Analysis
-
max time kernel
144s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
04/05/2024, 20:05
Behavioral task
behavioral1
Sample
d9930c1fead0bc311631e4541640cea1_JaffaCakes118.exe
Resource
win7-20240220-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
d9930c1fead0bc311631e4541640cea1_JaffaCakes118.exe
Resource
win10v2004-20240419-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
d9930c1fead0bc311631e4541640cea1_JaffaCakes118.exe
-
Size
456KB
-
MD5
d9930c1fead0bc311631e4541640cea1
-
SHA1
eb7787de1c1ae406b59e1183a0c77e0463562011
-
SHA256
1ff60686eba6aec3cdac97567f6051d5d0c5b076b0f417f596d0a123a33f20b3
-
SHA512
d352a8aabcedcb421702a11605c13d8fa8126cd49bdfc18b552061049532ea0cca21f176d0106c20a51bbf8c66d1c6dc4313ea49f99b4ee64f37b3f90484369d
-
SSDEEP
12288:fM0wIKfDy/phgeczlqczZd7LFB3oFHoGnFjVZnykJGvpHGdm:00wFfDy/phgeczlqczZd7LFB3oFHoGn+
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgilchkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbnemk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgcmlcja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhgmapfi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahdaee32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doehqead.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdamqndn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoepcn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clilkfnb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqjepm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emcbkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnpnndgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cddaphkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Doehqead.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgfjbgmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlbeqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qbelgood.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohfeog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bldcpf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdopkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgpjanje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lajhofao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pclfkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdgafdfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kahojc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Namqci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oddpfc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnobnmpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnoomqbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhhcgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmaled32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjadmnic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iggkllpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjojofgn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnomcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Albjlcao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clilkfnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhhnli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eecqjpee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmlnoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icpigm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obojhlbq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpkbdiqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dglpbbbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dogefd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cljcelan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chemfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpkjko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejkima32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcdbbloa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kblhgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Papfegmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anojbobe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgodbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddcdkl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjjddchg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amkpegnj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egllae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjjmbj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lajhofao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mppepcfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccahbp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djpmccqq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpdhklkl.