Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
122s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20240319-en -
resource tags
arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system -
submitted
07/04/2024, 00:08
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e39cdf07cbba4ce80ea4ea970a29a88d_JaffaCakes118.exe
Resource
win7-20240319-en
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
e39cdf07cbba4ce80ea4ea970a29a88d_JaffaCakes118.exe
Resource
win10v2004-20240226-en
0 signatures
150 seconds
General
-
Target
e39cdf07cbba4ce80ea4ea970a29a88d_JaffaCakes118.exe
-
Size
55KB
-
MD5
e39cdf07cbba4ce80ea4ea970a29a88d
-
SHA1
d701d9b43b490d309dc65e12b3f214f8e0ea3f80
-
SHA256
82c8428113cf6c8a40ffd8f70b2d0853829f40951408a16d1ee7a3c7c35247e5
-
SHA512
8f9c98aed4989ae17085f63fead07313bc47bd7977e230cb4005a1a9d3e5758177ade7e9d18969a3cf016732b800c24c227b57ebd3fe500a35dc56b3744d3134
-
SSDEEP
1536:bVvdEW1oUc+XA+czEYvg1zyHCvqFgwV/z2LO:bz1oUAxg1OdgmYO
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kaldcb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbfdaigg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbkmlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlfojn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Homclekn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjpcbe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qflhbhgg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfiale32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnimnfpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aijpnfif.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amqccfed.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmgninie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kiqpop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qiladcdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhajdblk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbcfadgl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiknhbcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jqnejn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfnmfn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llohjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okfgfl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Beejng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdbkjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Migbnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjbjhgde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qflhbhgg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpceidcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bejdiffp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojigbhlp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjnmlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhhpeafc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqlhdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfpclh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbomfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdacop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bphbeplm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocdmaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pqemdbaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ackkppma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjldghjm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihgainbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkolkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lghjel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Picnndmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhajdblk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfnmfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmihhelk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndhipoob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kqqboncb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lapnnafn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmikibio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Modkfