Malware Analysis Report

2025-01-03 08:03

Sample ID 240421-nypa1aae52
Target ff353dc46aaaeb657fc490c0697b2ceb_JaffaCakes118
SHA256 61ffa4beb7f207c23c2584827c2c6c94d6e46e209fd47b736d5536adee897348
Tags
metasploit backdoor evasion trojan
score
10/10

Analysis Overview

score
10/10

SHA256

61ffa4beb7f207c23c2584827c2c6c94d6e46e209fd47b736d5536adee897348

Threat Level: Known bad

The file ff353dc46aaaeb657fc490c0697b2ceb_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

metasploit backdoor evasion trojan

MetaSploit

Identifies Wine through registry keys

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-21 11:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-21 11:48

Reported

2024-04-21 11:51

Platform

win7-20240221-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ff353dc46aaaeb657fc490c0697b2ceb_JaffaCakes118.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Executes dropped EXE

Description Indicator Process Target

Identifies Wine through registry keys

evasion

Description Indicator Process Target

Loads dropped DLL

Description Indicator Process Target

Drops file in System32 directory

Description Indicator Process Target

Suspicious use of WriteProcessMemory

Description Indicator Process Target

Processes

C:\Users\Admin\AppData\Local\Temp\ff353dc46aaaeb657fc490c0697b2ceb_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ff353dc46aaaeb657fc490c0697b2ceb_JaffaCakes118.exe"


C:\Windows\SysWOW64\lcpxo.exe

C:\Windows\system32\lcpxo.exe 892 "C:\Windows\SysWOW64\dlfpo.exe"

C:\Windows\SysWOW64\tcygu.exe

C:\Windows\system32\tcygu.exe 888 "C:\Windows\SysWOW64\lcpxo.exe"

C:\Windows\SysWOW64\kikbp.exe

C:\Windows\system32\kikbp.exe 904 "C:\Windows\SysWOW64\tcygu.exe"

C:\Windows\SysWOW64\kvtck.exe

C:\Windows\system32\kvtck.exe 896 "C:\Windows\SysWOW64\kikbp.exe"

C:\Windows\SysWOW64\rqphg.exe

C:\Windows\system32\rqphg.exe 908 "C:\Windows\SysWOW64\kvtck.exe"

C:\Windows\SysWOW64\rxivj.exe

C:\Windows\system32\rxivj.exe 916 "C:\Windows\SysWOW64\rqphg.exe"

C:\Windows\SysWOW64\bkvge.exe

C:\Windows\system32\bkvge.exe 928 "C:\Windows\SysWOW64\rxivj.exe"

C:\Windows\SysWOW64\gglow.exe

C:\Windows\system32\gglow.exe 924 "C:\Windows\SysWOW64\bkvge.exe"

C:\Windows\SysWOW64\jlemi.exe

C:\Windows\system32\jlemi.exe 936 "C:\Windows\SysWOW64\gglow.exe"

C:\Windows\SysWOW64\arnsm.exe

C:\Windows\system32\arnsm.exe 932 "C:\Windows\SysWOW64\jlemi.exe"

C:\Windows\SysWOW64\nznvt.exe

C:\Windows\system32\nznvt.exe 944 "C:\Windows\SysWOW64\arnsm.exe"

C:\Windows\SysWOW64\betae.exe

C:\Windows\system32\betae.exe 940 "C:\Windows\SysWOW64\nznvt.exe"

C:\Windows\SysWOW64\dxhqw.exe

C:\Windows\system32\dxhqw.exe 952 "C:\Windows\SysWOW64\betae.exe"

C:\Windows\SysWOW64\amyzo.exe

C:\Windows\system32\amyzo.exe 948 "C:\Windows\SysWOW64\dxhqw.exe"

C:\Windows\SysWOW64\kznzb.exe

C:\Windows\system32\kznzb.exe 960 "C:\Windows\SysWOW64\amyzo.exe"

