Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system -
submitted
16-04-2024 09:43
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f3372fb359cb971ef5578915ebd2f464_JaffaCakes118.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
f3372fb359cb971ef5578915ebd2f464_JaffaCakes118.exe
Resource
win10v2004-20240412-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
f3372fb359cb971ef5578915ebd2f464_JaffaCakes118.exe
-
Size
72KB
-
MD5
f3372fb359cb971ef5578915ebd2f464
-
SHA1
0baf1a378670b558d19d1161124d0b0b426a77d4
-
SHA256
6299839c6e772ce68435ecfc95a43f0979b339b0134d37cc5a5314156c6980fa
-
SHA512
fc5c04b896adb30715b906de7813c6ba2dc54051869aabc037a61f1374191fdb0ded426b64442f7f1f35967ab347d1abefdd88994912d2a71ffe70c28d60b76a
-
SSDEEP
1536:DNCt3fSfzng/QOd0RxGDyLBtmzOgUEnmIU+GLkzTIcJGJZ9Jx301j/F95:DERfSfs/QOdAGuLBtmqgU6mIpGLkzTtf
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bdgged32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qpcecb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmdonkgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hkbdki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knkekn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ncofplba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ndflak32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aojefobm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lokdnjkg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgphpe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhbfff32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpqodfij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohiemobf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnbnhedj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bidqko32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cadlbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lbinam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mnkggfkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ohiemobf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Megljppl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Baadiiif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jofalmmp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kelalp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lppbkgcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Olckbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cidjbmcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljnlecmp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjlpjm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emkndc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pnmopk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oljaccjf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amodep32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lankbigo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nopfpgip.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Noehba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Inainbcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mlpokp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jddnfd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fneggdhg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipgbdbqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Npbceggm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phelcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bqmeal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bjfjka32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejlbhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bfendmoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njiegl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jdnoplhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bdagpnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gnfhfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Agbkmijg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmjaphek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iafonaao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogjdmbil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkqkhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lmgabcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmadco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Flfkkhid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnkpnclp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agbkmijg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnaqgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Malgcg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hienlpel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kbmoen32.exe -
Executes dropped EXE 64 IoCs
pid Process 1996 Famjkl32.exe 2184 Fkeodaai.exe 856 Gekcaj32.exe 4676 Gglpibgm.exe 3596 Gnfhfl32.exe 4840 Gdppbfff.exe 4572 Gnhdkl32.exe 2504 Ggqida32.exe 4624 Gafmaj32.exe 3396 Gojnko32.exe 4720 Ggeboaob.exe 3792 Hnoklk32.exe 312 Hghoeqmp.exe 1464 Hbmcbime.exe 1824 Hnddgjbj.exe 4268 Hkhdqoac.exe 4384 Hdpiid32.exe 4940 Hofmfmhj.exe 4224 Hfpecg32.exe 1340 Iohjlmeg.exe 3896 Idebdcdo.exe 1808 Iokgal32.exe 380 Ifdonfka.exe 4824 Iomcgl32.exe 4576 Iiehpahb.exe 4696 Ioopml32.exe 3068 Ifihif32.exe 936 Indmnh32.exe 1240 Ienekbld.exe 1736 Jkhngl32.exe 4980 Jbbfdfkn.exe 1844 Jeqbpb32.exe 4408 Jkkjmlan.exe 4396 Jfpojead.exe 2552 Jgakbm32.exe 532 Jfbkpd32.exe 2680 Jgdhgmep.exe 1784 Jnnpdg32.exe 3800 Jehhaaci.exe 2468 Jnpmjf32.exe 1436 Jfgdkd32.exe 432 Jghabl32.exe 4288 Knbiofhg.exe 1036 Kelalp32.exe 408 Kgknhl32.exe 220 Kimghn32.exe 3052 Kbekqdjh.exe 824 Kechmoil.exe 4236 Kpiljh32.exe 1756 Kfcdfbqo.exe 4040 Llpmoiof.exe 3176 Lbjelc32.exe 1692 Lhfmdj32.exe 3384 Lnqeqd32.exe 1660 Lejnmncd.exe 2604 Lppbkgcj.exe 1960 Lhkgoiqe.exe 2544 Lbqklb32.exe 1312 Lhncdi32.exe 2084 Mhppji32.exe 4632 Mefmimif.exe 2516 Mplafeil.exe 4988 Mhgfkg32.exe 4776 Mekgdl32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kelalp32.exe Knbiofhg.exe File created C:\Windows\SysWOW64\Phelcc32.exe Pgdokkfg.exe File opened for modification C:\Windows\SysWOW64\Lelchgne.exe Lbngllob.exe File created C:\Windows\SysWOW64\Ghndhd32.dll Nnojho32.exe File opened for modification C:\Windows\SysWOW64\Kniieo32.exe Kgopidgf.exe File created C:\Windows\SysWOW64\Phodcg32.exe Oacoqnci.exe File opened for modification C:\Windows\SysWOW64\Kofkbk32.exe Kpcjgnhb.exe File created C:\Windows\SysWOW64\Nchjdo32.exe Npjnhc32.exe File created C:\Windows\SysWOW64\Kclgmq32.exe Kmaopfjm.exe File created C:\Windows\SysWOW64\Badanigc.exe Baadiiif.exe File created C:\Windows\SysWOW64\Hbmcbime.exe Hghoeqmp.exe File created C:\Windows\SysWOW64\Fmgejhgn.exe Fkihnmhj.exe File opened for modification C:\Windows\SysWOW64\Jbdlop32.exe Jhlgfj32.exe File created C:\Windows\SysWOW64\Gdglhf32.dll Nfaemp32.exe File opened for modification C:\Windows\SysWOW64\Oileggkb.exe Ogmijllo.exe File opened for modification C:\Windows\SysWOW64\Hgiepjga.exe Hdkidohn.exe File created C:\Windows\SysWOW64\Kdpmbc32.exe Kmieae32.exe File created C:\Windows\SysWOW64\Kmeddp32.dll Akepfpcl.exe File opened for modification C:\Windows\SysWOW64\Ggpbjkpl.exe Gacjadad.exe File opened for modification C:\Windows\SysWOW64\Hgelek32.exe Gpkchqdj.exe File created C:\Windows\SysWOW64\Dihlbf32.exe Dbndfl32.exe File created C:\Windows\SysWOW64\Igchfiof.exe Iddljmpc.exe File opened for modification C:\Windows\SysWOW64\Jdgafjpn.exe Jbiejoaj.exe File opened for modification C:\Windows\SysWOW64\Fjadje32.exe Fdglmkeg.exe File created