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/files/0x000c000000012707-5.dat family_berbew behavioral1/files/0x00080000000153ee-25.dat family_berbew behavioral1/files/0x00070000000158d9-33.dat family_berbew behavioral1/files/0x000a000000015b50-47.dat family_berbew behavioral1/files/0x0006000000015d85-60.dat family_berbew behavioral1/files/0x0006000000015f23-74.dat family_berbew behavioral1/files/0x0006000000016013-87.dat family_berbew behavioral1/files/0x00060000000161ee-107.dat family_berbew behavioral1/files/0x00060000000164ec-115.dat family_berbew behavioral1/files/0x00060000000167bf-130.dat family_berbew behavioral1/files/0x0006000000016c1f-144.dat family_berbew behavioral1/files/0x002f000000014f57-161.dat family_berbew behavioral1/files/0x0006000000016c84-172.dat family_berbew behavioral1/memory/2180-179-0x0000000000250000-0x0000000000283000-memory.dmp family_berbew behavioral1/files/0x0006000000016ce0-187.dat family_berbew behavioral1/files/0x0006000000016cf3-200.dat family_berbew behavioral1/files/0x0006000000016d06-214.dat family_berbew behavioral1/files/0x0006000000016d18-231.dat family_berbew behavioral1/files/0x0006000000016d29-239.dat family_berbew behavioral1/files/0x0006000000016d81-250.dat family_berbew behavioral1/files/0x0006000000016da9-259.dat family_berbew behavioral1/files/0x0006000000016f7e-270.dat family_berbew behavioral1/files/0x000600000001737e-281.dat family_berbew behavioral1/files/0x00060000000173c5-292.dat family_berbew behavioral1/files/0x00060000000173df-303.dat family_berbew behavioral1/memory/2840-307-0x00000000002F0000-0x0000000000323000-memory.dmp family_berbew behavioral1/files/0x000600000001745d-316.dat family_berbew behavioral1/files/0x000600000001748d-325.dat family_berbew behavioral1/files/0x000600000001864a-336.dat family_berbew behavioral1/memory/2316-339-0x0000000000310000-0x0000000000343000-memory.dmp family_berbew behavioral1/files/0x0005000000018674-347.dat family_berbew behavioral1/memory/2956-350-0x0000000000290000-0x00000000002C3000-memory.dmp family_berbew behavioral1/files/0x00060000000190b3-358.dat family_berbew behavioral1/memory/2508-361-0x00000000005D0000-0x0000000000603000-memory.dmp family_berbew behavioral1/files/0x00050000000191d7-371.dat family_berbew behavioral1/memory/2556-373-0x00000000005D0000-0x0000000000603000-memory.dmp family_berbew behavioral1/files/0x00050000000191fd-381.dat family_berbew behavioral1/memory/2324-387-0x0000000000270000-0x00000000002A3000-memory.dmp family_berbew behavioral1/files/0x000500000001921a-392.dat family_berbew behavioral1/files/0x0005000000019251-402.dat family_berbew behavioral1/files/0x0005000000019259-410.dat family_berbew behavioral1/memory/360-417-0x0000000000250000-0x0000000000283000-memory.dmp family_berbew behavioral1/files/0x0005000000019367-424.dat family_berbew behavioral1/files/0x00050000000193a3-432.dat family_berbew behavioral1/files/0x00050000000193b1-446.dat family_berbew behavioral1/files/0x00050000000193c2-457.dat family_berbew behavioral1/files/0x00050000000193e8-468.dat family_berbew behavioral1/files/0x0005000000019426-480.dat family_berbew behavioral1/files/0x00050000000194be-492.dat family_berbew behavioral1/files/0x00050000000195c9-501.dat family_berbew behavioral1/files/0x0005000000019602-514.dat family_berbew behavioral1/files/0x0005000000019606-522.dat family_berbew behavioral1/files/0x0005000000019608-534.dat family_berbew behavioral1/files/0x000500000001960c-545.dat family_berbew behavioral1/files/0x000500000001961e-558.dat family_berbew behavioral1/files/0x00050000000196a4-567.dat family_berbew behavioral1/files/0x000500000001996f-579.dat family_berbew behavioral1/files/0x0005000000019c2c-592.dat family_berbew behavioral1/files/0x0005000000019c49-600.dat family_berbew behavioral1/files/0x0005000000019da7-611.dat family_berbew behavioral1/files/0x0005000000019faf-622.dat family_berbew behavioral1/files/0x000500000001a071-634.dat family_berbew behavioral1/files/0x000500000001a2f6-644.dat family_berbew behavioral1/files/0x000500000001a423-657.