C:\Windows\SysWOW64\eqemy.exe

C:\Windows\system32\eqemy.exe 964 "C:\Windows\SysWOW64\kznzb.exe"

C:\Windows\SysWOW64\eqnfa.exe

C:\Windows\system32\eqnfa.exe 968 "C:\Windows\SysWOW64\eqemy.exe"

C:\Windows\SysWOW64\iztkq.exe

C:\Windows\system32\iztkq.exe 996 "C:\Windows\SysWOW64\eqnfa.exe"

C:\Windows\SysWOW64\scjap.exe

C:\Windows\system32\scjap.exe 972 "C:\Windows\SysWOW64\iztkq.exe"

C:\Windows\SysWOW64\uaxpm.exe

C:\Windows\system32\uaxpm.exe 976 "C:\Windows\SysWOW64\scjap.exe"

C:\Windows\SysWOW64\xhesc.exe

C:\Windows\system32\xhesc.exe 980 "C:\Windows\SysWOW64\uaxpm.exe"

C:\Windows\SysWOW64\wznkw.exe

C:\Windows\system32\wznkw.exe 1020 "C:\Windows\SysWOW64\xhesc.exe"

C:\Windows\SysWOW64\vhcvd.exe

C:\Windows\system32\vhcvd.exe 1056 "C:\Windows\SysWOW64\wznkw.exe"

C:\Windows\SysWOW64\swjvw.exe

C:\Windows\system32\swjvw.exe 1016 "C:\Windows\SysWOW64\vhcvd.exe"

C:\Windows\SysWOW64\klisb.exe

C:\Windows\system32\klisb.exe 984 "C:\Windows\SysWOW64\swjvw.exe"

C:\Windows\SysWOW64\fckvy.exe

C:\Windows\system32\fckvy.exe 956 "C:\Windows\SysWOW64\klisb.exe"

C:\Windows\SysWOW64\ustgf.exe

C:\Windows\system32\ustgf.exe 988 "C:\Windows\SysWOW64\fckvy.exe"

C:\Windows\SysWOW64\wgvig.exe

C:\Windows\system32\wgvig.exe 992 "C:\Windows\SysWOW64\ustgf.exe"

C:\Windows\SysWOW64\nyyto.exe

C:\Windows\system32\nyyto.exe 1004 "C:\Windows\SysWOW64\wgvig.exe"

C:\Windows\SysWOW64\htlbo.exe

C:\Windows\system32\htlbo.exe 1000 "C:\Windows\SysWOW64\nyyto.exe"

C:\Windows\SysWOW64\eijbh.exe

C:\Windows\system32\eijbh.exe 1008 "C:\Windows\SysWOW64\htlbo.exe"

C:\Windows\SysWOW64\optrz.exe

C:\Windows\system32\optrz.exe 1012 "C:\Windows\SysWOW64\eijbh.exe"

C:\Windows\SysWOW64\qzlgr.exe

C:\Windows\system32\qzlgr.exe 1028 "C:\Windows\SysWOW64\optrz.exe"

C:\Windows\SysWOW64\avmjb.exe

C:\Windows\system32\avmjb.exe 1032 "C:\Windows\SysWOW64\qzlgr.exe"

C:\Windows\SysWOW64\xowwx.exe

C:\Windows\system32\xowwx.exe 1036 "C:\Windows\SysWOW64\avmjb.exe"

C:\Windows\SysWOW64\mwrox.exe

C:\Windows\system32\mwrox.exe 1044 "C:\Windows\SysWOW64\xowwx.exe"

C:\Windows\SysWOW64\rnwjt.exe

C:\Windows\system32\rnwjt.exe 1084 "C:\Windows\SysWOW64\mwrox.exe"

C:\Windows\SysWOW64\nogwx.exe

C:\Windows\system32\nogwx.exe 1040 "C:\Windows\SysWOW64\rnwjt.exe"

C:\Windows\SysWOW64\quuzn.exe

C:\Windows\system32\quuzn.exe 1076 "C:\Windows\SysWOW64\nogwx.exe"

