Analysis Overview
SHA256
61ffa4beb7f207c23c2584827c2c6c94d6e46e209fd47b736d5536adee897348
Threat Level: Known bad
The file ff353dc46aaaeb657fc490c0697b2ceb_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
MetaSploit
Identifies Wine through registry keys
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-21 11:48
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-21 11:48
Reported
2024-04-21 11:51
Platform
win7-20240221-en
Max time kernel
150s
Max time network
123s
Command Line
Signatures
MetaSploit
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\itixk.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\rtfpu.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\knvuj.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\rhcni.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\ukbsd.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\rchve.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\vpgvp.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\ypiyp.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\eqemy.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\ridut.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\poigw.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\kznzb.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\qgnlj.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\gnuqb.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\oswng.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\oieri.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\ajqpw.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\qypvg.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\evrbc.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\swjvw.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\snxrj.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\trkwl.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\tqtmg.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\tgslj.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\ofyik.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\nedmc.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\mtnea.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\jrvcz.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\rnsnj.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\oolcf.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\ahlrt.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\eijbh.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\mgywh.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\smezq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\balet.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\mjwzw.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\betae.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\iztkq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\pljlm.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\vwvot.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\oolsm.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\efifg.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\nfbmi.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\mbreh.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\glemp.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\vqodk.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\cbypm.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\dgopr.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\yfkgc.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\kvnry.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\qtniy.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\htfow.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\jbdqx.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\lnevv.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\vmegy.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\gpbku.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\aqoao.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\gahzk.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\xswnm.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\pxchw.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\hqlqx.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\vyxtq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\jygxq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\dqjiu.exe | N/A |
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\oolcf.exe | C:\Windows\SysWOW64\vwvot.exe | N/A |
| File created | C:\Windows\SysWOW64\tlomm.exe | C:\Windows\SysWOW64\oolcf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bkyjh.exe | C:\Windows\SysWOW64\evrjo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\trkwl.exe | C:\Windows\SysWOW64\knvuj.exe | N/A |
| File created | C:\Windows\SysWOW64\urakt.exe | C:\Windows\SysWOW64\itixk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bkvge.exe | C:\Windows\SysWOW64\rxivj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wznkw.exe | C:\Windows\SysWOW64\xhesc.exe | N/A |
| File created | C:\Windows\SysWOW64\zspxt.exe | C:\Windows\SysWOW64\sstnf.exe | N/A |
| File created | C:\Windows\SysWOW64\vopbw.exe | C:\Windows\SysWOW64\dltqu.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vbwzk.exe | C:\Windows\SysWOW64\nuagp.exe | N/A |
| File created | C:\Windows\SysWOW64\nznvt.exe | C:\Windows\SysWOW64\arnsm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fckvy.exe | C:\Windows\SysWOW64\klisb.exe | N/A |
| File created | C:\Windows\SysWOW64\nfbmi.exe | C:\Windows\SysWOW64\ipfam.exe | N/A |
| File created | C:\Windows\SysWOW64\xohoo.exe | C:\Windows\SysWOW64\gahzk.exe | N/A |
| File created | C:\Windows\SysWOW64\dxmrh.exe | C:\Windows\SysWOW64\qorwe.exe | N/A |
| File created | C:\Windows\SysWOW64\knvuj.exe | C:\Windows\SysWOW64\krjoe.exe | N/A |
| File created | C:\Windows\SysWOW64\dqjiu.exe | C:\Windows\SysWOW64\efifg.exe | N/A |
| File created | C:\Windows\SysWOW64\lfpxq.exe | C:\Windows\SysWOW64\cfcie.exe | N/A |
| File created | C:\Windows\SysWOW64\qbndz.exe | C:\Windows\SysWOW64\lafir.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vmegy.exe | C:\Windows\SysWOW64\tgslj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\hkfjr.exe | C:\Windows\SysWOW64\poigw.exe | N/A |
| File created | C:\Windows\SysWOW64\balet.exe | C:\Windows\SysWOW64\uhmzw.exe | N/A |
| File created | C:\Windows\SysWOW64\zifnt.exe | C:\Windows\SysWOW64\sajcf.exe | N/A |
| File created | C:\Windows\SysWOW64\xowwx.exe | C:\Windows\SysWOW64\avmjb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rchve.exe | C:\Windows\SysWOW64\fitnz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\xhesc.exe | C:\Windows\SysWOW64\uaxpm.exe | N/A |
| File created | C:\Windows\SysWOW64\krjoe.exe | C:\Windows\SysWOW64\vfejb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\nuagp.exe | C:\Windows\SysWOW64\obzov.exe | N/A |
| File created | C:\Windows\SysWOW64\smezq.exe | C:\Windows\SysWOW64\ciefu.exe | N/A |
| File created | C:\Windows\SysWOW64\vmegy.exe | C:\Windows\SysWOW64\tgslj.exe | N/A |
| File created | C:\Windows\SysWOW64\mbreh.exe | C:\Windows\SysWOW64\exprx.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\cbypm.exe | C:\Windows\SysWOW64\dxmrh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mgywh.exe | C:\Windows\SysWOW64\htfow.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tqlit.exe | C:\Windows\SysWOW64\rchve.exe | N/A |
| File created | C:\Windows\SysWOW64\hhspt.exe | C:\Windows\SysWOW64\suwbu.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\smezq.exe | C:\Windows\SysWOW64\ciefu.exe | N/A |
| File created | C:\Windows\SysWOW64\arnsm.exe | C:\Windows\SysWOW64\jlemi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gahzk.exe | C:\Windows\SysWOW64\mbreh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vfejb.exe | C:\Windows\SysWOW64\vqodk.exe | N/A |
| File created | C:\Windows\SysWOW64\cyknj.exe | C:\Windows\SysWOW64\sfuix.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dlfpo.exe | C:\Windows\SysWOW64\mjwzw.exe | N/A |
| File created | C:\Windows\SysWOW64\kznzb.exe | C:\Windows\SysWOW64\amyzo.exe | N/A |
| File created | C:\Windows\SysWOW64\scjap.exe | C:\Windows\SysWOW64\iztkq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\lafir.exe | C:\Windows\SysWOW64\rnsnj.exe | N/A |
| File created | C:\Windows\SysWOW64\amyzo.exe | C:\Windows\SysWOW64\dxhqw.exe | N/A |
| File created | C:\Windows\SysWOW64\nyyto.exe | C:\Windows\SysWOW64\wgvig.exe | N/A |
| File created | C:\Windows\SysWOW64\qzlgr.exe | C:\Windows\SysWOW64\optrz.exe | N/A |
| File created | C:\Windows\SysWOW64\gaptp.exe | C:\Windows\SysWOW64\oieri.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\lpycn.exe | C:\Windows\SysWOW64\rfeup.exe | N/A |
| File created | C:\Windows\SysWOW64\rmqhz.exe | C:\Windows\SysWOW64\glemp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\qgwam.exe | C:\Windows\SysWOW64\buzvi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vopbw.exe | C:\Windows\SysWOW64\dltqu.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\evrjo.exe | C:\Windows\SysWOW64\vopbw.exe | N/A |
| File created | C:\Windows\SysWOW64\plvtv.exe | C:\Windows\SysWOW64\vmegy.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\urakt.exe | C:\Windows\SysWOW64\itixk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\qkshj.exe | C:\Windows\SysWOW64\owgmu.exe | N/A |
| File created | C:\Windows\SysWOW64\xobam.exe | C:\Windows\SysWOW64\duwkm.exe | N/A |
| File created | C:\Windows\SysWOW64\itepb.exe | C:\Windows\SysWOW64\imhrk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\oswng.exe | C:\Windows\SysWOW64\oojlq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\nkdgq.exe | C:\Windows\SysWOW64\thlye.exe | N/A |
| File created | C:\Windows\SysWOW64\uhmzw.exe | C:\Windows\SysWOW64\qkshj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ipfam.exe | C:\Windows\SysWOW64\drakg.exe | N/A |
| File created | C:\Windows\SysWOW64\trkwl.exe | C:\Windows\SysWOW64\knvuj.exe | N/A |
| File created | C:\Windows\SysWOW64\tqtmg.exe | C:\Windows\SysWOW64\gdbwa.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ff353dc46aaaeb657fc490c0697b2ceb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ff353dc46aaaeb657fc490c0697b2ceb_JaffaCakes118.exe"
C:\Windows\SysWOW64\vwvot.exe
C:\Windows\system32\vwvot.exe 636 "C:\Users\Admin\AppData\Local\Temp\ff353dc46aaaeb657fc490c0697b2ceb_JaffaCakes118.exe"
C:\Windows\SysWOW64\oolcf.exe
C:\Windows\system32\oolcf.exe 616 "C:\Windows\SysWOW64\vwvot.exe"
C:\Windows\SysWOW64\tlomm.exe
C:\Windows\system32\tlomm.exe 612 "C:\Windows\SysWOW64\oolcf.exe"
C:\Windows\SysWOW64\ukbsd.exe
C:\Windows\system32\ukbsd.exe 652 "C:\Windows\SysWOW64\tlomm.exe"
C:\Windows\SysWOW64\akyul.exe
C:\Windows\system32\akyul.exe 624 "C:\Windows\SysWOW64\ukbsd.exe"
C:\Windows\SysWOW64\fitnz.exe
C:\Windows\system32\fitnz.exe 620 "C:\Windows\SysWOW64\akyul.exe"
C:\Windows\SysWOW64\rchve.exe
C:\Windows\system32\rchve.exe 632 "C:\Windows\SysWOW64\fitnz.exe"
C:\Windows\SysWOW64\tqlit.exe
C:\Windows\system32\tqlit.exe 628 "C:\Windows\SysWOW64\rchve.exe"
C:\Windows\SysWOW64\sykfm.exe
C:\Windows\system32\sykfm.exe 660 "C:\Windows\SysWOW64\tqlit.exe"
C:\Windows\SysWOW64\hntyt.exe
C:\Windows\system32\hntyt.exe 640 "C:\Windows\SysWOW64\sykfm.exe"
C:\Windows\SysWOW64\rbcau.exe
C:\Windows\system32\rbcau.exe 664 "C:\Windows\SysWOW64\hntyt.exe"
C:\Windows\SysWOW64\vyxtq.exe
C:\Windows\system32\vyxtq.exe 684 "C:\Windows\SysWOW64\rbcau.exe"
C:\Windows\SysWOW64\pazth.exe
C:\Windows\system32\pazth.exe 656 "C:\Windows\SysWOW64\vyxtq.exe"
C:\Windows\SysWOW64\tgslj.exe
C:\Windows\system32\tgslj.exe 668 "C:\Windows\SysWOW64\pazth.exe"
C:\Windows\SysWOW64\vmegy.exe
C:\Windows\system32\vmegy.exe 672 "C:\Windows\SysWOW64\tgslj.exe"
C:\Windows\SysWOW64\plvtv.exe
C:\Windows\system32\plvtv.exe 676 "C:\Windows\SysWOW64\vmegy.exe"
C:\Windows\SysWOW64\otujo.exe
C:\Windows\system32\otujo.exe 732 "C:\Windows\SysWOW64\plvtv.exe"
C:\Windows\SysWOW64\nedmc.exe
C:\Windows\system32\nedmc.exe 644 "C:\Windows\SysWOW64\otujo.exe"
C:\Windows\SysWOW64\hrihl.exe
C:\Windows\system32\hrihl.exe 680 "C:\Windows\SysWOW64\nedmc.exe"
C:\Windows\SysWOW64\zuwrn.exe
C:\Windows\system32\zuwrn.exe 696 "C:\Windows\SysWOW64\hrihl.exe"
C:\Windows\SysWOW64\bwxzz.exe
C:\Windows\system32\bwxzz.exe 700 "C:\Windows\SysWOW64\zuwrn.exe"
C:\Windows\SysWOW64\dgopr.exe
C:\Windows\system32\dgopr.exe 716 "C:\Windows\SysWOW64\bwxzz.exe"
C:\Windows\SysWOW64\itixk.exe
C:\Windows\system32\itixk.exe 736 "C:\Windows\SysWOW64\dgopr.exe"
C:\Windows\SysWOW64\urakt.exe
C:\Windows\system32\urakt.exe 720 "C:\Windows\SysWOW64\itixk.exe"
C:\Windows\SysWOW64\ugypk.exe
C:\Windows\system32\ugypk.exe 788 "C:\Windows\SysWOW64\urakt.exe"
C:\Windows\SysWOW64\gpbku.exe
C:\Windows\system32\gpbku.exe 648 "C:\Windows\SysWOW64\ugypk.exe"
C:\Windows\SysWOW64\gtnhr.exe
C:\Windows\system32\gtnhr.exe 740 "C:\Windows\SysWOW64\gpbku.exe"
C:\Windows\SysWOW64\sfuix.exe
C:\Windows\system32\sfuix.exe 688 "C:\Windows\SysWOW64\gtnhr.exe"
C:\Windows\SysWOW64\cyknj.exe
C:\Windows\system32\cyknj.exe 748 "C:\Windows\SysWOW64\sfuix.exe"
C:\Windows\SysWOW64\jygxq.exe
C:\Windows\system32\jygxq.exe 692 "C:\Windows\SysWOW64\cyknj.exe"
C:\Windows\SysWOW64\oolsm.exe
C:\Windows\system32\oolsm.exe 760 "C:\Windows\SysWOW64\jygxq.exe"
C:\Windows\SysWOW64\tudsu.exe
C:\Windows\system32\tudsu.exe 712 "C:\Windows\SysWOW64\oolsm.exe"
C:\Windows\SysWOW64\vpgvp.exe
C:\Windows\system32\vpgvp.exe 820 "C:\Windows\SysWOW64\tudsu.exe"
C:\Windows\SysWOW64\pkllh.exe
C:\Windows\system32\pkllh.exe 784 "C:\Windows\SysWOW64\vpgvp.exe"
C:\Windows\SysWOW64\mlvyk.exe
C:\Windows\system32\mlvyk.exe 772 "C:\Windows\SysWOW64\pkllh.exe"
C:\Windows\SysWOW64\jbdqx.exe
C:\Windows\system32\jbdqx.exe 768 "C:\Windows\SysWOW64\mlvyk.exe"
C:\Windows\SysWOW64\nnujy.exe
C:\Windows\system32\nnujy.exe 708 "C:\Windows\SysWOW64\jbdqx.exe"
C:\Windows\SysWOW64\pmjei.exe
C:\Windows\system32\pmjei.exe 724 "C:\Windows\SysWOW64\nnujy.exe"
C:\Windows\SysWOW64\ypiyp.exe
C:\Windows\system32\ypiyp.exe 728 "C:\Windows\SysWOW64\pmjei.exe"
C:\Windows\SysWOW64\idjbz.exe
C:\Windows\system32\idjbz.exe 744 "C:\Windows\SysWOW64\ypiyp.exe"
C:\Windows\SysWOW64\poigw.exe
C:\Windows\system32\poigw.exe 796 "C:\Windows\SysWOW64\idjbz.exe"
C:\Windows\SysWOW64\hkfjr.exe
C:\Windows\system32\hkfjr.exe 804 "C:\Windows\SysWOW64\poigw.exe"
C:\Windows\SysWOW64\mtnea.exe
C:\Windows\system32\mtnea.exe 752 "C:\Windows\SysWOW64\hkfjr.exe"
C:\Windows\SysWOW64\owgmu.exe
C:\Windows\system32\owgmu.exe 704 "C:\Windows\SysWOW64\mtnea.exe"
C:\Windows\SysWOW64\qkshj.exe
C:\Windows\system32\qkshj.exe 812 "C:\Windows\SysWOW64\owgmu.exe"
C:\Windows\SysWOW64\uhmzw.exe
C:\Windows\system32\uhmzw.exe 756 "C:\Windows\SysWOW64\qkshj.exe"
C:\Windows\SysWOW64\balet.exe
C:\Windows\system32\balet.exe 776 "C:\Windows\SysWOW64\uhmzw.exe"
C:\Windows\SysWOW64\sajcf.exe
C:\Windows\system32\sajcf.exe 764 "C:\Windows\SysWOW64\balet.exe"
C:\Windows\SysWOW64\zifnt.exe
C:\Windows\system32\zifnt.exe 792 "C:\Windows\SysWOW64\sajcf.exe"
C:\Windows\SysWOW64\efifg.exe
C:\Windows\system32\efifg.exe 800 "C:\Windows\SysWOW64\zifnt.exe"
C:\Windows\SysWOW64\dqjiu.exe
C:\Windows\system32\dqjiu.exe 808 "C:\Windows\SysWOW64\efifg.exe"
C:\Windows\SysWOW64\vqvft.exe
C:\Windows\system32\vqvft.exe 780 "C:\Windows\SysWOW64\dqjiu.exe"
C:\Windows\SysWOW64\hkbnh.exe
C:\Windows\system32\hkbnh.exe 824 "C:\Windows\SysWOW64\vqvft.exe"
C:\Windows\SysWOW64\oojlq.exe
C:\Windows\system32\oojlq.exe 816 "C:\Windows\SysWOW64\hkbnh.exe"
C:\Windows\SysWOW64\oswng.exe
C:\Windows\system32\oswng.exe 900 "C:\Windows\SysWOW64\oojlq.exe"
C:\Windows\SysWOW64\aqoao.exe
C:\Windows\system32\aqoao.exe 912 "C:\Windows\SysWOW64\oswng.exe"
C:\Windows\SysWOW64\evrbc.exe
C:\Windows\system32\evrbc.exe 856 "C:\Windows\SysWOW64\aqoao.exe"
C:\Windows\SysWOW64\jpagm.exe
C:\Windows\system32\jpagm.exe 828 "C:\Windows\SysWOW64\evrbc.exe"
C:\Windows\SysWOW64\ahlrt.exe
C:\Windows\system32\ahlrt.exe 844 "C:\Windows\SysWOW64\jpagm.exe"
C:\Windows\SysWOW64\nqoee.exe
C:\Windows\system32\nqoee.exe 832 "C:\Windows\SysWOW64\ahlrt.exe"
C:\Windows\SysWOW64\kkkzu.exe
C:\Windows\system32\kkkzu.exe 860 "C:\Windows\SysWOW64\nqoee.exe"
C:\Windows\SysWOW64\oieri.exe
C:\Windows\system32\oieri.exe 836 "C:\Windows\SysWOW64\kkkzu.exe"
C:\Windows\SysWOW64\gaptp.exe
C:\Windows\system32\gaptp.exe 848 "C:\Windows\SysWOW64\oieri.exe"
C:\Windows\SysWOW64\suwbu.exe
C:\Windows\system32\suwbu.exe 840 "C:\Windows\SysWOW64\gaptp.exe"
C:\Windows\SysWOW64\hhspt.exe
C:\Windows\system32\hhspt.exe 864 "C:\Windows\SysWOW64\suwbu.exe"
C:\Windows\SysWOW64\glemp.exe
C:\Windows\system32\glemp.exe 852 "C:\Windows\SysWOW64\hhspt.exe"
C:\Windows\SysWOW64\rmqhz.exe
C:\Windows\system32\rmqhz.exe 920 "C:\Windows\SysWOW64\glemp.exe"
C:\Windows\SysWOW64\lnevv.exe
C:\Windows\system32\lnevv.exe 868 "C:\Windows\SysWOW64\rmqhz.exe"
C:\Windows\SysWOW64\bxpyk.exe
C:\Windows\system32\bxpyk.exe 872 "C:\Windows\SysWOW64\lnevv.exe"
C:\Windows\SysWOW64\grswb.exe
C:\Windows\system32\grswb.exe 876 "C:\Windows\SysWOW64\bxpyk.exe"
C:\Windows\SysWOW64\mjwzw.exe
C:\Windows\system32\mjwzw.exe 884 "C:\Windows\SysWOW64\grswb.exe"
C:\Windows\SysWOW64\dlfpo.exe
C:\Windows\system32\dlfpo.exe 880 "C:\Windows\SysWOW64\mjwzw.exe"
C:\Windows\SysWOW64\lcpxo.exe
C:\Windows\system32\lcpxo.exe 892 "C:\Windows\SysWOW64\dlfpo.exe"
C:\Windows\SysWOW64\tcygu.exe
C:\Windows\system32\tcygu.exe 888 "C:\Windows\SysWOW64\lcpxo.exe"
C:\Windows\SysWOW64\kikbp.exe
C:\Windows\system32\kikbp.exe 904 "C:\Windows\SysWOW64\tcygu.exe"
C:\Windows\SysWOW64\kvtck.exe
C:\Windows\system32\kvtck.exe 896 "C:\Windows\SysWOW64\kikbp.exe"
C:\Windows\SysWOW64\rqphg.exe
C:\Windows\system32\rqphg.exe 908 "C:\Windows\SysWOW64\kvtck.exe"
C:\Windows\SysWOW64\rxivj.exe
C:\Windows\system32\rxivj.exe 916 "C:\Windows\SysWOW64\rqphg.exe"
C:\Windows\SysWOW64\bkvge.exe
C:\Windows\system32\bkvge.exe 928 "C:\Windows\SysWOW64\rxivj.exe"
C:\Windows\SysWOW64\gglow.exe
C:\Windows\system32\gglow.exe 924 "C:\Windows\SysWOW64\bkvge.exe"
C:\Windows\SysWOW64\jlemi.exe
C:\Windows\system32\jlemi.exe 936 "C:\Windows\SysWOW64\gglow.exe"
C:\Windows\SysWOW64\arnsm.exe
C:\Windows\system32\arnsm.exe 932 "C:\Windows\SysWOW64\jlemi.exe"
C:\Windows\SysWOW64\nznvt.exe
C:\Windows\system32\nznvt.exe 944 "C:\Windows\SysWOW64\arnsm.exe"
C:\Windows\SysWOW64\betae.exe
C:\Windows\system32\betae.exe 940 "C:\Windows\SysWOW64\nznvt.exe"
C:\Windows\SysWOW64\dxhqw.exe
C:\Windows\system32\dxhqw.exe 952 "C:\Windows\SysWOW64\betae.exe"
C:\Windows\SysWOW64\amyzo.exe
C:\Windows\system32\amyzo.exe 948 "C:\Windows\SysWOW64\dxhqw.exe"
C:\Windows\SysWOW64\kznzb.exe
C:\Windows\system32\kznzb.exe 960 "C:\Windows\SysWOW64\amyzo.exe"
C:\Windows\SysWOW64\eqemy.exe
C:\Windows\system32\eqemy.exe 964 "C:\Windows\SysWOW64\kznzb.exe"
C:\Windows\SysWOW64\eqnfa.exe
C:\Windows\system32\eqnfa.exe 968 "C:\Windows\SysWOW64\eqemy.exe"
C:\Windows\SysWOW64\iztkq.exe
C:\Windows\system32\iztkq.exe 996 "C:\Windows\SysWOW64\eqnfa.exe"
C:\Windows\SysWOW64\scjap.exe
C:\Windows\system32\scjap.exe 972 "C:\Windows\SysWOW64\iztkq.exe"
C:\Windows\SysWOW64\uaxpm.exe
C:\Windows\system32\uaxpm.exe 976 "C:\Windows\SysWOW64\scjap.exe"
C:\Windows\SysWOW64\xhesc.exe
C:\Windows\system32\xhesc.exe 980 "C:\Windows\SysWOW64\uaxpm.exe"
C:\Windows\SysWOW64\wznkw.exe
C:\Windows\system32\wznkw.exe 1020 "C:\Windows\SysWOW64\xhesc.exe"
C:\Windows\SysWOW64\vhcvd.exe
C:\Windows\system32\vhcvd.exe 1056 "C:\Windows\SysWOW64\wznkw.exe"
C:\Windows\SysWOW64\swjvw.exe
C:\Windows\system32\swjvw.exe 1016 "C:\Windows\SysWOW64\vhcvd.exe"
C:\Windows\SysWOW64\klisb.exe
C:\Windows\system32\klisb.exe 984 "C:\Windows\SysWOW64\swjvw.exe"
C:\Windows\SysWOW64\fckvy.exe
C:\Windows\system32\fckvy.exe 956 "C:\Windows\SysWOW64\klisb.exe"
C:\Windows\SysWOW64\ustgf.exe
C:\Windows\system32\ustgf.exe 988 "C:\Windows\SysWOW64\fckvy.exe"
C:\Windows\SysWOW64\wgvig.exe
C:\Windows\system32\wgvig.exe 992 "C:\Windows\SysWOW64\ustgf.exe"
C:\Windows\SysWOW64\nyyto.exe
C:\Windows\system32\nyyto.exe 1004 "C:\Windows\SysWOW64\wgvig.exe"
C:\Windows\SysWOW64\htlbo.exe
C:\Windows\system32\htlbo.exe 1000 "C:\Windows\SysWOW64\nyyto.exe"
C:\Windows\SysWOW64\eijbh.exe
C:\Windows\system32\eijbh.exe 1008 "C:\Windows\SysWOW64\htlbo.exe"
C:\Windows\SysWOW64\optrz.exe
C:\Windows\system32\optrz.exe 1012 "C:\Windows\SysWOW64\eijbh.exe"
C:\Windows\SysWOW64\qzlgr.exe
C:\Windows\system32\qzlgr.exe 1028 "C:\Windows\SysWOW64\optrz.exe"
C:\Windows\SysWOW64\avmjb.exe
C:\Windows\system32\avmjb.exe 1032 "C:\Windows\SysWOW64\qzlgr.exe"
C:\Windows\SysWOW64\xowwx.exe
C:\Windows\system32\xowwx.exe 1036 "C:\Windows\SysWOW64\avmjb.exe"
C:\Windows\SysWOW64\mwrox.exe
C:\Windows\system32\mwrox.exe 1044 "C:\Windows\SysWOW64\xowwx.exe"
C:\Windows\SysWOW64\rnwjt.exe
C:\Windows\system32\rnwjt.exe 1084 "C:\Windows\SysWOW64\mwrox.exe"
C:\Windows\SysWOW64\nogwx.exe
C:\Windows\system32\nogwx.exe 1040 "C:\Windows\SysWOW64\rnwjt.exe"
C:\Windows\SysWOW64\quuzn.exe
C:\Windows\system32\quuzn.exe 1076 "C:\Windows\SysWOW64\nogwx.exe"
C:\Windows\SysWOW64\pqgej.exe
C:\Windows\system32\pqgej.exe 1048 "C:\Windows\SysWOW64\quuzn.exe"
C:\Windows\SysWOW64\pjhpd.exe
C:\Windows\system32\pjhpd.exe 1068 "C:\Windows\SysWOW64\pqgej.exe"
C:\Windows\SysWOW64\gxhmi.exe
C:\Windows\system32\gxhmi.exe 1052 "C:\Windows\SysWOW64\pjhpd.exe"
C:\Windows\SysWOW64\lcaub.exe
C:\Windows\system32\lcaub.exe 1100 "C:\Windows\SysWOW64\gxhmi.exe"
C:\Windows\SysWOW64\drakg.exe
C:\Windows\system32\drakg.exe 1060 "C:\Windows\SysWOW64\lcaub.exe"
C:\Windows\SysWOW64\ipfam.exe
C:\Windows\system32\ipfam.exe 1152 "C:\Windows\SysWOW64\drakg.exe"
C:\Windows\SysWOW64\nfbmi.exe
C:\Windows\system32\nfbmi.exe 1112 "C:\Windows\SysWOW64\ipfam.exe"
C:\Windows\SysWOW64\fiqxj.exe
C:\Windows\system32\fiqxj.exe 1072 "C:\Windows\SysWOW64\nfbmi.exe"
C:\Windows\SysWOW64\eekug.exe
C:\Windows\system32\eekug.exe 1140 "C:\Windows\SysWOW64\fiqxj.exe"
C:\Windows\SysWOW64\jrvcz.exe
C:\Windows\system32\jrvcz.exe 1148 "C:\Windows\SysWOW64\eekug.exe"
C:\Windows\SysWOW64\gsopd.exe
C:\Windows\system32\gsopd.exe 1128 "C:\Windows\SysWOW64\jrvcz.exe"
C:\Windows\SysWOW64\duwkm.exe
C:\Windows\system32\duwkm.exe 1116 "C:\Windows\SysWOW64\gsopd.exe"
C:\Windows\SysWOW64\xobam.exe
C:\Windows\system32\xobam.exe 1064 "C:\Windows\SysWOW64\duwkm.exe"
C:\Windows\SysWOW64\cfgni.exe
C:\Windows\system32\cfgni.exe 1120 "C:\Windows\SysWOW64\xobam.exe"
C:\Windows\SysWOW64\rnsnj.exe
C:\Windows\system32\rnsnj.exe 1080 "C:\Windows\SysWOW64\cfgni.exe"
C:\Windows\SysWOW64\lafir.exe
C:\Windows\system32\lafir.exe 1136 "C:\Windows\SysWOW64\rnsnj.exe"
C:\Windows\SysWOW64\qbndz.exe
C:\Windows\system32\qbndz.exe 1092 "C:\Windows\SysWOW64\lafir.exe"
C:\Windows\SysWOW64\kidyc.exe
C:\Windows\system32\kidyc.exe 1192 "C:\Windows\SysWOW64\qbndz.exe"
C:\Windows\SysWOW64\nsvnu.exe
C:\Windows\system32\nsvnu.exe 1096 "C:\Windows\SysWOW64\kidyc.exe"
C:\Windows\SysWOW64\hqlqx.exe
C:\Windows\system32\hqlqx.exe 1104 "C:\Windows\SysWOW64\nsvnu.exe"
C:\Windows\SysWOW64\ofyik.exe
C:\Windows\system32\ofyik.exe 1088 "C:\Windows\SysWOW64\hqlqx.exe"
C:\Windows\SysWOW64\yfkgc.exe
C:\Windows\system32\yfkgc.exe 1212 "C:\Windows\SysWOW64\ofyik.exe"
C:\Windows\SysWOW64\nqilg.exe
C:\Windows\system32\nqilg.exe 1108 "C:\Windows\SysWOW64\yfkgc.exe"
C:\Windows\SysWOW64\ilnbg.exe
C:\Windows\system32\ilnbg.exe 1144 "C:\Windows\SysWOW64\nqilg.exe"
C:\Windows\SysWOW64\kvnry.exe
C:\Windows\system32\kvnry.exe 1124 "C:\Windows\SysWOW64\ilnbg.exe"
C:\Windows\SysWOW64\pljlm.exe
C:\Windows\system32\pljlm.exe 1180 "C:\Windows\SysWOW64\kvnry.exe"
C:\Windows\SysWOW64\exprx.exe
C:\Windows\system32\exprx.exe 1176 "C:\Windows\SysWOW64\pljlm.exe"
C:\Windows\SysWOW64\mbreh.exe
C:\Windows\system32\mbreh.exe 1200 "C:\Windows\SysWOW64\exprx.exe"
C:\Windows\SysWOW64\gahzk.exe
C:\Windows\system32\gahzk.exe 1132 "C:\Windows\SysWOW64\mbreh.exe"
C:\Windows\SysWOW64\xohoo.exe
C:\Windows\system32\xohoo.exe 1196 "C:\Windows\SysWOW64\gahzk.exe"
C:\Windows\SysWOW64\snxrj.exe
C:\Windows\system32\snxrj.exe 1156 "C:\Windows\SysWOW64\xohoo.exe"
C:\Windows\SysWOW64\bekhw.exe
C:\Windows\system32\bekhw.exe 1164 "C:\Windows\SysWOW64\snxrj.exe"
C:\Windows\SysWOW64\imhrk.exe
C:\Windows\system32\imhrk.exe 1160 "C:\Windows\SysWOW64\bekhw.exe"
C:\Windows\SysWOW64\itepb.exe
C:\Windows\system32\itepb.exe 1172 "C:\Windows\SysWOW64\imhrk.exe"
C:\Windows\SysWOW64\ktjfn.exe
C:\Windows\system32\ktjfn.exe 1168 "C:\Windows\SysWOW64\itepb.exe"
C:\Windows\SysWOW64\rtfpu.exe
C:\Windows\system32\rtfpu.exe 1188 "C:\Windows\SysWOW64\ktjfn.exe"
C:\Windows\SysWOW64\ridut.exe
C:\Windows\system32\ridut.exe 1184 "C:\Windows\SysWOW64\rtfpu.exe"
C:\Windows\SysWOW64\kvipt.exe
C:\Windows\system32\kvipt.exe 1208 "C:\Windows\SysWOW64\ridut.exe"
C:\Windows\SysWOW64\sstnf.exe
C:\Windows\system32\sstnf.exe 1204 "C:\Windows\SysWOW64\kvipt.exe"
C:\Windows\SysWOW64\zspxt.exe
C:\Windows\system32\zspxt.exe 1220 "C:\Windows\SysWOW64\sstnf.exe"
C:\Windows\SysWOW64\bcpnl.exe
C:\Windows\system32\bcpnl.exe 1216 "C:\Windows\SysWOW64\zspxt.exe"
C:\Windows\SysWOW64\bresd.exe
C:\Windows\system32\bresd.exe 1232 "C:\Windows\SysWOW64\bcpnl.exe"
C:\Windows\SysWOW64\qgnlj.exe
C:\Windows\system32\qgnlj.exe 1224 "C:\Windows\SysWOW64\bresd.exe"
C:\Windows\SysWOW64\whkvx.exe
C:\Windows\system32\whkvx.exe 1248 "C:\Windows\SysWOW64\qgnlj.exe"
C:\Windows\SysWOW64\xswnm.exe
C:\Windows\system32\xswnm.exe 1228 "C:\Windows\SysWOW64\whkvx.exe"
C:\Windows\SysWOW64\gnuqb.exe
C:\Windows\system32\gnuqb.exe 1244 "C:\Windows\SysWOW64\xswnm.exe"
C:\Windows\SysWOW64\dltqu.exe
C:\Windows\system32\dltqu.exe 1236 "C:\Windows\SysWOW64\gnuqb.exe"
C:\Windows\SysWOW64\vopbw.exe
C:\Windows\system32\vopbw.exe 1264 "C:\Windows\SysWOW64\dltqu.exe"
C:\Windows\SysWOW64\evrjo.exe
C:\Windows\system32\evrjo.exe 1240 "C:\Windows\SysWOW64\vopbw.exe"
C:\Windows\SysWOW64\bkyjh.exe
C:\Windows\system32\bkyjh.exe 1268 "C:\Windows\SysWOW64\evrjo.exe"
C:\Windows\SysWOW64\vqodk.exe
C:\Windows\system32\vqodk.exe 1292 "C:\Windows\SysWOW64\bkyjh.exe"
C:\Windows\SysWOW64\vfejb.exe
C:\Windows\system32\vfejb.exe 1260 "C:\Windows\SysWOW64\vqodk.exe"
C:\Windows\SysWOW64\krjoe.exe
C:\Windows\system32\krjoe.exe 1252 "C:\Windows\SysWOW64\vfejb.exe"
C:\Windows\SysWOW64\knvuj.exe
C:\Windows\system32\knvuj.exe 1256 "C:\Windows\SysWOW64\krjoe.exe"
C:\Windows\SysWOW64\trkwl.exe
C:\Windows\system32\trkwl.exe 1276 "C:\Windows\SysWOW64\knvuj.exe"
C:\Windows\SysWOW64\qorwe.exe
C:\Windows\system32\qorwe.exe 1280 "C:\Windows\SysWOW64\trkwl.exe"
C:\Windows\SysWOW64\dxmrh.exe
C:\Windows\system32\dxmrh.exe 1284 "C:\Windows\SysWOW64\qorwe.exe"
C:\Windows\SysWOW64\cbypm.exe
C:\Windows\system32\cbypm.exe 1288 "C:\Windows\SysWOW64\dxmrh.exe"
C:\Windows\SysWOW64\rfeup.exe
C:\Windows\system32\rfeup.exe 1272 "C:\Windows\SysWOW64\cbypm.exe"
C:\Windows\SysWOW64\lpycn.exe
C:\Windows\system32\lpycn.exe 1308 "C:\Windows\SysWOW64\rfeup.exe"
C:\Windows\SysWOW64\wzwzu.exe
C:\Windows\system32\wzwzu.exe 1320 "C:\Windows\SysWOW64\lpycn.exe"
C:\Windows\SysWOW64\cdwpl.exe
C:\Windows\system32\cdwpl.exe 1300 "C:\Windows\SysWOW64\wzwzu.exe"
C:\Windows\SysWOW64\udhnk.exe
C:\Windows\system32\udhnk.exe 1296 "C:\Windows\SysWOW64\cdwpl.exe"
C:\Windows\SysWOW64\rhcni.exe
C:\Windows\system32\rhcni.exe 1316 "C:\Windows\SysWOW64\udhnk.exe"
C:\Windows\SysWOW64\tsdvv.exe
C:\Windows\system32\tsdvv.exe 1304 "C:\Windows\SysWOW64\rhcni.exe"
C:\Windows\SysWOW64\qtniy.exe
C:\Windows\system32\qtniy.exe 1312 "C:\Windows\SysWOW64\tsdvv.exe"
C:\Windows\SysWOW64\cfcie.exe
C:\Windows\system32\cfcie.exe 1328 "C:\Windows\SysWOW64\qtniy.exe"
C:\Windows\SysWOW64\lfpxq.exe
C:\Windows\system32\lfpxq.exe 1332 "C:\Windows\SysWOW64\cfcie.exe"
C:\Windows\SysWOW64\ykhgq.exe
C:\Windows\system32\ykhgq.exe 1324 "C:\Windows\SysWOW64\lfpxq.exe"
C:\Windows\SysWOW64\buzvi.exe
C:\Windows\system32\buzvi.exe 1344 "C:\Windows\SysWOW64\ykhgq.exe"
C:\Windows\SysWOW64\qgwam.exe
C:\Windows\system32\qgwam.exe 1340 "C:\Windows\SysWOW64\buzvi.exe"
C:\Windows\SysWOW64\mlsbt.exe
C:\Windows\system32\mlsbt.exe 1356 "C:\Windows\SysWOW64\qgwam.exe"
C:\Windows\SysWOW64\thlye.exe
C:\Windows\system32\thlye.exe 1336 "C:\Windows\SysWOW64\mlsbt.exe"
C:\Windows\SysWOW64\nkdgq.exe
C:\Windows\system32\nkdgq.exe 1360 "C:\Windows\SysWOW64\thlye.exe"
C:\Windows\SysWOW64\htfow.exe
C:\Windows\system32\htfow.exe 1352 "C:\Windows\SysWOW64\nkdgq.exe"
C:\Windows\SysWOW64\mgywh.exe
C:\Windows\system32\mgywh.exe 1364 "C:\Windows\SysWOW64\htfow.exe"
C:\Windows\SysWOW64\ybfwv.exe
C:\Windows\system32\ybfwv.exe 1388 "C:\Windows\SysWOW64\mgywh.exe"
C:\Windows\SysWOW64\obzov.exe
C:\Windows\system32\obzov.exe 1372 "C:\Windows\SysWOW64\ybfwv.exe"
C:\Windows\SysWOW64\nuagp.exe
C:\Windows\system32\nuagp.exe 1348 "C:\Windows\SysWOW64\obzov.exe"
C:\Windows\SysWOW64\vbwzk.exe
C:\Windows\system32\vbwzk.exe 1376 "C:\Windows\SysWOW64\nuagp.exe"
C:\Windows\SysWOW64\pimbe.exe
C:\Windows\system32\pimbe.exe 1380 "C:\Windows\SysWOW64\vbwzk.exe"
C:\Windows\SysWOW64\pxchw.exe
C:\Windows\system32\pxchw.exe 1384 "C:\Windows\SysWOW64\pimbe.exe"
C:\Windows\SysWOW64\gdbwa.exe
C:\Windows\system32\gdbwa.exe 1368 "C:\Windows\SysWOW64\pxchw.exe"
C:\Windows\SysWOW64\tqtmg.exe
C:\Windows\system32\tqtmg.exe 1396 "C:\Windows\SysWOW64\gdbwa.exe"
C:\Windows\SysWOW64\digct.exe
C:\Windows\system32\digct.exe 1392 "C:\Windows\SysWOW64\tqtmg.exe"
C:\Windows\SysWOW64\ajqpw.exe
C:\Windows\system32\ajqpw.exe 1404 "C:\Windows\SysWOW64\digct.exe"
C:\Windows\SysWOW64\ciefu.exe
C:\Windows\system32\ciefu.exe 1408 "C:\Windows\SysWOW64\ajqpw.exe"
C:\Windows\SysWOW64\smezq.exe
C:\Windows\system32\smezq.exe 1400 "C:\Windows\SysWOW64\ciefu.exe"
C:\Windows\SysWOW64\rqqxv.exe
C:\Windows\system32\rqqxv.exe 1412 "C:\Windows\SysWOW64\smezq.exe"
C:\Windows\SysWOW64\zubke.exe
C:\Windows\system32\zubke.exe 1416 "C:\Windows\SysWOW64\rqqxv.exe"
C:\Windows\SysWOW64\qypvg.exe
C:\Windows\system32\qypvg.exe 1420 "C:\Windows\SysWOW64\zubke.exe"
C:\Windows\SysWOW64\aamxb.exe
C:\Windows\system32\aamxb.exe 1452 "C:\Windows\SysWOW64\qypvg.exe"
C:\Windows\SysWOW64\pqvpi.exe
C:\Windows\system32\pqvpi.exe 1456 "C:\Windows\SysWOW64\aamxb.exe"
C:\Windows\SysWOW64\xqupp.exe
C:\Windows\system32\xqupp.exe 1432 "C:\Windows\SysWOW64\pqvpi.exe"
C:\Windows\SysWOW64\raoxu.exe
C:\Windows\system32\raoxu.exe 1424 "C:\Windows\SysWOW64\xqupp.exe"
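The process list above has one shape throughout: every dropped executable sits in C:\Windows\SysWOW64 under a five-letter name, and each one is launched with an integer plus the quoted path of the process that dropped it, while the command line itself says C:\Windows\system32 (a 32-bit process writing to system32 lands in SysWOW64 through WoW64 file-system redirection). The script below is an added example, not part of this report or of any tooling the report came from. It takes a handful of (image path, command line) pairs copied from the list above, plus one constructed svchost.exe record, flags those three traits and links the flagged records back into the parent-to-child chain; the same two fields exist in Sysmon Event ID 1 and Security 4688 records, which is where a detection built on it would run.

```python
"""Link a sandbox process list into its drop-and-execute chain and flag it.

Added example, not part of this report. Records are copied from the
behavioral1 process list (a subset of the chain) plus one constructed
benign record; the three checks are assumptions drawn from that list.
"""
import re
from typing import Optional

# Dropped executables in this report are five lowercase letters + ".exe".
RANDOM_NAME = re.compile(r"^[a-z]{5}\.exe$")
# Command-line shape seen in the list: <exe path> <integer> "<parent path>".
CMDLINE = re.compile(
    r'^(?P<exe>\S+\.exe)\s+(?P<num>\d+)\s+"(?P<parent>[^"]+)"$', re.IGNORECASE
)

# (image path, command line): first four from this page, svchost.exe constructed.
PROCESS_RECORDS = [
    (r"C:\Windows\SysWOW64\bcpnl.exe", r'C:\Windows\system32\bcpnl.exe 1216 "C:\Windows\SysWOW64\zspxt.exe"'),
    (r"C:\Windows\SysWOW64\bresd.exe", r'C:\Windows\system32\bresd.exe 1232 "C:\Windows\SysWOW64\bcpnl.exe"'),
    (r"C:\Windows\SysWOW64\qgnlj.exe", r'C:\Windows\system32\qgnlj.exe 1224 "C:\Windows\SysWOW64\bresd.exe"'),
    (r"C:\Windows\SysWOW64\whkvx.exe", r'C:\Windows\system32\whkvx.exe 1248 "C:\Windows\SysWOW64\qgnlj.exe"'),
    (r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs"),
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_command_line(cmdline: str) -> Optional[dict]:
    """Split '<exe> <int> "<parent path>"' into parts; None for any other shape."""
    m = CMDLINE.match(cmdline.strip())
    if m is None:
        return None
    return {"exe": m.group("exe"), "num": int(m.group("num")), "parent": m.group("parent")}


def indicators(image: str, cmdline: str) -> list:
    """Reasons one record looks like a link of the chain (empty list = clean)."""
    reasons = []
    in_syswow64 = "\\syswow64\\" in image.lower()
    if in_syswow64 and RANDOM_NAME.match(basename(image)):
        reasons.append("random 5-letter exe in SysWOW64")
    parsed = parse_command_line(cmdline)
    if parsed is not None:
        parent = parsed["parent"]
        if "\\syswow64\\" in parent.lower() and RANDOM_NAME.match(basename(parent)):
            reasons.append("parent exe path passed as argument")
        # Image lives in SysWOW64 but the command line names system32: a
        # 32-bit process wrote to "system32" and WoW64 file-system redirection
        # put the file in SysWOW64 ("Drops file in System32 directory" above).
        if in_syswow64 and "\\system32\\" in parsed["exe"].lower():
            reasons.append("system32 path redirected to SysWOW64")
    return reasons


def build_chains(records) -> list:
    """Order flagged records parent -> child; one list per independent root."""
    child_of = {}  # parent basename -> child basename
    images = set()
    for image, cmdline in records:
        parsed = parse_command_line(cmdline)
        if parsed is None or not indicators(image, cmdline):
            continue
        images.add(basename(image))
        child_of[basename(parsed["parent"])] = basename(image)
    chains = []
    # A root is a parent that never appears as an image in the records.
    for root in [p for p in child_of if p not in images]:
        chain, node = [root], root
        while node in child_of and child_of[node] not in chain:  # guard against loops
            node = child_of[node]
            chain.append(node)
        chains.append(chain)
    return chains


if __name__ == "__main__":
    for image, cmdline in PROCESS_RECORDS:
        print(basename(image), indicators(image, cmdline))
    print(" -> ".join(build_chains(PROCESS_RECORDS)[0]))
```

The chain root comes out as zspxt.exe because its record sits above the copied subset; on the full list it would walk back to the original ff353dc46aaaeb657fc490c0697b2ceb_JaffaCakes118.exe. The redirection check is the one worth keeping as a standalone rule: a SysWOW64 image whose own command line claims system32 is uncommon for legitimate software.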
Network
Files
memory/2344-0-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/2344-1-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/2344-3-0x0000000003DB0000-0x0000000003DB1000-memory.dmp
memory/2344-2-0x0000000003DA0000-0x0000000003DA2000-memory.dmp
memory/2344-4-0x0000000003CE0000-0x0000000003CE1000-memory.dmp
memory/2344-6-0x0000000003DC0000-0x0000000003DC1000-memory.dmp
memory/2344-5-0x0000000003D50000-0x0000000003D51000-memory.dmp
memory/2344-7-0x0000000001F00000-0x0000000001F01000-memory.dmp
memory/2344-8-0x0000000003D10000-0x0000000003D11000-memory.dmp
memory/2344-9-0x0000000001EF0000-0x0000000001EF1000-memory.dmp
memory/2344-10-0x0000000003CA0000-0x0000000003CA1000-memory.dmp
memory/2344-14-0x0000000003CB0000-0x0000000003CB1000-memory.dmp
memory/2344-15-0x0000000003D80000-0x0000000003D82000-memory.dmp
memory/2344-17-0x0000000003CC0000-0x0000000003CC1000-memory.dmp
memory/2344-16-0x0000000003D90000-0x0000000003D91000-memory.dmp
memory/2344-18-0x0000000003D70000-0x0000000003D71000-memory.dmp
\Windows\SysWOW64\vwvot.exe
| MD5 | ff353dc46aaaeb657fc490c0697b2ceb |
| SHA1 | 7ec9b7f9589f6313d86ed69669b908e4c2b49fd0 |
| SHA256 | 61ffa4beb7f207c23c2584827c2c6c94d6e46e209fd47b736d5536adee897348 |
| SHA512 | c18612e4ccd5c9fc40d3198cb05d900538920f83e13e9d519a906867a9c737027c9700dd6c5495d7574138996fe1380e290ab29521bbfe608534d7864f9d81cf |
memory/2344-20-0x0000000004A50000-0x0000000004C27000-memory.dmp
memory/2540-27-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/2344-28-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/2540-30-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/2540-33-0x0000000003DE0000-0x0000000003DE2000-memory.dmp
memory/2540-35-0x0000000003CE0000-0x0000000003CE1000-memory.dmp
memory/2540-34-0x0000000003DF0000-0x0000000003DF1000-memory.dmp
memory/2540-36-0x0000000003D50000-0x0000000003D51000-memory.dmp
memory/2540-37-0x0000000003E00000-0x0000000003E01000-memory.dmp
memory/2540-38-0x0000000003C90000-0x0000000003C91000-memory.dmp
memory/2540-40-0x0000000003C80000-0x0000000003C81000-memory.dmp
memory/2540-39-0x0000000003D10000-0x0000000003D11000-memory.dmp
memory/2540-41-0x0000000003D00000-0x0000000003D01000-memory.dmp
memory/2540-50-0x0000000003CB0000-0x0000000003CB1000-memory.dmp
memory/2540-48-0x0000000003CA0000-0x0000000003CA1000-memory.dmp
memory/2540-51-0x0000000003DD0000-0x0000000003DD1000-memory.dmp
memory/2540-53-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/2540-52-0x0000000003D80000-0x0000000003D82000-memory.dmp
memory/2356-55-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/2540-54-0x0000000003CC0000-0x0000000003CC1000-memory.dmp
memory/2356-59-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/2356-61-0x0000000003E00000-0x0000000003E01000-memory.dmp
memory/2356-64-0x0000000003E10000-0x0000000003E11000-memory.dmp
memory/2356-63-0x0000000003DA0000-0x0000000003DA1000-memory.dmp
memory/2356-67-0x0000000000910000-0x0000000000911000-memory.dmp
memory/2356-62-0x0000000003CE0000-0x0000000003CE1000-memory.dmp
memory/2356-60-0x0000000003DF0000-0x0000000003DF2000-memory.dmp
memory/2356-74-0x0000000003D00000-0x0000000003D01000-memory.dmp
memory/2356-73-0x0000000003D10000-0x0000000003D11000-memory.dmp
memory/2356-76-0x0000000002210000-0x0000000002211000-memory.dmp
memory/2356-75-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/2204-77-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/2204-78-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/2204-79-0x0000000003DE0000-0x0000000003DE2000-memory.dmp
memory/2204-83-0x0000000003DF0000-0x0000000003DF1000-memory.dmp
memory/2204-84-0x0000000003CE0000-0x0000000003CE1000-memory.dmp
memory/2204-86-0x0000000003E00000-0x0000000003E01000-memory.dmp
memory/2204-85-0x0000000003D90000-0x0000000003D91000-memory.dmp
memory/2204-88-0x0000000003D50000-0x0000000003D51000-memory.dmp
memory/2204-89-0x0000000000A70000-0x0000000000A71000-memory.dmp
memory/2204-87-0x0000000003C90000-0x0000000003C91000-memory.dmp
memory/2204-90-0x0000000003CA0000-0x0000000003CA1000-memory.dmp
memory/2204-91-0x0000000003CB0000-0x0000000003CB1000-memory.dmp
memory/2204-93-0x0000000003DC0000-0x0000000003DC2000-memory.dmp
memory/2204-92-0x0000000003DD0000-0x0000000003DD1000-memory.dmp
memory/2204-94-0x0000000003CC0000-0x0000000003CC1000-memory.dmp
memory/2204-95-0x0000000003CD0000-0x0000000003CD1000-memory.dmp
memory/2204-102-0x0000000003DB0000-0x0000000003DB1000-memory.dmp
memory/488-105-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/2204-104-0x00000000047E0000-0x00000000049B7000-memory.dmp
memory/2204-106-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/488-110-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/488-133-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/3064-162-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/892-179-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/1568-210-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/1152-237-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/2416-265-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/1276-291-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/1964-303-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/2812-314-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/948-325-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/2548-336-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/1612-347-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/2944-355-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/604-392-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/2256-399-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/2032-449-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/1364-474-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/692-498-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/3028-518-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/2388-541-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/1732-567-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/2084-594-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/944-617-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/2584-646-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/2308-652-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/2424-659-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/2228-668-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/2736-673-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/2852-680-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/2324-687-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/1608-694-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/2784-701-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/2952-708-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/2568-715-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/1524-722-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/1644-729-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/2368-736-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/2544-743-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/1272-750-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/1332-757-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/2248-764-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/2028-771-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/2260-778-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/2760-785-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/1648-792-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/1840-799-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/2704-806-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/428-813-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/1720-820-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/1484-827-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/900-834-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/1788-841-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/2072-848-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/932-855-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/2132-862-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/1328-869-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/2024-876-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/2728-883-0x0000000000400000-0x00000000005D7000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-21 11:48
Reported
2024-04-21 11:51
Platform
win10v2004-20240412-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ff353dc46aaaeb657fc490c0697b2ceb_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ff353dc46aaaeb657fc490c0697b2ceb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ff353dc46aaaeb657fc490c0697b2ceb_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 132.250.30.184.in-addr.arpa | udp |
| NL | 23.62.61.168:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.173.246.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
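Every row in the table above is either a DNS query to 8.8.8.8, a reverse (in-addr.arpa) lookup, or a TLS connection to a Bing host, which is what a stock Windows 10 image does on its own; none of it points at the sample. The script below is an added example, not part of this report, that encodes that triage so it can be applied to other reports: it parses rows copied from the table above, buckets them, and leaves only what the background list cannot explain. The list of background hosts is an assumption (domains a clean Windows 10 detonation contacts by itself), and the one 203.0.113.7 row is constructed, not from this report, so that the unexplained path is exercised.

```python
"""Separate sandbox background traffic from connections worth chasing.

Added example, not part of this report. Rows are copied from the
behavioral2 Network table; the background-host list is an assumption and
the 203.0.113.7 (TEST-NET-3) row is constructed.
"""

# Hosts a clean Windows 10 detonation contacts by itself (assumed list).
BACKGROUND_SUFFIXES = ("bing.com", "bing.net", "microsoft.com", "windows.com",
                       "msftconnecttest.com", "msftncsi.com", "windowsupdate.com")

NETWORK_TABLE = """\
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| NL | 23.62.61.168:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
"""
CONSTRUCTED_ROW = "| DE | 203.0.113.7:4444 | N/A | tcp |"  # not from the report


def parse_row(line: str):
    """One '| country | ip:port | domain | proto |' row -> dict, or None."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != 4:
        return None
    ip, _, port = cells[1].rpartition(":")
    if not port.isdigit():          # also skips the header row
        return None
    return {"country": cells[0], "ip": ip, "port": int(port),
            "domain": cells[2].lower(), "proto": cells[3].lower()}


def classify(row: dict) -> str:
    """ptr / dns / background / unexplained for one parsed row."""
    dom = row["domain"]
    is_background = dom != "n/a" and any(
        dom == s or dom.endswith("." + s) for s in BACKGROUND_SUFFIXES)
    if row["proto"] == "udp" and row["port"] == 53:
        if dom.endswith(".in-addr.arpa"):
            return "ptr"            # reverse lookups of peers it just talked to
        return "dns" if is_background else "unexplained"
    return "background" if is_background else "unexplained"


def triage(table: str) -> dict:
    """Counts per class plus the rows that still need an analyst's eye."""
    summary = {"dns": 0, "ptr": 0, "background": 0, "unexplained": []}
    for line in table.splitlines():
        row = parse_row(line)
        if row is None:
            continue
        kind = classify(row)
        if kind == "unexplained":
            summary["unexplained"].append(
                f"{row['ip']}:{row['port']}/{row['proto']} ({row['domain']})")
        else:
            summary[kind] += 1
    return summary


if __name__ == "__main__":
    print(triage(NETWORK_TABLE))
    print(triage(NETWORK_TABLE + CONSTRUCTED_ROW + "\n"))
```

A DNS query for a domain outside the background list is deliberately reported as unexplained even when no TCP connection follows, since a failed C2 resolution is still an indicator. The behavioral1 run on Windows 7 recorded no network rows at all, so for this sample the network section adds nothing to the verdict either way.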
Files
memory/5080-0-0x0000000000400000-0x00000000005D7000-memory.dmp
memory/5080-1-0x0000000000400000-0x00000000005D7000-memory.dmp