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Libicbma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ollajp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okfgfl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaldcb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oghopm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oappcfmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akmjfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Achojp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Behgcf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knklagmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgjfkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqcpob32.exe -
Executes dropped EXE 64 IoCs
pid Process 1732 Gffoldhp.exe 2152 Gpncej32.exe 2520 Gjdhbc32.exe 2712 Ganpomec.exe 2436 Gbomfe32.exe 2640 Glgaok32.exe 2492 Gmgninie.exe 2504 Gbcfadgl.exe 2340 Ginnnooi.exe 960 Hlljjjnm.exe 2188 Hbfbgd32.exe 2652 Hlngpjlj.exe 1636 Homclekn.exe 2828 Heglio32.exe 2844 Hhehek32.exe 2824 Hoopae32.exe 2320 Hmbpmapf.exe 2020 Heihnoph.exe 992 Hkfagfop.exe 1544 Hdnepk32.exe 912 Hiknhbcg.exe 1964 Hpefdl32.exe 2236 Ikkjbe32.exe 768 Inifnq32.exe 2952 Icfofg32.exe 968 Iipgcaob.exe 2292 Ipjoplgo.exe 2512 Igchlf32.exe 2208 Iheddndj.exe 2556 Ioolqh32.exe 1296 Ihgainbg.exe 2716 Icmegf32.exe 2600 Ihjnom32.exe 2500 Ikhjki32.exe 1808 Jabbhcfe.exe 572 Jkjfah32.exe 524 Jnicmdli.exe 744 Jdbkjn32.exe 2684 Jkmcfhkc.exe 1672 Jjpcbe32.exe 852 Jqilooij.exe 2764 Jgcdki32.exe 1016 Jjbpgd32.exe 2964 Jqlhdo32.exe 812 Jcjdpj32.exe 1684 Jfiale32.exe 1980 Jnpinc32.exe 560 Jqnejn32.exe 432 Jcmafj32.exe 896 Kjfjbdle.exe 2116 Kqqboncb.exe 2076 Kbbngf32.exe 2996 Kjifhc32.exe 1604 Kilfcpqm.exe 1364 Kkjcplpa.exe 2272 Kcakaipc.exe 1960 Kfpgmdog.exe 2592 Kmjojo32.exe 880 Knklagmb.exe 740 Kbfhbeek.exe 1912 Kiqpop32.exe 340 Kkolkk32.exe 3008 Knmhgf32.exe 1548 Kaldcb32.exe -
Loads dropped DLL 64 IoCs
pid Process 2112 e39cdf07cbba4ce80ea4ea970a29a88d_JaffaCakes118.exe 2112 e39cdf07cbba4ce80ea4ea970a29a88d_JaffaCakes118.exe 1732 Gffoldhp.exe 1732 Gffoldhp.exe 2152 Gpncej32.exe 2152 Gpncej32.exe 2520 Gjdhbc32.exe 2520 Gjdhbc32.exe 2712 Ganpomec.exe 2712 Ganpomec.exe 2436 Gbomfe32.exe 2436 Gbomfe32.exe 2640 Glgaok32.exe 2640 Glgaok32.exe 2492 Gmgninie.exe 2492 Gmgninie.exe 2504 Gbcfadgl.exe 2504 Gbcfadgl.exe 2340 Ginnnooi.exe 2340 Ginnnooi.exe 960 Hlljjjnm.exe 960 Hlljjjnm.exe 2188 Hbfbgd32.exe 2188 Hbfbgd32.exe 2652 Hlngpjlj.exe 2652 Hlngpjlj.exe 1636 Homclekn.exe 1636 Homclekn.exe 2828 Heglio32.exe 2828 Heglio32.exe 2844 Hhehek32.exe 2844 Hhehek32.exe 2824 Hoopae32.exe 2824 Hoopae32.exe 2320 Hmbpmapf.exe 2320 Hmbpmapf.exe 2020 Heihnoph.exe 2020 Heihnoph.exe 992 Hkfagfop.exe 992 Hkfagfop.exe 1544 Hdnepk32.exe 1544 Hdnepk32.exe 912 Hiknhbcg.exe 912 Hiknhbcg.exe 1964 Hpefdl32.exe 1964 Hpefdl32.exe 2236 Ikkjbe32.exe 2236 Ikkjbe32.exe 768 Inifnq32.exe 768 Inifnq32.exe 2952 Icfofg32.exe 2952 Icfofg32.exe 968 Iipgcaob.exe 968 Iipgcaob.exe 2292 Ipjoplgo.exe 2292 Ipjoplgo.exe 2512 Igchlf32.exe 2512 Igchlf32.exe 2208 Iheddndj.exe 2208 Iheddndj.exe 2556 Ioolqh32.exe 2556 Ioolqh32.exe 1296 Ihgainbg.exe 1296 Ihgainbg.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Deeieqod.dll Kicmdo32.exe File created C:\Windows\SysWOW64\Neplhf32.exe Ncbplk32.exe File created C:\Windows\SysWOW64\Hlngpjlj.exe Hbfbgd32.exe File created C:\Windows\SysWOW64\Hhehek32.exe Heglio32.exe File created C:\Windows\SysWOW64\Abbeflpf.exe Acpdko32.exe File created C:\Windows\SysWOW64\Bpmiamoh.dll Kbfhbeek.exe File created C:\Windows\SysWOW64\Pcdipnqn.exe Pqemdbaj.exe File opened for modification C:\Windows\SysWOW64\Migbnb32.exe Mapjmehi.exe File created C:\Windows\SysWOW64\Kganqf32.dll Qiladcdh.exe File created C:\Windows\SysWOW64\Fhbhji32.dll Bnkbam32.exe File created C:\Windows\SysWOW64\Pkfaka32.dll Bhhpeafc.exe File created C:\Windows\SysWOW64\Homclekn.exe Hlngpjlj.exe File created C:\Windows\SysWOW64\Bohnbn32.dll Knmhgf32.exe File created C:\Windows\SysWOW64\Kkolkk32.exe Kiqpop32.exe File created C:\Windows\SysWOW64\Pqjfoa32.exe Picnndmb.exe