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2588 Pnbacbac.exe 2596 Pelipl32.exe 2692 Qhmbagfa.exe 2432 Qbbfopeg.exe 2512 Qmlgonbe.exe 2292 Afdlhchf.exe 1564 Adhlaggp.exe 2636 Ampqjm32.exe 1540 Ajdadamj.exe 1020 Apajlhka.exe 2288 Apcfahio.exe 2180 Aepojo32.exe 1668 Bingpmnl.exe 2064 Bbflib32.exe 1052 Begeknan.exe 1748 Bopicc32.exe 3004 Bhhnli32.exe 2272 Bjijdadm.exe 1688 Bpcbqk32.exe 1304 Ckignd32.exe 1012 Cljcelan.exe 1912 Ccdlbf32.exe 2840 Cphlljge.exe 1700 Cgbdhd32.exe 868 Cjpqdp32.exe 2316 Cpjiajeb.exe 2956 Cbkeib32.exe 2508 Chemfl32.exe 2556 Ckdjbh32.exe 2324 Cdlnkmha.exe 2440 Clcflkic.exe 2416 Cndbcc32.exe 360 Dflkdp32.exe 2716 Dkhcmgnl.exe 2644 Dngoibmo.exe 2172 Dgodbh32.exe 2312 Djnpnc32.exe 1192 Ddcdkl32.exe 2044 Djpmccqq.exe 2248 Dqjepm32.exe 2260 Dchali32.exe 276 Djbiicon.exe 1188 Dqlafm32.exe 2092 Dcknbh32.exe 696 Dgfjbgmh.exe 1576 Emcbkn32.exe 2824 Epaogi32.exe 608 Eflgccbp.exe 1208 Ejgcdb32.exe 1928 Epdkli32.exe 2296 Ebbgid32.exe 2340 Emhlfmgj.exe 2820 Epfhbign.exe 2600 Efppoc32.exe 2696 Eecqjpee.exe 2520 Elmigj32.exe 2896 Ebgacddo.exe 2468 Eeempocb.exe 2772 Eloemi32.exe 1584 Ennaieib.exe 1640 Ealnephf.exe 1452 Fckjalhj.exe 1896 Fhffaj32.exe 1832 Fnpnndgp.exe -
Loads dropped DLL 64 IoCs
pid Process 2916 d9930c1fead0bc311631e4541640cea1_JaffaCakes118.exe 2916 d9930c1fead0bc311631e4541640cea1_JaffaCakes118.exe 2588 Pnbacbac.exe 2588 Pnbacbac.exe 2596 Pelipl32.exe 2596 Pelipl32.exe 2692 Qhmbagfa.exe 2692 Qhmbagfa.exe 2432 Qbbfopeg.exe 2432 Qbbfopeg.exe 2512 Qmlgonbe.exe 2512 Qmlgonbe.exe 2292 Afdlhchf.exe 2292 Afdlhchf.exe 1564 Adhlaggp.exe 1564 Adhlaggp.exe 2636 Ampqjm32.exe 2636 Ampqjm32.exe 1540 Ajdadamj.exe 1540 Ajdadamj.exe 1020 Apajlhka.exe 1020 Apajlhka.exe 2288 Apcfahio.exe 2288 Apcfahio.exe 2180 Aepojo32.exe 2180 Aepojo32.exe 1668 Bingpmnl.exe 1668 Bingpmnl.exe 2064 Bbflib32.exe 2064 Bbflib32.exe 1052 Begeknan.exe 1052 Begeknan.exe 1748 Bopicc32.exe 1748 Bopicc32.exe 3004 Bhhnli32.exe 3004 Bhhnli32.exe 2272 Bjijdadm.exe 2272 Bjijdadm.exe 1688 Bpcbqk32.exe 1688 Bpcbqk32.exe 1304 Ckignd32.exe 1304 Ckignd32.exe 1012 Cljcelan.exe 1012 Cljcelan.exe 1912 Ccdlbf32.exe 1912 Ccdlbf32.exe 2840 Cphlljge.exe 2840 Cphlljge.exe 1700 Cgbdhd32.exe 1700 Cgbdhd32.exe 868 Cjpqdp32.exe 868 Cjpqdp32.exe 2316 Cpjiajeb.exe 2316 Cpjiajeb.exe 2956 Cbkeib32.exe 2956 Cbkeib32.exe 2508 Chemfl32.exe 2508 Chemfl32.exe 2556 Ckdjbh32.exe 2556 Ckdjbh32.exe 2324 Cdlnkmha.exe 2324 Cdlnkmha.exe 2440 Clcflkic.exe 2440 Clcflkic.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Llfifq32.exe Lihmjejl.exe File opened for modification C:\Windows\SysWOW64\Qpgpkcpp.exe Qmicohqm.exe File opened for modification C:\Windows\SysWOW64\Gdopkn32.exe Gelppaof.exe File opened for modification C:\Windows\SysWOW64\Ifcbodli.exe Ioijbj32.exe File opened for modification C:\Windows\SysWOW64\Bemgilhh.exe Bbokmqie.exe File opened for modification C:\Windows\SysWOW64\Cnobnmpl.exe Cjdfmo32.exe File opened for modification C:\Windows\SysWOW64\Dqlafm32.exe Djbiicon.exe File created C:\Windows\SysWOW64\Omfkke32.exe Odobjg32.exe File created C:\Windows\SysWOW64\Kaceodek.exe Kbqecg32.exe File created C:\Windows\SysWOW64\Pqhmfm32.dll Ncgdbmmp.exe File created C:\Windows\SysWOW64\Mnhlblil.dll Ofelmloo.exe File created C:\Windows\SysWOW64\Pclfkc32.exe Pnomcl32.exe File opened for modification C:\Windows\SysWOW64\Bjijdadm.exe Bhhnli32.exe File opened for modification C:\Windows\SysWOW64\Jbllihbf.exe Jonplmcb.exe File created C:\Windows\SysWOW64\Ilcbjpbn.dll Bdbhke32.exe File created C:\Windows\SysWOW64\Nclpan32.dll Kaaijdgn.exe File opened for modification C:\Windows\SysWOW64\Lollckbk.exe Ldfgebbe.exe File opened for modification C:\Windows\SysWOW64\Ohibdf32.exe Ofjfhk32.exe File created C:\Windows\SysWOW64\Npfgpe32.exe Nnhkcj32.exe File created C:\Windows\SysWOW64\Bhkdeggl.exe Bemgilhh.exe File created C:\Windows\SysWOW64\Djpmccqq.exe