C:\Windows\SysWOW64\Gedobm32.dll Bmofagfp.exe File opened for modification C:\Windows\SysWOW64\Knhakh32.exe Kdpmbc32.exe File created C:\Windows\SysWOW64\Ehighp32.dll Ihbdplfi.exe File created C:\Windows\SysWOW64\Nacmdf32.exe Njiegl32.exe File opened for modification C:\Windows\SysWOW64\Pkhjph32.exe Phincl32.exe File opened for modification C:\Windows\SysWOW64\Fnlmhc32.exe Fiodpl32.exe File created C:\Windows\SysWOW64\Ndoell32.dll Gihgfk32.exe File created C:\Windows\SysWOW64\Lhncdi32.exe Lbqklb32.exe File opened for modification C:\Windows\SysWOW64\Hgnoki32.exe Hhknpmma.exe File opened for modification C:\Windows\SysWOW64\Dhphmj32.exe Dafppp32.exe File opened for modification C:\Windows\SysWOW64\Bfchidda.exe Boipmj32.exe File opened for modification C:\Windows\SysWOW64\Hnaqgd32.exe Hkbdki32.exe File created C:\Windows\SysWOW64\Igpoaebh.dll Phaahggp.exe File created C:\Windows\SysWOW64\Hlnjbedi.exe Hmkigh32.exe File created C:\Windows\SysWOW64\Gbemad32.dll Gijekg32.exe File created C:\Windows\SysWOW64\Ecgflaec.dll Gigaka32.exe File created C:\Windows\SysWOW64\Eejeiocj.exe Enpmld32.exe File created C:\Windows\SysWOW64\Ichqihli.dll Aagkhd32.exe File created C:\Windows\SysWOW64\Afjeceml.exe Aopmfk32.exe File created C:\Windows\SysWOW64\Mnmmboed.exe Mjaabq32.exe File created C:\Windows\SysWOW64\Aagkhd32.exe Afbgkl32.exe File created C:\Windows\SysWOW64\Olfghg32.exe Oelolmnd.exe File opened for modification C:\Windows\SysWOW64\Gafmaj32.exe Ggqida32.exe File created C:\Windows\SysWOW64\Nkpcjeml.dll Dpqodfij.exe File created C:\Windows\SysWOW64\Embccf32.dll Edmclccp.exe File created C:\Windows\SysWOW64\Pfhkccfn.dll Jnpmjf32.exe File created C:\Windows\SysWOW64\Kkfkkmmp.dll Fibojhim.exe File created C:\Windows\SysWOW64\Nlkngo32.exe Nliaao32.exe File created C:\Windows\SysWOW64\Cfapoa32.dll Bfbaonae.exe File opened for modification C:\Windows\SysWOW64\Jnpmjf32.exe Jehhaaci.exe File opened for modification C:\Windows\SysWOW64\Dikpbl32.exe Dhjckcgi.exe File opened for modification C:\Windows\SysWOW64\Ejflhm32.exe Edmclccp.exe File opened for modification C:\Windows\SysWOW64\Ocohmc32.exe Oclkgccf.exe File created C:\Windows\SysWOW64\Ibajgf32.dll Cqpbglno.exe File opened for modification C:\Windows\SysWOW64\Njinmf32.exe Ncofplba.exe File opened for modification C:\Windows\SysWOW64\Pmoiqneg.exe Phaahggp.exe File created C:\Windows\SysWOW64\Anhejhfp.dll Jiiicf32.exe File created C:\Windows\SysWOW64\Figfoijn.dll Mjaabq32.exe File created C:\Windows\SysWOW64\Igdnabjh.exe Iciaqc32.exe File created C:\Windows\SysWOW64\Hmfdddkc.dll Famjkl32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1064 5344 WerFault.exe 728 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Migidc32.dll" Ggpbjkpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jlfpdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpihol32.dll" Fmlneg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kjkpoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iomcgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naqbda32.dll" Bfchidda.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Inainbcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dimenegi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ipoopgnf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aajohjon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fmgejhgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkbado32.dll" Idahjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ddgplado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glokko32.dll" Hnoklk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hnoklk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpnpfack.dll" Dikpbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emmoafdl.dll" Iddljmpc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ljdceo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fmfgek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Opcqnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Biadeoce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bjfjka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cceddf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mifljdjo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iohjlmeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqcdkk32.dll" Kgknhl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lbjelc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdodhh32.dll" Ogmijllo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nainbl32.dll" Jfpojead.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Algpao32.dll" Jnnpdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dmdonkgc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iddljmpc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Phaahggp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Famjkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ccqkigkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dabhdinj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fjadje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ddgplado.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Flfkkhid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Njhgbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jehhaaci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Edopabqn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pkhjph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlqjei32.dll" Fdqfll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkefnho.dll" Nmlddqem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Phodcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgdkgc32.dll" Niooqcad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lkalplel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gnhdkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jdgafjpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejhmqp32.dll" Fllkqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcaihm32.dll" Mlmbfqoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ebejfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gihgfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hminmc32.dll" Lhkgoiqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ljkifn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Milidebi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oblmdhdo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lkchelci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ogjdmbil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idfjphid.dll" Fdkpma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jhndljll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpcblj32.dll" Jcbdgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjcejfha.dll" Fdcjlb32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4852 wrote to memory of 1996 4852 f3372fb359cb971ef5578915ebd2f464_JaffaCakes118.exe 86 PID 4852 wrote to memory of 1996 4852 f3372fb359cb971ef5578915ebd2f464_JaffaCakes118.exe 86 PID 4852 wrote to memory of 1996 4852 f3372fb359cb971ef5578915ebd2f464_JaffaCakes118.exe 86 PID 1996 wrote to memory of 2184 1996 Famjkl32.exe 87 PID 1996 wrote to memory of 2184 1996 Famjkl32.exe 87 PID 1996 wrote to memory of 2184 1996 Famjkl32.exe 87 PID 2184 wrote to memory of 856 2184 Fkeodaai.exe 89 PID 2184 wrote to memory of 856 2184 Fkeodaai.exe 89 PID 2184 wrote to memory of 856 2184 Fkeodaai.exe 89 PID 856 wrote to memory of 4676 856 Gekcaj32.exe 90 PID 856 wrote to memory of 4676 856 Gekcaj32.exe 90 