C:\Windows\SysWOW64\pqgej.exe

C:\Windows\system32\pqgej.exe 1048 "C:\Windows\SysWOW64\quuzn.exe"

C:\Windows\SysWOW64\pjhpd.exe

C:\Windows\system32\pjhpd.exe 1068 "C:\Windows\SysWOW64\pqgej.exe"

C:\Windows\SysWOW64\gxhmi.exe

C:\Windows\system32\gxhmi.exe 1052 "C:\Windows\SysWOW64\pjhpd.exe"

C:\Windows\SysWOW64\lcaub.exe

C:\Windows\system32\lcaub.exe 1100 "C:\Windows\SysWOW64\gxhmi.exe"

C:\Windows\SysWOW64\drakg.exe

C:\Windows\system32\drakg.exe 1060 "C:\Windows\SysWOW64\lcaub.exe"

C:\Windows\SysWOW64\ipfam.exe

C:\Windows\system32\ipfam.exe 1152 "C:\Windows\SysWOW64\drakg.exe"

C:\Windows\SysWOW64\nfbmi.exe

C:\Windows\system32\nfbmi.exe 1112 "C:\Windows\SysWOW64\ipfam.exe"

C:\Windows\SysWOW64\fiqxj.exe

C:\Windows\system32\fiqxj.exe 1072 "C:\Windows\SysWOW64\nfbmi.exe"

C:\Windows\SysWOW64\eekug.exe

C:\Windows\system32\eekug.exe 1140 "C:\Windows\SysWOW64\fiqxj.exe"

C:\Windows\SysWOW64\jrvcz.exe

C:\Windows\system32\jrvcz.exe 1148 "C:\Windows\SysWOW64\eekug.exe"

C:\Windows\SysWOW64\gsopd.exe

C:\Windows\system32\gsopd.exe 1128 "C:\Windows\SysWOW64\jrvcz.exe"

C:\Windows\SysWOW64\duwkm.exe

C:\Windows\system32\duwkm.exe 1116 "C:\Windows\SysWOW64\gsopd.exe"

C:\Windows\SysWOW64\xobam.exe

C:\Windows\system32\xobam.exe 1064 "C:\Windows\SysWOW64\duwkm.exe"

C:\Windows\SysWOW64\cfgni.exe

C:\Windows\system32\cfgni.exe 1120 "C:\Windows\SysWOW64\xobam.exe"

C:\Windows\SysWOW64\rnsnj.exe

C:\Windows\system32\rnsnj.exe 1080 "C:\Windows\SysWOW64\cfgni.exe"

C:\Windows\SysWOW64\lafir.exe

C:\Windows\system32\lafir.exe 1136 "C:\Windows\SysWOW64\rnsnj.exe"

C:\Windows\SysWOW64\qbndz.exe

C:\Windows\system32\qbndz.exe 1092 "C:\Windows\SysWOW64\lafir.exe"

C:\Windows\SysWOW64\kidyc.exe

C:\Windows\system32\kidyc.exe 1192 "C:\Windows\SysWOW64\qbndz.exe"

C:\Windows\SysWOW64\nsvnu.exe

C:\Windows\system32\nsvnu.exe 1096 "C:\Windows\SysWOW64\kidyc.exe"

C:\Windows\SysWOW64\hqlqx.exe

C:\Windows\system32\hqlqx.exe 1104 "C:\Windows\SysWOW64\nsvnu.exe"

C:\Windows\SysWOW64\ofyik.exe

C:\Windows\system32\ofyik.exe 1088 "C:\Windows\SysWOW64\hqlqx.exe"

C:\Windows\SysWOW64\yfkgc.exe

C:\Windows\system32\yfkgc.exe 1212 "C:\Windows\SysWOW64\ofyik.exe"

C:\Windows\SysWOW64\nqilg.exe

C:\Windows\system32\nqilg.exe 1108 "C:\Windows\SysWOW64\yfkgc.exe"