Ddcdkl32.exe File opened for modification C:\Windows\SysWOW64\Jgidao32.exe Jifdebic.exe File opened for modification C:\Windows\SysWOW64\Namqci32.exe Nkbhgojk.exe File opened for modification C:\Windows\SysWOW64\Enhacojl.exe Ejmebq32.exe File created C:\Windows\SysWOW64\Jbllihbf.exe Jonplmcb.exe File opened for modification C:\Windows\SysWOW64\Kifpdelo.exe Kblhgk32.exe File created C:\Windows\SysWOW64\Dqjepm32.exe Djpmccqq.exe File created C:\Windows\SysWOW64\Ojdngl32.dll Bingpmnl.exe File created C:\Windows\SysWOW64\Mhgmapfi.exe Mppepcfg.exe File opened for modification C:\Windows\SysWOW64\Qedhdjnh.exe Qbelgood.exe File created C:\Windows\SysWOW64\Kemedbfd.dll Mdmmfa32.exe File created C:\Windows\SysWOW64\Pfjbgnme.exe Pclfkc32.exe File created C:\Windows\SysWOW64\Ndpfkdmf.exe Naajoinb.exe File created C:\Windows\SysWOW64\Dnoomqbg.exe Dkqbaecc.exe File created C:\Windows\SysWOW64\Acpmei32.dll Eloemi32.exe File created C:\Windows\SysWOW64\Baoohhdn.dll Kgnnln32.exe File opened for modification C:\Windows\SysWOW64\Dchali32.exe Dqjepm32.exe File opened for modification C:\Windows\SysWOW64\Idklfpon.exe Ijeghgoh.exe File created C:\Windows\SysWOW64\Aloeodfi.dll Ffpmnf32.exe File created C:\Windows\SysWOW64\Blpjegfm.exe Bkommo32.exe File opened for modification C:\Windows\SysWOW64\Cddaphkn.exe Cafecmlj.exe File opened for modification C:\Windows\SysWOW64\Pelipl32.exe Pnbacbac.exe File created C:\Windows\SysWOW64\Qoflni32.dll Cpjiajeb.exe File opened for modification C:\Windows\SysWOW64\Dcknbh32.exe Dqlafm32.exe File created C:\Windows\SysWOW64\Eqmbdn32.dll Lihmjejl.exe File created C:\Windows\SysWOW64\Hlnbfd32.dll Mimbdhhb.exe File opened for modification C:\Windows\SysWOW64\Nkgbbo32.exe Nglfapnl.exe File opened for modification C:\Windows\SysWOW64\Qbbfopeg.exe Qhmbagfa.exe File created C:\Windows\SysWOW64\Jdekadnf.dll Jjjacf32.exe File opened for modification C:\Windows\SysWOW64\Pflomnkb.exe Pgioaa32.exe File opened for modification C:\Windows\SysWOW64\Alnqqd32.exe Amkpegnj.exe File created C:\Windows\SysWOW64\Qjdijm32.dll Jehkodcm.exe File created C:\Windows\SysWOW64\Dmpknpme.dll Jgidao32.exe File created C:\Windows\SysWOW64\Ffpmnf32.exe Facdeo32.exe File created C:\Windows\SysWOW64\Daoiajfm.dll Lflmci32.exe File created C:\Windows\SysWOW64\Qmlgonbe.exe Qbbfopeg.exe File opened for modification C:\Windows\SysWOW64\Ckdjbh32.exe Chemfl32.exe File opened for modification C:\Windows\SysWOW64\Fmhheqje.exe Fjilieka.exe File created C:\Windows\SysWOW64\Dgjclbdi.exe Cppkph32.exe File created C:\Windows\SysWOW64\Mimbdhhb.exe Meagci32.exe File opened for modification C:\Windows\SysWOW64\Piphee32.exe Pedleg32.exe File created C:\Windows\SysWOW64\Amfcikek.exe Ajhgmpfg.exe File opened for modification C:\Windows\SysWOW64\Cdikkg32.exe Cnobnmpl.exe File created C:\Windows\SysWOW64\Djnpnc32.exe Dgodbh32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3576 3880 WerFault.exe 361 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Edpmjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmqgncdn.dll" Dgfjbgmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelpgepb.dll" Aaobdjof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdjfho32.dll" Dcenlceh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncolgf32.dll" Hknach32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhdlkdkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Noqamn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Behnnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgfjbgmh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlbeqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnojdcfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbqecg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kiccofna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbolpc32.dll" Dkhcmgnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gadkgl32.dll" Fckjalhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpdhklkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ioijbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gncffdfn.dll" Bbflib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Begeknan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