PID 856 wrote to memory of 4676 856 Gekcaj32.exe 90 PID 4676 wrote to memory of 3596 4676 Gglpibgm.exe 91 PID 4676 wrote to memory of 3596 4676 Gglpibgm.exe 91 PID 4676 wrote to memory of 3596 4676 Gglpibgm.exe 91 PID 3596 wrote to memory of 4840 3596 Gnfhfl32.exe 92 PID 3596 wrote to memory of 4840 3596 Gnfhfl32.exe 92 PID 3596 wrote to memory of 4840 3596 Gnfhfl32.exe 92 PID 4840 wrote to memory of 4572 4840 Gdppbfff.exe 93 PID 4840 wrote to memory of 4572 4840 Gdppbfff.exe 93 PID 4840 wrote to memory of 4572 4840 Gdppbfff.exe 93 PID 4572 wrote to memory of 2504 4572 Gnhdkl32.exe 94 PID 4572 wrote to memory of 2504 4572 Gnhdkl32.exe 94 PID 4572 wrote to memory of 2504 4572 Gnhdkl32.exe 94 PID 2504 wrote to memory of 4624 2504 Ggqida32.exe 95 PID 2504 wrote to memory of 4624 2504 Ggqida32.exe 95 PID 2504 wrote to memory of 4624 2504 Ggqida32.exe 95 PID 4624 wrote to memory of 3396 4624 Gafmaj32.exe 96 PID 4624 wrote to memory of 3396 4624 Gafmaj32.exe 96 PID 4624 wrote to memory of 3396 4624 Gafmaj32.exe 96 PID 3396 wrote to memory of 4720 3396 Gojnko32.exe 97 PID 3396 wrote to memory of 4720 3396 Gojnko32.exe 97 PID 3396 wrote to memory of 4720 3396 Gojnko32.exe 97 PID 4720 wrote to memory of 3792 4720 Ggeboaob.exe 99 PID 4720 wrote to memory of 3792 4720 Ggeboaob.exe 99 PID 4720 wrote to memory of 3792 4720 Ggeboaob.exe 99 PID 3792 wrote to memory of 312 3792 Hnoklk32.exe 100 PID 3792 wrote to memory of 312 3792 Hnoklk32.exe 100 PID 3792 wrote to memory of 312 3792 Hnoklk32.exe 100 PID 312 wrote to memory of 1464 312 Hghoeqmp.exe 101 PID 312 wrote to memory of 1464 312 Hghoeqmp.exe 101 PID 312 wrote to memory of 1464 312 Hghoeqmp.exe 101 PID 1464 wrote to memory of 1824 1464 Hbmcbime.exe 102 PID 1464 wrote to memory of 1824 1464 Hbmcbime.exe 102 PID 1464 wrote to memory of 1824 1464 Hbmcbime.exe 102 PID 1824 wrote to memory of 4268 1824 Hnddgjbj.exe 103 PID 1824 wrote to memory of 4268 1824 Hnddgjbj.exe 103 PID 1824 wrote to memory of 4268 1824 Hnddgjbj.exe 103 PID 4268 wrote to memory of 4384 4268 Hkhdqoac.exe 104 PID 4268 wrote to memory of 4384 4268 Hkhdqoac.exe 104 PID 4268 wrote to memory of 4384 4268 Hkhdqoac.exe 104 PID 4384 wrote to memory of 4940 4384 Hdpiid32.exe 106 PID 4384 wrote to memory of 4940 4384 Hdpiid32.exe 106 PID 4384 wrote to memory of 4940 4384 Hdpiid32.exe 106 PID 4940 wrote to memory of 4224 4940 Hofmfmhj.exe 107 PID 4940 wrote to memory of 4224 4940 Hofmfmhj.exe 107 PID 4940 wrote to memory of 4224 4940 Hofmfmhj.exe 107 PID 4224 wrote to memory of 1340 4224 Hfpecg32.exe 108 PID 4224 wrote to memory of 1340 4224 Hfpecg32.exe 108 PID 4224 wrote to memory of 1340 4224 Hfpecg32.exe 108 PID 1340 wrote to memory of 3896 1340 Iohjlmeg.exe 109 PID 1340 wrote to memory of 3896 1340 Iohjlmeg.exe 109 PID 1340 wrote to memory of 3896 1340 Iohjlmeg.exe 109 PID 3896 wrote to memory of 1808 3896 Idebdcdo.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\f3372fb359cb971ef5578915ebd2f464_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f3372fb359cb971ef5578915ebd2f464_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4852 -
C:\Windows\SysWOW64\Famjkl32.exeC:\Windows\system32\Famjkl32.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\Fkeodaai.exeC:\Windows\system32\Fkeodaai.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Gekcaj32.exeC:\Windows\system32\Gekcaj32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:856 -
C:\Windows\SysWOW64\Gglpibgm.exeC:\Windows\system32\Gglpibgm.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4676 -
C:\Windows\SysWOW64\Gnfhfl32.exeC:\Windows\system32\Gnfhfl32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3596 -
C:\Windows\SysWOW64\Gdppbfff.exeC:\Windows\system32\Gdppbfff.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4840 -
