows\SysWOW64\dwsm.exe

C:\Windows\system32\dwsm.exe 1036 "C:\Windows\SysWOW64\ddrc.exe"

C:\Windows\SysWOW64\dwsm.exe

C:\Windows\SysWOW64\dwsm.exe

C:\Windows\SysWOW64\gcgx.exe

C:\Windows\system32\gcgx.exe 1044 "C:\Windows\SysWOW64\dwsm.exe"

C:\Windows\SysWOW64\gcgx.exe

C:\Windows\SysWOW64\gcgx.exe

C:\Windows\SysWOW64\dlrx.exe

C:\Windows\system32\dlrx.exe 1048 "C:\Windows\SysWOW64\gcgx.exe"

C:\Windows\SysWOW64\dlrx.exe

C:\Windows\SysWOW64\dlrx.exe

C:\Windows\SysWOW64\daoc.exe

C:\Windows\system32\daoc.exe 1048 "C:\Windows\SysWOW64\dlrx.exe"

C:\Windows\SysWOW64\daoc.exe

C:\Windows\SysWOW64\daoc.exe

C:\Windows\SysWOW64\ddbv.exe

C:\Windows\system32\ddbv.exe 1048 "C:\Windows\SysWOW64\daoc.exe"

C:\Windows\SysWOW64\ddbv.exe

C:\Windows\SysWOW64\ddbv.exe

C:\Windows\SysWOW64\dpfv.exe

C:\Windows\system32\dpfv.exe 1032 "C:\Windows\SysWOW64\ddbv.exe"

C:\Windows\SysWOW64\dpfv.exe

C:\Windows\SysWOW64\dpfv.exe

C:\Windows\SysWOW64\yghq.exe

C:\Windows\system32\yghq.exe 1152 "C:\Windows\SysWOW64\dpfv.exe"

C:\Windows\SysWOW64\yghq.exe

C:\Windows\SysWOW64\yghq.exe

C:\Windows\SysWOW64\gvvd.exe

C:\Windows\system32\gvvd.exe 1040 "C:\Windows\SysWOW64\yghq.exe"

C:\Windows\SysWOW64\gvvd.exe

C:\Windows\SysWOW64\gvvd.exe

C:\Windows\SysWOW64\yvgj.exe

C:\Windows\system32\yvgj.exe 1036 "C:\Windows\SysWOW64\gvvd.exe"

C:\Windows\SysWOW64\yvgj.exe

C:\Windows\SysWOW64\yvgj.exe

C:\Windows\SysWOW64\ygsb.exe

C:\Windows\system32\ygsb.exe 1036 "C:\Windows\SysWOW64\yvgj.exe"

C:\Windows\SysWOW64\ygsb.exe

C:\Windows\SysWOW64\ygsb.exe

C:\Windows\SysWOW64\yket.exe

C:\Windows\system32\yket.exe 1036 "C:\Windows\SysWOW64\ygsb.exe"

C:\Windows\SysWOW64\yket.exe

C:\Windows\SysWOW64\yket.exe
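
Two details in the process list above matter when hunting for this on a live host. Each stage is launched as C:\Windows\system32\<name>.exe <number> "<parent path>", yet every file sits under C:\Windows\SysWOW64: the sample is a 32-bit process, and WOW64 file-system redirection maps its accesses to system32 onto SysWOW64, so a hunt must cover both directories rather than trust the path in the command line. And the hash block for hxet.exe in the Files section carries the same MD5 that appears in the sample's own file name, so the stages are byte-identical copies of the sample, which makes the digest a strong indicator. The script below is an added example, not from the report or the sandbox: it hashes the .exe files in the given directories against a set of known digests and separately flags the four-lowercase-letter names seen in this run. That name pattern is an assumption taken from this one report and is a weak signal on its own; the fixture directory the script builds is a constructed stand-in so the example runs offline, and the digest constant is the sample's SHA256 from this report.

```python
import hashlib
import os
import re
import tempfile

# SHA256 of the sample as given in this report; the dropped hxet.exe carries the same digest.
SAMPLE_SHA256 = "dcfac4cd97fab0cf3a91febe447faad646115d46429349af1b80452dd446498a"

# Naming pattern observed in this run (hxet, wrct, wgsz, ...). Assumption taken from
# this report only: other builds may pick different names, so treat it as a weak hit.
NAME_PATTERN = re.compile(r"^[a-z]{4}\.exe$")

# The command lines say system32, but WOW64 redirects a 32-bit process to SysWOW64,
# so both directories are searched.
DEFAULT_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64")


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hunt(directories=DEFAULT_DIRS, known_hashes=frozenset({SAMPLE_SHA256}),
         name_pattern=NAME_PATTERN):
    """Return a sorted list of (path, sha256, reasons) for .exe files whose digest is in
    known_hashes ('hash') or whose name matches name_pattern ('name'). Directories that
    do not exist are skipped, so the same call works on a non-Windows analysis box."""
    hits = []
    for directory in directories:
        if not os.path.isdir(directory):
            continue
        for name in os.listdir(directory):
            path = os.path.join(directory, name)
            low = name.lower()
            if not os.path.isfile(path) or not low.endswith(".exe"):
                continue
            reasons = []
            if name_pattern.match(low):
                reasons.append("name")
            digest = sha256_file(path)
            if digest in known_hashes:
                reasons.append("hash")
            if reasons:
                hits.append((path, digest, tuple(reasons)))
    return sorted(hits)


def make_fixture():
    """Constructed stand-in for an offline run: a temp directory holding a four-letter
    copy, the same bytes under an innocuous name, a name-only match and a non-exe
    bystander. Returns (directory, frozenset of the digests to treat as known)."""
    d = tempfile.mkdtemp(prefix="hunt_")
    payload = b"constructed stand-in for the sample's bytes"
    for name, data in (("hxet.exe", payload), ("svchost.exe", payload),
                       ("abcd.exe", b"unrelated content"), ("readme.txt", payload)):
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d, frozenset({hashlib.sha256(payload).hexdigest()})


if __name__ == "__main__":
    fixture_dir, known = make_fixture()
    # On a Windows host this also walks the two real directories against the sample's digest.
    for path, digest, reasons in hunt((fixture_dir,) + DEFAULT_DIRS, known | {SAMPLE_SHA256}):
        print(f"{digest[:12]}  {','.join(reasons):10} {path}")
```

A hash hit is actionable on its own; a name-only hit needs the usual follow-up (signature check, creation time, parent process), since the sandbox already marked the sample as an unsigned PE and a legitimate system binary would not share the digest.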

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 150.1.37.23.in-addr.arpa udp

Files

memory/4752-0-0x0000000013140000-0x000000001318E000-memory.dmp

memory/4752-1-0x0000000002190000-0x00000000021C0000-memory.dmp

memory/4752-2-0x0000000002170000-0x0000000002171000-memory.dmp

memory/4752-3-0x0000000002160000-0x0000000002164000-memory.dmp

memory/4752-4-0x00000000023D0000-0x00000000023D1000-memory.dmp

memory/4752-5-0x00000000023E0000-0x00000000023E1000-memory.dmp

memory/4752-8-0x0000000002330000-0x0000000002331000-memory.dmp

memory/4752-12-0x00000000023C0000-0x00000000023C1000-memory.dmp

memory/4752-13-0x0000000002190000-0x00000000021C0000-memory.dmp

memory/4752-16-0x0000000002380000-0x0000000002381000-memory.dmp

memory/3236-18-0x0000000013140000-0x000000001318E000-memory.dmp

memory/3236-17-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/3236-15-0x0000000000020000-0x000000000002F000-memory.dmp

memory/4752-14-0x0000000002390000-0x0000000002391000-memory.dmp

memory/3236-11-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4752-10-0x0000000013140000-0x000000001318E000-memory.dmp

memory/3236-7-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4752-6-0x0000000002350000-0x0000000002351000-memory.dmp

C:\Windows\SysWOW64\hxet.exe

MD5 e3606fe661cb86e3fe8843d598d9ac13
SHA1 7c63a823717d43257e641bd42d37ed5b415308f7
SHA256 dcfac4cd97fab0cf3a91febe447faad646115d46429349af1b80452dd446498a
SHA512 d57b158fc275400506ddb655c48d5fa6a24a8304ca7ca194ec4f74581c9a5998f88f3c24347dcaaab6c2e724580e69770fb2a722cdd2353459699526f5bb8344

memory/5024-25-0x0000000013140000-0x000000001318E000-memory.dmp

memory/5024-26-0x0000000002040000-0x0000000002070000-memory.dmp

memory/5024-28-0x00000000022E0000-0x00000000022E1000-memory.dmp

memory/5024-27-0x0000000000580000-0x0000000000584000-memory.dmp

memory/5024-30-0x00000000022F0000-0x00000000022F1000-memory.dmp

memory/5024-31-0x0000000002250000-0x0000000002251000-memory.dmp

memory/5024-35-0x00000000022A0000-0x00000000022A1000-memory.dmp

memory/5024-34-0x0000000013140000-0x000000001318E000-memory.dmp

memory/5024-37-0x0000000002040000-0x0000000002070000-memory.dmp

memory/5024-38-0x0000000002220000-0x0000000002221000-memory.dmp

memory/5068-41-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/3236-42-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/5068-40-0x00000000001C0000-0x00000000001CF000-memory.dmp

memory/3236-39-0x0000000000020000-0x000000000002F000-memory.dmp

memory/5080-48-0x0000000000550000-0x0000000000580000-memory.dmp

memory/5080-51-0x00000000022E0000-0x00000000022E1000-memory.dmp

memory/5080-49-0x0000000000540000-0x0000000000544000-memory.dmp

memory/5080-54-0x0000000002250000-0x0000000002251000-memory.dmp

memory/5080-52-0x00000000022F0000-0x00000000022F1000-memory.dmp

memory/5080-56-0x0000000013140000-0x000000001318E000-memory.dmp

memory/5080-57-0x00000000022A0000-0x00000000022A1000-memory.dmp

memory/5068-62-0x00000000001C0000-0x00000000001CF000-memory.dmp

memory/5068-64-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/2232-63-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/2232-61-0x00000000001C0000-0x00000000001CF000-memory.dmp

memory/5080-60-0x0000000002310000-0x0000000002311000-memory.dmp

memory/5080-59-0x0000000000550000-0x0000000000580000-memory.dmp

memory/1644-71-0x0000000002040000-0x0000000002070000-memory.dmp

memory/1644-70-0x0000000013140000-0x000000001318E000-memory.dmp

memory/1644-74-0x0000000002190000-0x0000000002194000-memory.dmp

memory/1644-77-0x00000000022D0000-0x00000000022D1000-memory.dmp

memory/3112-80-0x00000000001C0000-0x00000000001CF000-memory.dmp

memory/1644-82-0x0000000002250000-0x0000000002251000-memory.dmp

memory/2232-83-0x00000000001C0000-0x00000000001CF000-memory.dmp

memory/1644-84-0x0000000002290000-0x0000000002291000-memory.dmp

memory/1644-81-0x0000000002040000-0x0000000002070000-memory.dmp

memory/1644-79-0x00000000022E0000-0x00000000022E1000-memory.dmp

memory/1644-78-0x0000000013140000-0x000000001318E000-memory.dmp

memory/2232-86-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/3112-85-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/5024-91-0x0000000002220000-0x0000000002221000-memory.dmp

memory/4444-93-0x0000000000470000-0x00000000004A0000-memory.dmp

memory/4444-94-0x0000000000460000-0x0000000000464000-memory.dmp

memory/4444-97-0x00000000022F0000-0x00000000022F1000-memory.dmp

memory/4444-95-0x00000000022E0000-0x00000000022E1000-memory.dmp

memory/4444-100-0x0000000013140000-0x000000001318E000-memory.dmp

memory/4444-102-0x0000000000470000-0x00000000004A0000-memory.dmp

memory/4444-101-0x0000000002260000-0x0000000002261000-memory.dmp

memory/4448-106-0x00000000001C0000-0x00000000001CF000-memory.dmp

memory/4444-104-0x00000000022A0000-0x00000000022A1000-memory.dmp

memory/3112-105-0x00000000001C0000-0x00000000001CF000-memory.dmp

memory/3112-108-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4448-107-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4980-114-0x0000000013140000-0x000000001318E000-memory.dmp

memory/4980-115-0x0000000002040000-0x0000000002070000-memory.dmp

memory/4980-116-0x0000000002020000-0x0000000002024000-memory.dmp

memory/4980-122-0x00000000022F0000-0x00000000022F1000-memory.dmp

memory/4980-121-0x0000000013140000-0x000000001318E000-memory.dmp

memory/4448-126-0x00000000001C0000-0x00000000001CF000-memory.dmp

memory/2224-128-0x00000000001C0000-0x00000000001CF000-memory.dmp

memory/4448-129-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/2224-127-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4980-125-0x0000000002300000-0x0000000002301000-memory.dmp

memory/4980-124-0x0000000002040000-0x0000000002070000-memory.dmp

memory/4980-118-0x00000000022E0000-0x00000000022E1000-memory.dmp

memory/2076-142-0x0000000013140000-0x000000001318E000-memory.dmp

memory/2224-146-0x00000000001C0000-0x00000000001CF000-memory.dmp

memory/2836-162-0x0000000013140000-0x000000001318E000-memory.dmp

memory/4384-168-0x00000000001C0000-0x00000000001CF000-memory.dmp

memory/4896-180-0x0000000013140000-0x000000001318E000-memory.dmp

memory/4384-187-0x00000000001C0000-0x00000000001CF000-memory.dmp

memory/4196-205-0x0000000013140000-0x000000001318E000-memory.dmp

memory/4376-210-0x00000000001C0000-0x00000000001CF000-memory.dmp

memory/4648-227-0x0000000013140000-0x000000001318E000-memory.dmp

memory/4376-232-0x00000000001C0000-0x00000000001CF000-memory.dmp
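
Two patterns run through the dump names above. One set of pids (4752, 5024, 5080, 1644, 4444, 4980, 2076, 2836, 4896, 4196, 4648) each hold a region at 0x13140000-0x1318E000 plus a scatter of small heap-sized regions; the other set (3236, 5068, 2232, 3112, 4448, 2224, 4384, 4376) hold 0x400000-0x4CE000 together with a 0xF000-byte region at 0x20000 or 0x1C0000 and nothing else. Each dropped executable appears twice in the process tree, so the two sets are the two instances of each executable. The two image-sized regions are different sizes (0x4E000 versus 0xCE000), so the PE sitting at 0x400000 in the second instance is not the launcher's own image relocated. Reading that as process hollowing (the first instance writes a different image into the second and redirects its thread) is an interpretation consistent with the SetThreadContext and WriteProcessMemory signatures flagged on this report, not something the sandbox states. Separately, the hashes listed for C:\Windows\SysWOW64\hxet.exe are the submitted sample's own, so that file is a byte-for-byte self-copy and needs no separate analysis. The script below is an added example, not part of the report: it parses a representative subset of the dump names (embedded as constructed input), labels each pid by which image region it holds, lists the regions worth carving as PEs, and filters dropped files that are merely copies of the sample.

```python
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Constructed input: a subset of the dump names above covering three
# launcher/second-instance pairs.
DUMP_NAMES = """
memory/4752-0-0x0000000013140000-0x000000001318E000-memory.dmp
memory/4752-1-0x0000000002190000-0x00000000021C0000-memory.dmp
memory/3236-7-0x0000000000400000-0x00000000004CE000-memory.dmp
memory/3236-15-0x0000000000020000-0x000000000002F000-memory.dmp
memory/5024-25-0x0000000013140000-0x000000001318E000-memory.dmp
memory/5068-41-0x0000000000400000-0x00000000004CE000-memory.dmp
memory/5068-40-0x00000000001C0000-0x00000000001CF000-memory.dmp
memory/5080-56-0x0000000013140000-0x000000001318E000-memory.dmp
memory/2232-63-0x0000000000400000-0x00000000004CE000-memory.dmp
"""

# Hashes as listed on this page for the sample and the dropped file.
SAMPLE_SHA256 = "dcfac4cd97fab0cf3a91febe447faad646115d46429349af1b80452dd446498a"
DROPPED_FILES = [
    {"path": r"C:\Windows\SysWOW64\hxet.exe",
     "sha256": "dcfac4cd97fab0cf3a91febe447faad646115d46429349af1b80452dd446498a"},
]

# The two image-sized regions that recur across the listing.
LAUNCHER_IMAGE = (0x13140000, 0x1318E000)
INJECTED_IMAGE = (0x00400000, 0x004CE000)


def parse_dumps(text):
    """Map pid -> set of (start, end) regions the sandbox dumped for it."""
    regions = defaultdict(set)
    for line in text.strip().splitlines():
        m = DUMP_RE.match(line.strip())
        if m:
            regions[int(m["pid"])].add((int(m["start"], 16), int(m["end"], 16)))
    return dict(regions)


def region_size(region):
    start, end = region
    return end - start


def classify_pids(regions):
    """Label each pid 'launcher' (holds the 0x13140000 image), 'injected'
    (holds only the 0x400000 image) or 'unknown'. Interpretation, not a
    sandbox verdict: the split matches what process hollowing leaves behind."""
    roles = {}
    for pid, regs in regions.items():
        if LAUNCHER_IMAGE in regs:
            roles[pid] = "launcher"
        elif INJECTED_IMAGE in regs:
            roles[pid] = "injected"
        else:
            roles[pid] = "unknown"
    return roles


def regions_to_carve(regions, roles):
    """Regions worth carving as PE images: the 0x400000 region of each
    injected pid (the payload) and the 0x13140000 region of each launcher."""
    wanted = []
    for pid, role in sorted(roles.items()):
        target = INJECTED_IMAGE if role == "injected" else LAUNCHER_IMAGE
        if target in regions[pid]:
            wanted.append((pid, role, f"0x{target[0]:X}-0x{target[1]:X}"))
    return wanted


def self_copies(dropped, sample_sha256):
    """Dropped files whose SHA-256 equals the submitted sample's: copies of
    the sample under a new name, not new payloads."""
    return [d["path"] for d in dropped
            if d["sha256"].lower() == sample_sha256.lower()]


if __name__ == "__main__":
    regs = parse_dumps(DUMP_NAMES)
    roles = classify_pids(regs)
    for pid, role, rng in regions_to_carve(regs, roles):
        print(f"{pid:>5} {role:<9} {rng}")
    print("self-copies:", self_copies(DROPPED_FILES, SAMPLE_SHA256))
```

Carve the 0x400000-0x4CE000 region of any 'injected' pid first; that is the image the launcher wrote into its second instance, and it is the one that has not been seen on disk.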