kemejc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Miooigfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgjclbdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dcknbh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jiondcpk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dqjepm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojolhk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnobnmpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dflkdp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgodbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpenlb32.dll" Clcflkic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnmfog32.dll" Monhhk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohfeog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nglknl32.dll" Qpecfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdilpjih.dll" Egafleqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoogfn32.dll" Ebjglbml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bopicc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaqlckoi.dll" Cphlljge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljefkdjq.dll" Kaklpcoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Naoniipe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Naajoinb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhhlgc32.dll" Ehgppi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Henidd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjjddchg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkoacn32.dll" Mlibjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djnpnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fckjalhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecdjal32.dll" Dogefd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhbfdjdp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgpjanje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahdaee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kafbec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bafidiio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpkbdiqb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebbgid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eeempocb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpdbloof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeopgmbf.dll" Naoniipe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aoepcn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Boqbfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejkima32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eplkpgnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eeempocb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbgmbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moljch32.dll" Qedhdjnh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2916 wrote to memory of 2588 2916 d9930c1fead0bc311631e4541640cea1_JaffaCakes118.exe 28 PID 2916 wrote to memory of 2588 2916 d9930c1fead0bc311631e4541640cea1_JaffaCakes118.exe 28 PID 2916 wrote to memory of 2588 2916 d9930c1fead0bc311631e4541640cea1_JaffaCakes118.exe 28 PID 2916 wrote to memory of 2588 2916 d9930c1fead0bc311631e4541640cea1_JaffaCakes118.exe 28 PID 2588 wrote to memory of 2596 2588 Pnbacbac.exe 29 PID 2588 wrote to memory of 2596 2588 Pnbacbac.exe 29 PID 2588 wrote to memory of 2596 2588 Pnbacbac.exe 29 PID 2588 wrote to memory of 2596 2588 Pnbacbac.exe 29 PID 2596 wrote to memory of 2692 2596 Pelipl32.exe 30 PID 2596 wrote to memory of 2692 2596 Pelipl32.exe 30 PID 2596 wrote to memory of 2692 2596 Pelipl32.exe 30 PID 2596 wrote to memory of 2692 2596 Pelipl32.exe 30 PID 2692 wrote to memory of 2432 2692 Qhmbagfa.exe 31 PID 2692 wrote to memory of 2432 2692 Qhmbagfa.exe 31 PID 2692 wrote to memory of 2432 2692 Qhmbagfa.exe 31 PID 2692 wrote to memory of 2432 2692 Qhmbagfa.exe 31 PID 2432 wrote to memory of 2512 2432 Qbbfopeg.exe 32 PID 2432 wrote to memory of 2512 2432 Qbbfopeg.exe 32 PID 2432 wrote to memory of 2512 2432 Qbbfopeg.exe 32 PID 2432 wrote to memory of 2512 2432 Qbbfopeg.exe 32 PID 2512 wrote to memory of 2292 2512 Qmlgonbe.exe 33 PID 2512 wrote to memory of 2292 2512 Qmlgonbe.exe 33 PID 2512 wrote