Analysis
-
max time kernel
142s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
05-05-2024 09:20
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a9cd81ca2fe9a8c3e8e05619eebad062_JaffaCakes118.exe
Resource
win7-20240220-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
a9cd81ca2fe9a8c3e8e05619eebad062_JaffaCakes118.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
a9cd81ca2fe9a8c3e8e05619eebad062_JaffaCakes118.exe
-
Size
727KB
-
MD5
a9cd81ca2fe9a8c3e8e05619eebad062
-
SHA1
c73b371222d7ac1c962d60b0dc0f186888638e16
-
SHA256
6033e0ce1fcb1d5d9400017e7b39a300f5a4872bab7233d9425b7dbd7e7d9a9d
-
SHA512
450b74a8e966daa7e8947b42ac0d72a88cdacaa9fe2c74db67e4ca13a5b9a8e24258820f8f0340d7eddfc224efdb7925da345abbd049623468657ecbed55b977
-
SSDEEP
12288:dk5turkWhbi5thyDf5turkWhbi5td2a5turkWhbi5thyDf5turkWhbi5t:dhkEUyD0kEDkEUyD0kE
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmmcjehm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjcpii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llfifq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkiogn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkiogn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpbheh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad a9cd81ca2fe9a8c3e8e05619eebad062_JaffaCakes118.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbllihbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apimacnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Behnnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlcgeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lckdanld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlkdkd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bocolb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmcoja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lojomkdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceaadk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cahail32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dglpbbbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecejkf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Moiklogi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Caknol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecqqpgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbgmbg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpgpkcpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adnopfoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Logbhl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgbhabjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dojald32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efaibbij.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oikojfgk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cldooj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cldooj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhbfdjdp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efcfga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncgdbmmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Namqci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejhlgaeh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcifgjgc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amfcikek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edkcojga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oikojfgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dccagcgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enhacojl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqijej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogblbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohfeog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enfenplo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffkcbgek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkkemh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjcpii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kifpdelo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldfgebbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcifgjgc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onjgiiad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Albjlcao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhndldcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmahdggc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pggbla32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckoilb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enhacojl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dliijipn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Namqci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onmdoioa.exe -
Executes dropped EXE 64 IoCs
pid Process 2840 Fmcoja32.exe 1404 Ffkcbgek.exe 2672 Facdeo32.exe 2928 Fbgmbg32.exe 2136 Gfefiemq.exe 2452 Gejcjbah.exe 2868 Ghkllmoi.exe 820 Gdamqndn.exe 816 Gkkemh32.exe 2412 Hcifgjgc.exe 2248 Hnojdcfi.exe 1952 Hlcgeo32.exe 1168 Hhjhkq32.exe 2384 Hcplhi32.exe 2088 Iaeiieeb.exe 1324 Ifcbodli.exe 1140 Ihdkao32.exe 2960 Igihbknb.exe 1580 Ijgdngmf.exe 1876 Iqalka32.exe 1792 Igkdgk32.exe 3036 Jnemdecl.exe 1516 Jqdipqbp.exe 1584 Jfqahgpg.exe 896 Jiondcpk.exe 2324 Jbgbni32.exe 2852 Jkpgfn32.exe 2652 Jcgogk32.exe 2712 Jkbcln32.exe 2776 Jbllihbf.exe 1704 Jkdpanhg.exe 2512 Jnclnihj.exe 2872 Kneicieh.exe 2372 Kaceodek.exe 2040 Kcbakpdo.exe 2424 Kmjfdejp.exe 2344 Kjnfniii.exe 2676 Knjbnh32.exe 448 Kmmcjehm.exe 1148 Kfegbj32.exe 1720 Kblhgk32.exe 1864 Kjcpii32.exe 2068 Kifpdelo.exe 108 Lckdanld.exe 2972 Lemaif32.exe 1616 Lmcijcbe.exe 960 Llfifq32.exe 1440 Lbqabkql.exe 3060 Leonofpp.exe 1508 Lliflp32.exe 2408 Lpdbloof.exe 2616 Logbhl32.exe 2588 Limfed32.exe 2708 Lkncmmle.exe 2572 Lojomkdn.exe 2600 Lecgje32.exe 1668 Ldfgebbe.exe 1768 Lollckbk.exe 2496 Ldidkbpb.exe 1976 Mkclhl32.exe 1960 Mmahdggc.exe 268 Mppepcfg.exe 2072 Mhgmapfi.exe 2628 Mihiih32.exe -