C:\Windows\SysWOW64\Gnhdkl32.exeC:\Windows\system32\Gnhdkl32.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4572 -
C:\Windows\SysWOW64\Ggqida32.exeC:\Windows\system32\Ggqida32.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Gafmaj32.exeC:\Windows\system32\Gafmaj32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4624 -
C:\Windows\SysWOW64\Gojnko32.exeC:\Windows\system32\Gojnko32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3396 -
C:\Windows\SysWOW64\Ggeboaob.exeC:\Windows\system32\Ggeboaob.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4720 -
C:\Windows\SysWOW64\Hnoklk32.exeC:\Windows\system32\Hnoklk32.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3792 -
C:\Windows\SysWOW64\Hghoeqmp.exeC:\Windows\system32\Hghoeqmp.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:312 -
C:\Windows\SysWOW64\Hbmcbime.exeC:\Windows\system32\Hbmcbime.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1464 -
C:\Windows\SysWOW64\Hnddgjbj.exeC:\Windows\system32\Hnddgjbj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Windows\SysWOW64\Hkhdqoac.exeC:\Windows\system32\Hkhdqoac.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4268 -
C:\Windows\SysWOW64\Hdpiid32.exeC:\Windows\system32\Hdpiid32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4384 -
C:\Windows\SysWOW64\Hofmfmhj.exeC:\Windows\system32\Hofmfmhj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
C:\Windows\SysWOW64\Hfpecg32.exeC:\Windows\system32\Hfpecg32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4224 -
C:\Windows\SysWOW64\Iohjlmeg.exeC:\Windows\system32\Iohjlmeg.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1340 -
C:\Windows\SysWOW64\Idebdcdo.exeC:\Windows\system32\Idebdcdo.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3896 -
C:\Windows\SysWOW64\Iokgal32.exeC:\Windows\system32\Iokgal32.exe23⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Ifdonfka.exeC:\Windows\system32\Ifdonfka.exe24⤵
- Executes dropped EXE
PID:380 -
C:\Windows\SysWOW64\Iomcgl32.exeC:\Windows\system32\Iomcgl32.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:4824 -
C:\Windows\SysWOW64\Iiehpahb.exeC:\Windows\system32\Iiehpahb.exe26⤵
- Executes dropped EXE
PID:4576 -
C:\Windows\SysWOW64\Ioopml32.exeC:\Windows\system32\Ioopml32.exe27⤵
- Executes dropped EXE
PID:4696 -
C:\Windows\SysWOW64\Ifihif32.exeC:\Windows\system32\Ifihif32.exe28⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Indmnh32.exeC:\Windows\system32\Indmnh32.exe29⤵
- Executes dropped EXE
PID:936 -
C:\Windows\SysWOW64\Ienekbld.exeC:\Windows\system32\Ienekbld.exe30⤵
- Executes dropped EXE
PID:1240 -
C:\Windows\SysWOW64\Jkhngl32.exeC:\Windows\system32\Jkhngl32.exe31⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Jbbfdfkn.exeC:\Windows\system32\Jbbfdfkn.exe32⤵
- Executes dropped EXE
PID:4980 -
C:\Windows\SysWOW64\Jeqbpb32.exeC:\Windows\system32\Jeqbpb32.exe33⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Jkkjmlan.exeC:\Windows\system32\Jkkjmlan.exe34⤵
- Executes dropped EXE
PID:4408 -
C:\Windows\SysWOW64\Jfpojead.exeC:\Windows\system32\Jfpojead.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:4396 -
C:\Windows\SysWOW64\Jgakbm32.exeC:\Windows\system32\Jgakbm32.exe36⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Jfbkpd32.exeC:\Windows\system32\Jfbkpd32.exe37⤵
- Executes dropped EXE
PID:532 -
C:\Windows\SysWOW64\Jgdhgmep.exeC:\Windows\system32\Jgdhgmep.exe38⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Jnnpdg32.exeC:\Windows\system32\Jnnpdg32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:1784 -
C:\Windows\SysWOW64\Jehhaaci.exeC:\Windows\system32\Jehhaaci.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3800 -