C:\Windows\SysWOW64\ilnbg.exe

C:\Windows\system32\ilnbg.exe 1144 "C:\Windows\SysWOW64\nqilg.exe"

C:\Windows\SysWOW64\kvnry.exe

C:\Windows\system32\kvnry.exe 1124 "C:\Windows\SysWOW64\ilnbg.exe"

C:\Windows\SysWOW64\pljlm.exe

C:\Windows\system32\pljlm.exe 1180 "C:\Windows\SysWOW64\kvnry.exe"

C:\Windows\SysWOW64\exprx.exe

C:\Windows\system32\exprx.exe 1176 "C:\Windows\SysWOW64\pljlm.exe"

C:\Windows\SysWOW64\mbreh.exe

C:\Windows\system32\mbreh.exe 1200 "C:\Windows\SysWOW64\exprx.exe"

C:\Windows\SysWOW64\gahzk.exe

C:\Windows\system32\gahzk.exe 1132 "C:\Windows\SysWOW64\mbreh.exe"

C:\Windows\SysWOW64\xohoo.exe

C:\Windows\system32\xohoo.exe 1196 "C:\Windows\SysWOW64\gahzk.exe"

C:\Windows\SysWOW64\snxrj.exe

C:\Windows\system32\snxrj.exe 1156 "C:\Windows\SysWOW64\xohoo.exe"

C:\Windows\SysWOW64\bekhw.exe

C:\Windows\system32\bekhw.exe 1164 "C:\Windows\SysWOW64\snxrj.exe"

C:\Windows\SysWOW64\imhrk.exe

C:\Windows\system32\imhrk.exe 1160 "C:\Windows\SysWOW64\bekhw.exe"

C:\Windows\SysWOW64\itepb.exe

C:\Windows\system32\itepb.exe 1172 "C:\Windows\SysWOW64\imhrk.exe"

C:\Windows\SysWOW64\ktjfn.exe

C:\Windows\system32\ktjfn.exe 1168 "C:\Windows\SysWOW64\itepb.exe"

C:\Windows\SysWOW64\rtfpu.exe

C:\Windows\system32\rtfpu.exe 1188 "C:\Windows\SysWOW64\ktjfn.exe"

C:\Windows\SysWOW64\ridut.exe

C:\Windows\system32\ridut.exe 1184 "C:\Windows\SysWOW64\rtfpu.exe"

C:\Windows\SysWOW64\kvipt.exe

C:\Windows\system32\kvipt.exe 1208 "C:\Windows\SysWOW64\ridut.exe"

C:\Windows\SysWOW64\sstnf.exe

C:\Windows\system32\sstnf.exe 1204 "C:\Windows\SysWOW64\kvipt.exe"

C:\Windows\SysWOW64\zspxt.exe

C:\Windows\system32\zspxt.exe 1220 "C:\Windows\SysWOW64\sstnf.exe"

C:\Windows\SysWOW64\bcpnl.exe

C:\Windows\system32\bcpnl.exe 1216 "C:\Windows\SysWOW64\zspxt.exe"

C:\Windows\SysWOW64\bresd.exe

C:\Windows\system32\bresd.exe 1232 "C:\Windows\SysWOW64\bcpnl.exe"

C:\Windows\SysWOW64\qgnlj.exe

C:\Windows\system32\qgnlj.exe 1224 "C:\Windows\SysWOW64\bresd.exe"

C:\Windows\SysWOW64\whkvx.exe

C:\Windows\system32\whkvx.exe 1248 "C:\Windows\SysWOW64\qgnlj.exe"

C:\Windows\SysWOW64\xswnm.exe

C:\Windows\system32\xswnm.exe 1228 "C:\Windows\SysWOW64\whkvx.exe"

C:\Windows\SysWOW64\gnuqb.exe

C:\Windows\system32\gnuqb.exe 1244 "C:\Windows\SysWOW64\xswnm.exe"