Loads dropped DLL 64 IoCs
pid Process 2732 a9cd81ca2fe9a8c3e8e05619eebad062_JaffaCakes118.exe 2732 a9cd81ca2fe9a8c3e8e05619eebad062_JaffaCakes118.exe 2840 Fmcoja32.exe 2840 Fmcoja32.exe 1404 Ffkcbgek.exe 1404 Ffkcbgek.exe 2672 Facdeo32.exe 2672 Facdeo32.exe 2928 Fbgmbg32.exe 2928 Fbgmbg32.exe 2136 Gfefiemq.exe 2136 Gfefiemq.exe 2452 Gejcjbah.exe 2452 Gejcjbah.exe 2868 Ghkllmoi.exe 2868 Ghkllmoi.exe 820 Gdamqndn.exe 820 Gdamqndn.exe 816 Gkkemh32.exe 816 Gkkemh32.exe 2412 Hcifgjgc.exe 2412 Hcifgjgc.exe 2248 Hnojdcfi.exe 2248 Hnojdcfi.exe 1952 Hlcgeo32.exe 1952 Hlcgeo32.exe 1168 Hhjhkq32.exe 1168 Hhjhkq32.exe 2384 Hcplhi32.exe 2384 Hcplhi32.exe 2088 Iaeiieeb.exe 2088 Iaeiieeb.exe 1324 Ifcbodli.exe 1324 Ifcbodli.exe 1140 Ihdkao32.exe 1140 Ihdkao32.exe 2960 Igihbknb.exe 2960 Igihbknb.exe 1580 Ijgdngmf.exe 1580 Ijgdngmf.exe 1876 Iqalka32.exe 1876 Iqalka32.exe 1792 Igkdgk32.exe 1792 Igkdgk32.exe 3036 Jnemdecl.exe 3036 Jnemdecl.exe 1516 Jqdipqbp.exe 1516 Jqdipqbp.exe 1584 Jfqahgpg.exe 1584 Jfqahgpg.exe 896 Jiondcpk.exe 896 Jiondcpk.exe 1448 Jjojofgn.exe 1448 Jjojofgn.exe 2852 Jkpgfn32.exe 2852 Jkpgfn32.exe 2652 Jcgogk32.exe 2652 Jcgogk32.exe 2712 Jkbcln32.exe 2712 Jkbcln32.exe 2776 Jbllihbf.exe 2776 Jbllihbf.exe 1704 Jkdpanhg.exe 1704 Jkdpanhg.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kfegbj32.exe Kmmcjehm.exe File created C:\Windows\SysWOW64\Mbpnanch.exe Maoajf32.exe File created C:\Windows\SysWOW64\Oddpfc32.exe Onjgiiad.exe File created C:\Windows\SysWOW64\Hlcgeo32.exe Hnojdcfi.exe File created C:\Windows\SysWOW64\Jcgogk32.exe Jkpgfn32.exe File opened for modification C:\Windows\SysWOW64\Lmcijcbe.exe Lemaif32.exe File created C:\Windows\SysWOW64\Fpebfbaj.dll Npdjje32.exe File created C:\Windows\SysWOW64\Cpkbdiqb.exe Cahail32.exe File created C:\Windows\SysWOW64\Akodpalp.dll Kjnfniii.exe File opened for modification C:\Windows\SysWOW64\Dhpiojfb.exe Djmicm32.exe File opened for modification C:\Windows\SysWOW64\Dhbfdjdp.exe Ddgjdk32.exe File created C:\Windows\SysWOW64\Oincig32.dll Mdpjlajk.exe File opened for modification C:\Windows\SysWOW64\Ngnbgplj.exe Npdjje32.exe File created C:\Windows\SysWOW64\Acmmle32.dll Aibajhdn.exe File created C:\Windows\SysWOW64\Cahqdihi.dll Aaaoij32.exe File opened for modification C:\Windows\SysWOW64\Bmmiij32.exe Bfcampgf.exe File created C:\Windows\SysWOW64\Jbllihbf.exe Jkbcln32.exe File created C:\Windows\SysWOW64\Hgeegb32.dll Ldidkbpb.exe File opened for modification C:\Windows\SysWOW64\Ohibdf32.exe Obojhlbq.exe File opened for modification C:\Windows\SysWOW64\Pnjdhmdo.exe Pogclp32.exe File created C:\Windows\SysWOW64\Edekcace.dll Dojald32.exe File created C:\Windows\SysWOW64\Fmcoja32.exe a9cd81ca2fe9a8c3e8e05619eebad062_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\Jbgbni32.exe Jiondcpk.exe File created C:\Windows\SysWOW64\Ngpolo32.exe Ndbcpd32.exe File created C:\Windows\SysWOW64\Ejhlgaeh.exe Ejhlgaeh.exe File created C:\Windows\SysWOW64\Dhcebp32.dll Igkdgk32.exe File opened for modification C:\Windows\SysWOW64\Obcccl32.exe Omfkke32.exe File opened for modification C:\Windows\SysWOW64\Dglpkenb.dll Ckccgane.exe File opened for modification C:\Windows\SysWOW64\Ccngld32.exe Cppkph32.exe File opened for modification C:\Windows\SysWOW64\Cpkbdiqb.exe Cahail32.exe File opened for modification C:\Windows\SysWOW64\Hcplhi32.exe Hhjhkq32.exe File opened for modification C:\Windows\SysWOW64\Jnemdecl.exe Igkdgk32.exe File created C:\Windows\SysWOW64\Ijqnib32.dll Lollckbk.exe File created C:\Windows\SysWOW64\Mihiih32.exe Mhgmapfi.exe File opened for modification C:\Windows\SysWOW64\Albjlcao.exe Aehboi32.exe File created C:\Windows\SysWOW64\Bjlqhoba.exe Bhndldcn.exe File created C:\Windows\SysWOW64\Pmbdhi32.dll Bpleef32.exe File created C:\Windows\SysWOW64\Facdeo32.exe Ffkcbgek.exe File created C:\Windows\SysWOW64\Ihdkao32.exe Ifcbodli.exe File created C:\Windows\SysWOW64\Mbcjffka.dll Mhgmapfi.exe File created C:\Windows\SysWOW64\Qjjgclai.exe Qcpofbjl.exe File created C:\Windows\SysWOW64\Cbcodmih.dll Dhdcji32.exe File created C:\Windows\SysWOW64\Ejmmiihp.dll Ckoilb32.exe File opened for modification C:\Windows\SysWOW64\Doehqead.exe Dpbheh32.exe File opened for modification C:\Windows\SysWOW64\Endhhp32.exe Ejhlgaeh.exe File created C:\Windows\SysWOW64\Knjbnh32.exe Kjnfniii.exe File opened for modification C:\Windows\SysWOW64\Ndmjedoi.exe Nlbeqb32.exe File created C:\Windows\SysWOW64\Dfffnn32.exe Dfffnn32.exe File opened for modification C:\Windows\SysWOW64\Fmcoja32.exe a9cd81ca2fe9a8c3e8e05619eebad062_JaffaCakes118.exe File created C:\Windows\SysWOW64\Bgmefakc.dll Omfkke32.exe File created C:\Windows\SysWOW64\Bocolb32.exe Bldcpf32.exe File opened for modification C:\Windows\SysWOW64\Blgpef32.exe Biicik32.exe File created C:\Windows\SysWOW64\Opfdll32.dll Chbjffad.exe File opened for modification C:\Windows\SysWOW64\Ednpej32.exe Ebodiofk.exe File created C:\Windows\SysWOW64\Jqdipqbp.exe Jnemdecl.exe File opened for modification C:\Windows\SysWOW64\Jcgogk32.exe Jkpgfn32.exe File created C:\Windows\SysWOW64\Chgdod32.dll Jkpgfn32.exe File opened for modification C:\Windows\SysWOW64\Limfed32.exe Logbhl32.exe File created C:\Windows\SysWOW64\Pmdjdh32.exe Pjenhm32.exe File opened for modification C:\Windows\SysWOW64\Ckccgane.exe Cclkfdnc.exe File created C:\Windows\SysWOW64\Endhhp32.exe Ejhlgaeh.exe File created C:\Windows\SysWOW64\Gmibbifn.dll Hcplhi32.exe File created C:\Windows\SysWOW64\Cekkkkhe.dll Knjbnh32.exe File created C:\Windows\SysWOW64\Mpioaoic.dll Qjjgclai.