C:\Windows\SysWOW64\Jnpmjf32.exeC:\Windows\system32\Jnpmjf32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2468 -
C:\Windows\SysWOW64\Jfgdkd32.exeC:\Windows\system32\Jfgdkd32.exe42⤵
- Executes dropped EXE
PID:1436 -
C:\Windows\SysWOW64\Jghabl32.exeC:\Windows\system32\Jghabl32.exe43⤵
- Executes dropped EXE
PID:432 -
C:\Windows\SysWOW64\Knbiofhg.exeC:\Windows\system32\Knbiofhg.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4288 -
C:\Windows\SysWOW64\Kelalp32.exeC:\Windows\system32\Kelalp32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Kgknhl32.exeC:\Windows\system32\Kgknhl32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:408 -
C:\Windows\SysWOW64\Kimghn32.exeC:\Windows\system32\Kimghn32.exe47⤵
- Executes dropped EXE
PID:220 -
C:\Windows\SysWOW64\Kbekqdjh.exeC:\Windows\system32\Kbekqdjh.exe48⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Kechmoil.exeC:\Windows\system32\Kechmoil.exe49⤵
- Executes dropped EXE
PID:824 -
C:\Windows\SysWOW64\Kpiljh32.exeC:\Windows\system32\Kpiljh32.exe50⤵
- Executes dropped EXE
PID:4236 -
C:\Windows\SysWOW64\Kfcdfbqo.exeC:\Windows\system32\Kfcdfbqo.exe51⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Llpmoiof.exeC:\Windows\system32\Llpmoiof.exe52⤵
- Executes dropped EXE
PID:4040 -
C:\Windows\SysWOW64\Lbjelc32.exeC:\Windows\system32\Lbjelc32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:3176 -
C:\Windows\SysWOW64\Lhfmdj32.exeC:\Windows\system32\Lhfmdj32.exe54⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Lnqeqd32.exeC:\Windows\system32\Lnqeqd32.exe55⤵
- Executes dropped EXE
PID:3384 -
C:\Windows\SysWOW64\Lejnmncd.exeC:\Windows\system32\Lejnmncd.exe56⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Lppbkgcj.exeC:\Windows\system32\Lppbkgcj.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Lhkgoiqe.exeC:\Windows\system32\Lhkgoiqe.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:1960 -
C:\Windows\SysWOW64\Lbqklb32.exeC:\Windows\system32\Lbqklb32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2544 -
C:\Windows\SysWOW64\Lhncdi32.exeC:\Windows\system32\Lhncdi32.exe60⤵
- Executes dropped EXE
PID:1312 -
C:\Windows\SysWOW64\Mhppji32.exeC:\Windows\system32\Mhppji32.exe61⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Mefmimif.exeC:\Windows\system32\Mefmimif.exe62⤵
- Executes dropped EXE
PID:4632 -
C:\Windows\SysWOW64\Mplafeil.exeC:\Windows\system32\Mplafeil.exe63⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Mhgfkg32.exeC:\Windows\system32\Mhgfkg32.exe64⤵
- Executes dropped EXE
PID:4988 -
C:\Windows\SysWOW64\Mekgdl32.exeC:\Windows\system32\Mekgdl32.exe65⤵
- Executes dropped EXE
PID:4776 -
C:\Windows\SysWOW64\Niipjj32.exeC:\Windows\system32\Niipjj32.exe66⤵PID:4612
-
C:\Windows\SysWOW64\Noehba32.exeC:\Windows\system32\Noehba32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:760 -
C:\Windows\SysWOW64\Ngmpcn32.exeC:\Windows\system32\Ngmpcn32.exe68⤵PID:3280
-
C:\Windows\SysWOW64\Nhnlkfpp.exeC:\Windows\system32\Nhnlkfpp.exe69⤵PID:2868
-
C:\Windows\SysWOW64\Ngomin32.exeC:\Windows\system32\Ngomin32.exe70⤵PID:2832
-
C:\Windows\SysWOW64\Niniei32.exeC:\Windows\system32\Niniei32.exe71⤵PID:2668
-
C:\Windows\SysWOW64\Nlleaeff.exeC:\Windows\system32\Nlleaeff.exe72⤵PID:3084
-
C:\Windows\SysWOW64\Ncfmno32.exeC:\Windows\system32\Ncfmno32.exe73⤵PID:4944
-
C:\Windows\SysWOW64\Nipekiep.exeC:\Windows\system32\Nipekiep.exe74⤵PID:412
-
C:\Windows\SysWOW64\Nhbfff32.exeC:\Windows\system32\Nhbfff32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2968 -
C:\Windows\SysWOW64\Npjnhc32.exeC:\Windows\system32\Npjnhc32.exe76⤵
- Drops file in System32 directory
PID:548 -
C:\Windows\SysWOW64\Nchjdo32.exeC:\Windows\system32\Nchjdo32.exe77⤵PID:428
-
C:\Windows\SysWOW64\Nibbqicm.exeC:\Windows\system32\Nibbqicm.exe78⤵PID:5000
-