C:\Windows\SysWOW64\dltqu.exe

C:\Windows\system32\dltqu.exe 1236 "C:\Windows\SysWOW64\gnuqb.exe"

C:\Windows\SysWOW64\vopbw.exe

C:\Windows\system32\vopbw.exe 1264 "C:\Windows\SysWOW64\dltqu.exe"

C:\Windows\SysWOW64\evrjo.exe

C:\Windows\system32\evrjo.exe 1240 "C:\Windows\SysWOW64\vopbw.exe"

C:\Windows\SysWOW64\bkyjh.exe

C:\Windows\system32\bkyjh.exe 1268 "C:\Windows\SysWOW64\evrjo.exe"

C:\Windows\SysWOW64\vqodk.exe

C:\Windows\system32\vqodk.exe 1292 "C:\Windows\SysWOW64\bkyjh.exe"

C:\Windows\SysWOW64\vfejb.exe

C:\Windows\system32\vfejb.exe 1260 "C:\Windows\SysWOW64\vqodk.exe"

C:\Windows\SysWOW64\krjoe.exe

C:\Windows\system32\krjoe.exe 1252 "C:\Windows\SysWOW64\vfejb.exe"

C:\Windows\SysWOW64\knvuj.exe

C:\Windows\system32\knvuj.exe 1256 "C:\Windows\SysWOW64\krjoe.exe"

C:\Windows\SysWOW64\trkwl.exe

C:\Windows\system32\trkwl.exe 1276 "C:\Windows\SysWOW64\knvuj.exe"

C:\Windows\SysWOW64\qorwe.exe

C:\Windows\system32\qorwe.exe 1280 "C:\Windows\SysWOW64\trkwl.exe"

C:\Windows\SysWOW64\dxmrh.exe

C:\Windows\system32\dxmrh.exe 1284 "C:\Windows\SysWOW64\qorwe.exe"

C:\Windows\SysWOW64\cbypm.exe

C:\Windows\system32\cbypm.exe 1288 "C:\Windows\SysWOW64\dxmrh.exe"

C:\Windows\SysWOW64\rfeup.exe

C:\Windows\system32\rfeup.exe 1272 "C:\Windows\SysWOW64\cbypm.exe"

C:\Windows\SysWOW64\lpycn.exe

C:\Windows\system32\lpycn.exe 1308 "C:\Windows\SysWOW64\rfeup.exe"

C:\Windows\SysWOW64\wzwzu.exe

C:\Windows\system32\wzwzu.exe 1320 "C:\Windows\SysWOW64\lpycn.exe"

C:\Windows\SysWOW64\cdwpl.exe

C:\Windows\system32\cdwpl.exe 1300 "C:\Windows\SysWOW64\wzwzu.exe"

C:\Windows\SysWOW64\udhnk.exe

C:\Windows\system32\udhnk.exe 1296 "C:\Windows\SysWOW64\cdwpl.exe"

C:\Windows\SysWOW64\rhcni.exe

C:\Windows\system32\rhcni.exe 1316 "C:\Windows\SysWOW64\udhnk.exe"

C:\Windows\SysWOW64\tsdvv.exe

C:\Windows\system32\tsdvv.exe 1304 "C:\Windows\SysWOW64\rhcni.exe"

C:\Windows\SysWOW64\qtniy.exe

C:\Windows\system32\qtniy.exe 1312 "C:\Windows\SysWOW64\tsdvv.exe"

C:\Windows\SysWOW64\cfcie.exe

C:\Windows\system32\cfcie.exe 1328 "C:\Windows\SysWOW64\qtniy.exe"

C:\Windows\SysWOW64\lfpxq.exe

C:\Windows\system32\lfpxq.exe 1332 "C:\Windows\SysWOW64\cfcie.exe"

C:\Windows\SysWOW64\ykhgq.exe

C:\Windows\system32\ykhgq.exe 1324 "C:\Windows\SysWOW64\lfpxq.exe"