File created C:\Windows\SysWOW64\Jkmcfhkc.exe Jdbkjn32.exe File created C:\Windows\SysWOW64\Hqalfl32.dll Kfpgmdog.exe File opened for modification C:\Windows\SysWOW64\Jcjdpj32.exe Jqlhdo32.exe File created C:\Windows\SysWOW64\Lphhenhc.exe Lmikibio.exe File opened for modification C:\Windows\SysWOW64\Mlaeonld.exe Libicbma.exe File created C:\Windows\SysWOW64\Mapjmehi.exe Moanaiie.exe File created C:\Windows\SysWOW64\Olonpp32.exe Odhfob32.exe File created C:\Windows\SysWOW64\Pmmani32.dll Aaloddnn.exe File created C:\Windows\SysWOW64\Mecjiaic.dll Ihjnom32.exe File created C:\Windows\SysWOW64\Jjpcbe32.exe Jkmcfhkc.exe File opened for modification C:\Windows\SysWOW64\Jgcdki32.exe Jqilooij.exe File created C:\Windows\SysWOW64\Mlcbenjb.exe Mhhfdo32.exe File created C:\Windows\SysWOW64\Hljdna32.dll Nckjkl32.exe File created C:\Windows\SysWOW64\Poapfn32.exe Pbnoliap.exe File opened for modification C:\Windows\SysWOW64\Bnkbam32.exe Bphbeplm.exe File created C:\Windows\SysWOW64\Beejng32.exe Bajomhbl.exe File created C:\Windows\SysWOW64\Godgob32.dll Ginnnooi.exe File created C:\Windows\SysWOW64\Jmamaoln.dll Hlljjjnm.exe File opened for modification C:\Windows\SysWOW64\Ljibgg32.exe Lgjfkk32.exe File created C:\Windows\SysWOW64\Nkeghkck.dll Mkklljmg.exe File opened for modification C:\Windows\SysWOW64\Okfgfl32.exe Ohhkjp32.exe File opened for modification C:\Windows\SysWOW64\Blkioa32.exe Bilmcf32.exe File created C:\Windows\SysWOW64\Fpcopobi.dll Blaopqpo.exe File created C:\Windows\SysWOW64\Gpncej32.exe Gffoldhp.exe File opened for modification C:\Windows\SysWOW64\Hkfagfop.exe Heihnoph.exe File opened for modification C:\Windows\SysWOW64\Mlcbenjb.exe Mhhfdo32.exe File opened for modification C:\Windows\SysWOW64\Bbikgk32.exe Bhdgjb32.exe File created C:\Windows\SysWOW64\Dhnook32.dll Bbikgk32.exe File created C:\Windows\SysWOW64\Nmgpon32.dll Iipgcaob.exe File created C:\Windows\SysWOW64\Hnecbc32.dll Lgmcqkkh.exe File opened for modification C:\Windows\SysWOW64\Kilfcpqm.exe Kjifhc32.exe File created C:\Windows\SysWOW64\Icdleb32.dll Ocdmaj32.exe File opened for modification C:\Windows\SysWOW64\Oghopm32.exe Olonpp32.exe File opened for modification C:\Windows\SysWOW64\Ihjnom32.exe Icmegf32.exe File opened for modification C:\Windows\SysWOW64\Jnpinc32.exe Jfiale32.exe File created C:\Windows\SysWOW64\Okfgfl32.exe Ohhkjp32.exe File opened for modification C:\Windows\SysWOW64\Pqjfoa32.exe Picnndmb.exe File created C:\Windows\SysWOW64\Pcibkm32.exe Pqjfoa32.exe File opened for modification C:\Windows\SysWOW64\Behgcf32.exe Bbikgk32.exe File created C:\Windows\SysWOW64\Ljacemio.dll Bobhal32.exe File created C:\Windows\SysWOW64\Gbomfe32.exe Ganpomec.exe File created C:\Windows\SysWOW64\Libicbma.exe Lfdmggnm.exe File opened for modification C:\Windows\SysWOW64\Jjpcbe32.exe Jkmcfhkc.exe File opened for modification C:\Windows\SysWOW64\Ndemjoae.exe Magqncba.exe File created C:\Windows\SysWOW64\Qijdocfj.exe Qflhbhgg.exe File opened for modification C:\Windows\SysWOW64\Glgaok32.exe Gbomfe32.exe File created C:\Windows\SysWOW64\Mmihhelk.exe Mkklljmg.exe File opened for modification C:\Windows\SysWOW64\Lfpclh32.exe Lgmcqkkh.exe File created C:\Windows\SysWOW64\Plnfdigq.dll Pndpajgd.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3328 3304 WerFault.exe 222 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnicmdli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeaceffc.dll" Mmihhelk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apdhjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhdgjb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okfgfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qjnmlk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lapnnafn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbelde32.dll" Lfdmggnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ombhbhel.dll" Mhhfdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkmhaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncbplk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfdmggnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdacop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imjcfnhk.dll" Qijdocfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kganqf32.dll" Qiladcdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apdhjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpekon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qijdocfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikhjki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olonpp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Inifnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpgimglf.dll" Igchlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aaheie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnalpimd.dll" Oeeecekc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajgpbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqnfen32.dll" Glgaok32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdbkjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpfdhnai.dll" Jdbkjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkqmaqbm.dll" Jcjdpj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Libicbma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojigbhlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pqemdbaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajpjcomh.dll" Bilmcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfgheegc.dll" Behgcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhdffl32.dll" Jfiale32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpcqjacl.dll" Kbbngf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llohjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elmnchif.dll" Aaheie32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajecmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khpnecca.dll" Jqlhdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcakaipc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Leimip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akmjfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhhpeafc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jqlhdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Moanaiie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nckjkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icfofg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpjmjp32.dll" Icfofg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcjbelmp.dll" Kkjcplpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blkioa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgpeal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnimnfpc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Achojp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlljjjnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgcdki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lghjel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdcpdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceamohhb.dll" Ngfflj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhnnjk32.dll" Pjbjhgde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldhfglad.dll" Bhajdblk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aaolidlk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Biojif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID e39cdf07cbba4ce80ea4ea970a29a88d_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2112 wrote to memory of 1732 2112 e39cdf07cbba4ce80ea4ea970a29a88d_JaffaCakes118.exe 28 PID 2112 wrote to memory of 1732 2112 e39cdf07cbba4ce80ea4ea970a29a88d_JaffaCakes118.exe 28 PID 2112 wrote to memory of 1732 2112 e39cdf07cbba4ce80ea4ea970a29a88d_JaffaCakes118.exe 28 PID 2112 wrote to memory of 1732 2112 e39cdf07cbba4ce80ea4ea970a29a88d_JaffaCakes118.exe 28 PID 1732 wrote to memory of 2152 1732 Gffoldhp.exe 29 PID 1732 wrote to memory of 2152 1732 Gffoldhp.exe 29 PID 1732 wrote to memory of 2152 1732 Gffoldhp.exe 29 PID 1732 wrote to memory of 2152 1732 Gffoldhp.exe 29 PID 2152 wrote to memory of 2520 2152 Gpncej32.exe 30 PID 2152 wrote to memory of 2520 2152 Gpncej32.exe 