C:\Windows\SysWOW64\Nplkmckj.exeC:\Windows\system32\Nplkmckj.exe79⤵PID:956
-
C:\Windows\SysWOW64\Ncjginjn.exeC:\Windows\system32\Ncjginjn.exe80⤵PID:4512
-
C:\Windows\SysWOW64\Oidofh32.exeC:\Windows\system32\Oidofh32.exe81⤵PID:3972
-
C:\Windows\SysWOW64\Olckbd32.exeC:\Windows\system32\Olckbd32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4908 -
C:\Windows\SysWOW64\Ooagno32.exeC:\Windows\system32\Ooagno32.exe83⤵PID:4652
-
C:\Windows\SysWOW64\Oghppm32.exeC:\Windows\system32\Oghppm32.exe84⤵PID:2104
-
C:\Windows\SysWOW64\Ohjlgefb.exeC:\Windows\system32\Ohjlgefb.exe85⤵PID:1228
-
C:\Windows\SysWOW64\Oocddono.exeC:\Windows\system32\Oocddono.exe86⤵PID:3540
-
C:\Windows\SysWOW64\Ogklelna.exeC:\Windows\system32\Ogklelna.exe87⤵PID:5132
-
C:\Windows\SysWOW64\Oiihahme.exeC:\Windows\system32\Oiihahme.exe88⤵PID:5176
-
C:\Windows\SysWOW64\Opcqnb32.exeC:\Windows\system32\Opcqnb32.exe89⤵
- Modifies registry class
PID:5228 -
C:\Windows\SysWOW64\Ogmijllo.exeC:\Windows\system32\Ogmijllo.exe90⤵
- Drops file in System32 directory
- Modifies registry class
PID:5268 -
C:\Windows\SysWOW64\Oileggkb.exeC:\Windows\system32\Oileggkb.exe91⤵PID:5312
-
C:\Windows\SysWOW64\Oljaccjf.exeC:\Windows\system32\Oljaccjf.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5360 -
C:\Windows\SysWOW64\Oohnonij.exeC:\Windows\system32\Oohnonij.exe93⤵PID:5412
-
C:\Windows\SysWOW64\Oebflhaf.exeC:\Windows\system32\Oebflhaf.exe94⤵PID:5456
-
C:\Windows\SysWOW64\Ollnhb32.exeC:\Windows\system32\Ollnhb32.exe95⤵PID:5500
-
C:\Windows\SysWOW64\Ocffempp.exeC:\Windows\system32\Ocffempp.exe96⤵PID:5544
-
C:\Windows\SysWOW64\Pjpobg32.exeC:\Windows\system32\Pjpobg32.exe97⤵PID:5592
-
C:\Windows\SysWOW64\Ppjgoaoj.exeC:\Windows\system32\Ppjgoaoj.exe98⤵PID:5636
-
C:\Windows\SysWOW64\Pgdokkfg.exeC:\Windows\system32\Pgdokkfg.exe99⤵
- Drops file in System32 directory
PID:5676 -
C:\Windows\SysWOW64\Phelcc32.exeC:\Windows\system32\Phelcc32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5720 -
C:\Windows\SysWOW64\Pckppl32.exeC:\Windows\system32\Pckppl32.exe101⤵PID:5768
-
C:\Windows\SysWOW64\Pfillg32.exeC:\Windows\system32\Pfillg32.exe102⤵PID:5812
-
C:\Windows\SysWOW64\Phhhhc32.exeC:\Windows\system32\Phhhhc32.exe103⤵PID:5856
-
C:\Windows\SysWOW64\Poaqemao.exeC:\Windows\system32\Poaqemao.exe104⤵PID:5900
-
C:\Windows\SysWOW64\Pflibgil.exeC:\Windows\system32\Pflibgil.exe105⤵PID:5940
-
C:\Windows\SysWOW64\Pleaoa32.exeC:\Windows\system32\Pleaoa32.exe106⤵PID:5988
-
C:\Windows\SysWOW64\Pcpikkge.exeC:\Windows\system32\Pcpikkge.exe107⤵PID:6024
-
C:\Windows\SysWOW64\Pfnegggi.exeC:\Windows\system32\Pfnegggi.exe108⤵PID:6092
-
C:\Windows\SysWOW64\Pjjahe32.exeC:\Windows\system32\Pjjahe32.exe109⤵PID:6128
-
C:\Windows\SysWOW64\Plhnda32.exeC:\Windows\system32\Plhnda32.exe110⤵PID:5160
-
C:\Windows\SysWOW64\Qcbfakec.exeC:\Windows\system32\Qcbfakec.exe111⤵PID:5252
-
C:\Windows\SysWOW64\Qjlnnemp.exeC:\Windows\system32\Qjlnnemp.exe112⤵PID:5292
-
C:\Windows\SysWOW64\Qhonib32.exeC:\Windows\system32\Qhonib32.exe113⤵PID:5384
-
C:\Windows\SysWOW64\Qoifflkg.exeC:\Windows\system32\Qoifflkg.exe114⤵PID:5420
-
C:\Windows\SysWOW64\Qgpogili.exeC:\Windows\system32\Qgpogili.exe115⤵PID:5492
-
C:\Windows\SysWOW64\Qjnkcekm.exeC:\Windows\system32\Qjnkcekm.exe116⤵PID:2576
-
C:\Windows\SysWOW64\Qlmgopjq.exeC:\Windows\system32\Qlmgopjq.exe117⤵PID:5620
-
C:\Windows\SysWOW64\Aokcklid.exeC:\Windows\system32\Aokcklid.exe118⤵PID:5688
-
C:\Windows\SysWOW64\Agbkmijg.exeC:\Windows\system32\Agbkmijg.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5764 -
C:\Windows\SysWOW64\Ajqgidij.exeC:\Windows\system32\Ajqgidij.exe120⤵PID:5824
-
C:\Windows\SysWOW64\Amodep32.exeC:\Windows\system32\Amodep32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5908
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-