C:\Windows\SysWOW64\buzvi.exe

C:\Windows\system32\buzvi.exe 1344 "C:\Windows\SysWOW64\ykhgq.exe"

C:\Windows\SysWOW64\qgwam.exe

C:\Windows\system32\qgwam.exe 1340 "C:\Windows\SysWOW64\buzvi.exe"

C:\Windows\SysWOW64\mlsbt.exe

C:\Windows\system32\mlsbt.exe 1356 "C:\Windows\SysWOW64\qgwam.exe"

C:\Windows\SysWOW64\thlye.exe

C:\Windows\system32\thlye.exe 1336 "C:\Windows\SysWOW64\mlsbt.exe"

C:\Windows\SysWOW64\nkdgq.exe

C:\Windows\system32\nkdgq.exe 1360 "C:\Windows\SysWOW64\thlye.exe"

C:\Windows\SysWOW64\htfow.exe

C:\Windows\system32\htfow.exe 1352 "C:\Windows\SysWOW64\nkdgq.exe"

C:\Windows\SysWOW64\mgywh.exe

C:\Windows\system32\mgywh.exe 1364 "C:\Windows\SysWOW64\htfow.exe"

C:\Windows\SysWOW64\ybfwv.exe

C:\Windows\system32\ybfwv.exe 1388 "C:\Windows\SysWOW64\mgywh.exe"

C:\Windows\SysWOW64\obzov.exe

C:\Windows\system32\obzov.exe 1372 "C:\Windows\SysWOW64\ybfwv.exe"

C:\Windows\SysWOW64\nuagp.exe

C:\Windows\system32\nuagp.exe 1348 "C:\Windows\SysWOW64\obzov.exe"

C:\Windows\SysWOW64\vbwzk.exe

C:\Windows\system32\vbwzk.exe 1376 "C:\Windows\SysWOW64\nuagp.exe"

C:\Windows\SysWOW64\pimbe.exe

C:\Windows\system32\pimbe.exe 1380 "C:\Windows\SysWOW64\vbwzk.exe"

C:\Windows\SysWOW64\pxchw.exe

C:\Windows\system32\pxchw.exe 1384 "C:\Windows\SysWOW64\pimbe.exe"

C:\Windows\SysWOW64\gdbwa.exe

C:\Windows\system32\gdbwa.exe 1368 "C:\Windows\SysWOW64\pxchw.exe"

C:\Windows\SysWOW64\tqtmg.exe

C:\Windows\system32\tqtmg.exe 1396 "C:\Windows\SysWOW64\gdbwa.exe"

C:\Windows\SysWOW64\digct.exe

C:\Windows\system32\digct.exe 1392 "C:\Windows\SysWOW64\tqtmg.exe"

C:\Windows\SysWOW64\ajqpw.exe

C:\Windows\system32\ajqpw.exe 1404 "C:\Windows\SysWOW64\digct.exe"

C:\Windows\SysWOW64\ciefu.exe

C:\Windows\system32\ciefu.exe 1408 "C:\Windows\SysWOW64\ajqpw.exe"

C:\Windows\SysWOW64\smezq.exe

C:\Windows\system32\smezq.exe 1400 "C:\Windows\SysWOW64\ciefu.exe"

C:\Windows\SysWOW64\rqqxv.exe

C:\Windows\system32\rqqxv.exe 1412 "C:\Windows\SysWOW64\smezq.exe"

C:\Windows\SysWOW64\zubke.exe

C:\Windows\system32\zubke.exe 1416 "C:\Windows\SysWOW64\rqqxv.exe"

C:\Windows\SysWOW64\qypvg.exe

C:\Windows\system32\qypvg.exe 1420 "C:\Windows\SysWOW64\zubke.exe"

C:\Windows\SysWOW64\aamxb.exe

C:\Windows\system32\aamxb.exe 1452 "C:\Windows\SysWOW64\qypvg.exe"

