Analysis
max time kernel: 148s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 04/05/2024, 17:47
Behavioral task: behavioral1
Sample: 403021839d6ac65801974d38cbc76e1f.jaffacakes118.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 403021839d6ac65801974d38cbc76e1f.jaffacakes118.exe
Resource: win10v2004-20240419-en
General
Target: 403021839d6ac65801974d38cbc76e1f.jaffacakes118.exe
Size: 548KB
MD5: 403021839d6ac65801974d38cbc76e1f
SHA1: 37f2887b58c6a9895d84ffe8dafd9bb339c782a6
SHA256: c63548a74bed7faf7622b059993a58a6a1d4fd02f10828092d333eb7c51f28f5
SHA512: d6ececf5e1cac2baa10c46f39f6cfce73f5637721bf5358cfe3533f87eb2a5b048402793498cae0dae62ee19a8355ed953413970faf54add0c94f433fd9b5dd4
SSDEEP: 12288:lOvu6IveDVqvQ6IvBaSHaMaZRBEYyqmaf2qwiHPKgRC4gvGZ+C8lM1:pq5htaSHFaZRBEYyqmaf2qwiHPKgRC45
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid 4416, pid_target 4436, Process WerFault.exe, procid_target 440
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\403021839d6ac65801974d38cbc76e1f.jaffacakes118.exe"C:\Users\Admin\AppData\Local\Temp\403021839d6ac65801974d38cbc76e1f.jaffacakes118.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Khekgc32.exeC:\Windows\system32\Khekgc32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Kdlkld32.exeC:\Windows\system32\Kdlkld32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Laplei32.exeC:\Windows\system32\Laplei32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Ldnhad32.exeC:\Windows\system32\Ldnhad32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Lkkmdn32.exeC:\Windows\system32\Lkkmdn32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Lmiipi32.exeC:\Windows\system32\Lmiipi32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Ldenbcge.exeC:\Windows\system32\Ldenbcge.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Lchnnp32.exeC:\Windows\system32\Lchnnp32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\SysWOW64\Mpolmdkg.exeC:\Windows\system32\Mpolmdkg.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1316 -
C:\Windows\SysWOW64\Mcmhiojk.exeC:\Windows\system32\Mcmhiojk.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Migpeiag.exeC:\Windows\system32\Migpeiag.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Mkhmma32.exeC:\Windows\system32\Mkhmma32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1344 -
C:\Windows\SysWOW64\Mnkbdlbd.exeC:\Windows\system32\Mnkbdlbd.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Mpjoqhah.exeC:\Windows\system32\Mpjoqhah.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1452 -
C:\Windows\SysWOW64\Mgcgmb32.exeC:\Windows\system32\Mgcgmb32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:776 -
C:\Windows\SysWOW64\Nnnojlpa.exeC:\Windows\system32\Nnnojlpa.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1120 -
C:\Windows\SysWOW64\Ncmdhb32.exeC:\Windows\system32\Ncmdhb32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2184 -
C:\Windows\SysWOW64\Njgldmdc.exeC:\Windows\system32\Njgldmdc.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2156 -
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1692 -
C:\Windows\SysWOW64\Nfmmin32.exeC:\Windows\system32\Nfmmin32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1636 -
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1040 -
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:688 -
C:\Windows\SysWOW64\Nfpjomgd.exeC:\Windows\system32\Nfpjomgd.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2836 -
C:\Windows\SysWOW64\Nhnfkigh.exeC:\Windows\system32\Nhnfkigh.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:600 -
C:\Windows\SysWOW64\Nkmbgdfl.exeC:\Windows\system32\Nkmbgdfl.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:880 -
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe28⤵
- Loads dropped DLL
- Drops file in System32 directory
PID:1592 -
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2652 -
C:\Windows\SysWOW64\Obigjnkf.exeC:\Windows\system32\Obigjnkf.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2932 -
C:\Windows\SysWOW64\Okalbc32.exeC:\Windows\system32\Okalbc32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2664 -
C:\Windows\SysWOW64\Oomhcbjp.exeC:\Windows\system32\Oomhcbjp.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2728 -
C:\Windows\SysWOW64\Odjpkihg.exeC:\Windows\system32\Odjpkihg.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2464 -
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe34⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe35⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe36⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Ogjimd32.exeC:\Windows\system32\Ogjimd32.exe37⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe38⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe39⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2380 -
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe41⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Pmlkpjpj.exeC:\Windows\system32\Pmlkpjpj.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2284 -
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:1964 -
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe44⤵
- Executes dropped EXE
PID:884 -
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe45⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe46⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1064 -
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe49⤵
- Executes dropped EXE
PID:1048 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe50⤵
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2860 -