to memory of 2292 2512 Qmlgonbe.exe 33 PID 2512 wrote to memory of 2292 2512 Qmlgonbe.exe 33 PID 2292 wrote to memory of 1564 2292 Afdlhchf.exe 34 PID 2292 wrote to memory of 1564 2292 Afdlhchf.exe 34 PID 2292 wrote to memory of 1564 2292 Afdlhchf.exe 34 PID 2292 wrote to memory of 1564 2292 Afdlhchf.exe 34 PID 1564 wrote to memory of 2636 1564 Adhlaggp.exe 35 PID 1564 wrote to memory of 2636 1564 Adhlaggp.exe 35 PID 1564 wrote to memory of 2636 1564 Adhlaggp.exe 35 PID 1564 wrote to memory of 2636 1564 Adhlaggp.exe 35 PID 2636 wrote to memory of 1540 2636 Ampqjm32.exe 36 PID 2636 wrote to memory of 1540 2636 Ampqjm32.exe 36 PID 2636 wrote to memory of 1540 2636 Ampqjm32.exe 36 PID 2636 wrote to memory of 1540 2636 Ampqjm32.exe 36 PID 1540 wrote to memory of 1020 1540 Ajdadamj.exe 37 PID 1540 wrote to memory of 1020 1540 Ajdadamj.exe 37 PID 1540 wrote to memory of 1020 1540 Ajdadamj.exe 37 PID 1540 wrote to memory of 1020 1540 Ajdadamj.exe 37 PID 1020 wrote to memory of 2288 1020 Apajlhka.exe 38 PID 1020 wrote to memory of 2288 1020 Apajlhka.exe 38 PID 1020 wrote to memory of 2288 1020 Apajlhka.exe 38 PID 1020 wrote to memory of 2288 1020 Apajlhka.exe 38 PID 2288 wrote to memory of 2180 2288 Apcfahio.exe 39 PID 2288 wrote to memory of 2180 2288 Apcfahio.exe 39 PID 2288 wrote to memory of 2180 2288 Apcfahio.exe 39 PID 2288 wrote to memory of 2180 2288 Apcfahio.exe 39 PID 2180 wrote to memory of 1668 2180 Aepojo32.exe 40 PID 2180 wrote to memory of 1668 2180 Aepojo32.exe 40 PID 2180 wrote to memory of 1668 2180 Aepojo32.exe 40 PID 2180 wrote to memory of 1668 2180 Aepojo32.exe 40 PID 1668 wrote to memory of 2064 1668 Bingpmnl.exe 41 PID 1668 wrote to memory of 2064 1668 Bingpmnl.exe 41 PID 1668 wrote to memory of 2064 1668 Bingpmnl.exe 41 PID 1668 wrote to memory of 2064 1668 Bingpmnl.exe 41 PID 2064 wrote to memory of 1052 2064 Bbflib32.exe 42 PID 2064 wrote to memory of 1052 2064 Bbflib32.exe 42 PID 2064 wrote to memory of 1052 2064 Bbflib32.exe 42 PID 2064 wrote to memory of 1052 2064 Bbflib32.exe 42 PID 1052 wrote to memory of 1748 1052 Begeknan.exe 43 PID 1052 wrote to memory of 1748 1052 Begeknan.exe 43 PID 1052 wrote to memory of 1748 1052 Begeknan.exe 43 PID 1052 wrote to memory of 1748 1052 Begeknan.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\d9930c1fead0bc311631e4541640cea1_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d9930c1fead0bc311631e4541640cea1_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1540 -
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1020 -
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1052 -
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1748 -
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3004 -
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2272 -
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1688 -
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1304 -
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1012 -
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1912 -
C:\Windows\SysWOW64\Cphlljge.exeC:\Windows\system32\Cphlljge.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2840 -
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1700 -
C:\Windows\SysWOW64\Cjpqdp32.exeC:\Windows\system32\Cjpqdp32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:868 -
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2316 -
C:\Windows\SysWOW64\Cbkeib32.exeC:\Windows\system32\Cbkeib32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2956 -
C:\Windows\SysWOW64\Chemfl32.exeC:\Windows\system32\Chemfl32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2508 -
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2556 -
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2324 -
C:\Windows\SysWOW64\Clcflkic.exeC:\Windows\system32\Clcflkic.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2440 -
C:\Windows\SysWOW64\Cndbcc32.exeC:\Windows\system32\Cndbcc32.exe33⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Dflkdp32.exeC:\Windows\system32\Dflkdp32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:360 -
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2716 -