30 PID 2152 wrote to memory of 2520 2152 Gpncej32.exe 30 PID 2152 wrote to memory of 2520 2152 Gpncej32.exe 30 PID 2520 wrote to memory of 2712 2520 Gjdhbc32.exe 31 PID 2520 wrote to memory of 2712 2520 Gjdhbc32.exe 31 PID 2520 wrote to memory of 2712 2520 Gjdhbc32.exe 31 PID 2520 wrote to memory of 2712 2520 Gjdhbc32.exe 31 PID 2712 wrote to memory of 2436 2712 Ganpomec.exe 32 PID 2712 wrote to memory of 2436 2712 Ganpomec.exe 32 PID 2712 wrote to memory of 2436 2712 Ganpomec.exe 32 PID 2712 wrote to memory of 2436 2712 Ganpomec.exe 32 PID 2436 wrote to memory of 2640 2436 Gbomfe32.exe 33 PID 2436 wrote to memory of 2640 2436 Gbomfe32.exe 33 PID 2436 wrote to memory of 2640 2436 Gbomfe32.exe 33 PID 2436 wrote to memory of 2640 2436 Gbomfe32.exe 33 PID 2640 wrote to memory of 2492 2640 Glgaok32.exe 34 PID 2640 wrote to memory of 2492 2640 Glgaok32.exe 34 PID 2640 wrote to memory of 2492 2640 Glgaok32.exe 34 PID 2640 wrote to memory of 2492 2640 Glgaok32.exe 34 PID 2492 wrote to memory of 2504 2492 Gmgninie.exe 35 PID 2492 wrote to memory of 2504 2492 Gmgninie.exe 35 PID 2492 wrote to memory of 2504 2492 Gmgninie.exe 35 PID 2492 wrote to memory of 2504 2492 Gmgninie.exe 35 PID 2504 wrote to memory of 2340 2504 Gbcfadgl.exe 36 PID 2504 wrote to memory of 2340 2504 Gbcfadgl.exe 36 PID 2504 wrote to memory of 2340 2504 Gbcfadgl.exe 36 PID 2504 wrote to memory of 2340 2504 Gbcfadgl.exe 36 PID 2340 wrote to memory of 960 2340 Ginnnooi.exe 37 PID 2340 wrote to memory of 960 2340 Ginnnooi.exe 37 PID 2340 wrote to memory of 960 2340 Ginnnooi.exe 37 PID 2340 wrote to memory of 960 2340 Ginnnooi.exe 37 PID 960 wrote to memory of 2188 960 Hlljjjnm.exe 38 PID 960 wrote to memory of 2188 960 Hlljjjnm.exe 38 PID 960 wrote to memory of 2188 960 Hlljjjnm.exe 38 PID 960 wrote to memory of 2188 960 Hlljjjnm.exe 38 PID 2188 wrote to memory of 2652 2188 Hbfbgd32.exe 39 PID 2188 wrote to memory of 2652 2188 Hbfbgd32.exe 39 PID 2188 wrote to memory of 2652 2188 Hbfbgd32.exe 39 PID 2188 wrote to memory of 2652 2188 Hbfbgd32.exe 39 PID 2652 wrote to memory of 1636 2652 Hlngpjlj.exe 40 PID 2652 wrote to memory of 1636 2652 Hlngpjlj.exe 40 PID 2652 wrote to memory of 1636 2652 Hlngpjlj.exe 40 PID 2652 wrote to memory of 1636 2652 Hlngpjlj.exe 40 PID 1636 wrote to memory of 2828 1636 Homclekn.exe 41 PID 1636 wrote to memory of 2828 1636 Homclekn.exe 41 PID 1636 wrote to memory of 2828 1636 Homclekn.exe 41 PID 1636 wrote to memory of 2828 1636 Homclekn.exe 41 PID 2828 wrote to memory of 2844 2828 Heglio32.exe 42 PID 2828 wrote to memory of 2844 2828 Heglio32.exe 42 PID 2828 wrote to memory of 2844 2828 Heglio32.exe 42 PID 2828 wrote to memory of 2844 2828 Heglio32.exe 42 PID 2844 wrote to memory of 2824 2844 Hhehek32.exe 43 PID 2844 wrote to memory of 2824 2844 Hhehek32.exe 43 PID 2844 wrote to memory of 2824 2844 Hhehek32.exe 43 PID 2844 wrote to memory of 2824 2844 Hhehek32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\e39cdf07cbba4ce80ea4ea970a29a88d_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e39cdf07cbba4ce80ea4ea970a29a88d_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\Gffoldhp.exeC:\Windows\system32\Gffoldhp.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\SysWOW64\Gpncej32.exeC:\Windows\system32\Gpncej32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Gjdhbc32.exeC:\Windows\system32\Gjdhbc32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Ganpomec.exeC:\Windows\system32\Ganpomec.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Gbomfe32.exeC:\Windows\system32\Gbomfe32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\Glgaok32.exeC:\Windows\system32\Glgaok32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Gmgninie.exeC:\Windows\system32\Gmgninie.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\Gbcfadgl.exeC:\Windows\system32\Gbcfadgl.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Ginnnooi.exeC:\Windows\system32\Ginnnooi.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\Hlljjjnm.exeC:\Windows\system32\Hlljjjnm.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:960 -