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe52⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe53⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Pndniaop.exeC:\Windows\system32\Pndniaop.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe55⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Qjknnbed.exeC:\Windows\system32\Qjknnbed.exe56⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Qeqbkkej.exeC:\Windows\system32\Qeqbkkej.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe58⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2680 -
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe60⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe61⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:1808 -
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe63⤵
- Executes dropped EXE
PID:1208 -
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe64⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe65⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1176 -
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe67⤵PID:1152
-
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe68⤵PID:1856
-
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe69⤵PID:2124
-
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe70⤵
- Drops file in System32 directory
PID:1748 -
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe71⤵
- Modifies registry class
PID:2256 -
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe72⤵
- Drops file in System32 directory
PID:2856 -
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe73⤵
- Drops file in System32 directory
- Modifies registry class
PID:2976 -
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe74⤵PID:1908
-
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2304 -
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe76⤵PID:2672
-
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe77⤵PID:356
-
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe78⤵
- Modifies registry class
PID:1704 -
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe79⤵PID:2704
-
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:3028 -
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1348 -
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe82⤵PID:1984
-
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe83⤵PID:1000
-
C:\Windows\SysWOW64\Aljgfioc.exeC:\Windows\system32\Aljgfioc.exe84⤵
- Modifies registry class
PID:2176 -
C:\Windows\SysWOW64\Bbdocc32.exeC:\Windows\system32\Bbdocc32.exe85⤵PID:1876
-
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe86⤵PID:324
-
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe87⤵
- Drops file in System32 directory
PID:1360 -
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe88⤵
- Drops file in System32 directory
PID:564 -
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe89⤵
- Modifies registry class
PID:1524 -
C:\Windows\SysWOW64\Baildokg.exeC:\Windows\system32\Baildokg.exe90⤵PID:2712
-
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe91⤵PID:904
-
C:\Windows\SysWOW64\Bommnc32.exeC:\Windows\system32\Bommnc32.exe92⤵PID:2972
-
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe93⤵
- Modifies registry class
PID:3032 -
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe94⤵PID:2928
-
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe95⤵
- Modifies registry class
PID:768 -
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe96⤵PID:944
-
C:\Windows\SysWOW64\Bnbjopoi.exeC:\Windows\system32\Bnbjopoi.exe97⤵PID:2536
-
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe98⤵PID:1396
-
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe99⤵PID:2816
-
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe100⤵PID:1556
-
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe101⤵PID:2436
-
C:\Windows\SysWOW64\Bcaomf32.exeC:\Windows\system32\Bcaomf32.exe102⤵PID:3068
-
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe103⤵
- Modifies registry class
PID:2684 -
C:\Windows\SysWOW64\Cngcjo32.exeC:\Windows\system32\Cngcjo32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2520 -
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe105⤵PID:2344
-
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe106⤵
- Drops file in System32 directory
- Modifies registry class
PID:2484 -
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe107⤵PID:2392
-
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe108⤵PID:1080
-
C:\Windows\SysWOW64\Cphlljge.exeC:\Windows\system32\Cphlljge.exe109⤵PID:1604
-
C:\Windows\SysWOW64\Coklgg32.exeC:\Windows\system32\Coklgg32.exe110⤵
- Drops file in System32 directory
- Modifies registry class
PID:2444 -
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1788 -
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe112⤵PID:1544
-
C:\Windows\SysWOW64\Cbkeib32.exeC:\Windows\system32\Cbkeib32.exe113⤵PID:1144
-
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe114⤵
- Drops file in System32 directory
PID:2916 -
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe115⤵PID:3052
-
C:\Windows\SysWOW64\Cbnbobin.exeC:\Windows\system32\Cbnbobin.exe116⤵
- Drops file in System32 directory
PID:2952 -
C:\Windows\SysWOW64\Chhjkl32.exeC:\Windows\system32\Chhjkl32.exe117⤵
- Drops file in System32 directory
PID:1752 -
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2588 -
C:\Windows\SysWOW64\Cndbcc32.exeC:\Windows\system32\Cndbcc32.exe119⤵PID:2504
-
C:\Windows\SysWOW64\Dflkdp32.exeC:\Windows\system32\Dflkdp32.exe120⤵PID:1688
-
C:\Windows\SysWOW64\Dhjgal32.exeC:\Windows\system32\Dhjgal32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1760 -
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2268