C:\Windows\SysWOW64\Dngoibmo.exeC:\Windows\system32\Dngoibmo.exe36⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Dgodbh32.exeC:\Windows\system32\Dgodbh32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2172 -
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:2312 -
C:\Windows\SysWOW64\Ddcdkl32.exeC:\Windows\system32\Ddcdkl32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1192 -
C:\Windows\SysWOW64\Djpmccqq.exeC:\Windows\system32\Djpmccqq.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2044 -
C:\Windows\SysWOW64\Dqjepm32.exeC:\Windows\system32\Dqjepm32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2248 -
C:\Windows\SysWOW64\Dchali32.exeC:\Windows\system32\Dchali32.exe42⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Djbiicon.exeC:\Windows\system32\Djbiicon.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:276 -
C:\Windows\SysWOW64\Dqlafm32.exeC:\Windows\system32\Dqlafm32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1188 -
C:\Windows\SysWOW64\Dcknbh32.exeC:\Windows\system32\Dcknbh32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:2092 -
C:\Windows\SysWOW64\Dgfjbgmh.exeC:\Windows\system32\Dgfjbgmh.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:696 -
C:\Windows\SysWOW64\Emcbkn32.exeC:\Windows\system32\Emcbkn32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Epaogi32.exeC:\Windows\system32\Epaogi32.exe48⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Eflgccbp.exeC:\Windows\system32\Eflgccbp.exe49⤵
- Executes dropped EXE
PID:608 -
C:\Windows\SysWOW64\Ejgcdb32.exeC:\Windows\system32\Ejgcdb32.exe50⤵
- Executes dropped EXE
PID:1208 -
C:\Windows\SysWOW64\Epdkli32.exeC:\Windows\system32\Epdkli32.exe51⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Ebbgid32.exeC:\Windows\system32\Ebbgid32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2296 -
C:\Windows\SysWOW64\Eilpeooq.exeC:\Windows\system32\Eilpeooq.exe53⤵PID:1956
-
C:\Windows\SysWOW64\Emhlfmgj.exeC:\Windows\system32\Emhlfmgj.exe54⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Epfhbign.exeC:\Windows\system32\Epfhbign.exe55⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Efppoc32.exeC:\Windows\system32\Efppoc32.exe56⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Eecqjpee.exeC:\Windows\system32\Eecqjpee.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Elmigj32.exeC:\Windows\system32\Elmigj32.exe58⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Ebgacddo.exeC:\Windows\system32\Ebgacddo.exe59⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Eeempocb.exeC:\Windows\system32\Eeempocb.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2468 -
C:\Windows\SysWOW64\Eloemi32.exeC:\Windows\system32\Eloemi32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2772 -
C:\Windows\SysWOW64\Ennaieib.exeC:\Windows\system32\Ennaieib.exe62⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Ealnephf.exeC:\Windows\system32\Ealnephf.exe63⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Fckjalhj.exeC:\Windows\system32\Fckjalhj.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:1452 -
C:\Windows\SysWOW64\Fhffaj32.exeC:\Windows\system32\Fhffaj32.exe65⤵
- Executes dropped EXE
PID:1896 -
C:\Windows\SysWOW64\Fnpnndgp.exeC:\Windows\system32\Fnpnndgp.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Fcmgfkeg.exeC:\Windows\system32\Fcmgfkeg.exe67⤵PID:1768
-
C:\Windows\SysWOW64\Fhhcgj32.exeC:\Windows\system32\Fhhcgj32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2232 -
C:\Windows\SysWOW64\Fmekoalh.exeC:\Windows\system32\Fmekoalh.exe69⤵PID:612
-
C:\Windows\SysWOW64\Fpdhklkl.exeC:\Windows\system32\Fpdhklkl.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:864 -
C:\Windows\SysWOW64\Fhkpmjln.exeC:\Windows\system32\Fhkpmjln.exe71⤵PID:332
-
C:\Windows\SysWOW64\Fjilieka.exeC:\Windows\system32\Fjilieka.exe72⤵
- Drops file in System32 directory
PID:1936 -
C:\Windows\SysWOW64\Fmhheqje.exeC:\Windows\system32\Fmhheqje.exe73⤵PID:2800
-
C:\Windows\SysWOW64\Facdeo32.exeC:\Windows\system32\Facdeo32.exe74⤵
- Drops file in System32 directory
PID:1416 -
C:\Windows\SysWOW64\Ffpmnf32.exeC:\Windows\system32\Ffpmnf32.exe75⤵
- Drops file in System32 directory
PID:1616 -
C:\Windows\SysWOW64\Fjlhneio.exeC:\Windows\system32\Fjlhneio.exe76⤵PID:2608
-