C:\Windows\SysWOW64\Hbfbgd32.exeC:\Windows\system32\Hbfbgd32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Hlngpjlj.exeC:\Windows\system32\Hlngpjlj.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Homclekn.exeC:\Windows\system32\Homclekn.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\Heglio32.exeC:\Windows\system32\Heglio32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Hhehek32.exeC:\Windows\system32\Hhehek32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Hoopae32.exeC:\Windows\system32\Hoopae32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2824 -
C:\Windows\SysWOW64\Hmbpmapf.exeC:\Windows\system32\Hmbpmapf.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2320 -
C:\Windows\SysWOW64\Heihnoph.exeC:\Windows\system32\Heihnoph.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2020 -
C:\Windows\SysWOW64\Hkfagfop.exeC:\Windows\system32\Hkfagfop.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:992 -
C:\Windows\SysWOW64\Hdnepk32.exeC:\Windows\system32\Hdnepk32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1544 -
C:\Windows\SysWOW64\Hiknhbcg.exeC:\Windows\system32\Hiknhbcg.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:912 -
C:\Windows\SysWOW64\Hpefdl32.exeC:\Windows\system32\Hpefdl32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1964 -
C:\Windows\SysWOW64\Ikkjbe32.exeC:\Windows\system32\Ikkjbe32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2236 -
C:\Windows\SysWOW64\Inifnq32.exeC:\Windows\system32\Inifnq32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:768 -
C:\Windows\SysWOW64\Icfofg32.exeC:\Windows\system32\Icfofg32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2952 -
C:\Windows\SysWOW64\Iipgcaob.exeC:\Windows\system32\Iipgcaob.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:968 -
C:\Windows\SysWOW64\Ipjoplgo.exeC:\Windows\system32\Ipjoplgo.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2292 -
C:\Windows\SysWOW64\Igchlf32.exeC:\Windows\system32\Igchlf32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2512 -
C:\Windows\SysWOW64\Iheddndj.exeC:\Windows\system32\Iheddndj.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2208 -
C:\Windows\SysWOW64\Ioolqh32.exeC:\Windows\system32\Ioolqh32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2556 -
C:\Windows\SysWOW64\Ihgainbg.exeC:\Windows\system32\Ihgainbg.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1296 -
C:\Windows\SysWOW64\Icmegf32.exeC:\Windows\system32\Icmegf32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2716 -
C:\Windows\SysWOW64\Ihjnom32.exeC:\Windows\system32\Ihjnom32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2600 -
C:\Windows\SysWOW64\Ikhjki32.exeC:\Windows\system32\Ikhjki32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2500 -
C:\Windows\SysWOW64\Jabbhcfe.exeC:\Windows\system32\Jabbhcfe.exe36⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Jkjfah32.exeC:\Windows\system32\Jkjfah32.exe37⤵
- Executes dropped EXE
PID:572 -
C:\Windows\SysWOW64\Jnicmdli.exeC:\Windows\system32\Jnicmdli.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:524 -
C:\Windows\SysWOW64\Jdbkjn32.exeC:\Windows\system32\Jdbkjn32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:744 -
C:\Windows\SysWOW64\Jkmcfhkc.exeC:\Windows\system32\Jkmcfhkc.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2684 -
C:\Windows\SysWOW64\Jjpcbe32.exeC:\Windows\system32\Jjpcbe32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Jqilooij.exeC:\Windows\system32\Jqilooij.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:852 -
C:\Windows\SysWOW64\Jgcdki32.exeC:\Windows\system32\Jgcdki32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:2764 -
C:\Windows\SysWOW64\Jjbpgd32.exeC:\Windows\system32\Jjbpgd32.exe44⤵
- Executes dropped EXE
PID:1016 -
C:\Windows\SysWOW64\Jqlhdo32.exeC:\Windows\system32\Jqlhdo32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2964 -
C:\Windows\SysWOW64\Jcjdpj32.exeC:\Windows\system32\Jcjdpj32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:812 -