C:\Windows\SysWOW64\pqvpi.exe

C:\Windows\system32\pqvpi.exe 1456 "C:\Windows\SysWOW64\aamxb.exe"

C:\Windows\SysWOW64\xqupp.exe

C:\Windows\system32\xqupp.exe 1432 "C:\Windows\SysWOW64\pqvpi.exe"

C:\Windows\SysWOW64\raoxu.exe

C:\Windows\system32\raoxu.exe 1424 "C:\Windows\SysWOW64\xqupp.exe"

Network

N/A

Files

memory/2344-0-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/2344-1-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/2344-3-0x0000000003DB0000-0x0000000003DB1000-memory.dmp

memory/2344-2-0x0000000003DA0000-0x0000000003DA2000-memory.dmp

memory/2344-4-0x0000000003CE0000-0x0000000003CE1000-memory.dmp

memory/2344-6-0x0000000003DC0000-0x0000000003DC1000-memory.dmp

memory/2344-5-0x0000000003D50000-0x0000000003D51000-memory.dmp

memory/2344-7-0x0000000001F00000-0x0000000001F01000-memory.dmp

memory/2344-8-0x0000000003D10000-0x0000000003D11000-memory.dmp

memory/2344-9-0x0000000001EF0000-0x0000000001EF1000-memory.dmp

memory/2344-10-0x0000000003CA0000-0x0000000003CA1000-memory.dmp

memory/2344-14-0x0000000003CB0000-0x0000000003CB1000-memory.dmp

memory/2344-15-0x0000000003D80000-0x0000000003D82000-memory.dmp

memory/2344-17-0x0000000003CC0000-0x0000000003CC1000-memory.dmp

memory/2344-16-0x0000000003D90000-0x0000000003D91000-memory.dmp

memory/2344-18-0x0000000003D70000-0x0000000003D71000-memory.dmp

\Windows\SysWOW64\vwvot.exe

MD5 ff353dc46aaaeb657fc490c0697b2ceb
SHA1 7ec9b7f9589f6313d86ed69669b908e4c2b49fd0
SHA256 61ffa4beb7f207c23c2584827c2c6c94d6e46e209fd47b736d5536adee897348
SHA512 c18612e4ccd5c9fc40d3198cb05d900538920f83e13e9d519a906867a9c737027c9700dd6c5495d7574138996fe1380e290ab29521bbfe608534d7864f9d81cf

memory/2344-20-0x0000000004A50000-0x0000000004C27000-memory.dmp

memory/2540-27-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/2344-28-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/2540-30-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/2540-33-0x0000000003DE0000-0x0000000003DE2000-memory.dmp

memory/2540-35-0x0000000003CE0000-0x0000000003CE1000-memory.dmp

memory/2540-34-0x0000000003DF0000-0x0000000003DF1000-memory.dmp

memory/2540-36-0x0000000003D50000-0x0000000003D51000-memory.dmp

memory/2540-37-0x0000000003E00000-0x0000000003E01000-memory.dmp

memory/2540-38-0x0000000003C90000-0x0000000003C91000-memory.dmp

memory/2540-40-0x0000000003C80000-0x0000000003C81000-memory.dmp

memory/2540-39-0x0000000003D10000-0x0000000003D11000-memory.dmp

memory/2540-41-0x0000000003D00000-0x0000000003D01000-memory.dmp

memory/2540-50-0x0000000003CB0000-0x0000000003CB1000-memory.dmp

memory/2540-48-0x0000000003CA0000-0x0000000003CA1000-memory.dmp

memory/2540-51-0x0000000003DD0000-0x0000000003DD1000-memory.dmp

memory/2540-53-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/2540-52-0x0000000003D80000-0x0000000003D82000-memory.dmp

memory/2356-55-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/2540-54-0x0000000003CC0000-0x0000000003CC1000-memory.dmp

memory/2356-59-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/2356-61-0x0000000003E00000-0x0000000003E01000-memory.dmp