C:\Windows\SysWOW64\Fphafl32.exeC:\Windows\system32\Fphafl32.exe77⤵PID:2532
-
C:\Windows\SysWOW64\Fbgmbg32.exeC:\Windows\system32\Fbgmbg32.exe78⤵
- Modifies registry class
PID:2472 -
C:\Windows\SysWOW64\Fiaeoang.exeC:\Windows\system32\Fiaeoang.exe79⤵PID:2412
-
C:\Windows\SysWOW64\Gonnhhln.exeC:\Windows\system32\Gonnhhln.exe80⤵PID:2712
-
C:\Windows\SysWOW64\Gicbeald.exeC:\Windows\system32\Gicbeald.exe81⤵PID:356
-
C:\Windows\SysWOW64\Gangic32.exeC:\Windows\system32\Gangic32.exe82⤵PID:1248
-
C:\Windows\SysWOW64\Ghhofmql.exeC:\Windows\system32\Ghhofmql.exe83⤵PID:2004
-
C:\Windows\SysWOW64\Gkgkbipp.exeC:\Windows\system32\Gkgkbipp.exe84⤵PID:580
-
C:\Windows\SysWOW64\Gelppaof.exeC:\Windows\system32\Gelppaof.exe85⤵
- Drops file in System32 directory
PID:2776 -
C:\Windows\SysWOW64\Gdopkn32.exeC:\Windows\system32\Gdopkn32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1140 -
C:\Windows\SysWOW64\Gkihhhnm.exeC:\Windows\system32\Gkihhhnm.exe87⤵PID:1776
-
C:\Windows\SysWOW64\Goddhg32.exeC:\Windows\system32\Goddhg32.exe88⤵PID:1492
-
C:\Windows\SysWOW64\Geolea32.exeC:\Windows\system32\Geolea32.exe89⤵PID:1420
-
C:\Windows\SysWOW64\Gdamqndn.exeC:\Windows\system32\Gdamqndn.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3024 -
C:\Windows\SysWOW64\Hknach32.exeC:\Windows\system32\Hknach32.exe91⤵
- Modifies registry class
PID:1920 -
C:\Windows\SysWOW64\Hmlnoc32.exeC:\Windows\system32\Hmlnoc32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1028 -
C:\Windows\SysWOW64\Hpkjko32.exeC:\Windows\system32\Hpkjko32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2536 -
C:\Windows\SysWOW64\Hcifgjgc.exeC:\Windows\system32\Hcifgjgc.exe94⤵PID:1536
-
C:\Windows\SysWOW64\Hnojdcfi.exeC:\Windows\system32\Hnojdcfi.exe95⤵
- Modifies registry class
PID:832 -
C:\Windows\SysWOW64\Hckcmjep.exeC:\Windows\system32\Hckcmjep.exe96⤵PID:2356
-
C:\Windows\SysWOW64\Hiekid32.exeC:\Windows\system32\Hiekid32.exe97⤵PID:2880
-
C:\Windows\SysWOW64\Hlcgeo32.exeC:\Windows\system32\Hlcgeo32.exe98⤵PID:564
-
C:\Windows\SysWOW64\Hobcak32.exeC:\Windows\system32\Hobcak32.exe99⤵PID:1848
-
C:\Windows\SysWOW64\Hgilchkf.exeC:\Windows\system32\Hgilchkf.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:956 -
C:\Windows\SysWOW64\Hacmcfge.exeC:\Windows\system32\Hacmcfge.exe101⤵PID:292
-
C:\Windows\SysWOW64\Henidd32.exeC:\Windows\system32\Henidd32.exe102⤵
- Modifies registry class
PID:2844 -
C:\Windows\SysWOW64\Hjjddchg.exeC:\Windows\system32\Hjjddchg.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1508 -
C:\Windows\SysWOW64\Hogmmjfo.exeC:\Windows\system32\Hogmmjfo.exe104⤵PID:2792
-
C:\Windows\SysWOW64\Ieqeidnl.exeC:\Windows\system32\Ieqeidnl.exe105⤵PID:2504
-
C:\Windows\SysWOW64\Ihoafpmp.exeC:\Windows\system32\Ihoafpmp.exe106⤵PID:2516
-
C:\Windows\SysWOW64\Ilknfn32.exeC:\Windows\system32\Ilknfn32.exe107⤵PID:2408
-
C:\Windows\SysWOW64\Ioijbj32.exeC:\Windows\system32\Ioijbj32.exe108⤵
- Drops file in System32 directory
- Modifies registry class
PID:2640 -
C:\Windows\SysWOW64\Ifcbodli.exeC:\Windows\system32\Ifcbodli.exe109⤵PID:2280
-
C:\Windows\SysWOW64\Ikpjgkjq.exeC:\Windows\system32\Ikpjgkjq.exe110⤵PID:2020
-
C:\Windows\SysWOW64\Inngcfid.exeC:\Windows\system32\Inngcfid.exe111⤵PID:336
-
C:\Windows\SysWOW64\Iqmcpahh.exeC:\Windows\system32\Iqmcpahh.exe112⤵PID:1268
-
C:\Windows\SysWOW64\Iggkllpe.exeC:\Windows\system32\Iggkllpe.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:840 -
C:\Windows\SysWOW64\Ijeghgoh.exeC:\Windows\system32\Ijeghgoh.exe114⤵
- Drops file in System32 directory
PID:2116 -
C:\Windows\SysWOW64\Idklfpon.exeC:\Windows\system32\Idklfpon.exe115⤵PID:1284
-
C:\Windows\SysWOW64\Icmlam32.exeC:\Windows\system32\Icmlam32.exe116⤵PID:1696
-
C:\Windows\SysWOW64\Ijgdngmf.exeC:\Windows\system32\Ijgdngmf.exe117⤵PID:1664
-
C:\Windows\SysWOW64\Iqalka32.exeC:\Windows\system32\Iqalka32.exe118⤵PID:2156
-
C:\Windows\SysWOW64\Icpigm32.exeC:\Windows\system32\Icpigm32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2552 -
C:\Windows\SysWOW64\Igkdgk32.exeC:\Windows\system32\Igkdgk32.exe120⤵PID:2460
-
C:\Windows\SysWOW64\Jjjacf32.exeC:\Windows\system32\Jjjacf32.exe121⤵
- Drops file in System32 directory
PID:2736
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-