C:\Windows\SysWOW64\Jfiale32.exeC:\Windows\system32\Jfiale32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1684 -
C:\Windows\SysWOW64\Jnpinc32.exeC:\Windows\system32\Jnpinc32.exe48⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Jqnejn32.exeC:\Windows\system32\Jqnejn32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:560 -
C:\Windows\SysWOW64\Jcmafj32.exeC:\Windows\system32\Jcmafj32.exe50⤵
- Executes dropped EXE
PID:432 -
C:\Windows\SysWOW64\Kjfjbdle.exeC:\Windows\system32\Kjfjbdle.exe51⤵
- Executes dropped EXE
PID:896 -
C:\Windows\SysWOW64\Kqqboncb.exeC:\Windows\system32\Kqqboncb.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Kbbngf32.exeC:\Windows\system32\Kbbngf32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2076 -
C:\Windows\SysWOW64\Kjifhc32.exeC:\Windows\system32\Kjifhc32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2996 -
C:\Windows\SysWOW64\Kilfcpqm.exeC:\Windows\system32\Kilfcpqm.exe55⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Kkjcplpa.exeC:\Windows\system32\Kkjcplpa.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:1364 -
C:\Windows\SysWOW64\Kcakaipc.exeC:\Windows\system32\Kcakaipc.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2272 -
C:\Windows\SysWOW64\Kfpgmdog.exeC:\Windows\system32\Kfpgmdog.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1960 -
C:\Windows\SysWOW64\Kmjojo32.exeC:\Windows\system32\Kmjojo32.exe59⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Knklagmb.exeC:\Windows\system32\Knklagmb.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:880 -
C:\Windows\SysWOW64\Kbfhbeek.exeC:\Windows\system32\Kbfhbeek.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:740 -
C:\Windows\SysWOW64\Kiqpop32.exeC:\Windows\system32\Kiqpop32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1912 -
C:\Windows\SysWOW64\Kkolkk32.exeC:\Windows\system32\Kkolkk32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:340 -
C:\Windows\SysWOW64\Knmhgf32.exeC:\Windows\system32\Knmhgf32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3008 -
C:\Windows\SysWOW64\Kaldcb32.exeC:\Windows\system32\Kaldcb32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Kicmdo32.exeC:\Windows\system32\Kicmdo32.exe66⤵
- Drops file in System32 directory
PID:736 -
C:\Windows\SysWOW64\Kkaiqk32.exeC:\Windows\system32\Kkaiqk32.exe67⤵PID:1580
-
C:\Windows\SysWOW64\Knpemf32.exeC:\Windows\system32\Knpemf32.exe68⤵PID:816
-
C:\Windows\SysWOW64\Leimip32.exeC:\Windows\system32\Leimip32.exe69⤵
- Modifies registry class
PID:3000 -
C:\Windows\SysWOW64\Lghjel32.exeC:\Windows\system32\Lghjel32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:944 -
C:\Windows\SysWOW64\Ljffag32.exeC:\Windows\system32\Ljffag32.exe71⤵PID:1240
-
C:\Windows\SysWOW64\Lapnnafn.exeC:\Windows\system32\Lapnnafn.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1668 -
C:\Windows\SysWOW64\Lgjfkk32.exeC:\Windows\system32\Lgjfkk32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2016 -
C:\Windows\SysWOW64\Ljibgg32.exeC:\Windows\system32\Ljibgg32.exe74⤵PID:868
-
C:\Windows\SysWOW64\Lpekon32.exeC:\Windows\system32\Lpekon32.exe75⤵
- Modifies registry class
PID:2396 -
C:\Windows\SysWOW64\Lgmcqkkh.exeC:\Windows\system32\Lgmcqkkh.exe76⤵
- Drops file in System32 directory
PID:2748 -
C:\Windows\SysWOW64\Lfpclh32.exeC:\Windows\system32\Lfpclh32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2540 -
C:\Windows\SysWOW64\Lmikibio.exeC:\Windows\system32\Lmikibio.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2564 -
C:\Windows\SysWOW64\Lphhenhc.exeC:\Windows\system32\Lphhenhc.exe79⤵PID:2384
-
C:\Windows\SysWOW64\Lbfdaigg.exeC:\Windows\system32\Lbfdaigg.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2636 -
C:\Windows\SysWOW64\Liplnc32.exeC:\Windows\system32\Liplnc32.exe81⤵PID:540
-
C:\Windows\SysWOW64\Llohjo32.exeC:\Windows\system32\Llohjo32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2620 -
C:\Windows\SysWOW64\Lfdmggnm.exeC:\Windows\system32\Lfdmggnm.exe83⤵
- Drops file in System32 directory
- Modifies registry class
PID:1676 -
C:\Windows\SysWOW64\Libicbma.exeC:\Windows\system32\Libicbma.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2856 -
