Malware Analysis Report

2024-10-18 21:34

Sample ID 240623-pr8lqszgrg
Target 06026e4203f13fffe9d741a6872a75ae_JaffaCakes118
SHA256 ec530b5f552febe9631fb4d1fd90e74ef21be4093eb9cde42657bf2dfeb6a486
Tags
metasploit backdoor trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

ec530b5f552febe9631fb4d1fd90e74ef21be4093eb9cde42657bf2dfeb6a486

Threat Level: Known bad

The file 06026e4203f13fffe9d741a6872a75ae_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

metasploit backdoor trojan

MetaSploit

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-23 12:34

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-23 12:34

Reported

2024-06-23 12:37

Platform

win7-20240508-en

Max time kernel

149s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\bynbkf.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\bynbkf.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\sywbda.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\sywbda.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\yquelx.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\yquelx.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\xumzbr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\xumzbr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\hapmfl.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\hapmfl.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\qtdudr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\qtdudr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wliptf.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wliptf.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\defscc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\defscc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\nkifxe.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\nkifxe.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\lacvdw.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\lacvdw.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\ddzyht.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\ddzyht.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\udzgfc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\udzgfc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\iljigt.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\iljigt.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cjivdl.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cjivdl.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wazjzw.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wazjzw.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\nwodvs.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\nwodvs.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\famgrx.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\famgrx.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\thvjaw.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\thvjaw.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\hmchxj.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\hmchxj.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\zeoxqk.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\zeoxqk.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\fmfzrj.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\fmfzrj.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\zzlalp.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\zzlalp.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\qkxuuc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\qkxuuc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\kxlvgi.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\kxlvgi.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\ctaykf.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\ctaykf.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\taifjn.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\taifjn.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\hisijn.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\hisijn.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wxcgbz.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wxcgbz.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\krxvnv.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\krxvnv.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cjjlgw.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cjjlgw.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rnqjdr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rnqjdr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\ajnezn.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\ajnezn.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\bynbkf.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\bynbkf.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\bynbkf.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\bynbkf.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\sywbda.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\sywbda.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\sywbda.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\sywbda.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\yquelx.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\yquelx.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\yquelx.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\yquelx.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\xumzbr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\xumzbr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\xumzbr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\xumzbr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\hapmfl.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\hapmfl.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\hapmfl.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\hapmfl.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\qtdudr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\qtdudr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\qtdudr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\qtdudr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wliptf.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wliptf.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wliptf.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wliptf.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\defscc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\defscc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\defscc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\defscc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\nkifxe.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\nkifxe.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\nkifxe.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\nkifxe.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\lacvdw.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\lacvdw.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\lacvdw.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\lacvdw.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\ddzyht.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\ddzyht.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\ddzyht.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\ddzyht.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\udzgfc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\udzgfc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\udzgfc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\udzgfc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\iljigt.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\iljigt.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\iljigt.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\iljigt.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cjivdl.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cjivdl.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cjivdl.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cjivdl.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wazjzw.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wazjzw.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wazjzw.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wazjzw.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\nwodvs.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\nwodvs.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\qtdudr.exe | C:\Windows\SysWOW64\hapmfl.exe | N/A
File opened for modification | C:\Windows\SysWOW64\nkifxe.exe | C:\Windows\SysWOW64\defscc.exe | N/A
File opened for modification | C:\Windows\SysWOW64\cjivdl.exe | C:\Windows\SysWOW64\iljigt.exe | N/A
File opened for modification | C:\Windows\SysWOW64\xjvtgd.exe | C:\Windows\SysWOW64\gjnlhu.exe | N/A
File created | C:\Windows\SysWOW64\oivbfe.exe | C:\Windows\SysWOW64\xjvtgd.exe | N/A
File created | C:\Windows\SysWOW64\gdsqxz.exe | C:\Windows\SysWOW64\rvaoxa.exe | N/A
File opened for modification | C:\Windows\SysWOW64\hmelbw.exe | C:\Windows\SysWOW64\qbtqzj.exe | N/A
File created | C:\Windows\SysWOW64\eqnfas.exe | C:\Windows\SysWOW64\njfptr.exe | N/A
File created | C:\Windows\SysWOW64\mgqdtd.exe | C:\Windows\SysWOW64\uktixz.exe | N/A
File created | C:\Windows\SysWOW64\lacvdw.exe | C:\Windows\SysWOW64\nkifxe.exe | N/A
File opened for modification | C:\Windows\SysWOW64\ajnezn.exe | C:\Windows\SysWOW64\rnqjdr.exe | N/A
File opened for modification | C:\Windows\SysWOW64\qmrgtw.exe | C:\Windows\SysWOW64\zmqzuv.exe | N/A
File created | C:\Windows\SysWOW64\bfaccn.exe | C:\Windows\SysWOW64\hkmuqh.exe | N/A
File opened for modification | C:\Windows\SysWOW64\igzzer.exe | C:\Windows\SysWOW64\uvectn.exe | N/A
File opened for modification | C:\Windows\SysWOW64\gjnlhu.exe | C:\Windows\SysWOW64\pcmdjt.exe | N/A
File created | C:\Windows\SysWOW64\txrggy.exe | C:\Windows\SysWOW64\ccudkc.exe | N/A
File opened for modification | C:\Windows\SysWOW64\lcbdth.exe | C:\Windows\SysWOW64\bkpnap.exe | N/A
File opened for modification | C:\Windows\SysWOW64\bqhbaj.exe | C:\Windows\SysWOW64\napqzj.exe | N/A
File opened for modification | C:\Windows\SysWOW64\nqgmva.exe | C:\Windows\SysWOW64\yqlbaj.exe | N/A
File created | C:\Windows\SysWOW64\htlboq.exe | C:\Windows\SysWOW64\qbztvy.exe | N/A
File created | C:\Windows\SysWOW64\udzgfc.exe | C:\Windows\SysWOW64\ddzyht.exe | N/A
File created | C:\Windows\SysWOW64\uffrah.exe | C:\Windows\SysWOW64\djiwwk.exe | N/A
File created | C:\Windows\SysWOW64\nmkakc.exe | C:\Windows\SysWOW64\tyxaqw.exe | N/A
File created | C:\Windows\SysWOW64\kvtcky.exe | C:\Windows\SysWOW64\qmrgtw.exe | N/A
File opened for modification | C:\Windows\SysWOW64\viligj.exe | C:\Windows\SysWOW64\hmelbw.exe | N/A
File opened for modification | C:\Windows\SysWOW64\eqnfas.exe | C:\Windows\SysWOW64\njfptr.exe | N/A
File opened for modification | C:\Windows\SysWOW64\dkfgpa.exe | C:\Windows\SysWOW64\mgqdtd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\cwyhpi.exe | C:\Windows\SysWOW64\lxyzqh.exe | N/A
File created | C:\Windows\SysWOW64\xhvczi.exe | C:\Windows\SysWOW64\igzzer.exe | N/A
File created | C:\Windows\SysWOW64\oeoazx.exe | C:\Windows\SysWOW64\xirxdt.exe | N/A
File opened for modification | C:\Windows\SysWOW64\defscc.exe | C:\Windows\SysWOW64\wliptf.exe | N/A
File created | C:\Windows\SysWOW64\vpgvpn.exe | C:\Windows\SysWOW64\dtjalj.exe | N/A
File created | C:\Windows\SysWOW64\fpwjdm.exe | C:\Windows\SysWOW64\oivbfe.exe | N/A
File created | C:\Windows\SysWOW64\qbztvy.exe | C:\Windows\SysWOW64\khedru.exe | N/A
File opened for modification | C:\Windows\SysWOW64\xirxdt.exe | C:\Windows\SysWOW64\jwwhsx.exe | N/A
File opened for modification | C:\Windows\SysWOW64\rnqjdr.exe | C:\Windows\SysWOW64\cjjlgw.exe | N/A
File created | C:\Windows\SysWOW64\gnukdr.exe | C:\Windows\SysWOW64\oviukr.exe | N/A
File opened for modification | C:\Windows\SysWOW64\ccudkc.exe | C:\Windows\SysWOW64\nmkakc.exe | N/A
File opened for modification | C:\Windows\SysWOW64\bkpnap.exe | C:\Windows\SysWOW64\nfqyuu.exe | N/A
File created | C:\Windows\SysWOW64\zmqzuv.exe | C:\Windows\SysWOW64\ibfeti.exe | N/A
File opened for modification | C:\Windows\SysWOW64\jqlmis.exe | C:\Windows\SysWOW64\tfrrhf.exe | N/A
File opened for modification | C:\Windows\SysWOW64\rurvpi.exe | C:\Windows\SysWOW64\xloixy.exe | N/A
File opened for modification | C:\Windows\SysWOW64\hisijn.exe | C:\Windows\SysWOW64\taifjn.exe | N/A
File created | C:\Windows\SysWOW64\zckjxs.exe | C:\Windows\SysWOW64\fpwjdm.exe | N/A
File opened for modification | C:\Windows\SysWOW64\omvsur.exe | C:\Windows\SysWOW64\zplvcf.exe | N/A
File created | C:\Windows\SysWOW64\jwwhsx.exe | C:\Windows\SysWOW64\obqhyj.exe | N/A
File created | C:\Windows\SysWOW64\gcjgph.exe | C:\Windows\SysWOW64\rurvpi.exe | N/A
File created | C:\Windows\SysWOW64\fjmddl.exe | C:\Windows\SysWOW64\oyaibf.exe | N/A
File created | C:\Windows\SysWOW64\wcnuvk.exe | C:\Windows\SysWOW64\fdmmxb.exe | N/A
File opened for modification | C:\Windows\SysWOW64\uhqodu.exe | C:\Windows\SysWOW64\gdsqxz.exe | N/A
File created | C:\Windows\SysWOW64\qjcmva.exe | C:\Windows\SysWOW64\bqhbaj.exe | N/A
File opened for modification | C:\Windows\SysWOW64\hapmfl.exe | C:\Windows\SysWOW64\xumzbr.exe | N/A
File created | C:\Windows\SysWOW64\cjivdl.exe | C:\Windows\SysWOW64\iljigt.exe | N/A
File created | C:\Windows\SysWOW64\jmjhrq.exe | C:\Windows\SysWOW64\ueswrr.exe | N/A
File created | C:\Windows\SysWOW64\apirdu.exe | C:\Windows\SysWOW64\uhqodu.exe | N/A
File created | C:\Windows\SysWOW64\ybkawz.exe | C:\Windows\SysWOW64\ktsxwz.exe | N/A
File created | C:\Windows\SysWOW64\bcckjg.exe | C:\Windows\SysWOW64\kvtcky.exe | N/A
File created | C:\Windows\SysWOW64\pkmmjg.exe | C:\Windows\SysWOW64\bcckjg.exe | N/A
File created | C:\Windows\SysWOW64\xirxdt.exe | C:\Windows\SysWOW64\jwwhsx.exe | N/A
File created | C:\Windows\SysWOW64\ajjhha.exe | C:\Windows\SysWOW64\otibfk.exe | N/A
File opened for modification | C:\Windows\SysWOW64\mnpcxj.exe | C:\Windows\SysWOW64\xjjezo.exe | N/A
File created | C:\Windows\SysWOW64\duxcth.exe | C:\Windows\SysWOW64\muouuz.exe | N/A
File opened for modification | C:\Windows\SysWOW64\txrggy.exe | C:\Windows\SysWOW64\ccudkc.exe | N/A
File created | C:\Windows\SysWOW64\nqgmva.exe | C:\Windows\SysWOW64\yqlbaj.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2180 set thread context of 848 | N/A | C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe
PID 2132 set thread context of 2796 | N/A | C:\Windows\SysWOW64\bynbkf.exe | C:\Windows\SysWOW64\bynbkf.exe
PID 2540 set thread context of 2528 | N/A | C:\Windows\SysWOW64\sywbda.exe | C:\Windows\SysWOW64\sywbda.exe
PID 1728 set thread context of 2880 | N/A | C:\Windows\SysWOW64\yquelx.exe | C:\Windows\SysWOW64\yquelx.exe
PID 308 set thread context of 652 | N/A | C:\Windows\SysWOW64\xumzbr.exe | C:\Windows\SysWOW64\xumzbr.exe
PID 2836 set thread context of 620 | N/A | C:\Windows\SysWOW64\hapmfl.exe | C:\Windows\SysWOW64\hapmfl.exe
PID 2064 set thread context of 2916 | N/A | C:\Windows\SysWOW64\qtdudr.exe | C:\Windows\SysWOW64\qtdudr.exe
PID 708 set thread context of 1816 | N/A | C:\Windows\SysWOW64\wliptf.exe | C:\Windows\SysWOW64\wliptf.exe
PID 2460 set thread context of 1316 | N/A | C:\Windows\SysWOW64\defscc.exe | C:\Windows\SysWOW64\defscc.exe
PID 928 set thread context of 1844 | N/A | C:\Windows\SysWOW64\nkifxe.exe | C:\Windows\SysWOW64\nkifxe.exe
PID 1500 set thread context of 1588 | N/A | C:\Windows\SysWOW64\lacvdw.exe | C:\Windows\SysWOW64\lacvdw.exe
PID 1644 set thread context of 2960 | N/A | C:\Windows\SysWOW64\ddzyht.exe | C:\Windows\SysWOW64\ddzyht.exe
PID 2904 set thread context of 2752 | N/A | C:\Windows\SysWOW64\udzgfc.exe | C:\Windows\SysWOW64\udzgfc.exe
PID 2560 set thread context of 3000 | N/A | C:\Windows\SysWOW64\iljigt.exe | C:\Windows\SysWOW64\iljigt.exe
PID 2868 set thread context of 2980 | N/A | C:\Windows\SysWOW64\cjivdl.exe | C:\Windows\SysWOW64\cjivdl.exe
PID 288 set thread context of 1804 | N/A | C:\Windows\SysWOW64\wazjzw.exe | C:\Windows\SysWOW64\wazjzw.exe
PID 1080 set thread context of 316 | N/A | C:\Windows\SysWOW64\nwodvs.exe | C:\Windows\SysWOW64\nwodvs.exe
PID 2008 set thread context of 2264 | N/A | C:\Windows\SysWOW64\famgrx.exe | C:\Windows\SysWOW64\famgrx.exe
PID 2296 set thread context of 664 | N/A | C:\Windows\SysWOW64\thvjaw.exe | C:\Windows\SysWOW64\thvjaw.exe
PID 1132 set thread context of 1076 | N/A | C:\Windows\SysWOW64\hmchxj.exe | C:\Windows\SysWOW64\hmchxj.exe
PID 1768 set thread context of 1536 | N/A | C:\Windows\SysWOW64\zeoxqk.exe | C:\Windows\SysWOW64\zeoxqk.exe
PID 1300 set thread context of 900 | N/A | C:\Windows\SysWOW64\fmfzrj.exe | C:\Windows\SysWOW64\fmfzrj.exe
PID 1792 set thread context of 1992 | N/A | C:\Windows\SysWOW64\zzlalp.exe | C:\Windows\SysWOW64\zzlalp.exe
PID 3056 set thread context of 2664 | N/A | C:\Windows\SysWOW64\qkxuuc.exe | C:\Windows\SysWOW64\qkxuuc.exe
PID 2776 set thread context of 2636 | N/A | C:\Windows\SysWOW64\kxlvgi.exe | C:\Windows\SysWOW64\kxlvgi.exe
PID 2672 set thread context of 2828 | N/A | C:\Windows\SysWOW64\ctaykf.exe | C:\Windows\SysWOW64\ctaykf.exe
PID 2548 set thread context of 2208 | N/A | C:\Windows\SysWOW64\taifjn.exe | C:\Windows\SysWOW64\taifjn.exe
PID 1860 set thread context of 2236 | N/A | C:\Windows\SysWOW64\hisijn.exe | C:\Windows\SysWOW64\hisijn.exe
PID 2172 set thread context of 2504 | N/A | C:\Windows\SysWOW64\wxcgbz.exe | C:\Windows\SysWOW64\wxcgbz.exe
PID 1304 set thread context of 2100 | N/A | C:\Windows\SysWOW64\krxvnv.exe | C:\Windows\SysWOW64\krxvnv.exe
PID 2696 set thread context of 2228 | N/A | C:\Windows\SysWOW64\cjjlgw.exe | C:\Windows\SysWOW64\cjjlgw.exe
PID 584 set thread context of 2928 | N/A | C:\Windows\SysWOW64\rnqjdr.exe | C:\Windows\SysWOW64\rnqjdr.exe
PID 2032 set thread context of 1328 | N/A | C:\Windows\SysWOW64\ajnezn.exe | C:\Windows\SysWOW64\ajnezn.exe
PID 2900 set thread context of 2460 | N/A | C:\Windows\SysWOW64\oviukr.exe | C:\Windows\SysWOW64\oviukr.exe
PID 2012 set thread context of 2128 | N/A | C:\Windows\SysWOW64\gnukdr.exe | C:\Windows\SysWOW64\gnukdr.exe
PID 2188 set thread context of 2952 | N/A | C:\Windows\SysWOW64\xjjezo.exe | C:\Windows\SysWOW64\xjjezo.exe
PID 3064 set thread context of 1740 | N/A | C:\Windows\SysWOW64\mnpcxj.exe | C:\Windows\SysWOW64\mnpcxj.exe
PID 2684 set thread context of 2680 | N/A | C:\Windows\SysWOW64\adhffi.exe | C:\Windows\SysWOW64\adhffi.exe
PID 2872 set thread context of 2020 | N/A | C:\Windows\SysWOW64\rzwibf.exe | C:\Windows\SysWOW64\rzwibf.exe
PID 1520 set thread context of 1860 | N/A | C:\Windows\SysWOW64\jutdxj.exe | C:\Windows\SysWOW64\jutdxj.exe
PID 2492 set thread context of 2852 | N/A | C:\Windows\SysWOW64\xgosif.exe | C:\Windows\SysWOW64\xgosif.exe
PID 844 set thread context of 2008 | N/A | C:\Windows\SysWOW64\oyaibf.exe | C:\Windows\SysWOW64\oyaibf.exe
PID 2740 set thread context of 2296 | N/A | C:\Windows\SysWOW64\fjmddl.exe | C:\Windows\SysWOW64\fjmddl.exe
PID 1096 set thread context of 908 | N/A | C:\Windows\SysWOW64\ztpquu.exe | C:\Windows\SysWOW64\ztpquu.exe
PID 1140 set thread context of 768 | N/A | C:\Windows\SysWOW64\djiwwk.exe | C:\Windows\SysWOW64\djiwwk.exe
PID 572 set thread context of 1820 | N/A | C:\Windows\SysWOW64\uffrah.exe | C:\Windows\SysWOW64\uffrah.exe
PID 1972 set thread context of 2756 | N/A | C:\Windows\SysWOW64\oalzmv.exe | C:\Windows\SysWOW64\oalzmv.exe
PID 1780 set thread context of 2624 | N/A | C:\Windows\SysWOW64\gzthtw.exe | C:\Windows\SysWOW64\gzthtw.exe
PID 2792 set thread context of 2132 | N/A | C:\Windows\SysWOW64\ueswrr.exe | C:\Windows\SysWOW64\ueswrr.exe
PID 2524 set thread context of 2872 | N/A | C:\Windows\SysWOW64\jmjhrq.exe | C:\Windows\SysWOW64\jmjhrq.exe
PID 2712 set thread context of 1040 | N/A | C:\Windows\SysWOW64\vvomwy.exe | C:\Windows\SysWOW64\vvomwy.exe
PID 1584 set thread context of 2736 | N/A | C:\Windows\SysWOW64\muouuz.exe | C:\Windows\SysWOW64\muouuz.exe
PID 1184 set thread context of 2924 | N/A | C:\Windows\SysWOW64\duxcth.exe | C:\Windows\SysWOW64\duxcth.exe
PID 1296 set thread context of 2268 | N/A | C:\Windows\SysWOW64\uxmfpe.exe | C:\Windows\SysWOW64\uxmfpe.exe
PID 2084 set thread context of 776 | N/A | C:\Windows\SysWOW64\dtjalj.exe | C:\Windows\SysWOW64\dtjalj.exe
PID 2376 set thread context of 1708 | N/A | C:\Windows\SysWOW64\vpgvpn.exe | C:\Windows\SysWOW64\vpgvpn.exe
PID 1732 set thread context of 1692 | N/A | C:\Windows\SysWOW64\pcmdjt.exe | C:\Windows\SysWOW64\pcmdjt.exe
PID 2312 set thread context of 1828 | N/A | C:\Windows\SysWOW64\gjnlhu.exe | C:\Windows\SysWOW64\gjnlhu.exe
PID 2892 set thread context of 2240 | N/A | C:\Windows\SysWOW64\xjvtgd.exe | C:\Windows\SysWOW64\xjvtgd.exe
PID 3064 set thread context of 2788 | N/A | C:\Windows\SysWOW64\oivbfe.exe | C:\Windows\SysWOW64\oivbfe.exe
PID 2524 set thread context of 2984 | N/A | C:\Windows\SysWOW64\fpwjdm.exe | C:\Windows\SysWOW64\fpwjdm.exe
PID 2500 set thread context of 2964 | N/A | C:\Windows\SysWOW64\zckjxs.exe | C:\Windows\SysWOW64\zckjxs.exe
PID 1080 set thread context of 2028 | N/A | C:\Windows\SysWOW64\rkkzwt.exe | C:\Windows\SysWOW64\rkkzwt.exe
PID 2104 set thread context of 532 | N/A | C:\Windows\SysWOW64\lxyzqh.exe | C:\Windows\SysWOW64\lxyzqh.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2180 wrote to memory of 848 | N/A | C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe
PID 2180 wrote to memory of 848 | N/A | C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe
PID 2180 wrote to memory of 848 | N/A | C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe
PID 2180 wrote to memory of 848 | N/A | C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe
PID 2180 wrote to memory of 848 | N/A | C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe
PID 2180 wrote to memory of 848 | N/A | C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe
PID 2180 wrote to memory of 848 | N/A | C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe
PID 2180 wrote to memory of 848 | N/A | C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe
PID 2180 wrote to memory of 848 | N/A | C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe
PID 2180 wrote to memory of 848 | N/A | C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe
PID 848 wrote to memory of 2132 | N/A | C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe | C:\Windows\SysWOW64\bynbkf.exe
PID 848 wrote to memory of 2132 | N/A | C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe | C:\Windows\SysWOW64\bynbkf.exe
PID 848 wrote to memory of 2132 | N/A | C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe | C:\Windows\SysWOW64\bynbkf.exe
PID 848 wrote to memory of 2132 | N/A | C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe | C:\Windows\SysWOW64\bynbkf.exe
PID 2132 wrote to memory of 2796 | N/A | C:\Windows\SysWOW64\bynbkf.exe | C:\Windows\SysWOW64\bynbkf.exe
PID 2132 wrote to memory of 2796 | N/A | C:\Windows\SysWOW64\bynbkf.exe | C:\Windows\SysWOW64\bynbkf.exe
PID 2132 wrote to memory of 2796 | N/A | C:\Windows\SysWOW64\bynbkf.exe | C:\Windows\SysWOW64\bynbkf.exe
PID 2132 wrote to memory of 2796 | N/A | C:\Windows\SysWOW64\bynbkf.exe | C:\Windows\SysWOW64\bynbkf.exe
PID 2132 wrote to memory of 2796 | N/A | C:\Windows\SysWOW64\bynbkf.exe | C:\Windows\SysWOW64\bynbkf.exe
PID 2132 wrote to memory of 2796 | N/A | C:\Windows\SysWOW64\bynbkf.exe | C:\Windows\SysWOW64\bynbkf.exe
PID 2132 wrote to memory of 2796 | N/A | C:\Windows\SysWOW64\bynbkf.exe | C:\Windows\SysWOW64\bynbkf.exe
PID 2132 wrote to memory of 2796 | N/A | C:\Windows\SysWOW64\bynbkf.exe | C:\Windows\SysWOW64\bynbkf.exe
PID 2132 wrote to memory of 2796 | N/A | C:\Windows\SysWOW64\bynbkf.exe | C:\Windows\SysWOW64\bynbkf.exe
PID 2132 wrote to memory of 2796 | N/A | C:\Windows\SysWOW64\bynbkf.exe | C:\Windows\SysWOW64\bynbkf.exe
PID 2796 wrote to memory of 2540 | N/A | C:\Windows\SysWOW64\bynbkf.exe | C:\Windows\SysWOW64\sywbda.exe
PID 2796 wrote to memory of 2540 | N/A | C:\Windows\SysWOW64\bynbkf.exe | C:\Windows\SysWOW64\sywbda.exe
PID 2796 wrote to memory of 2540 | N/A | C:\Windows\SysWOW64\bynbkf.exe | C:\Windows\SysWOW64\sywbda.exe
PID 2796 wrote to memory of 2540 | N/A | C:\Windows\SysWOW64\bynbkf.exe | C:\Windows\SysWOW64\sywbda.exe
PID 2540 wrote to memory of 2528 | N/A | C:\Windows\SysWOW64\sywbda.exe | C:\Windows\SysWOW64\sywbda.exe
PID 2540 wrote to memory of 2528 | N/A | C:\Windows\SysWOW64\sywbda.exe | C:\Windows\SysWOW64\sywbda.exe
PID 2540 wrote to memory of 2528 | N/A | C:\Windows\SysWOW64\sywbda.exe | C:\Windows\SysWOW64\sywbda.exe
PID 2540 wrote to memory of 2528 | N/A | C:\Windows\SysWOW64\sywbda.exe | C:\Windows\SysWOW64\sywbda.exe
PID 2540 wrote to memory of 2528 | N/A | C:\Windows\SysWOW64\sywbda.exe | C:\Windows\SysWOW64\sywbda.exe
PID 2540 wrote to memory of 2528 | N/A | C:\Windows\SysWOW64\sywbda.exe | C:\Windows\SysWOW64\sywbda.exe
PID 2540 wrote to memory of 2528 | N/A | C:\Windows\SysWOW64\sywbda.exe | C:\Windows\SysWOW64\sywbda.exe
PID 2540 wrote to memory of 2528 | N/A | C:\Windows\SysWOW64\sywbda.exe | C:\Windows\SysWOW64\sywbda.exe
PID 2540 wrote to memory of 2528 | N/A | C:\Windows\SysWOW64\sywbda.exe | C:\Windows\SysWOW64\sywbda.exe
PID 2540 wrote to memory of 2528 | N/A | C:\Windows\SysWOW64\sywbda.exe | C:\Windows\SysWOW64\sywbda.exe
PID 2528 wrote to memory of 1728 | N/A | C:\Windows\SysWOW64\sywbda.exe | C:\Windows\SysWOW64\yquelx.exe
PID 2528 wrote to memory of 1728 | N/A | C:\Windows\SysWOW64\sywbda.exe | C:\Windows\SysWOW64\yquelx.exe
PID 2528 wrote to memory of 1728 | N/A | C:\Windows\SysWOW64\sywbda.exe | C:\Windows\SysWOW64\yquelx.exe
PID 2528 wrote to memory of 1728 | N/A | C:\Windows\SysWOW64\sywbda.exe | C:\Windows\SysWOW64\yquelx.exe
PID 1728 wrote to memory of 2880 | N/A | C:\Windows\SysWOW64\yquelx.exe | C:\Windows\SysWOW64\yquelx.exe
PID 1728 wrote to memory of 2880 | N/A | C:\Windows\SysWOW64\yquelx.exe | C:\Windows\SysWOW64\yquelx.exe
PID 1728 wrote to memory of 2880 | N/A | C:\Windows\SysWOW64\yquelx.exe | C:\Windows\SysWOW64\yquelx.exe
PID 1728 wrote to memory of 2880 | N/A | C:\Windows\SysWOW64\yquelx.exe | C:\Windows\SysWOW64\yquelx.exe
PID 1728 wrote to memory of 2880 | N/A | C:\Windows\SysWOW64\yquelx.exe | C:\Windows\SysWOW64\yquelx.exe
PID 1728 wrote to memory of 2880 | N/A | C:\Windows\SysWOW64\yquelx.exe | C:\Windows\SysWOW64\yquelx.exe
PID 1728 wrote to memory of 2880 | N/A | C:\Windows\SysWOW64\yquelx.exe | C:\Windows\SysWOW64\yquelx.exe
PID 1728 wrote to memory of 2880 | N/A | C:\Windows\SysWOW64\yquelx.exe | C:\Windows\SysWOW64\yquelx.exe
PID 1728 wrote to memory of 2880 | N/A | C:\Windows\SysWOW64\yquelx.exe | C:\Windows\SysWOW64\yquelx.exe
PID 1728 wrote to memory of 2880 | N/A | C:\Windows\SysWOW64\yquelx.exe | C:\Windows\SysWOW64\yquelx.exe
PID 2880 wrote to memory of 308 | N/A | C:\Windows\SysWOW64\yquelx.exe | C:\Windows\SysWOW64\xumzbr.exe
PID 2880 wrote to memory of 308 | N/A | C:\Windows\SysWOW64\yquelx.exe | C:\Windows\SysWOW64\xumzbr.exe
PID 2880 wrote to memory of 308 | N/A | C:\Windows\SysWOW64\yquelx.exe | C:\Windows\SysWOW64\xumzbr.exe
PID 2880 wrote to memory of 308 | N/A | C:\Windows\SysWOW64\yquelx.exe | C:\Windows\SysWOW64\xumzbr.exe
PID 308 wrote to memory of 652 | N/A | C:\Windows\SysWOW64\xumzbr.exe | C:\Windows\SysWOW64\xumzbr.exe
PID 308 wrote to memory of 652 | N/A | C:\Windows\SysWOW64\xumzbr.exe | C:\Windows\SysWOW64\xumzbr.exe
PID 308 wrote to memory of 652 | N/A | C:\Windows\SysWOW64\xumzbr.exe | C:\Windows\SysWOW64\xumzbr.exe
PID 308 wrote to memory of 652 | N/A | C:\Windows\SysWOW64\xumzbr.exe | C:\Windows\SysWOW64\xumzbr.exe
PID 308 wrote to memory of 652 | N/A | C:\Windows\SysWOW64\xumzbr.exe | C:\Windows\SysWOW64\xumzbr.exe
PID 308 wrote to memory of 652 | N/A | C:\Windows\SysWOW64\xumzbr.exe | C:\Windows\SysWOW64\xumzbr.exe
PID 308 wrote to memory of 652 | N/A | C:\Windows\SysWOW64\xumzbr.exe | C:\Windows\SysWOW64\xumzbr.exe
PID 308 wrote to memory of 652 | N/A | C:\Windows\SysWOW64\xumzbr.exe | C:\Windows\SysWOW64\xumzbr.exe
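
Read together, the SetThreadContext and WriteProcessMemory tables above and the command lines in the Processes section below describe one hop that repeats down the whole chain: a process writes into a second instance of its own image and then sets that instance's thread context (the suspended-copy injection the "Suspicious use of SetThreadContext" signature flags), and the injected instance drops and starts the next six-letter executable under SysWOW64, passing its own path as the quoted argument. The Python below is an added example, not part of this report or of the sandbox's tooling. It parses rows copied from the tables above into a PID-level chain, labels each hop as an in-image injection or a spawn of the next dropper, and follows the command lines back to the original sample. It assumes only the row layout `PID <src> <verb> <dst> N/A <process> <target>` and the dropped-copy command line `<image> <number> "<parent image>"` exactly as the report prints them; the numeric argument (488, then 452) is not explained by the report and is not interpreted. One caveat the parser handles: the command lines say C:\Windows\system32 while the image paths say SysWOW64. The dropped copies run as 32-bit processes under WOW64, whose file system redirector maps the former directory onto the latter, so the two spellings name the same file.

```python
"""Rebuild the replication chain from rows of the sandbox report above.

Added example; not part of the report or of the sandbox's own tooling.
Row layouts are assumed from what the report prints:
  "PID <src> set thread context of <dst> N/A <process> <target>"
  "PID <src> wrote to memory of <dst> N/A <process> <target>"
  '<image> <number> "<parent image>"'   (command line of a dropped copy)
"""
import ntpath
import re

SET_CTX_RE = re.compile(r"^PID (\d+) set thread context of (\d+) N/A (\S+) (\S+)$")
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
CMDLINE_RE = re.compile(r'^(\S+\.exe) (\d+) "([^"]+)"$')
# Dropped copies are six lowercase letters under SysWOW64. The names are
# generated per hop, so match the shape rather than a fixed list.
DROPPED_RE = re.compile(r"^C:\\Windows\\SysWOW64\\[a-z]{6}\.exe$", re.IGNORECASE)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe"
W = r"C:\Windows\SysWOW64"

# Rows copied from the report's SetThreadContext and WriteProcessMemory
# tables (first hops only). One write row is repeated on purpose: the
# report lists each write several times and the parser must collapse that.
SET_CTX_ROWS = [
    rf"PID 2180 set thread context of 848 N/A {SAMPLE} {SAMPLE}",
    rf"PID 2132 set thread context of 2796 N/A {W}\bynbkf.exe {W}\bynbkf.exe",
    rf"PID 2540 set thread context of 2528 N/A {W}\sywbda.exe {W}\sywbda.exe",
    rf"PID 1728 set thread context of 2880 N/A {W}\yquelx.exe {W}\yquelx.exe",
    rf"PID 308 set thread context of 652 N/A {W}\xumzbr.exe {W}\xumzbr.exe",
]
WRITE_ROWS = [
    rf"PID 2180 wrote to memory of 848 N/A {SAMPLE} {SAMPLE}",
    rf"PID 2180 wrote to memory of 848 N/A {SAMPLE} {SAMPLE}",
    rf"PID 848 wrote to memory of 2132 N/A {SAMPLE} {W}\bynbkf.exe",
    rf"PID 2132 wrote to memory of 2796 N/A {W}\bynbkf.exe {W}\bynbkf.exe",
    rf"PID 2796 wrote to memory of 2540 N/A {W}\bynbkf.exe {W}\sywbda.exe",
    rf"PID 2540 wrote to memory of 2528 N/A {W}\sywbda.exe {W}\sywbda.exe",
    rf"PID 2528 wrote to memory of 1728 N/A {W}\sywbda.exe {W}\yquelx.exe",
    rf"PID 1728 wrote to memory of 2880 N/A {W}\yquelx.exe {W}\yquelx.exe",
    rf"PID 2880 wrote to memory of 308 N/A {W}\yquelx.exe {W}\xumzbr.exe",
    rf"PID 308 wrote to memory of 652 N/A {W}\xumzbr.exe {W}\xumzbr.exe",
]
# Command lines copied from the Processes section of the report.
CMDLINES = [
    rf'C:\Windows\system32\bynbkf.exe 488 "{SAMPLE}"',
    rf'C:\Windows\system32\sywbda.exe 452 "{W}\bynbkf.exe"',
    rf'C:\Windows\system32\yquelx.exe 452 "{W}\sywbda.exe"',
    rf'C:\Windows\system32\xumzbr.exe 452 "{W}\yquelx.exe"',
    rf'C:\Windows\system32\hapmfl.exe 452 "{W}\xumzbr.exe"',
]


def parse_rows(rows, pattern):
    """Return unique (src_pid, dst_pid, src_image, dst_image) in report order."""
    unique = {}
    for row in rows:
        m = pattern.match(row)
        if m is None:
            raise ValueError(f"row does not match the expected layout: {row!r}")
        unique[(int(m[1]), int(m[2]), m[3], m[4])] = None
    return list(unique)


def pid_chain(set_ctx_rows, write_rows):
    """Follow WriteProcessMemory edges from the root PID (the only writer
    nobody wrote into). A hop is 'inject' when the writer also set the
    thread context of a target running the writer's own image; otherwise
    it is a 'spawn' of the next dropped executable."""
    ctx = {(s, d) for s, d, _, _ in parse_rows(set_ctx_rows, SET_CTX_RE)}
    writes = parse_rows(write_rows, WRITE_RE)
    next_hop = {s: (d, si == di and (s, d) in ctx) for s, d, si, di in writes}
    (pid,) = set(next_hop) - {d for _, d, _, _ in writes}
    hops = []
    while pid in next_hop:
        dst, injected = next_hop[pid]
        hops.append((pid, dst, "inject" if injected else "spawn"))
        pid = dst
    return hops


def _normalise(path):
    # A 32-bit process naming C:\Windows\system32 is redirected by WOW64 to
    # C:\Windows\SysWOW64, which is the directory the image paths record.
    return re.sub(r"\\system32\\", r"\\SysWOW64\\", path, flags=re.IGNORECASE)


def dropper_chain(cmdlines):
    """Image basenames from the original sample to the last dropped copy,
    linked through the quoted parent path each copy is started with."""
    parent_of = {}
    for line in cmdlines:
        m = CMDLINE_RE.match(line)
        if m is None:
            raise ValueError(f"unexpected command line: {line!r}")
        parent_of[_normalise(m[1])] = _normalise(m[3])
    (root,) = set(parent_of.values()) - set(parent_of)
    child_of = {parent: child for child, parent in parent_of.items()}
    chain = [root]
    while chain[-1] in child_of:
        chain.append(child_of[chain[-1]])
    return [ntpath.basename(p) for p in chain]


def is_dropped_copy(image):
    return DROPPED_RE.match(image) is not None


if __name__ == "__main__":
    for src, dst, kind in pid_chain(SET_CTX_ROWS, WRITE_ROWS):
        print(f"{src:>5} -> {dst:<5} {kind}")
    print(" -> ".join(dropper_chain(CMDLINES)))
```

Pointed at the full tables rather than the excerpt embedded here, the same functions extend the chain as far as the report's 64-row caps allow; the report lists far more SetThreadContext rows than WriteProcessMemory rows, so `pid_chain` stops where the WriteProcessMemory table is cut off, while `dropper_chain` keeps going as long as command lines are available. Both raise rather than guess when a row has a shape they do not recognise, which is the behaviour you want from a parser feeding a detection pipeline.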

Processes

C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe"

C:\Windows\SysWOW64\bynbkf.exe

C:\Windows\system32\bynbkf.exe 488 "C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe"

C:\Windows\SysWOW64\bynbkf.exe

C:\Windows\system32\bynbkf.exe 488 "C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe"

C:\Windows\SysWOW64\sywbda.exe

C:\Windows\system32\sywbda.exe 452 "C:\Windows\SysWOW64\bynbkf.exe"

C:\Windows\SysWOW64\sywbda.exe

C:\Windows\system32\sywbda.exe 452 "C:\Windows\SysWOW64\bynbkf.exe"

C:\Windows\SysWOW64\yquelx.exe

C:\Windows\system32\yquelx.exe 452 "C:\Windows\SysWOW64\sywbda.exe"

C:\Windows\SysWOW64\yquelx.exe

C:\Windows\system32\yquelx.exe 452 "C:\Windows\SysWOW64\sywbda.exe"

C:\Windows\SysWOW64\xumzbr.exe

C:\Windows\system32\xumzbr.exe 452 "C:\Windows\SysWOW64\yquelx.exe"

C:\Windows\SysWOW64\xumzbr.exe

C:\Windows\system32\xumzbr.exe 452 "C:\Windows\SysWOW64\yquelx.exe"

C:\Windows\SysWOW64\hapmfl.exe

C:\Windows\system32\hapmfl.exe 452 "C:\Windows\SysWOW64\xumzbr.exe"

C:\Windows\SysWOW64\hapmfl.exe

C:\Windows\system32\hapmfl.exe 452 "C:\Windows\SysWOW64\xumzbr.exe"

C:\Windows\SysWOW64\qtdudr.exe

C:\Windows\system32\qtdudr.exe 452 "C:\Windows\SysWOW64\hapmfl.exe"

C:\Windows\SysWOW64\qtdudr.exe

C:\Windows\system32\qtdudr.exe 452 "C:\Windows\SysWOW64\hapmfl.exe"

C:\Windows\SysWOW64\wliptf.exe

C:\Windows\system32\wliptf.exe 452 "C:\Windows\SysWOW64\qtdudr.exe"

C:\Windows\SysWOW64\wliptf.exe

C:\Windows\system32\wliptf.exe 452 "C:\Windows\SysWOW64\qtdudr.exe"

C:\Windows\SysWOW64\defscc.exe

C:\Windows\system32\defscc.exe 452 "C:\Windows\SysWOW64\wliptf.exe"

C:\Windows\SysWOW64\defscc.exe

C:\Windows\system32\defscc.exe 452 "C:\Windows\SysWOW64\wliptf.exe"

C:\Windows\SysWOW64\nkifxe.exe

C:\Windows\system32\nkifxe.exe 452 "C:\Windows\SysWOW64\defscc.exe"

C:\Windows\SysWOW64\nkifxe.exe

C:\Windows\system32\nkifxe.exe 452 "C:\Windows\SysWOW64\defscc.exe"

C:\Windows\SysWOW64\lacvdw.exe

C:\Windows\system32\lacvdw.exe 452 "C:\Windows\SysWOW64\nkifxe.exe"

C:\Windows\SysWOW64\lacvdw.exe

C:\Windows\system32\lacvdw.exe 452 "C:\Windows\SysWOW64\nkifxe.exe"

C:\Windows\SysWOW64\ddzyht.exe

C:\Windows\system32\ddzyht.exe 452 "C:\Windows\SysWOW64\lacvdw.exe"

C:\Windows\SysWOW64\ddzyht.exe

C:\Windows\system32\ddzyht.exe 452 "C:\Windows\SysWOW64\lacvdw.exe"

C:\Windows\SysWOW64\udzgfc.exe

C:\Windows\system32\udzgfc.exe 452 "C:\Windows\SysWOW64\ddzyht.exe"

C:\Windows\SysWOW64\udzgfc.exe

C:\Windows\system32\udzgfc.exe 452 "C:\Windows\SysWOW64\ddzyht.exe"

C:\Windows\SysWOW64\iljigt.exe

C:\Windows\system32\iljigt.exe 452 "C:\Windows\SysWOW64\udzgfc.exe"

C:\Windows\SysWOW64\iljigt.exe

C:\Windows\system32\iljigt.exe 452 "C:\Windows\SysWOW64\udzgfc.exe"

C:\Windows\SysWOW64\cjivdl.exe

C:\Windows\system32\cjivdl.exe 452 "C:\Windows\SysWOW64\iljigt.exe"

C:\Windows\SysWOW64\cjivdl.exe

C:\Windows\system32\cjivdl.exe 452 "C:\Windows\SysWOW64\iljigt.exe"

C:\Windows\SysWOW64\wazjzw.exe

C:\Windows\system32\wazjzw.exe 452 "C:\Windows\SysWOW64\cjivdl.exe"

C:\Windows\SysWOW64\wazjzw.exe

C:\Windows\system32\wazjzw.exe 452 "C:\Windows\SysWOW64\cjivdl.exe"

C:\Windows\SysWOW64\nwodvs.exe

C:\Windows\system32\nwodvs.exe 452 "C:\Windows\SysWOW64\wazjzw.exe"

C:\Windows\SysWOW64\nwodvs.exe

C:\Windows\system32\nwodvs.exe 452 "C:\Windows\SysWOW64\wazjzw.exe"

C:\Windows\SysWOW64\famgrx.exe

C:\Windows\system32\famgrx.exe 452 "C:\Windows\SysWOW64\nwodvs.exe"

C:\Windows\SysWOW64\famgrx.exe

C:\Windows\system32\famgrx.exe 452 "C:\Windows\SysWOW64\nwodvs.exe"

C:\Windows\SysWOW64\thvjaw.exe

C:\Windows\system32\thvjaw.exe 452 "C:\Windows\SysWOW64\famgrx.exe"

C:\Windows\SysWOW64\thvjaw.exe

C:\Windows\system32\thvjaw.exe 452 "C:\Windows\SysWOW64\famgrx.exe"

C:\Windows\SysWOW64\hmchxj.exe

C:\Windows\system32\hmchxj.exe 452 "C:\Windows\SysWOW64\thvjaw.exe"

C:\Windows\SysWOW64\hmchxj.exe

C:\Windows\system32\hmchxj.exe 452 "C:\Windows\SysWOW64\thvjaw.exe"

C:\Windows\SysWOW64\zeoxqk.exe

C:\Windows\system32\zeoxqk.exe 452 "C:\Windows\SysWOW64\hmchxj.exe"

C:\Windows\SysWOW64\zeoxqk.exe

C:\Windows\system32\zeoxqk.exe 452 "C:\Windows\SysWOW64\hmchxj.exe"

C:\Windows\SysWOW64\fmfzrj.exe

C:\Windows\system32\fmfzrj.exe 452 "C:\Windows\SysWOW64\zeoxqk.exe"

C:\Windows\SysWOW64\fmfzrj.exe

C:\Windows\system32\fmfzrj.exe 452 "C:\Windows\SysWOW64\zeoxqk.exe"

C:\Windows\SysWOW64\zzlalp.exe

C:\Windows\system32\zzlalp.exe 452 "C:\Windows\SysWOW64\fmfzrj.exe"

C:\Windows\SysWOW64\zzlalp.exe

C:\Windows\system32\zzlalp.exe 452 "C:\Windows\SysWOW64\fmfzrj.exe"

C:\Windows\SysWOW64\qkxuuc.exe

C:\Windows\system32\qkxuuc.exe 452 "C:\Windows\SysWOW64\zzlalp.exe"

C:\Windows\SysWOW64\qkxuuc.exe

C:\Windows\system32\qkxuuc.exe 452 "C:\Windows\SysWOW64\zzlalp.exe"

C:\Windows\SysWOW64\kxlvgi.exe

C:\Windows\system32\kxlvgi.exe 452 "C:\Windows\SysWOW64\qkxuuc.exe"

C:\Windows\SysWOW64\kxlvgi.exe

C:\Windows\system32\kxlvgi.exe 452 "C:\Windows\SysWOW64\qkxuuc.exe"

C:\Windows\SysWOW64\ctaykf.exe

C:\Windows\system32\ctaykf.exe 452 "C:\Windows\SysWOW64\kxlvgi.exe"

C:\Windows\SysWOW64\ctaykf.exe

C:\Windows\system32\ctaykf.exe 452 "C:\Windows\SysWOW64\kxlvgi.exe"

C:\Windows\SysWOW64\taifjn.exe

C:\Windows\system32\taifjn.exe 452 "C:\Windows\SysWOW64\ctaykf.exe"

C:\Windows\SysWOW64\taifjn.exe

C:\Windows\system32\taifjn.exe 452 "C:\Windows\SysWOW64\ctaykf.exe"

C:\Windows\SysWOW64\hisijn.exe

C:\Windows\system32\hisijn.exe 452 "C:\Windows\SysWOW64\taifjn.exe"

C:\Windows\SysWOW64\hisijn.exe

C:\Windows\system32\hisijn.exe 452 "C:\Windows\SysWOW64\taifjn.exe"

C:\Windows\SysWOW64\wxcgbz.exe

C:\Windows\system32\wxcgbz.exe 452 "C:\Windows\SysWOW64\hisijn.exe"

C:\Windows\SysWOW64\wxcgbz.exe

C:\Windows\system32\wxcgbz.exe 452 "C:\Windows\SysWOW64\hisijn.exe"

C:\Windows\SysWOW64\krxvnv.exe

C:\Windows\system32\krxvnv.exe 452 "C:\Windows\SysWOW64\wxcgbz.exe"

C:\Windows\SysWOW64\krxvnv.exe

C:\Windows\system32\krxvnv.exe 452 "C:\Windows\SysWOW64\wxcgbz.exe"

C:\Windows\SysWOW64\cjjlgw.exe

C:\Windows\system32\cjjlgw.exe 452 "C:\Windows\SysWOW64\krxvnv.exe"

C:\Windows\SysWOW64\cjjlgw.exe

C:\Windows\system32\cjjlgw.exe 452 "C:\Windows\SysWOW64\krxvnv.exe"

C:\Windows\SysWOW64\rnqjdr.exe

C:\Windows\system32\rnqjdr.exe 452 "C:\Windows\SysWOW64\cjjlgw.exe"

C:\Windows\SysWOW64\rnqjdr.exe

C:\Windows\system32\rnqjdr.exe 452 "C:\Windows\SysWOW64\cjjlgw.exe"

C:\Windows\SysWOW64\ajnezn.exe

C:\Windows\system32\ajnezn.exe 452 "C:\Windows\SysWOW64\rnqjdr.exe"

C:\Windows\SysWOW64\ajnezn.exe

C:\Windows\system32\ajnezn.exe 452 "C:\Windows\SysWOW64\rnqjdr.exe"

C:\Windows\SysWOW64\oviukr.exe

C:\Windows\system32\oviukr.exe 452 "C:\Windows\SysWOW64\ajnezn.exe"

C:\Windows\SysWOW64\oviukr.exe

C:\Windows\system32\oviukr.exe 452 "C:\Windows\SysWOW64\ajnezn.exe"

C:\Windows\SysWOW64\gnukdr.exe

C:\Windows\system32\gnukdr.exe 480 "C:\Windows\SysWOW64\oviukr.exe"

C:\Windows\SysWOW64\gnukdr.exe

C:\Windows\system32\gnukdr.exe 480 "C:\Windows\SysWOW64\oviukr.exe"

C:\Windows\SysWOW64\xjjezo.exe

C:\Windows\system32\xjjezo.exe 452 "C:\Windows\SysWOW64\gnukdr.exe"

C:\Windows\SysWOW64\xjjezo.exe

C:\Windows\system32\xjjezo.exe 452 "C:\Windows\SysWOW64\gnukdr.exe"

C:\Windows\SysWOW64\mnpcxj.exe

C:\Windows\system32\mnpcxj.exe 452 "C:\Windows\SysWOW64\xjjezo.exe"

C:\Windows\SysWOW64\mnpcxj.exe

C:\Windows\system32\mnpcxj.exe 452 "C:\Windows\SysWOW64\xjjezo.exe"

C:\Windows\SysWOW64\adhffi.exe

C:\Windows\system32\adhffi.exe 452 "C:\Windows\SysWOW64\mnpcxj.exe"

C:\Windows\SysWOW64\adhffi.exe

C:\Windows\system32\adhffi.exe 452 "C:\Windows\SysWOW64\mnpcxj.exe"

C:\Windows\SysWOW64\rzwibf.exe

C:\Windows\system32\rzwibf.exe 452 "C:\Windows\SysWOW64\adhffi.exe"

C:\Windows\SysWOW64\rzwibf.exe

C:\Windows\system32\rzwibf.exe 452 "C:\Windows\SysWOW64\adhffi.exe"

C:\Windows\SysWOW64\jutdxj.exe

C:\Windows\system32\jutdxj.exe 452 "C:\Windows\SysWOW64\rzwibf.exe"

C:\Windows\SysWOW64\jutdxj.exe

C:\Windows\system32\jutdxj.exe 452 "C:\Windows\SysWOW64\rzwibf.exe"

C:\Windows\SysWOW64\xgosif.exe

C:\Windows\system32\xgosif.exe 452 "C:\Windows\SysWOW64\jutdxj.exe"

C:\Windows\SysWOW64\xgosif.exe

C:\Windows\system32\xgosif.exe 452 "C:\Windows\SysWOW64\jutdxj.exe"

C:\Windows\SysWOW64\oyaibf.exe

C:\Windows\system32\oyaibf.exe 452 "C:\Windows\SysWOW64\xgosif.exe"

C:\Windows\SysWOW64\oyaibf.exe

C:\Windows\system32\oyaibf.exe 452 "C:\Windows\SysWOW64\xgosif.exe"

C:\Windows\SysWOW64\fjmddl.exe

C:\Windows\system32\fjmddl.exe 452 "C:\Windows\SysWOW64\oyaibf.exe"

C:\Windows\SysWOW64\fjmddl.exe

C:\Windows\system32\fjmddl.exe 452 "C:\Windows\SysWOW64\oyaibf.exe"

C:\Windows\SysWOW64\ztpquu.exe

C:\Windows\system32\ztpquu.exe 452 "C:\Windows\SysWOW64\fjmddl.exe"

C:\Windows\SysWOW64\ztpquu.exe

C:\Windows\system32\ztpquu.exe 452 "C:\Windows\SysWOW64\fjmddl.exe"

C:\Windows\SysWOW64\djiwwk.exe

C:\Windows\system32\djiwwk.exe 452 "C:\Windows\SysWOW64\ztpquu.exe"

C:\Windows\SysWOW64\djiwwk.exe

C:\Windows\system32\djiwwk.exe 452 "C:\Windows\SysWOW64\ztpquu.exe"

C:\Windows\SysWOW64\uffrah.exe

C:\Windows\system32\uffrah.exe 452 "C:\Windows\SysWOW64\djiwwk.exe"

C:\Windows\SysWOW64\uffrah.exe

C:\Windows\system32\uffrah.exe 452 "C:\Windows\SysWOW64\djiwwk.exe"

C:\Windows\SysWOW64\oalzmv.exe

C:\Windows\system32\oalzmv.exe 452 "C:\Windows\SysWOW64\uffrah.exe"

C:\Windows\SysWOW64\oalzmv.exe

C:\Windows\system32\oalzmv.exe 452 "C:\Windows\SysWOW64\uffrah.exe"

C:\Windows\SysWOW64\gzthtw.exe

C:\Windows\system32\gzthtw.exe 452 "C:\Windows\SysWOW64\oalzmv.exe"

C:\Windows\SysWOW64\gzthtw.exe

C:\Windows\system32\gzthtw.exe 452 "C:\Windows\SysWOW64\oalzmv.exe"

C:\Windows\SysWOW64\ueswrr.exe

C:\Windows\system32\ueswrr.exe 452 "C:\Windows\SysWOW64\gzthtw.exe"

C:\Windows\SysWOW64\ueswrr.exe

C:\Windows\system32\ueswrr.exe 452 "C:\Windows\SysWOW64\gzthtw.exe"

C:\Windows\SysWOW64\jmjhrq.exe

C:\Windows\system32\jmjhrq.exe 452 "C:\Windows\SysWOW64\ueswrr.exe"

C:\Windows\SysWOW64\jmjhrq.exe

C:\Windows\system32\jmjhrq.exe 452 "C:\Windows\SysWOW64\ueswrr.exe"

C:\Windows\SysWOW64\vvomwy.exe

C:\Windows\system32\vvomwy.exe 452 "C:\Windows\SysWOW64\jmjhrq.exe"

C:\Windows\SysWOW64\vvomwy.exe

C:\Windows\system32\vvomwy.exe 452 "C:\Windows\SysWOW64\jmjhrq.exe"

C:\Windows\SysWOW64\muouuz.exe

C:\Windows\system32\muouuz.exe 452 "C:\Windows\SysWOW64\vvomwy.exe"

C:\Windows\SysWOW64\muouuz.exe

C:\Windows\system32\muouuz.exe 452 "C:\Windows\SysWOW64\vvomwy.exe"

C:\Windows\SysWOW64\duxcth.exe

C:\Windows\system32\duxcth.exe 452 "C:\Windows\SysWOW64\muouuz.exe"

C:\Windows\SysWOW64\duxcth.exe

C:\Windows\system32\duxcth.exe 452 "C:\Windows\SysWOW64\muouuz.exe"

C:\Windows\SysWOW64\uxmfpe.exe

C:\Windows\system32\uxmfpe.exe 452 "C:\Windows\SysWOW64\duxcth.exe"

C:\Windows\SysWOW64\uxmfpe.exe

C:\Windows\system32\uxmfpe.exe 452 "C:\Windows\SysWOW64\duxcth.exe"

C:\Windows\SysWOW64\dtjalj.exe

C:\Windows\system32\dtjalj.exe 452 "C:\Windows\SysWOW64\uxmfpe.exe"

C:\Windows\SysWOW64\dtjalj.exe

C:\Windows\system32\dtjalj.exe 452 "C:\Windows\SysWOW64\uxmfpe.exe"

C:\Windows\SysWOW64\vpgvpn.exe

C:\Windows\system32\vpgvpn.exe 452 "C:\Windows\SysWOW64\dtjalj.exe"

C:\Windows\SysWOW64\vpgvpn.exe

C:\Windows\system32\vpgvpn.exe 452 "C:\Windows\SysWOW64\dtjalj.exe"

C:\Windows\SysWOW64\pcmdjt.exe

C:\Windows\system32\pcmdjt.exe 452 "C:\Windows\SysWOW64\vpgvpn.exe"

C:\Windows\SysWOW64\pcmdjt.exe

C:\Windows\system32\pcmdjt.exe 452 "C:\Windows\SysWOW64\vpgvpn.exe"

C:\Windows\SysWOW64\gjnlhu.exe

C:\Windows\system32\gjnlhu.exe 452 "C:\Windows\SysWOW64\pcmdjt.exe"

C:\Windows\SysWOW64\gjnlhu.exe

C:\Windows\system32\gjnlhu.exe 452 "C:\Windows\SysWOW64\pcmdjt.exe"

C:\Windows\SysWOW64\xjvtgd.exe

C:\Windows\system32\xjvtgd.exe 452 "C:\Windows\SysWOW64\gjnlhu.exe"

C:\Windows\SysWOW64\xjvtgd.exe

C:\Windows\system32\xjvtgd.exe 452 "C:\Windows\SysWOW64\gjnlhu.exe"

C:\Windows\SysWOW64\oivbfe.exe

C:\Windows\system32\oivbfe.exe 452 "C:\Windows\SysWOW64\xjvtgd.exe"

C:\Windows\SysWOW64\oivbfe.exe

C:\Windows\system32\oivbfe.exe 452 "C:\Windows\SysWOW64\xjvtgd.exe"

C:\Windows\SysWOW64\fpwjdm.exe

C:\Windows\system32\fpwjdm.exe 452 "C:\Windows\SysWOW64\oivbfe.exe"

C:\Windows\SysWOW64\fpwjdm.exe

C:\Windows\system32\fpwjdm.exe 452 "C:\Windows\SysWOW64\oivbfe.exe"

C:\Windows\SysWOW64\zckjxs.exe

C:\Windows\system32\zckjxs.exe 452 "C:\Windows\SysWOW64\fpwjdm.exe"

C:\Windows\SysWOW64\zckjxs.exe

C:\Windows\system32\zckjxs.exe 452 "C:\Windows\SysWOW64\fpwjdm.exe"

C:\Windows\SysWOW64\rkkzwt.exe

C:\Windows\system32\rkkzwt.exe 452 "C:\Windows\SysWOW64\zckjxs.exe"

C:\Windows\SysWOW64\rkkzwt.exe

C:\Windows\system32\rkkzwt.exe 452 "C:\Windows\SysWOW64\zckjxs.exe"

C:\Windows\SysWOW64\lxyzqh.exe

C:\Windows\system32\lxyzqh.exe 452 "C:\Windows\SysWOW64\rkkzwt.exe"

C:\Windows\SysWOW64\lxyzqh.exe

C:\Windows\system32\lxyzqh.exe 452 "C:\Windows\SysWOW64\rkkzwt.exe"

C:\Windows\SysWOW64\cwyhpi.exe

C:\Windows\system32\cwyhpi.exe 452 "C:\Windows\SysWOW64\lxyzqh.exe"

C:\Windows\SysWOW64\cwyhpi.exe

C:\Windows\system32\cwyhpi.exe 452 "C:\Windows\SysWOW64\lxyzqh.exe"

C:\Windows\SysWOW64\qbffud.exe

C:\Windows\system32\qbffud.exe 452 "C:\Windows\SysWOW64\cwyhpi.exe"

C:\Windows\SysWOW64\qbffud.exe

C:\Windows\system32\qbffud.exe 452 "C:\Windows\SysWOW64\cwyhpi.exe"

C:\Windows\SysWOW64\cwlfoj.exe

C:\Windows\system32\cwlfoj.exe 452 "C:\Windows\SysWOW64\qbffud.exe"

C:\Windows\SysWOW64\cwlfoj.exe

C:\Windows\system32\cwlfoj.exe 452 "C:\Windows\SysWOW64\qbffud.exe"

C:\Windows\SysWOW64\tyxaqw.exe

C:\Windows\system32\tyxaqw.exe 452 "C:\Windows\SysWOW64\cwlfoj.exe"

C:\Windows\SysWOW64\tyxaqw.exe

C:\Windows\system32\tyxaqw.exe 452 "C:\Windows\SysWOW64\cwlfoj.exe"

C:\Windows\SysWOW64\nmkakc.exe

C:\Windows\system32\nmkakc.exe 452 "C:\Windows\SysWOW64\tyxaqw.exe"

C:\Windows\SysWOW64\nmkakc.exe

C:\Windows\system32\nmkakc.exe 452 "C:\Windows\SysWOW64\tyxaqw.exe"

C:\Windows\SysWOW64\ccudkc.exe

C:\Windows\system32\ccudkc.exe 452 "C:\Windows\SysWOW64\nmkakc.exe"

C:\Windows\SysWOW64\ccudkc.exe

C:\Windows\system32\ccudkc.exe 452 "C:\Windows\SysWOW64\nmkakc.exe"

C:\Windows\SysWOW64\txrggy.exe

C:\Windows\system32\txrggy.exe 452 "C:\Windows\SysWOW64\ccudkc.exe"

C:\Windows\SysWOW64\txrggy.exe

C:\Windows\system32\txrggy.exe 452 "C:\Windows\SysWOW64\ccudkc.exe"

C:\Windows\SysWOW64\hfjipy.exe

C:\Windows\system32\hfjipy.exe 452 "C:\Windows\SysWOW64\txrggy.exe"

C:\Windows\SysWOW64\hfjipy.exe

C:\Windows\system32\hfjipy.exe 452 "C:\Windows\SysWOW64\txrggy.exe"

C:\Windows\SysWOW64\wkigmt.exe

C:\Windows\system32\wkigmt.exe 452 "C:\Windows\SysWOW64\hfjipy.exe"

C:\Windows\SysWOW64\wkigmt.exe

C:\Windows\system32\wkigmt.exe 452 "C:\Windows\SysWOW64\hfjipy.exe"

C:\Windows\SysWOW64\qxvggz.exe

C:\Windows\system32\qxvggz.exe 452 "C:\Windows\SysWOW64\wkigmt.exe"

C:\Windows\SysWOW64\qxvggz.exe

C:\Windows\system32\qxvggz.exe 452 "C:\Windows\SysWOW64\wkigmt.exe"

C:\Windows\SysWOW64\hblbcd.exe

C:\Windows\system32\hblbcd.exe 452 "C:\Windows\SysWOW64\qxvggz.exe"

C:\Windows\SysWOW64\hblbcd.exe

C:\Windows\system32\hblbcd.exe 452 "C:\Windows\SysWOW64\qxvggz.exe"

C:\Windows\SysWOW64\wicmdv.exe

C:\Windows\system32\wicmdv.exe 452 "C:\Windows\SysWOW64\hblbcd.exe"

C:\Windows\SysWOW64\wicmdv.exe

C:\Windows\system32\wicmdv.exe 452 "C:\Windows\SysWOW64\hblbcd.exe"

C:\Windows\SysWOW64\knjbiq.exe

C:\Windows\system32\knjbiq.exe 452 "C:\Windows\SysWOW64\wicmdv.exe"

C:\Windows\SysWOW64\knjbiq.exe

C:\Windows\system32\knjbiq.exe 452 "C:\Windows\SysWOW64\wicmdv.exe"

C:\Windows\SysWOW64\ufnrbq.exe

C:\Windows\system32\ufnrbq.exe 452 "C:\Windows\SysWOW64\knjbiq.exe"

C:\Windows\SysWOW64\ufnrbq.exe

C:\Windows\system32\ufnrbq.exe 452 "C:\Windows\SysWOW64\knjbiq.exe"

C:\Windows\SysWOW64\levzar.exe

C:\Windows\system32\levzar.exe 452 "C:\Windows\SysWOW64\ufnrbq.exe"

C:\Windows\SysWOW64\levzar.exe

C:\Windows\system32\levzar.exe 452 "C:\Windows\SysWOW64\ufnrbq.exe"

C:\Windows\SysWOW64\fdmmxb.exe

C:\Windows\system32\fdmmxb.exe 452 "C:\Windows\SysWOW64\levzar.exe"

C:\Windows\SysWOW64\fdmmxb.exe

C:\Windows\system32\fdmmxb.exe 452 "C:\Windows\SysWOW64\levzar.exe"

C:\Windows\SysWOW64\wcnuvk.exe

C:\Windows\system32\wcnuvk.exe 452 "C:\Windows\SysWOW64\fdmmxb.exe"

C:\Windows\SysWOW64\wcnuvk.exe

C:\Windows\system32\wcnuvk.exe 452 "C:\Windows\SysWOW64\fdmmxb.exe"

C:\Windows\SysWOW64\kkefwk.exe

C:\Windows\system32\kkefwk.exe 452 "C:\Windows\SysWOW64\wcnuvk.exe"

C:\Windows\SysWOW64\kkefwk.exe

C:\Windows\system32\kkefwk.exe 452 "C:\Windows\SysWOW64\wcnuvk.exe"

C:\Windows\SysWOW64\zplvcf.exe

C:\Windows\system32\zplvcf.exe 452 "C:\Windows\SysWOW64\kkefwk.exe"

C:\Windows\SysWOW64\zplvcf.exe

C:\Windows\system32\zplvcf.exe 452 "C:\Windows\SysWOW64\kkefwk.exe"

C:\Windows\SysWOW64\omvsur.exe

C:\Windows\system32\omvsur.exe 452 "C:\Windows\SysWOW64\zplvcf.exe"

C:\Windows\SysWOW64\omvsur.exe

C:\Windows\system32\omvsur.exe 452 "C:\Windows\SysWOW64\zplvcf.exe"

C:\Windows\SysWOW64\acoyeh.exe

C:\Windows\system32\acoyeh.exe 452 "C:\Windows\SysWOW64\omvsur.exe"

C:\Windows\SysWOW64\acoyeh.exe

C:\Windows\system32\acoyeh.exe 452 "C:\Windows\SysWOW64\omvsur.exe"

C:\Windows\SysWOW64\rvaoxa.exe

C:\Windows\system32\rvaoxa.exe 452 "C:\Windows\SysWOW64\acoyeh.exe"

C:\Windows\SysWOW64\rvaoxa.exe

C:\Windows\system32\rvaoxa.exe 452 "C:\Windows\SysWOW64\acoyeh.exe"

C:\Windows\SysWOW64\gdsqxz.exe

C:\Windows\system32\gdsqxz.exe 452 "C:\Windows\SysWOW64\rvaoxa.exe"

C:\Windows\SysWOW64\gdsqxz.exe

C:\Windows\system32\gdsqxz.exe 452 "C:\Windows\SysWOW64\rvaoxa.exe"

C:\Windows\SysWOW64\uhqodu.exe

C:\Windows\system32\uhqodu.exe 452 "C:\Windows\SysWOW64\gdsqxz.exe"

C:\Windows\SysWOW64\uhqodu.exe

C:\Windows\system32\uhqodu.exe 452 "C:\Windows\SysWOW64\gdsqxz.exe"

C:\Windows\SysWOW64\apirdu.exe

C:\Windows\system32\apirdu.exe 452 "C:\Windows\SysWOW64\uhqodu.exe"

C:\Windows\SysWOW64\apirdu.exe

C:\Windows\system32\apirdu.exe 452 "C:\Windows\SysWOW64\uhqodu.exe"

C:\Windows\SysWOW64\vzkmvv.exe

C:\Windows\system32\vzkmvv.exe 452 "C:\Windows\SysWOW64\apirdu.exe"

C:\Windows\SysWOW64\vzkmvv.exe

C:\Windows\system32\vzkmvv.exe 452 "C:\Windows\SysWOW64\apirdu.exe"

C:\Windows\SysWOW64\jdjbsq.exe

C:\Windows\system32\jdjbsq.exe 452 "C:\Windows\SysWOW64\vzkmvv.exe"

C:\Windows\SysWOW64\jdjbsq.exe

C:\Windows\system32\jdjbsq.exe 452 "C:\Windows\SysWOW64\vzkmvv.exe"

C:\Windows\SysWOW64\bcrjrr.exe

C:\Windows\system32\bcrjrr.exe 452 "C:\Windows\SysWOW64\jdjbsq.exe"

C:\Windows\SysWOW64\bcrjrr.exe

C:\Windows\system32\bcrjrr.exe 452 "C:\Windows\SysWOW64\jdjbsq.exe"

C:\Windows\SysWOW64\phqhxm.exe

C:\Windows\system32\phqhxm.exe 452 "C:\Windows\SysWOW64\bcrjrr.exe"

C:\Windows\SysWOW64\phqhxm.exe

C:\Windows\system32\phqhxm.exe 452 "C:\Windows\SysWOW64\bcrjrr.exe"

C:\Windows\SysWOW64\goypvn.exe

C:\Windows\system32\goypvn.exe 452 "C:\Windows\SysWOW64\phqhxm.exe"

C:\Windows\SysWOW64\goypvn.exe

C:\Windows\system32\goypvn.exe 452 "C:\Windows\SysWOW64\phqhxm.exe"

C:\Windows\SysWOW64\vsxnti.exe

C:\Windows\system32\vsxnti.exe 452 "C:\Windows\SysWOW64\goypvn.exe"

C:\Windows\SysWOW64\vsxnti.exe

C:\Windows\system32\vsxnti.exe 452 "C:\Windows\SysWOW64\goypvn.exe"

C:\Windows\SysWOW64\ktsxwz.exe

C:\Windows\system32\ktsxwz.exe 452 "C:\Windows\SysWOW64\vsxnti.exe"

C:\Windows\SysWOW64\ktsxwz.exe

C:\Windows\system32\ktsxwz.exe 452 "C:\Windows\SysWOW64\vsxnti.exe"

C:\Windows\SysWOW64\ybkawz.exe

C:\Windows\system32\ybkawz.exe 452 "C:\Windows\SysWOW64\ktsxwz.exe"

C:\Windows\SysWOW64\ybkawz.exe

C:\Windows\system32\ybkawz.exe 452 "C:\Windows\SysWOW64\ktsxwz.exe"

C:\Windows\SysWOW64\nfqyuu.exe

C:\Windows\system32\nfqyuu.exe 452 "C:\Windows\SysWOW64\ybkawz.exe"

C:\Windows\SysWOW64\nfqyuu.exe

C:\Windows\system32\nfqyuu.exe 452 "C:\Windows\SysWOW64\ybkawz.exe"

C:\Windows\SysWOW64\bkpnap.exe

C:\Windows\system32\bkpnap.exe 452 "C:\Windows\SysWOW64\nfqyuu.exe"

C:\Windows\SysWOW64\bkpnap.exe

C:\Windows\system32\bkpnap.exe 452 "C:\Windows\SysWOW64\nfqyuu.exe"

C:\Windows\SysWOW64\lcbdth.exe

C:\Windows\system32\lcbdth.exe 452 "C:\Windows\SysWOW64\bkpnap.exe"

C:\Windows\SysWOW64\lcbdth.exe

C:\Windows\system32\lcbdth.exe 452 "C:\Windows\SysWOW64\bkpnap.exe"

C:\Windows\SysWOW64\zksgth.exe

C:\Windows\system32\zksgth.exe 452 "C:\Windows\SysWOW64\lcbdth.exe"

C:\Windows\SysWOW64\zksgth.exe

C:\Windows\system32\zksgth.exe 452 "C:\Windows\SysWOW64\lcbdth.exe"

C:\Windows\SysWOW64\qgijpl.exe

C:\Windows\system32\qgijpl.exe 452 "C:\Windows\SysWOW64\zksgth.exe"

C:\Windows\SysWOW64\qgijpl.exe

C:\Windows\system32\qgijpl.exe 452 "C:\Windows\SysWOW64\zksgth.exe"

C:\Windows\SysWOW64\ibfeti.exe

C:\Windows\system32\ibfeti.exe 452 "C:\Windows\SysWOW64\qgijpl.exe"

C:\Windows\SysWOW64\ibfeti.exe

C:\Windows\system32\ibfeti.exe 452 "C:\Windows\SysWOW64\qgijpl.exe"

C:\Windows\SysWOW64\zmqzuv.exe

C:\Windows\system32\zmqzuv.exe 452 "C:\Windows\SysWOW64\ibfeti.exe"

C:\Windows\SysWOW64\zmqzuv.exe

C:\Windows\system32\zmqzuv.exe 452 "C:\Windows\SysWOW64\ibfeti.exe"

C:\Windows\SysWOW64\qmrgtw.exe

C:\Windows\system32\qmrgtw.exe 452 "C:\Windows\SysWOW64\zmqzuv.exe"

C:\Windows\SysWOW64\qmrgtw.exe

C:\Windows\system32\qmrgtw.exe 452 "C:\Windows\SysWOW64\zmqzuv.exe"

C:\Windows\SysWOW64\kvtcky.exe

C:\Windows\system32\kvtcky.exe 452 "C:\Windows\SysWOW64\qmrgtw.exe"

C:\Windows\SysWOW64\kvtcky.exe

C:\Windows\system32\kvtcky.exe 452 "C:\Windows\SysWOW64\qmrgtw.exe"

C:\Windows\SysWOW64\bcckjg.exe

C:\Windows\system32\bcckjg.exe 452 "C:\Windows\SysWOW64\kvtcky.exe"

C:\Windows\SysWOW64\bcckjg.exe

C:\Windows\system32\bcckjg.exe 452 "C:\Windows\SysWOW64\kvtcky.exe"

C:\Windows\SysWOW64\pkmmjg.exe

C:\Windows\system32\pkmmjg.exe 452 "C:\Windows\SysWOW64\bcckjg.exe"

C:\Windows\SysWOW64\pkmmjg.exe

C:\Windows\system32\pkmmjg.exe 452 "C:\Windows\SysWOW64\bcckjg.exe"

C:\Windows\SysWOW64\hkmuqh.exe

C:\Windows\system32\hkmuqh.exe 452 "C:\Windows\SysWOW64\pkmmjg.exe"

C:\Windows\SysWOW64\hkmuqh.exe

C:\Windows\system32\hkmuqh.exe 452 "C:\Windows\SysWOW64\pkmmjg.exe"

C:\Windows\SysWOW64\bfaccn.exe

C:\Windows\system32\bfaccn.exe 452 "C:\Windows\SysWOW64\hkmuqh.exe"

C:\Windows\SysWOW64\bfaccn.exe

C:\Windows\system32\bfaccn.exe 452 "C:\Windows\SysWOW64\hkmuqh.exe"

C:\Windows\SysWOW64\kbpxgr.exe

C:\Windows\system32\kbpxgr.exe 452 "C:\Windows\SysWOW64\bfaccn.exe"

C:\Windows\SysWOW64\kbpxgr.exe

C:\Windows\system32\kbpxgr.exe 452 "C:\Windows\SysWOW64\bfaccn.exe"

C:\Windows\SysWOW64\wrqdih.exe

C:\Windows\system32\wrqdih.exe 452 "C:\Windows\SysWOW64\kbpxgr.exe"

C:\Windows\SysWOW64\wrqdih.exe

C:\Windows\system32\wrqdih.exe 452 "C:\Windows\SysWOW64\kbpxgr.exe"

C:\Windows\SysWOW64\qbtqzj.exe

C:\Windows\system32\qbtqzj.exe 452 "C:\Windows\SysWOW64\wrqdih.exe"

C:\Windows\SysWOW64\qbtqzj.exe

C:\Windows\system32\qbtqzj.exe 452 "C:\Windows\SysWOW64\wrqdih.exe"

C:\Windows\SysWOW64\hmelbw.exe

C:\Windows\system32\hmelbw.exe 452 "C:\Windows\SysWOW64\qbtqzj.exe"

C:\Windows\SysWOW64\hmelbw.exe

C:\Windows\system32\hmelbw.exe 452 "C:\Windows\SysWOW64\qbtqzj.exe"

C:\Windows\SysWOW64\viligj.exe

C:\Windows\system32\viligj.exe 452 "C:\Windows\SysWOW64\hmelbw.exe"

C:\Windows\SysWOW64\viligj.exe

C:\Windows\system32\viligj.exe 452 "C:\Windows\SysWOW64\hmelbw.exe"

C:\Windows\SysWOW64\napqzj.exe

C:\Windows\system32\napqzj.exe 452 "C:\Windows\SysWOW64\viligj.exe"

C:\Windows\SysWOW64\napqzj.exe

C:\Windows\system32\napqzj.exe 452 "C:\Windows\SysWOW64\viligj.exe"

C:\Windows\SysWOW64\bqhbaj.exe

C:\Windows\system32\bqhbaj.exe 452 "C:\Windows\SysWOW64\napqzj.exe"

C:\Windows\SysWOW64\bqhbaj.exe

C:\Windows\system32\bqhbaj.exe 452 "C:\Windows\SysWOW64\napqzj.exe"

C:\Windows\SysWOW64\qjcmva.exe

C:\Windows\system32\qjcmva.exe 452 "C:\Windows\SysWOW64\bqhbaj.exe"

C:\Windows\SysWOW64\qjcmva.exe

C:\Windows\system32\qjcmva.exe 452 "C:\Windows\SysWOW64\bqhbaj.exe"

C:\Windows\SysWOW64\huozef.exe

C:\Windows\system32\huozef.exe 452 "C:\Windows\SysWOW64\qjcmva.exe"

C:\Windows\SysWOW64\huozef.exe

C:\Windows\system32\huozef.exe 452 "C:\Windows\SysWOW64\qjcmva.exe"

C:\Windows\SysWOW64\yqlbaj.exe

C:\Windows\system32\yqlbaj.exe 452 "C:\Windows\SysWOW64\huozef.exe"

C:\Windows\SysWOW64\yqlbaj.exe

C:\Windows\system32\yqlbaj.exe 452 "C:\Windows\SysWOW64\huozef.exe"

C:\Windows\SysWOW64\nqgmva.exe

C:\Windows\system32\nqgmva.exe 452 "C:\Windows\SysWOW64\yqlbaj.exe"

C:\Windows\SysWOW64\nqgmva.exe

C:\Windows\system32\nqgmva.exe 452 "C:\Windows\SysWOW64\yqlbaj.exe"

C:\Windows\SysWOW64\uvectn.exe

C:\Windows\system32\uvectn.exe 452 "C:\Windows\SysWOW64\nqgmva.exe"

C:\Windows\SysWOW64\uvectn.exe

C:\Windows\system32\uvectn.exe 452 "C:\Windows\SysWOW64\nqgmva.exe"

C:\Windows\SysWOW64\igzzer.exe

C:\Windows\system32\igzzer.exe 452 "C:\Windows\SysWOW64\uvectn.exe"

C:\Windows\SysWOW64\igzzer.exe

C:\Windows\system32\igzzer.exe 452 "C:\Windows\SysWOW64\uvectn.exe"

C:\Windows\SysWOW64\xhvczi.exe

C:\Windows\system32\xhvczi.exe 452 "C:\Windows\SysWOW64\igzzer.exe"

C:\Windows\SysWOW64\xhvczi.exe

C:\Windows\system32\xhvczi.exe 452 "C:\Windows\SysWOW64\igzzer.exe"

C:\Windows\SysWOW64\odsfvn.exe

C:\Windows\system32\odsfvn.exe 452 "C:\Windows\SysWOW64\xhvczi.exe"

C:\Windows\SysWOW64\odsfvn.exe

C:\Windows\system32\odsfvn.exe 452 "C:\Windows\SysWOW64\xhvczi.exe"

C:\Windows\SysWOW64\clkide.exe

C:\Windows\system32\clkide.exe 452 "C:\Windows\SysWOW64\odsfvn.exe"

C:\Windows\SysWOW64\clkide.exe

C:\Windows\system32\clkide.exe 452 "C:\Windows\SysWOW64\odsfvn.exe"

C:\Windows\SysWOW64\uozlzj.exe

C:\Windows\system32\uozlzj.exe 452 "C:\Windows\SysWOW64\clkide.exe"

C:\Windows\SysWOW64\uozlzj.exe

C:\Windows\system32\uozlzj.exe 452 "C:\Windows\SysWOW64\clkide.exe"

C:\Windows\SysWOW64\loztyj.exe

C:\Windows\system32\loztyj.exe 452 "C:\Windows\SysWOW64\uozlzj.exe"

C:\Windows\SysWOW64\loztyj.exe

C:\Windows\system32\loztyj.exe 452 "C:\Windows\SysWOW64\uozlzj.exe"

C:\Windows\SysWOW64\fxcgpt.exe

C:\Windows\system32\fxcgpt.exe 452 "C:\Windows\SysWOW64\loztyj.exe"

C:\Windows\SysWOW64\fxcgpt.exe

C:\Windows\system32\fxcgpt.exe 452 "C:\Windows\SysWOW64\loztyj.exe"

C:\Windows\SysWOW64\winbqy.exe

C:\Windows\system32\winbqy.exe 452 "C:\Windows\SysWOW64\fxcgpt.exe"

C:\Windows\SysWOW64\winbqy.exe

C:\Windows\system32\winbqy.exe 452 "C:\Windows\SysWOW64\fxcgpt.exe"

C:\Windows\SysWOW64\nhwjph.exe

C:\Windows\system32\nhwjph.exe 452 "C:\Windows\SysWOW64\winbqy.exe"

C:\Windows\SysWOW64\nhwjph.exe

C:\Windows\system32\nhwjph.exe 452 "C:\Windows\SysWOW64\winbqy.exe"

C:\Windows\SysWOW64\hgnwmr.exe

C:\Windows\system32\hgnwmr.exe 452 "C:\Windows\SysWOW64\nhwjph.exe"

C:\Windows\SysWOW64\hgnwmr.exe

C:\Windows\system32\hgnwmr.exe 452 "C:\Windows\SysWOW64\nhwjph.exe"

C:\Windows\SysWOW64\txejjc.exe

C:\Windows\system32\txejjc.exe 452 "C:\Windows\SysWOW64\hgnwmr.exe"

C:\Windows\SysWOW64\txejjc.exe

C:\Windows\system32\txejjc.exe 452 "C:\Windows\SysWOW64\hgnwmr.exe"

C:\Windows\SysWOW64\ktbmey.exe

C:\Windows\system32\ktbmey.exe 452 "C:\Windows\SysWOW64\txejjc.exe"

C:\Windows\SysWOW64\ktbmey.exe

C:\Windows\system32\ktbmey.exe 452 "C:\Windows\SysWOW64\txejjc.exe"

C:\Windows\SysWOW64\bacudh.exe

C:\Windows\system32\bacudh.exe 452 "C:\Windows\SysWOW64\ktbmey.exe"

C:\Windows\SysWOW64\bacudh.exe

C:\Windows\system32\bacudh.exe 452 "C:\Windows\SysWOW64\ktbmey.exe"

C:\Windows\SysWOW64\vnquxn.exe

C:\Windows\system32\vnquxn.exe 452 "C:\Windows\SysWOW64\bacudh.exe"

C:\Windows\SysWOW64\vnquxn.exe

C:\Windows\system32\vnquxn.exe 452 "C:\Windows\SysWOW64\bacudh.exe"

C:\Windows\SysWOW64\njfptr.exe

C:\Windows\system32\njfptr.exe 452 "C:\Windows\SysWOW64\vnquxn.exe"

C:\Windows\SysWOW64\njfptr.exe

C:\Windows\system32\njfptr.exe 452 "C:\Windows\SysWOW64\vnquxn.exe"

C:\Windows\SysWOW64\eqnfas.exe

C:\Windows\system32\eqnfas.exe 452 "C:\Windows\SysWOW64\njfptr.exe"

C:\Windows\SysWOW64\eqnfas.exe

C:\Windows\system32\eqnfas.exe 452 "C:\Windows\SysWOW64\njfptr.exe"

C:\Windows\SysWOW64\vmcavx.exe

C:\Windows\system32\vmcavx.exe 452 "C:\Windows\SysWOW64\eqnfas.exe"

C:\Windows\SysWOW64\vmcavx.exe

C:\Windows\system32\vmcavx.exe 452 "C:\Windows\SysWOW64\eqnfas.exe"

C:\Windows\SysWOW64\niavrt.exe

C:\Windows\system32\niavrt.exe 452 "C:\Windows\SysWOW64\vmcavx.exe"

C:\Windows\SysWOW64\niavrt.exe

C:\Windows\system32\niavrt.exe 452 "C:\Windows\SysWOW64\vmcavx.exe"

C:\Windows\SysWOW64\bmgspp.exe

C:\Windows\system32\bmgspp.exe 452 "C:\Windows\SysWOW64\niavrt.exe"

C:\Windows\SysWOW64\bmgspp.exe

C:\Windows\system32\bmgspp.exe 452 "C:\Windows\SysWOW64\niavrt.exe"

C:\Windows\SysWOW64\pxbias.exe

C:\Windows\system32\pxbias.exe 452 "C:\Windows\SysWOW64\bmgspp.exe"

C:\Windows\SysWOW64\pxbias.exe

C:\Windows\system32\pxbias.exe 452 "C:\Windows\SysWOW64\bmgspp.exe"

C:\Windows\SysWOW64\khedru.exe

C:\Windows\system32\khedru.exe 452 "C:\Windows\SysWOW64\pxbias.exe"

C:\Windows\SysWOW64\khedru.exe

C:\Windows\system32\khedru.exe 452 "C:\Windows\SysWOW64\pxbias.exe"

C:\Windows\SysWOW64\qbztvy.exe

C:\Windows\system32\qbztvy.exe 452 "C:\Windows\SysWOW64\khedru.exe"

C:\Windows\SysWOW64\qbztvy.exe

C:\Windows\system32\qbztvy.exe 452 "C:\Windows\SysWOW64\khedru.exe"

C:\Windows\SysWOW64\htlboq.exe

C:\Windows\system32\htlboq.exe 452 "C:\Windows\SysWOW64\qbztvy.exe"

C:\Windows\SysWOW64\htlboq.exe

C:\Windows\system32\htlboq.exe 452 "C:\Windows\SysWOW64\qbztvy.exe"

C:\Windows\SysWOW64\ysljmz.exe

C:\Windows\system32\ysljmz.exe 452 "C:\Windows\SysWOW64\htlboq.exe"

C:\Windows\SysWOW64\ysljmz.exe

C:\Windows\system32\ysljmz.exe 452 "C:\Windows\SysWOW64\htlboq.exe"

C:\Windows\SysWOW64\tfrrhf.exe

C:\Windows\system32\tfrrhf.exe 452 "C:\Windows\SysWOW64\ysljmz.exe"

C:\Windows\SysWOW64\tfrrhf.exe

C:\Windows\system32\tfrrhf.exe 452 "C:\Windows\SysWOW64\ysljmz.exe"

C:\Windows\SysWOW64\jqlmis.exe

C:\Windows\system32\jqlmis.exe 452 "C:\Windows\SysWOW64\tfrrhf.exe"

C:\Windows\SysWOW64\jqlmis.exe

C:\Windows\system32\jqlmis.exe 452 "C:\Windows\SysWOW64\tfrrhf.exe"

C:\Windows\SysWOW64\bmaheo.exe

C:\Windows\system32\bmaheo.exe 452 "C:\Windows\SysWOW64\jqlmis.exe"

C:\Windows\SysWOW64\bmaheo.exe

C:\Windows\system32\bmaheo.exe 452 "C:\Windows\SysWOW64\jqlmis.exe"

C:\Windows\SysWOW64\vhohyu.exe

C:\Windows\system32\vhohyu.exe 452 "C:\Windows\SysWOW64\bmaheo.exe"

C:\Windows\SysWOW64\vhohyu.exe

C:\Windows\system32\vhohyu.exe 452 "C:\Windows\SysWOW64\bmaheo.exe"

C:\Windows\SysWOW64\obqhyj.exe

C:\Windows\system32\obqhyj.exe 452 "C:\Windows\SysWOW64\vhohyu.exe"

C:\Windows\SysWOW64\obqhyj.exe

C:\Windows\system32\obqhyj.exe 452 "C:\Windows\SysWOW64\vhohyu.exe"

C:\Windows\SysWOW64\jwwhsx.exe

C:\Windows\system32\jwwhsx.exe 452 "C:\Windows\SysWOW64\obqhyj.exe"

C:\Windows\SysWOW64\jwwhsx.exe

C:\Windows\system32\jwwhsx.exe 452 "C:\Windows\SysWOW64\obqhyj.exe"

C:\Windows\SysWOW64\xirxdt.exe

C:\Windows\system32\xirxdt.exe 452 "C:\Windows\SysWOW64\jwwhsx.exe"

C:\Windows\SysWOW64\xirxdt.exe

C:\Windows\system32\xirxdt.exe 452 "C:\Windows\SysWOW64\jwwhsx.exe"

C:\Windows\SysWOW64\oeoazx.exe

C:\Windows\system32\oeoazx.exe 452 "C:\Windows\SysWOW64\xirxdt.exe"

C:\Windows\SysWOW64\oeoazx.exe

C:\Windows\system32\oeoazx.exe 452 "C:\Windows\SysWOW64\xirxdt.exe"

C:\Windows\SysWOW64\xloixy.exe

C:\Windows\system32\xloixy.exe 452 "C:\Windows\SysWOW64\oeoazx.exe"

C:\Windows\SysWOW64\xloixy.exe

C:\Windows\system32\xloixy.exe 452 "C:\Windows\SysWOW64\oeoazx.exe"

C:\Windows\SysWOW64\rurvpi.exe

C:\Windows\system32\rurvpi.exe 452 "C:\Windows\SysWOW64\xloixy.exe"

C:\Windows\SysWOW64\rurvpi.exe

C:\Windows\system32\rurvpi.exe 452 "C:\Windows\SysWOW64\xloixy.exe"

C:\Windows\SysWOW64\gcjgph.exe

C:\Windows\system32\gcjgph.exe 452 "C:\Windows\SysWOW64\rurvpi.exe"

C:\Windows\SysWOW64\gcjgph.exe

C:\Windows\system32\gcjgph.exe 452 "C:\Windows\SysWOW64\rurvpi.exe"

C:\Windows\SysWOW64\uktixz.exe

C:\Windows\system32\uktixz.exe 452 "C:\Windows\SysWOW64\gcjgph.exe"

C:\Windows\SysWOW64\uktixz.exe

C:\Windows\system32\uktixz.exe 452 "C:\Windows\SysWOW64\gcjgph.exe"

C:\Windows\SysWOW64\mgqdtd.exe

C:\Windows\system32\mgqdtd.exe 452 "C:\Windows\SysWOW64\uktixz.exe"

C:\Windows\SysWOW64\mgqdtd.exe

C:\Windows\system32\mgqdtd.exe 452 "C:\Windows\SysWOW64\uktixz.exe"

C:\Windows\SysWOW64\dkfgpa.exe

C:\Windows\system32\dkfgpa.exe 452 "C:\Windows\SysWOW64\mgqdtd.exe"

C:\Windows\SysWOW64\dkfgpa.exe

C:\Windows\system32\dkfgpa.exe 452 "C:\Windows\SysWOW64\mgqdtd.exe"

C:\Windows\SysWOW64\xxtgjo.exe

C:\Windows\system32\xxtgjo.exe 452 "C:\Windows\SysWOW64\dkfgpa.exe"

C:\Windows\SysWOW64\xxtgjo.exe

C:\Windows\system32\xxtgjo.exe 452 "C:\Windows\SysWOW64\dkfgpa.exe"

C:\Windows\SysWOW64\otibfk.exe

C:\Windows\system32\otibfk.exe 452 "C:\Windows\SysWOW64\xxtgjo.exe"

C:\Windows\SysWOW64\otibfk.exe

C:\Windows\system32\otibfk.exe 452 "C:\Windows\SysWOW64\xxtgjo.exe"

C:\Windows\SysWOW64\ajjhha.exe

C:\Windows\system32\ajjhha.exe 452 "C:\Windows\SysWOW64\otibfk.exe"

C:\Windows\SysWOW64\ajjhha.exe

C:\Windows\system32\ajjhha.exe 452 "C:\Windows\SysWOW64\otibfk.exe"

C:\Windows\SysWOW64\rfgblf.exe

C:\Windows\system32\rfgblf.exe 452 "C:\Windows\SysWOW64\ajjhha.exe"
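The listing above is the report's raw process record for the chain: for every dropped executable it shows the image path, then a command line made of the executable, a numeric argument and the quoted path of the executable that spawned it, and it records each process twice. The script below is an added example, not part of the Triage report and not code from the sample; it parses a constructed excerpt copied from the listing, reconstructs the drop order, and flags the gnukdr.exe hop, which is launched with 480 where every other hop gets 452. The command line shows `C:\Windows\system32\` while the image path shows `C:\Windows\SysWOW64\`; that is WoW64 file-system redirection for a 32-bit process, so the parser compares basenames only. The six-lowercase-letter name pattern used by `looks_like_hop` and the assumption that the excerpt has exactly one chain root are drawn from the listing, not stated by the report.

```python
"""Reconstruct the self-replication chain from a Triage-style process listing.

Each dropped executable is recorded as an image-path line followed by a
command-line line:  <exe> <number> "<path of the executable that dropped it>".
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt of the listing above (blank lines dropped; the parser
# strips them anyway). Every process appears twice, as in the report, and
# gnukdr.exe carries the odd 480 argument.
LISTING = r"""
C:\Windows\SysWOW64\rnqjdr.exe
C:\Windows\system32\rnqjdr.exe 452 "C:\Windows\SysWOW64\cjjlgw.exe"
C:\Windows\SysWOW64\rnqjdr.exe
C:\Windows\system32\rnqjdr.exe 452 "C:\Windows\SysWOW64\cjjlgw.exe"
C:\Windows\SysWOW64\ajnezn.exe
C:\Windows\system32\ajnezn.exe 452 "C:\Windows\SysWOW64\rnqjdr.exe"
C:\Windows\SysWOW64\ajnezn.exe
C:\Windows\system32\ajnezn.exe 452 "C:\Windows\SysWOW64\rnqjdr.exe"
C:\Windows\SysWOW64\oviukr.exe
C:\Windows\system32\oviukr.exe 452 "C:\Windows\SysWOW64\ajnezn.exe"
C:\Windows\SysWOW64\oviukr.exe
C:\Windows\system32\oviukr.exe 452 "C:\Windows\SysWOW64\ajnezn.exe"
C:\Windows\SysWOW64\gnukdr.exe
C:\Windows\system32\gnukdr.exe 480 "C:\Windows\SysWOW64\oviukr.exe"
C:\Windows\SysWOW64\gnukdr.exe
C:\Windows\system32\gnukdr.exe 480 "C:\Windows\SysWOW64\oviukr.exe"
C:\Windows\SysWOW64\xjjezo.exe
C:\Windows\system32\xjjezo.exe 452 "C:\Windows\SysWOW64\gnukdr.exe"
C:\Windows\SysWOW64\xjjezo.exe
C:\Windows\system32\xjjezo.exe 452 "C:\Windows\SysWOW64\gnukdr.exe"
"""

CMDLINE_RE = re.compile(r'^(?P<exe>[^\s"]+\.exe)\s+(?P<arg>\d+)\s+"(?P<parent>[^"]+)"\s*$', re.I)
SIX_LETTER = re.compile(r"^[a-z]{6}\.exe$")          # assumption: name pattern seen in the listing
SYSDIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_system_dir(path: str) -> bool:
    # system32 and SysWOW64 are the same directory for a redirected 32-bit process
    return path.lower().startswith(SYSDIRS)


@dataclass(frozen=True)
class Hop:
    image: str   # basename of the spawned executable
    arg: int     # numeric argument handed to it (452 on nearly every hop)
    parent: str  # basename of the executable quoted on its command line


def parse_listing(text: str) -> list[Hop]:
    """Pair each image-path line with the command-line line that follows it."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    hops = []
    for path, cmd in zip(lines[0::2], lines[1::2]):
        m = CMDLINE_RE.match(cmd)
        if not m or basename(m["exe"]) != basename(path):
            raise ValueError(f"unexpected pair: {path!r} / {cmd!r}")
        hops.append(Hop(basename(path), int(m["arg"]), basename(m["parent"])))
    return hops


def looks_like_hop(cmd: str) -> bool:
    """Detection heuristic for one link of this chain: a six-letter .exe in a
    Windows system directory started with a number and the quoted path of
    another six-letter .exe in a system directory."""
    m = CMDLINE_RE.match(cmd)
    if not m:
        return False
    exe, parent = m["exe"], m["parent"]
    return (in_system_dir(exe) and in_system_dir(parent)
            and bool(SIX_LETTER.match(basename(exe)))
            and bool(SIX_LETTER.match(basename(parent))))


def build_chain(hops: list[Hop]) -> list[Hop]:
    """Collapse the doubled entries and order the hops parent -> child."""
    by_image: dict[str, Hop] = {}
    for h in hops:
        by_image.setdefault(h.image, h)
    images = set(by_image)
    roots = [h for h in by_image.values() if h.parent not in images]
    if len(roots) != 1:  # assumption: the excerpt is one linear segment of the chain
        raise ValueError(f"expected one chain root, found {len(roots)}")
    chain, cur = [], roots[0]
    while cur is not None:
        chain.append(cur)
        children = [h for h in by_image.values() if h.parent == cur.image]
        if len(children) > 1:
            raise ValueError(f"{cur.image} has {len(children)} children; chain is not linear")
        cur = children[0] if children else None
    return chain


def odd_arguments(chain: list[Hop]) -> list[Hop]:
    """Hops whose numeric argument differs from the value used by most hops."""
    usual = Counter(h.arg for h in chain).most_common(1)[0][0]
    return [h for h in chain if h.arg != usual]


if __name__ == "__main__":
    chain = build_chain(parse_listing(LISTING))
    print(" -> ".join(h.image for h in chain))
    for h in odd_arguments(chain):
        print(f"argument anomaly: {h.image} launched with {h.arg}")
```

Run against the full listing, the same code gives the complete drop order and confirms that gnukdr.exe is the only hop whose argument deviates; `looks_like_hop` is the piece worth lifting into a process-creation rule, since it keys on the command-line shape rather than on the random six-letter names, which change on every run.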

Network

N/A

Files

memory/848-4-0x0000000000400000-0x000000000050D000-memory.dmp

memory/848-2-0x0000000000400000-0x000000000050D000-memory.dmp

memory/848-12-0x0000000000400000-0x000000000050D000-memory.dmp

memory/848-10-0x0000000000400000-0x000000000050D000-memory.dmp

memory/848-15-0x0000000000400000-0x000000000050D000-memory.dmp

memory/848-8-0x0000000000400000-0x000000000050D000-memory.dmp

memory/848-6-0x0000000000400000-0x000000000050D000-memory.dmp

memory/848-0-0x0000000000400000-0x000000000050D000-memory.dmp

memory/848-14-0x0000000000400000-0x000000000050D000-memory.dmp

\Windows\SysWOW64\bynbkf.exe

MD5 06026e4203f13fffe9d741a6872a75ae
SHA1 4bd5ff87c0efda2cafd1cb3254f46955d52a12ec
SHA256 ec530b5f552febe9631fb4d1fd90e74ef21be4093eb9cde42657bf2dfeb6a486
SHA512 37e9d3bf7a38fc16b323c49034f0c754dcd09d2c6c6679b4226bf9d8a659867b2ca27a8d2798f3e0a0ef1f3641761664a6d6b9a6a69ed84b4d2881a8324d3962

memory/848-28-0x0000000000400000-0x000000000050D000-memory.dmp

memory/2796-48-0x0000000000400000-0x000000000050D000-memory.dmp

memory/2528-77-0x0000000000400000-0x000000000050D000-memory.dmp

memory/2880-114-0x0000000000400000-0x000000000050D000-memory.dmp
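Two checks a practitioner would want to run over the Files section above, as an added example that is not part of the Triage report: parsing the `memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp` dump names to confirm that every captured process (PIDs 848, 2796, 2528, 2880) exposes the same 0x400000-0x50D000 range, and comparing the dropped file's hashes with the submitted sample, whose filename starts with its MD5, so an equal MD5 means the drop is a byte-for-byte copy of the original. The dump list and hash values are copied from the report; `hash_bytes` and `mismatched` are for re-verifying a local copy of the file and are not something the report provides.

```python
"""Checks over the Files section of the behavioral1 run: memory-dump names
and the dropped file's hashes."""
from __future__ import annotations

import hashlib
import re
from collections import defaultdict

# Constructed from the entries listed above.
DUMPS = [
    "memory/848-0-0x0000000000400000-0x000000000050D000-memory.dmp",
    "memory/848-4-0x0000000000400000-0x000000000050D000-memory.dmp",
    "memory/2796-48-0x0000000000400000-0x000000000050D000-memory.dmp",
    "memory/2528-77-0x0000000000400000-0x000000000050D000-memory.dmp",
    "memory/2880-114-0x0000000000400000-0x000000000050D000-memory.dmp",
]
SAMPLE_NAME = "06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe"
DROPPED = {  # hashes the report gives for \Windows\SysWOW64\bynbkf.exe
    "md5": "06026e4203f13fffe9d741a6872a75ae",
    "sha1": "4bd5ff87c0efda2cafd1cb3254f46955d52a12ec",
    "sha256": "ec530b5f552febe9631fb4d1fd90e74ef21be4093eb9cde42657bf2dfeb6a486",
    "sha512": "37e9d3bf7a38fc16b323c49034f0c754dcd09d2c6c6679b4226bf9d8a659867b"
              "2ca27a8d2798f3e0a0ef1f3641761664a6d6b9a6a69ed84b4d2881a8324d3962",
}
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name: str) -> dict:
    """Split a dump name into pid, sequence number and the dumped address range."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def regions_by_pid(names) -> dict[int, set[tuple[int, int]]]:
    out: dict[int, set[tuple[int, int]]] = defaultdict(set)
    for n in names:
        d = parse_dump_name(n)
        out[d["pid"]].add((d["start"], d["end"]))
    return dict(out)


def shared_region(names):
    """The one (start, end) range if every dump covers the same range, else None.
    Identical ranges across PIDs mean each process mapped an image of the same size."""
    regions = {r for rs in regions_by_pid(names).values() for r in rs}
    return next(iter(regions)) if len(regions) == 1 else None


def hashes_well_formed(h: dict[str, str]) -> bool:
    """Every digest present with the hex length its algorithm produces."""
    return all(len(h.get(a, "")) == n and all(c in "0123456789abcdef" for c in h[a].lower())
               for a, n in HEX_LEN.items())


def dropped_matches_sample_name(sample_name: str, md5: str) -> bool:
    """The submitted file is named <md5>_JaffaCakes118.exe; an equal MD5 on the
    dropped file means the drop is the original binary copied unchanged."""
    return sample_name.split("_", 1)[0].lower() == md5.lower()


def hash_bytes(data: bytes) -> dict[str, str]:
    """Digests of a local copy, for re-verification against the report."""
    return {a: hashlib.new(a, data).hexdigest() for a in HEX_LEN}


def mismatched(actual: dict[str, str], reported: dict[str, str]) -> list[str]:
    """Algorithms whose digest of the local copy disagrees with the report."""
    return sorted(a for a in HEX_LEN if actual[a].lower() != reported[a].lower())


if __name__ == "__main__":
    print("pids dumped:", sorted(regions_by_pid(DUMPS)))
    r = shared_region(DUMPS)
    if r:
        print(f"all dumps cover 0x{r[0]:X}-0x{r[1]:X} ({r[1] - r[0]} bytes)")
    print("dropped file is the submitted sample:",
          dropped_matches_sample_name(SAMPLE_NAME, DROPPED["md5"]))
```

A dropped copy that hashes identically to the submitted sample means a single file-hash indicator covers both the original and every SysWOW64 copy in the chain; the random six-letter filenames add nothing that the hash does not already catch.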

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-23 12:34

Reported

2024-06-23 12:37

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\fahfmz.exe N/A
N/A N/A C:\Windows\SysWOW64\fahfmz.exe N/A
N/A N/A C:\Windows\SysWOW64\svpkly.exe N/A
N/A N/A C:\Windows\SysWOW64\svpkly.exe N/A
N/A N/A C:\Windows\SysWOW64\ftugqn.exe N/A
N/A N/A C:\Windows\SysWOW64\ftugqn.exe N/A
N/A N/A C:\Windows\SysWOW64\ftrwqx.exe N/A
N/A N/A C:\Windows\SysWOW64\ftrwqx.exe N/A
N/A N/A C:\Windows\SysWOW64\sdhezr.exe N/A
N/A N/A C:\Windows\SysWOW64\sdhezr.exe N/A
N/A N/A C:\Windows\SysWOW64\kdlhje.exe N/A
N/A N/A C:\Windows\SysWOW64\kdlhje.exe N/A
N/A N/A C:\Windows\SysWOW64\alhnei.exe N/A
N/A N/A C:\Windows\SysWOW64\alhnei.exe N/A
N/A N/A C:\Windows\SysWOW64\puctqm.exe N/A
N/A N/A C:\Windows\SysWOW64\puctqm.exe N/A
N/A N/A C:\Windows\SysWOW64\hxajee.exe N/A
N/A N/A C:\Windows\SysWOW64\hxajee.exe N/A
N/A N/A C:\Windows\SysWOW64\zmamur.exe N/A
N/A N/A C:\Windows\SysWOW64\zmamur.exe N/A
N/A N/A C:\Windows\SysWOW64\udvudo.exe N/A
N/A N/A C:\Windows\SysWOW64\udvudo.exe N/A
N/A N/A C:\Windows\SysWOW64\motkqg.exe N/A
N/A N/A C:\Windows\SysWOW64\motkqg.exe N/A
N/A N/A C:\Windows\SysWOW64\evtngb.exe N/A
N/A N/A C:\Windows\SysWOW64\evtngb.exe N/A
N/A N/A C:\Windows\SysWOW64\wgjdul.exe N/A
N/A N/A C:\Windows\SysWOW64\wgjdul.exe N/A
N/A N/A C:\Windows\SysWOW64\hgvgey.exe N/A
N/A N/A C:\Windows\SysWOW64\hgvgey.exe N/A
N/A N/A C:\Windows\SysWOW64\zdwemh.exe N/A
N/A N/A C:\Windows\SysWOW64\zdwemh.exe N/A
N/A N/A C:\Windows\SysWOW64\osgceu.exe N/A
N/A N/A C:\Windows\SysWOW64\osgceu.exe N/A
N/A N/A C:\Windows\SysWOW64\hopamd.exe N/A
N/A N/A C:\Windows\SysWOW64\hopamd.exe N/A
N/A N/A C:\Windows\SysWOW64\zreqzu.exe N/A
N/A N/A C:\Windows\SysWOW64\zreqzu.exe N/A
N/A N/A C:\Windows\SysWOW64\rgftqq.exe N/A
N/A N/A C:\Windows\SysWOW64\rgftqq.exe N/A
N/A N/A C:\Windows\SysWOW64\kdgryz.exe N/A
N/A N/A C:\Windows\SysWOW64\kdgryz.exe N/A
N/A N/A C:\Windows\SysWOW64\efmmjs.exe N/A
N/A N/A C:\Windows\SysWOW64\efmmjs.exe N/A
N/A N/A C:\Windows\SysWOW64\wmuhzo.exe N/A
N/A N/A C:\Windows\SysWOW64\wmuhzo.exe N/A
N/A N/A C:\Windows\SysWOW64\rpaclh.exe N/A
N/A N/A C:\Windows\SysWOW64\rpaclh.exe N/A
N/A N/A C:\Windows\SysWOW64\evskrm.exe N/A
N/A N/A C:\Windows\SysWOW64\evskrm.exe N/A
N/A N/A C:\Windows\SysWOW64\zqygdf.exe N/A
N/A N/A C:\Windows\SysWOW64\zqygdf.exe N/A
N/A N/A C:\Windows\SysWOW64\usmbpg.exe N/A
N/A N/A C:\Windows\SysWOW64\usmbpg.exe N/A
N/A N/A C:\Windows\SysWOW64\onswaz.exe N/A
N/A N/A C:\Windows\SysWOW64\onswaz.exe N/A
N/A N/A C:\Windows\SysWOW64\gctzqv.exe N/A
N/A N/A C:\Windows\SysWOW64\gctzqv.exe N/A
N/A N/A C:\Windows\SysWOW64\yfqpem.exe N/A
N/A N/A C:\Windows\SysWOW64\yfqpem.exe N/A
N/A N/A C:\Windows\SysWOW64\telxfb.exe N/A
N/A N/A C:\Windows\SysWOW64\telxfb.exe N/A
N/A N/A C:\Windows\SysWOW64\miinst.exe N/A
N/A N/A C:\Windows\SysWOW64\miinst.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\zreqzu.exe C:\Windows\SysWOW64\hopamd.exe N/A
File created C:\Windows\SysWOW64\efmmjs.exe C:\Windows\SysWOW64\kdgryz.exe N/A
File opened for modification C:\Windows\SysWOW64\schpwp.exe C:\Windows\SysWOW64\ywipij.exe N/A
File created C:\Windows\SysWOW64\uzgjjx.exe C:\Windows\SysWOW64\bzugyk.exe N/A
File created C:\Windows\SysWOW64\oxjknf.exe C:\Windows\SysWOW64\wmuuzw.exe N/A
File created C:\Windows\SysWOW64\hcufmy.exe C:\Windows\SysWOW64\nwdxfs.exe N/A
File created C:\Windows\SysWOW64\kgshic.exe C:\Windows\SysWOW64\pdelwb.exe N/A
File opened for modification C:\Windows\SysWOW64\udvudo.exe C:\Windows\SysWOW64\zmamur.exe N/A
File opened for modification C:\Windows\SysWOW64\motkqg.exe C:\Windows\SysWOW64\udvudo.exe N/A
File created C:\Windows\SysWOW64\gctzqv.exe C:\Windows\SysWOW64\onswaz.exe N/A
File opened for modification C:\Windows\SysWOW64\yomzrl.exe C:\Windows\SysWOW64\gkojeu.exe N/A
File created C:\Windows\SysWOW64\djlfix.exe C:\Windows\SysWOW64\lgnpvf.exe N/A
File created C:\Windows\SysWOW64\edypcy.exe C:\Windows\SysWOW64\ududrk.exe N/A
File created C:\Windows\SysWOW64\hrxynm.exe C:\Windows\SysWOW64\poziac.exe N/A
File created C:\Windows\SysWOW64\kdlhje.exe C:\Windows\SysWOW64\sdhezr.exe N/A
File opened for modification C:\Windows\SysWOW64\ztoyep.exe C:\Windows\SysWOW64\hqrirx.exe N/A
File created C:\Windows\SysWOW64\faycmd.exe C:\Windows\SysWOW64\kgshic.exe N/A
File opened for modification C:\Windows\SysWOW64\msbirp.exe C:\Windows\SysWOW64\uolsex.exe N/A
File opened for modification C:\Windows\SysWOW64\kkjmhz.exe C:\Windows\SysWOW64\szmwui.exe N/A
File created C:\Windows\SysWOW64\eandbh.exe C:\Windows\SysWOW64\indidp.exe N/A
File created C:\Windows\SysWOW64\izgjnv.exe C:\Windows\SysWOW64\nxswcu.exe N/A
File opened for modification C:\Windows\SysWOW64\ejbzmy.exe C:\Windows\SysWOW64\mkpwck.exe N/A
File opened for modification C:\Windows\SysWOW64\iekzmw.exe C:\Windows\SysWOW64\qpkwwa.exe N/A
File created C:\Windows\SysWOW64\pdelwb.exe C:\Windows\SysWOW64\uiyqli.exe N/A
File opened for modification C:\Windows\SysWOW64\optgqm.exe C:\Windows\SysWOW64\zzjjyz.exe N/A
File opened for modification C:\Windows\SysWOW64\wmuhzo.exe C:\Windows\SysWOW64\efmmjs.exe N/A
File created C:\Windows\SysWOW64\nulmqp.exe C:\Windows\SysWOW64\adrvha.exe N/A
File created C:\Windows\SysWOW64\smkuvk.exe C:\Windows\SysWOW64\xvhmun.exe N/A
File opened for modification C:\Windows\SysWOW64\eiqlee.exe C:\Windows\SysWOW64\mtpioi.exe N/A
File created C:\Windows\SysWOW64\bzugyk.exe C:\Windows\SysWOW64\jzqvnx.exe N/A
File created C:\Windows\SysWOW64\ovntvf.exe C:\Windows\SysWOW64\qmcfoh.exe N/A
File created C:\Windows\SysWOW64\ftrwqx.exe C:\Windows\SysWOW64\ftugqn.exe N/A
File created C:\Windows\SysWOW64\wmpwgx.exe C:\Windows\SysWOW64\emctvk.exe N/A
File opened for modification C:\Windows\SysWOW64\iyvytq.exe C:\Windows\SysWOW64\nwhdhx.exe N/A
File created C:\Windows\SysWOW64\indidp.exe C:\Windows\SysWOW64\qjgsqx.exe N/A
File opened for modification C:\Windows\SysWOW64\gkojeu.exe C:\Windows\SysWOW64\miinst.exe N/A
File opened for modification C:\Windows\SysWOW64\feybuq.exe C:\Windows\SysWOW64\pvdvhm.exe N/A
File created C:\Windows\SysWOW64\krjnco.exe C:\Windows\SysWOW64\sotxox.exe N/A
File opened for modification C:\Windows\SysWOW64\nwdxfs.exe C:\Windows\SysWOW64\stxbuz.exe N/A
File created C:\Windows\SysWOW64\uysgot.exe C:\Windows\SysWOW64\zemlla.exe N/A
File opened for modification C:\Windows\SysWOW64\kdgryz.exe C:\Windows\SysWOW64\rgftqq.exe N/A
File opened for modification C:\Windows\SysWOW64\onswaz.exe C:\Windows\SysWOW64\usmbpg.exe N/A
File opened for modification C:\Windows\SysWOW64\vssnuf.exe C:\Windows\SysWOW64\gvipcs.exe N/A
File created C:\Windows\SysWOW64\jqvwic.exe C:\Windows\SysWOW64\bparwy.exe N/A
File opened for modification C:\Windows\SysWOW64\bxhztp.exe C:\Windows\SysWOW64\jqvwic.exe N/A
File created C:\Windows\SysWOW64\tqrhlm.exe C:\Windows\SysWOW64\bbreuq.exe N/A
File created C:\Windows\SysWOW64\hxajee.exe C:\Windows\SysWOW64\puctqm.exe N/A
File opened for modification C:\Windows\SysWOW64\lnqikx.exe C:\Windows\SysWOW64\tnefaj.exe N/A
File created C:\Windows\SysWOW64\gvipcs.exe C:\Windows\SysWOW64\lhqmwa.exe N/A
File opened for modification C:\Windows\SysWOW64\jgahox.exe C:\Windows\SysWOW64\tuuozp.exe N/A
File opened for modification C:\Windows\SysWOW64\hrxynm.exe C:\Windows\SysWOW64\poziac.exe N/A
File created C:\Windows\SysWOW64\iyvytq.exe C:\Windows\SysWOW64\nwhdhx.exe N/A
File created C:\Windows\SysWOW64\pwwuyd.exe C:\Windows\SysWOW64\xszekm.exe N/A
File opened for modification C:\Windows\SysWOW64\eandbh.exe C:\Windows\SysWOW64\indidp.exe N/A
File opened for modification C:\Windows\SysWOW64\svpkly.exe C:\Windows\SysWOW64\fahfmz.exe N/A
File opened for modification C:\Windows\SysWOW64\nrevjw.exe C:\Windows\SysWOW64\sppaxv.exe N/A
File created C:\Windows\SysWOW64\aiwcwt.exe C:\Windows\SysWOW64\ffqhts.exe N/A
File created C:\Windows\SysWOW64\ztoyep.exe C:\Windows\SysWOW64\hqrirx.exe N/A
File opened for modification C:\Windows\SysWOW64\zzjjyz.exe C:\Windows\SysWOW64\hrxynm.exe N/A
File opened for modification C:\Windows\SysWOW64\jpstsv.exe C:\Windows\SysWOW64\oyxljy.exe N/A
File created C:\Windows\SysWOW64\adrvha.exe C:\Windows\SysWOW64\ficavz.exe N/A
File created C:\Windows\SysWOW64\ffqhts.exe C:\Windows\SysWOW64\kkjmhz.exe N/A
File opened for modification C:\Windows\SysWOW64\dvnhnl.exe C:\Windows\SysWOW64\iekzmw.exe N/A
File opened for modification C:\Windows\SysWOW64\qmcfoh.exe C:\Windows\SysWOW64\yytcyl.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2000 set thread context of 4884 N/A C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe
PID 4876 set thread context of 3896 N/A C:\Windows\SysWOW64\fahfmz.exe C:\Windows\SysWOW64\fahfmz.exe
PID 4508 set thread context of 4628 N/A C:\Windows\SysWOW64\svpkly.exe C:\Windows\SysWOW64\svpkly.exe
PID 976 set thread context of 2924 N/A C:\Windows\SysWOW64\ftugqn.exe C:\Windows\SysWOW64\ftugqn.exe
PID 3248 set thread context of 4688 N/A C:\Windows\SysWOW64\ftrwqx.exe C:\Windows\SysWOW64\ftrwqx.exe
PID 4624 set thread context of 2032 N/A C:\Windows\SysWOW64\sdhezr.exe C:\Windows\SysWOW64\sdhezr.exe
PID 4204 set thread context of 4272 N/A C:\Windows\SysWOW64\kdlhje.exe C:\Windows\SysWOW64\kdlhje.exe
PID 2704 set thread context of 4284 N/A C:\Windows\SysWOW64\alhnei.exe C:\Windows\SysWOW64\alhnei.exe
PID 4556 set thread context of 1076 N/A C:\Windows\SysWOW64\puctqm.exe C:\Windows\SysWOW64\puctqm.exe
PID 2784 set thread context of 2728 N/A C:\Windows\SysWOW64\hxajee.exe C:\Windows\SysWOW64\hxajee.exe
PID 4600 set thread context of 4320 N/A C:\Windows\SysWOW64\zmamur.exe C:\Windows\SysWOW64\zmamur.exe
PID 4768 set thread context of 316 N/A C:\Windows\SysWOW64\udvudo.exe C:\Windows\SysWOW64\udvudo.exe
PID 4616 set thread context of 1128 N/A C:\Windows\SysWOW64\motkqg.exe C:\Windows\SysWOW64\motkqg.exe
PID 4116 set thread context of 4632 N/A C:\Windows\SysWOW64\evtngb.exe C:\Windows\SysWOW64\evtngb.exe
PID 1340 set thread context of 412 N/A C:\Windows\SysWOW64\wgjdul.exe C:\Windows\SysWOW64\wgjdul.exe
PID 2704 set thread context of 3196 N/A C:\Windows\SysWOW64\hgvgey.exe C:\Windows\SysWOW64\hgvgey.exe
PID 1936 set thread context of 3120 N/A C:\Windows\SysWOW64\zdwemh.exe C:\Windows\SysWOW64\zdwemh.exe
PID 5064 set thread context of 2996 N/A C:\Windows\SysWOW64\osgceu.exe C:\Windows\SysWOW64\osgceu.exe
PID 1956 set thread context of 3492 N/A C:\Windows\SysWOW64\hopamd.exe C:\Windows\SysWOW64\hopamd.exe
PID 3124 set thread context of 3360 N/A C:\Windows\SysWOW64\zreqzu.exe C:\Windows\SysWOW64\zreqzu.exe
PID 3248 set thread context of 4176 N/A C:\Windows\SysWOW64\rgftqq.exe C:\Windows\SysWOW64\rgftqq.exe
PID 2164 set thread context of 1340 N/A C:\Windows\SysWOW64\kdgryz.exe C:\Windows\SysWOW64\kdgryz.exe
PID 3832 set thread context of 2176 N/A C:\Windows\SysWOW64\efmmjs.exe C:\Windows\SysWOW64\efmmjs.exe
PID 2000 set thread context of 3548 N/A C:\Windows\SysWOW64\wmuhzo.exe C:\Windows\SysWOW64\wmuhzo.exe
PID 1084 set thread context of 5056 N/A C:\Windows\SysWOW64\rpaclh.exe C:\Windows\SysWOW64\rpaclh.exe
PID 2104 set thread context of 1696 N/A C:\Windows\SysWOW64\evskrm.exe C:\Windows\SysWOW64\evskrm.exe
PID 5044 set thread context of 1092 N/A C:\Windows\SysWOW64\zqygdf.exe C:\Windows\SysWOW64\zqygdf.exe
PID 872 set thread context of 472 N/A C:\Windows\SysWOW64\usmbpg.exe C:\Windows\SysWOW64\usmbpg.exe
PID 804 set thread context of 1108 N/A C:\Windows\SysWOW64\onswaz.exe C:\Windows\SysWOW64\onswaz.exe
PID 3248 set thread context of 4428 N/A C:\Windows\SysWOW64\gctzqv.exe C:\Windows\SysWOW64\gctzqv.exe
PID 4204 set thread context of 2240 N/A C:\Windows\SysWOW64\yfqpem.exe C:\Windows\SysWOW64\yfqpem.exe
PID 1540 set thread context of 4844 N/A C:\Windows\SysWOW64\telxfb.exe C:\Windows\SysWOW64\telxfb.exe
PID 2584 set thread context of 4088 N/A C:\Windows\SysWOW64\miinst.exe C:\Windows\SysWOW64\miinst.exe
PID 2784 set thread context of 4948 N/A C:\Windows\SysWOW64\gkojeu.exe C:\Windows\SysWOW64\gkojeu.exe
PID 5044 set thread context of 4404 N/A C:\Windows\SysWOW64\yomzrl.exe C:\Windows\SysWOW64\yomzrl.exe
PID 1788 set thread context of 2308 N/A C:\Windows\SysWOW64\owzemp.exe C:\Windows\SysWOW64\owzemp.exe
PID 3592 set thread context of 4440 N/A C:\Windows\SysWOW64\tnefaj.exe C:\Windows\SysWOW64\tnefaj.exe
PID 4500 set thread context of 4476 N/A C:\Windows\SysWOW64\lnqikx.exe C:\Windows\SysWOW64\lnqikx.exe
PID 2228 set thread context of 4376 N/A C:\Windows\SysWOW64\emctvk.exe C:\Windows\SysWOW64\emctvk.exe
PID 3692 set thread context of 4804 N/A C:\Windows\SysWOW64\wmpwgx.exe C:\Windows\SysWOW64\wmpwgx.exe
PID 4488 set thread context of 5012 N/A C:\Windows\SysWOW64\lgnpvf.exe C:\Windows\SysWOW64\lgnpvf.exe
PID 3628 set thread context of 5044 N/A C:\Windows\SysWOW64\djlfix.exe C:\Windows\SysWOW64\djlfix.exe
PID 1816 set thread context of 2208 N/A C:\Windows\SysWOW64\vnavwp.exe C:\Windows\SysWOW64\vnavwp.exe
PID 1836 set thread context of 4260 N/A C:\Windows\SysWOW64\oyxljy.exe C:\Windows\SysWOW64\oyxljy.exe
PID 3624 set thread context of 2756 N/A C:\Windows\SysWOW64\jpstsv.exe C:\Windows\SysWOW64\jpstsv.exe
PID 2464 set thread context of 2416 N/A C:\Windows\SysWOW64\bsqjfm.exe C:\Windows\SysWOW64\bsqjfm.exe
PID 3080 set thread context of 3168 N/A C:\Windows\SysWOW64\lhqmwa.exe C:\Windows\SysWOW64\lhqmwa.exe
PID 3632 set thread context of 2452 N/A C:\Windows\SysWOW64\gvipcs.exe C:\Windows\SysWOW64\gvipcs.exe
PID 4256 set thread context of 4912 N/A C:\Windows\SysWOW64\vssnuf.exe C:\Windows\SysWOW64\vssnuf.exe
PID 3784 set thread context of 1336 N/A C:\Windows\SysWOW64\nwhdhx.exe C:\Windows\SysWOW64\nwhdhx.exe
PID 2816 set thread context of 4012 N/A C:\Windows\SysWOW64\iyvytq.exe C:\Windows\SysWOW64\iyvytq.exe
PID 4532 set thread context of 2116 N/A C:\Windows\SysWOW64\dtbteq.exe C:\Windows\SysWOW64\dtbteq.exe
PID 1856 set thread context of 3624 N/A C:\Windows\SysWOW64\ywipij.exe C:\Windows\SysWOW64\ywipij.exe
PID 4556 set thread context of 3984 N/A C:\Windows\SysWOW64\schpwp.exe C:\Windows\SysWOW64\schpwp.exe
PID 3684 set thread context of 2892 N/A C:\Windows\SysWOW64\kfwnkg.exe C:\Windows\SysWOW64\kfwnkg.exe
PID 4984 set thread context of 3348 N/A C:\Windows\SysWOW64\ficavz.exe C:\Windows\SysWOW64\ficavz.exe
PID 1016 set thread context of 2380 N/A C:\Windows\SysWOW64\adrvha.exe C:\Windows\SysWOW64\adrvha.exe
PID 1136 set thread context of 2704 N/A C:\Windows\SysWOW64\nulmqp.exe C:\Windows\SysWOW64\nulmqp.exe
PID 3784 set thread context of 2312 N/A C:\Windows\SysWOW64\ffjcdg.exe C:\Windows\SysWOW64\ffjcdg.exe
PID 2816 set thread context of 1308 N/A C:\Windows\SysWOW64\xmjftc.exe C:\Windows\SysWOW64\xmjftc.exe
PID 3832 set thread context of 3720 N/A C:\Windows\SysWOW64\sppaxv.exe C:\Windows\SysWOW64\sppaxv.exe
PID 2040 set thread context of 4480 N/A C:\Windows\SysWOW64\nrevjw.exe C:\Windows\SysWOW64\nrevjw.exe
PID 1936 set thread context of 4896 N/A C:\Windows\SysWOW64\imkiup.exe C:\Windows\SysWOW64\imkiup.exe
PID 2248 set thread context of 864 N/A C:\Windows\SysWOW64\csbrju.exe C:\Windows\SysWOW64\csbrju.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2000 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe
PID 2000 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe
PID 2000 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe
PID 2000 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe
PID 2000 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe
PID 2000 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe
PID 2000 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe
PID 2000 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe
PID 2000 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe
PID 4884 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe C:\Windows\SysWOW64\fahfmz.exe
PID 4884 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe C:\Windows\SysWOW64\fahfmz.exe
PID 4884 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe C:\Windows\SysWOW64\fahfmz.exe
PID 4876 wrote to memory of 3896 N/A C:\Windows\SysWOW64\fahfmz.exe C:\Windows\SysWOW64\fahfmz.exe
PID 4876 wrote to memory of 3896 N/A C:\Windows\SysWOW64\fahfmz.exe C:\Windows\SysWOW64\fahfmz.exe
PID 4876 wrote to memory of 3896 N/A C:\Windows\SysWOW64\fahfmz.exe C:\Windows\SysWOW64\fahfmz.exe
PID 4876 wrote to memory of 3896 N/A C:\Windows\SysWOW64\fahfmz.exe C:\Windows\SysWOW64\fahfmz.exe
PID 4876 wrote to memory of 3896 N/A C:\Windows\SysWOW64\fahfmz.exe C:\Windows\SysWOW64\fahfmz.exe
PID 4876 wrote to memory of 3896 N/A C:\Windows\SysWOW64\fahfmz.exe C:\Windows\SysWOW64\fahfmz.exe
PID 4876 wrote to memory of 3896 N/A C:\Windows\SysWOW64\fahfmz.exe C:\Windows\SysWOW64\fahfmz.exe
PID 4876 wrote to memory of 3896 N/A C:\Windows\SysWOW64\fahfmz.exe C:\Windows\SysWOW64\fahfmz.exe
PID 4876 wrote to memory of 3896 N/A C:\Windows\SysWOW64\fahfmz.exe C:\Windows\SysWOW64\fahfmz.exe
PID 3896 wrote to memory of 4508 N/A C:\Windows\SysWOW64\fahfmz.exe C:\Windows\SysWOW64\svpkly.exe
PID 3896 wrote to memory of 4508 N/A C:\Windows\SysWOW64\fahfmz.exe C:\Windows\SysWOW64\svpkly.exe
PID 3896 wrote to memory of 4508 N/A C:\Windows\SysWOW64\fahfmz.exe C:\Windows\SysWOW64\svpkly.exe
PID 4508 wrote to memory of 4628 N/A C:\Windows\SysWOW64\svpkly.exe C:\Windows\SysWOW64\svpkly.exe
PID 4508 wrote to memory of 4628 N/A C:\Windows\SysWOW64\svpkly.exe C:\Windows\SysWOW64\svpkly.exe
PID 4508 wrote to memory of 4628 N/A C:\Windows\SysWOW64\svpkly.exe C:\Windows\SysWOW64\svpkly.exe
PID 4508 wrote to memory of 4628 N/A C:\Windows\SysWOW64\svpkly.exe C:\Windows\SysWOW64\svpkly.exe
PID 4508 wrote to memory of 4628 N/A C:\Windows\SysWOW64\svpkly.exe C:\Windows\SysWOW64\svpkly.exe
PID 4508 wrote to memory of 4628 N/A C:\Windows\SysWOW64\svpkly.exe C:\Windows\SysWOW64\svpkly.exe
PID 4508 wrote to memory of 4628 N/A C:\Windows\SysWOW64\svpkly.exe C:\Windows\SysWOW64\svpkly.exe
PID 4508 wrote to memory of 4628 N/A C:\Windows\SysWOW64\svpkly.exe C:\Windows\SysWOW64\svpkly.exe
PID 4508 wrote to memory of 4628 N/A C:\Windows\SysWOW64\svpkly.exe C:\Windows\SysWOW64\svpkly.exe
PID 4628 wrote to memory of 976 N/A C:\Windows\SysWOW64\svpkly.exe C:\Windows\SysWOW64\ftugqn.exe
PID 4628 wrote to memory of 976 N/A C:\Windows\SysWOW64\svpkly.exe C:\Windows\SysWOW64\ftugqn.exe
PID 4628 wrote to memory of 976 N/A C:\Windows\SysWOW64\svpkly.exe C:\Windows\SysWOW64\ftugqn.exe
PID 976 wrote to memory of 2924 N/A C:\Windows\SysWOW64\ftugqn.exe C:\Windows\SysWOW64\ftugqn.exe
PID 976 wrote to memory of 2924 N/A C:\Windows\SysWOW64\ftugqn.exe C:\Windows\SysWOW64\ftugqn.exe
PID 976 wrote to memory of 2924 N/A C:\Windows\SysWOW64\ftugqn.exe C:\Windows\SysWOW64\ftugqn.exe
PID 976 wrote to memory of 2924 N/A C:\Windows\SysWOW64\ftugqn.exe C:\Windows\SysWOW64\ftugqn.exe
PID 976 wrote to memory of 2924 N/A C:\Windows\SysWOW64\ftugqn.exe C:\Windows\SysWOW64\ftugqn.exe
PID 976 wrote to memory of 2924 N/A C:\Windows\SysWOW64\ftugqn.exe C:\Windows\SysWOW64\ftugqn.exe
PID 976 wrote to memory of 2924 N/A C:\Windows\SysWOW64\ftugqn.exe C:\Windows\SysWOW64\ftugqn.exe
PID 976 wrote to memory of 2924 N/A C:\Windows\SysWOW64\ftugqn.exe C:\Windows\SysWOW64\ftugqn.exe
PID 976 wrote to memory of 2924 N/A C:\Windows\SysWOW64\ftugqn.exe C:\Windows\SysWOW64\ftugqn.exe
PID 2924 wrote to memory of 3248 N/A C:\Windows\SysWOW64\ftugqn.exe C:\Windows\SysWOW64\ftrwqx.exe
PID 2924 wrote to memory of 3248 N/A C:\Windows\SysWOW64\ftugqn.exe C:\Windows\SysWOW64\ftrwqx.exe
PID 2924 wrote to memory of 3248 N/A C:\Windows\SysWOW64\ftugqn.exe C:\Windows\SysWOW64\ftrwqx.exe
PID 3248 wrote to memory of 4688 N/A C:\Windows\SysWOW64\ftrwqx.exe C:\Windows\SysWOW64\ftrwqx.exe
PID 3248 wrote to memory of 4688 N/A C:\Windows\SysWOW64\ftrwqx.exe C:\Windows\SysWOW64\ftrwqx.exe
PID 3248 wrote to memory of 4688 N/A C:\Windows\SysWOW64\ftrwqx.exe C:\Windows\SysWOW64\ftrwqx.exe
PID 3248 wrote to memory of 4688 N/A C:\Windows\SysWOW64\ftrwqx.exe C:\Windows\SysWOW64\ftrwqx.exe
PID 3248 wrote to memory of 4688 N/A C:\Windows\SysWOW64\ftrwqx.exe C:\Windows\SysWOW64\ftrwqx.exe
PID 3248 wrote to memory of 4688 N/A C:\Windows\SysWOW64\ftrwqx.exe C:\Windows\SysWOW64\ftrwqx.exe
PID 3248 wrote to memory of 4688 N/A C:\Windows\SysWOW64\ftrwqx.exe C:\Windows\SysWOW64\ftrwqx.exe
PID 3248 wrote to memory of 4688 N/A C:\Windows\SysWOW64\ftrwqx.exe C:\Windows\SysWOW64\ftrwqx.exe
PID 3248 wrote to memory of 4688 N/A C:\Windows\SysWOW64\ftrwqx.exe C:\Windows\SysWOW64\ftrwqx.exe
PID 4688 wrote to memory of 4624 N/A C:\Windows\SysWOW64\ftrwqx.exe C:\Windows\SysWOW64\sdhezr.exe
PID 4688 wrote to memory of 4624 N/A C:\Windows\SysWOW64\ftrwqx.exe C:\Windows\SysWOW64\sdhezr.exe
PID 4688 wrote to memory of 4624 N/A C:\Windows\SysWOW64\ftrwqx.exe C:\Windows\SysWOW64\sdhezr.exe
PID 4624 wrote to memory of 2032 N/A C:\Windows\SysWOW64\sdhezr.exe C:\Windows\SysWOW64\sdhezr.exe
PID 4624 wrote to memory of 2032 N/A C:\Windows\SysWOW64\sdhezr.exe C:\Windows\SysWOW64\sdhezr.exe
PID 4624 wrote to memory of 2032 N/A C:\Windows\SysWOW64\sdhezr.exe C:\Windows\SysWOW64\sdhezr.exe
PID 4624 wrote to memory of 2032 N/A C:\Windows\SysWOW64\sdhezr.exe C:\Windows\SysWOW64\sdhezr.exe

Processes

C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe"

C:\Windows\SysWOW64\fahfmz.exe

C:\Windows\system32\fahfmz.exe 1000 "C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe"

C:\Windows\SysWOW64\fahfmz.exe

C:\Windows\system32\fahfmz.exe 1000 "C:\Users\Admin\AppData\Local\Temp\06026e4203f13fffe9d741a6872a75ae_JaffaCakes118.exe"

C:\Windows\SysWOW64\svpkly.exe

C:\Windows\system32\svpkly.exe 1160 "C:\Windows\SysWOW64\fahfmz.exe"

C:\Windows\SysWOW64\svpkly.exe

C:\Windows\system32\svpkly.exe 1160 "C:\Windows\SysWOW64\fahfmz.exe"

C:\Windows\SysWOW64\ftugqn.exe

C:\Windows\system32\ftugqn.exe 1004 "C:\Windows\SysWOW64\svpkly.exe"

C:\Windows\SysWOW64\ftugqn.exe

C:\Windows\system32\ftugqn.exe 1004 "C:\Windows\SysWOW64\svpkly.exe"

C:\Windows\SysWOW64\ftrwqx.exe

C:\Windows\system32\ftrwqx.exe 992 "C:\Windows\SysWOW64\ftugqn.exe"

C:\Windows\SysWOW64\ftrwqx.exe

C:\Windows\system32\ftrwqx.exe 992 "C:\Windows\SysWOW64\ftugqn.exe"

C:\Windows\SysWOW64\sdhezr.exe

C:\Windows\system32\sdhezr.exe 1000 "C:\Windows\SysWOW64\ftrwqx.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4088,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=4412 /prefetch:8

C:\Windows\SysWOW64\sdhezr.exe

C:\Windows\system32\sdhezr.exe 1000 "C:\Windows\SysWOW64\ftrwqx.exe"

C:\Windows\SysWOW64\kdlhje.exe

C:\Windows\system32\kdlhje.exe 1000 "C:\Windows\SysWOW64\sdhezr.exe"

C:\Windows\SysWOW64\kdlhje.exe

C:\Windows\system32\kdlhje.exe 1000 "C:\Windows\SysWOW64\sdhezr.exe"

C:\Windows\SysWOW64\alhnei.exe

C:\Windows\system32\alhnei.exe 1000 "C:\Windows\SysWOW64\kdlhje.exe"

C:\Windows\SysWOW64\alhnei.exe

C:\Windows\system32\alhnei.exe 1000 "C:\Windows\SysWOW64\kdlhje.exe"

C:\Windows\SysWOW64\puctqm.exe

C:\Windows\system32\puctqm.exe 1004 "C:\Windows\SysWOW64\alhnei.exe"

C:\Windows\SysWOW64\puctqm.exe

C:\Windows\system32\puctqm.exe 1004 "C:\Windows\SysWOW64\alhnei.exe"

C:\Windows\SysWOW64\hxajee.exe

C:\Windows\system32\hxajee.exe 1008 "C:\Windows\SysWOW64\puctqm.exe"

C:\Windows\SysWOW64\hxajee.exe

C:\Windows\system32\hxajee.exe 1008 "C:\Windows\SysWOW64\puctqm.exe"

C:\Windows\SysWOW64\zmamur.exe

C:\Windows\system32\zmamur.exe 1120 "C:\Windows\SysWOW64\hxajee.exe"

C:\Windows\SysWOW64\zmamur.exe

C:\Windows\system32\zmamur.exe 1120 "C:\Windows\SysWOW64\hxajee.exe"

C:\Windows\SysWOW64\udvudo.exe

C:\Windows\system32\udvudo.exe 992 "C:\Windows\SysWOW64\zmamur.exe"

C:\Windows\SysWOW64\udvudo.exe

C:\Windows\system32\udvudo.exe 992 "C:\Windows\SysWOW64\zmamur.exe"

C:\Windows\SysWOW64\motkqg.exe

C:\Windows\system32\motkqg.exe 1128 "C:\Windows\SysWOW64\udvudo.exe"

C:\Windows\SysWOW64\motkqg.exe

C:\Windows\system32\motkqg.exe 1128 "C:\Windows\SysWOW64\udvudo.exe"

C:\Windows\SysWOW64\evtngb.exe

C:\Windows\system32\evtngb.exe 988 "C:\Windows\SysWOW64\motkqg.exe"

C:\Windows\SysWOW64\evtngb.exe

C:\Windows\system32\evtngb.exe 988 "C:\Windows\SysWOW64\motkqg.exe"

C:\Windows\SysWOW64\wgjdul.exe

C:\Windows\system32\wgjdul.exe 992 "C:\Windows\SysWOW64\evtngb.exe"

C:\Windows\SysWOW64\wgjdul.exe

C:\Windows\system32\wgjdul.exe 992 "C:\Windows\SysWOW64\evtngb.exe"

C:\Windows\SysWOW64\hgvgey.exe

C:\Windows\system32\hgvgey.exe 996 "C:\Windows\SysWOW64\wgjdul.exe"

C:\Windows\SysWOW64\hgvgey.exe

C:\Windows\system32\hgvgey.exe 996 "C:\Windows\SysWOW64\wgjdul.exe"

C:\Windows\SysWOW64\zdwemh.exe

C:\Windows\system32\zdwemh.exe 1136 "C:\Windows\SysWOW64\hgvgey.exe"

C:\Windows\SysWOW64\zdwemh.exe

C:\Windows\system32\zdwemh.exe 1136 "C:\Windows\SysWOW64\hgvgey.exe"

C:\Windows\SysWOW64\osgceu.exe

C:\Windows\system32\osgceu.exe 968 "C:\Windows\SysWOW64\zdwemh.exe"

C:\Windows\SysWOW64\osgceu.exe

C:\Windows\system32\osgceu.exe 968 "C:\Windows\SysWOW64\zdwemh.exe"

C:\Windows\SysWOW64\hopamd.exe

C:\Windows\system32\hopamd.exe 1004 "C:\Windows\SysWOW64\osgceu.exe"

C:\Windows\SysWOW64\hopamd.exe

C:\Windows\system32\hopamd.exe 1004 "C:\Windows\SysWOW64\osgceu.exe"

C:\Windows\SysWOW64\zreqzu.exe

C:\Windows\system32\zreqzu.exe 996 "C:\Windows\SysWOW64\hopamd.exe"

C:\Windows\SysWOW64\zreqzu.exe

C:\Windows\system32\zreqzu.exe 996 "C:\Windows\SysWOW64\hopamd.exe"

C:\Windows\SysWOW64\rgftqq.exe

C:\Windows\system32\rgftqq.exe 1120 "C:\Windows\SysWOW64\zreqzu.exe"

C:\Windows\SysWOW64\rgftqq.exe

C:\Windows\system32\rgftqq.exe 1120 "C:\Windows\SysWOW64\zreqzu.exe"

C:\Windows\SysWOW64\kdgryz.exe

C:\Windows\system32\kdgryz.exe 996 "C:\Windows\SysWOW64\rgftqq.exe"

C:\Windows\SysWOW64\kdgryz.exe

C:\Windows\system32\kdgryz.exe 996 "C:\Windows\SysWOW64\rgftqq.exe"

C:\Windows\SysWOW64\efmmjs.exe

C:\Windows\system32\efmmjs.exe 1120 "C:\Windows\SysWOW64\kdgryz.exe"

C:\Windows\SysWOW64\efmmjs.exe

C:\Windows\system32\efmmjs.exe 1120 "C:\Windows\SysWOW64\kdgryz.exe"

C:\Windows\SysWOW64\wmuhzo.exe

C:\Windows\system32\wmuhzo.exe 1000 "C:\Windows\SysWOW64\efmmjs.exe"

C:\Windows\SysWOW64\wmuhzo.exe

C:\Windows\system32\wmuhzo.exe 1000 "C:\Windows\SysWOW64\efmmjs.exe"

C:\Windows\SysWOW64\rpaclh.exe

C:\Windows\system32\rpaclh.exe 988 "C:\Windows\SysWOW64\wmuhzo.exe"

C:\Windows\SysWOW64\rpaclh.exe

C:\Windows\system32\rpaclh.exe 988 "C:\Windows\SysWOW64\wmuhzo.exe"

C:\Windows\SysWOW64\evskrm.exe

C:\Windows\system32\evskrm.exe 992 "C:\Windows\SysWOW64\rpaclh.exe"

C:\Windows\SysWOW64\evskrm.exe

C:\Windows\system32\evskrm.exe 992 "C:\Windows\SysWOW64\rpaclh.exe"

C:\Windows\SysWOW64\zqygdf.exe

C:\Windows\system32\zqygdf.exe 988 "C:\Windows\SysWOW64\evskrm.exe"

C:\Windows\SysWOW64\zqygdf.exe

C:\Windows\system32\zqygdf.exe 988 "C:\Windows\SysWOW64\evskrm.exe"

C:\Windows\SysWOW64\usmbpg.exe

C:\Windows\system32\usmbpg.exe 1000 "C:\Windows\SysWOW64\zqygdf.exe"

C:\Windows\SysWOW64\usmbpg.exe

C:\Windows\system32\usmbpg.exe 1000 "C:\Windows\SysWOW64\zqygdf.exe"

C:\Windows\SysWOW64\onswaz.exe

C:\Windows\system32\onswaz.exe 1120 "C:\Windows\SysWOW64\usmbpg.exe"

C:\Windows\SysWOW64\onswaz.exe

C:\Windows\system32\onswaz.exe 1120 "C:\Windows\SysWOW64\usmbpg.exe"

C:\Windows\SysWOW64\gctzqv.exe

C:\Windows\system32\gctzqv.exe 988 "C:\Windows\SysWOW64\onswaz.exe"

C:\Windows\SysWOW64\gctzqv.exe

C:\Windows\system32\gctzqv.exe 988 "C:\Windows\SysWOW64\onswaz.exe"

C:\Windows\SysWOW64\yfqpem.exe

C:\Windows\system32\yfqpem.exe 988 "C:\Windows\SysWOW64\gctzqv.exe"

C:\Windows\SysWOW64\yfqpem.exe

C:\Windows\system32\yfqpem.exe 988 "C:\Windows\SysWOW64\gctzqv.exe"

C:\Windows\SysWOW64\telxfb.exe

C:\Windows\system32\telxfb.exe 1000 "C:\Windows\SysWOW64\yfqpem.exe"

C:\Windows\SysWOW64\telxfb.exe

C:\Windows\system32\telxfb.exe 1000 "C:\Windows\SysWOW64\yfqpem.exe"

C:\Windows\SysWOW64\miinst.exe

C:\Windows\system32\miinst.exe 1000 "C:\Windows\SysWOW64\telxfb.exe"

C:\Windows\SysWOW64\miinst.exe

C:\Windows\system32\miinst.exe 1000 "C:\Windows\SysWOW64\telxfb.exe"

C:\Windows\SysWOW64\gkojeu.exe

C:\Windows\system32\gkojeu.exe 992 "C:\Windows\SysWOW64\miinst.exe"

C:\Windows\SysWOW64\gkojeu.exe

C:\Windows\system32\gkojeu.exe 992 "C:\Windows\SysWOW64\miinst.exe"

C:\Windows\SysWOW64\yomzrl.exe

C:\Windows\system32\yomzrl.exe 988 "C:\Windows\SysWOW64\gkojeu.exe"

C:\Windows\SysWOW64\yomzrl.exe

C:\Windows\system32\yomzrl.exe 988 "C:\Windows\SysWOW64\gkojeu.exe"

C:\Windows\SysWOW64\owzemp.exe

C:\Windows\system32\owzemp.exe 1008 "C:\Windows\SysWOW64\yomzrl.exe"

C:\Windows\SysWOW64\owzemp.exe

C:\Windows\system32\owzemp.exe 1008 "C:\Windows\SysWOW64\yomzrl.exe"

C:\Windows\SysWOW64\tnefaj.exe

C:\Windows\system32\tnefaj.exe 1000 "C:\Windows\SysWOW64\owzemp.exe"

C:\Windows\SysWOW64\tnefaj.exe

C:\Windows\system32\tnefaj.exe 1000 "C:\Windows\SysWOW64\owzemp.exe"

C:\Windows\SysWOW64\lnqikx.exe

C:\Windows\system32\lnqikx.exe 988 "C:\Windows\SysWOW64\tnefaj.exe"

C:\Windows\SysWOW64\lnqikx.exe

C:\Windows\system32\lnqikx.exe 988 "C:\Windows\SysWOW64\tnefaj.exe"

C:\Windows\SysWOW64\emctvk.exe

C:\Windows\system32\emctvk.exe 1120 "C:\Windows\SysWOW64\lnqikx.exe"

C:\Windows\SysWOW64\emctvk.exe

C:\Windows\system32\emctvk.exe 1120 "C:\Windows\SysWOW64\lnqikx.exe"

C:\Windows\SysWOW64\wmpwgx.exe

C:\Windows\system32\wmpwgx.exe 1128 "C:\Windows\SysWOW64\emctvk.exe"

C:\Windows\SysWOW64\wmpwgx.exe

C:\Windows\system32\wmpwgx.exe 1128 "C:\Windows\SysWOW64\emctvk.exe"

C:\Windows\SysWOW64\lgnpvf.exe

C:\Windows\system32\lgnpvf.exe 1000 "C:\Windows\SysWOW64\wmpwgx.exe"

C:\Windows\SysWOW64\lgnpvf.exe

C:\Windows\system32\lgnpvf.exe 1000 "C:\Windows\SysWOW64\wmpwgx.exe"

C:\Windows\SysWOW64\djlfix.exe

C:\Windows\system32\djlfix.exe 1008 "C:\Windows\SysWOW64\lgnpvf.exe"

C:\Windows\SysWOW64\djlfix.exe

C:\Windows\system32\djlfix.exe 1008 "C:\Windows\SysWOW64\lgnpvf.exe"

C:\Windows\SysWOW64\vnavwp.exe

C:\Windows\system32\vnavwp.exe 1128 "C:\Windows\SysWOW64\djlfix.exe"

C:\Windows\SysWOW64\vnavwp.exe

C:\Windows\system32\vnavwp.exe 1128 "C:\Windows\SysWOW64\djlfix.exe"

C:\Windows\SysWOW64\oyxljy.exe


Network

Country Destination Domain Proto

Files

C:\Windows\SysWOW64\fahfmz.exe

MD5 06026e4203f13fffe9d741a6872a75ae
SHA1 4bd5ff87c0efda2cafd1cb3254f46955d52a12ec
SHA256 ec530b5f552febe9631fb4d1fd90e74ef21be4093eb9cde42657bf2dfeb6a486
SHA512 37e9d3bf7a38fc16b323c49034f0c754dcd09d2c6c6679b4226bf9d8a659867b2ca27a8d2798f3e0a0ef1f3641761664a6d6b9a6a69ed84b4d2881a8324d3962