memory/2356-64-0x0000000003E10000-0x0000000003E11000-memory.dmp

memory/2356-63-0x0000000003DA0000-0x0000000003DA1000-memory.dmp

memory/2356-67-0x0000000000910000-0x0000000000911000-memory.dmp

memory/2356-62-0x0000000003CE0000-0x0000000003CE1000-memory.dmp

memory/2356-60-0x0000000003DF0000-0x0000000003DF2000-memory.dmp

memory/2356-74-0x0000000003D00000-0x0000000003D01000-memory.dmp

memory/2356-73-0x0000000003D10000-0x0000000003D11000-memory.dmp

memory/2356-76-0x0000000002210000-0x0000000002211000-memory.dmp

memory/2356-75-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/2204-77-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/2204-78-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/2204-79-0x0000000003DE0000-0x0000000003DE2000-memory.dmp

memory/2204-83-0x0000000003DF0000-0x0000000003DF1000-memory.dmp

memory/2204-84-0x0000000003CE0000-0x0000000003CE1000-memory.dmp

memory/2204-86-0x0000000003E00000-0x0000000003E01000-memory.dmp

memory/2204-85-0x0000000003D90000-0x0000000003D91000-memory.dmp

memory/2204-88-0x0000000003D50000-0x0000000003D51000-memory.dmp

memory/2204-89-0x0000000000A70000-0x0000000000A71000-memory.dmp

memory/2204-87-0x0000000003C90000-0x0000000003C91000-memory.dmp

memory/2204-90-0x0000000003CA0000-0x0000000003CA1000-memory.dmp

memory/2204-91-0x0000000003CB0000-0x0000000003CB1000-memory.dmp

memory/2204-93-0x0000000003DC0000-0x0000000003DC2000-memory.dmp

memory/2204-92-0x0000000003DD0000-0x0000000003DD1000-memory.dmp

memory/2204-94-0x0000000003CC0000-0x0000000003CC1000-memory.dmp

memory/2204-95-0x0000000003CD0000-0x0000000003CD1000-memory.dmp

memory/2204-102-0x0000000003DB0000-0x0000000003DB1000-memory.dmp

memory/488-105-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/2204-104-0x00000000047E0000-0x00000000049B7000-memory.dmp

memory/2204-106-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/488-110-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/488-133-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/3064-162-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/892-179-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/1568-210-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/1152-237-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/2416-265-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/1276-291-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/1964-303-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/2812-314-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/948-325-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/2548-336-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/1612-347-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/2944-355-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/604-392-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/2256-399-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/2032-449-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/1364-474-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/692-498-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/3028-518-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/2388-541-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/1732-567-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/2084-594-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/944-617-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/2584-646-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/2308-652-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/2424-659-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/2228-668-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/2736-673-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/2852-680-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/2324-687-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/1608-694-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/2784-701-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/2952-708-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/2568-715-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/1524-722-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/1644-729-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/2368-736-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/2544-743-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/1272-750-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/1332-757-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/2248-764-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/2028-771-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/2260-778-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/2760-785-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/1648-792-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/1840-799-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/2704-806-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/428-813-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/1720-820-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/1484-827-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/900-834-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/1788-841-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/2072-848-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/932-855-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/2132-862-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/1328-869-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/2024-876-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/2728-883-0x0000000000400000-0x00000000005D7000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-21 11:48

Reported

2024-04-21 11:51

Platform

win10v2004-20240412-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ff353dc46aaaeb657fc490c0697b2ceb_JaffaCakes118.exe"

Signatures

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ff353dc46aaaeb657fc490c0697b2ceb_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ff353dc46aaaeb657fc490c0697b2ceb_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ff353dc46aaaeb657fc490c0697b2ceb_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 132.250.30.184.in-addr.arpa udp
NL 23.62.61.168:443 www.bing.com tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 168.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 154.173.246.72.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 217.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 14.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/5080-0-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/5080-1-0x0000000000400000-0x00000000005D7000-memory.dmp