C:\Windows\SysWOW64\Mlaeonld.exeC:\Windows\system32\Mlaeonld.exe85⤵PID:1948
-
C:\Windows\SysWOW64\Mooaljkh.exeC:\Windows\system32\Mooaljkh.exe86⤵PID:2300
-
C:\Windows\SysWOW64\Mbkmlh32.exeC:\Windows\system32\Mbkmlh32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2980 -
C:\Windows\SysWOW64\Meijhc32.exeC:\Windows\system32\Meijhc32.exe88⤵PID:2852
-
C:\Windows\SysWOW64\Mhhfdo32.exeC:\Windows\system32\Mhhfdo32.exe89⤵
- Drops file in System32 directory
- Modifies registry class
PID:1528 -
C:\Windows\SysWOW64\Mlcbenjb.exeC:\Windows\system32\Mlcbenjb.exe90⤵PID:1956
-
C:\Windows\SysWOW64\Moanaiie.exeC:\Windows\system32\Moanaiie.exe91⤵
- Drops file in System32 directory
- Modifies registry class
PID:684 -
C:\Windows\SysWOW64\Mapjmehi.exeC:\Windows\system32\Mapjmehi.exe92⤵
- Drops file in System32 directory
PID:1728 -
C:\Windows\SysWOW64\Migbnb32.exeC:\Windows\system32\Migbnb32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2908 -
C:\Windows\SysWOW64\Mlfojn32.exeC:\Windows\system32\Mlfojn32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2892 -
C:\Windows\SysWOW64\Mkhofjoj.exeC:\Windows\system32\Mkhofjoj.exe95⤵PID:1496
-
C:\Windows\SysWOW64\Modkfi32.exeC:\Windows\system32\Modkfi32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2304 -
C:\Windows\SysWOW64\Mabgcd32.exeC:\Windows\system32\Mabgcd32.exe97⤵PID:2700
-
C:\Windows\SysWOW64\Mdacop32.exeC:\Windows\system32\Mdacop32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3068 -
C:\Windows\SysWOW64\Mkklljmg.exeC:\Windows\system32\Mkklljmg.exe99⤵
- Drops file in System32 directory
PID:1276 -
C:\Windows\SysWOW64\Mmihhelk.exeC:\Windows\system32\Mmihhelk.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2440 -
C:\Windows\SysWOW64\Mdcpdp32.exeC:\Windows\system32\Mdcpdp32.exe101⤵
- Modifies registry class
PID:2412 -
C:\Windows\SysWOW64\Mkmhaj32.exeC:\Windows\system32\Mkmhaj32.exe102⤵
- Modifies registry class
PID:2448 -
C:\Windows\SysWOW64\Magqncba.exeC:\Windows\system32\Magqncba.exe103⤵
- Drops file in System32 directory
PID:308 -
C:\Windows\SysWOW64\Ndemjoae.exeC:\Windows\system32\Ndemjoae.exe104⤵PID:1292
-
C:\Windows\SysWOW64\Nibebfpl.exeC:\Windows\system32\Nibebfpl.exe105⤵PID:1048
-
C:\Windows\SysWOW64\Naimccpo.exeC:\Windows\system32\Naimccpo.exe106⤵PID:2868
-
C:\Windows\SysWOW64\Ndhipoob.exeC:\Windows\system32\Ndhipoob.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2468 -
C:\Windows\SysWOW64\Nckjkl32.exeC:\Windows\system32\Nckjkl32.exe108⤵
- Drops file in System32 directory
- Modifies registry class
PID:1968 -
C:\Windows\SysWOW64\Ngfflj32.exeC:\Windows\system32\Ngfflj32.exe109⤵
- Modifies registry class
PID:2268 -
C:\Windows\SysWOW64\Ncbplk32.exeC:\Windows\system32\Ncbplk32.exe110⤵
- Drops file in System32 directory
- Modifies registry class
PID:1952 -
C:\Windows\SysWOW64\Neplhf32.exeC:\Windows\system32\Neplhf32.exe111⤵PID:1696
-
C:\Windows\SysWOW64\Oohqqlei.exeC:\Windows\system32\Oohqqlei.exe112⤵PID:832
-
C:\Windows\SysWOW64\Ocdmaj32.exeC:\Windows\system32\Ocdmaj32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1664 -
C:\Windows\SysWOW64\Ohaeia32.exeC:\Windows\system32\Ohaeia32.exe114⤵PID:2168
-
C:\Windows\SysWOW64\Ollajp32.exeC:\Windows\system32\Ollajp32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2788 -
C:\Windows\SysWOW64\Ookmfk32.exeC:\Windows\system32\Ookmfk32.exe116⤵PID:1908
-
C:\Windows\SysWOW64\Oeeecekc.exeC:\Windows\system32\Oeeecekc.exe117⤵
- Modifies registry class
PID:2464 -
C:\Windows\SysWOW64\Odhfob32.exeC:\Windows\system32\Odhfob32.exe118⤵
- Drops file in System32 directory
PID:2816 -
C:\Windows\SysWOW64\Olonpp32.exeC:\Windows\system32\Olonpp32.exe119⤵
- Drops file in System32 directory
- Modifies registry class
PID:2668 -
C:\Windows\SysWOW64\Oghopm32.exeC:\Windows\system32\Oghopm32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3004 -
C:\Windows\SysWOW64\Onbgmg32.exeC:\Windows\system32\Onbgmg32.exe121⤵PID:1472
-
C:\Windows\SysWOW64\Oancnfoe.exeC:\Windows\system32\Oancnfoe.exe122⤵PID:1628
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-