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3816 3784 WerFault.exe 258 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cekkkkhe.dll" Knjbnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgqcmlgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mijgof32.dll" Ohibdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amfcikek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hokokc32.dll" Bjlqhoba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljefkdjq.dll" Kfegbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alpmfdcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhnmij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dojald32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqljpedj.dll" Jnclnihj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gemaaoaf.dll" Kcbakpdo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Naajoinb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iooklook.dll" Aoepcn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bocolb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nefpnhlc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okgnab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giaekk32.dll" Bmmiij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cklmgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ednpej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpnbkeld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahoanjcc.dll" Eqijej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qabcjgkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpbbfi32.dll" Ebodiofk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Logbhl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhgmapfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlnbeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eibbcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igihbknb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohfeog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbllihbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkdpanhg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmahdggc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddgjdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iqalka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmcijcbe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpdbloof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kifpdelo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lojomkdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lecgje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oacima32.dll" Mihiih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlmlecec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npdjje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnhkcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcoich32.dll" Nnhkcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccahbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddigjkid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlfgbn32.dll" Ihdkao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldfgebbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgoboqcm.dll" Ngpolo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obojhlbq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oikojfgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfkjnkib.dll" Pggbla32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Albjlcao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlhfbqi.dll" Bldcpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejmmiihp.dll" Ckoilb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhpiojfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfekgp32.dll" Facdeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmjfdejp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfegbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbiaej32.dll" Bmkmdk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ceodnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchafg32.dll" Dliijipn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffkcbgek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jqdipqbp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2732 wrote to memory of 2840 2732 a9cd81ca2fe9a8c3e8e05619eebad062_JaffaCakes118.exe 28 PID 2732 wrote to memory of 2840 2732 a9cd81ca2fe9a8c3e8e05619eebad062_JaffaCakes118.exe 28 PID 2732 wrote to memory of 2840 2732 a9cd81ca2fe9a8c3e8e05619eebad062_JaffaCakes118.exe 28 PID 2732 wrote to memory of 2840 2732 a9cd81ca2fe9a8c3e8e05619eebad062_JaffaCakes118.exe 28 PID 2840 wrote to memory of 1404 2840 Fmcoja32.exe 29 PID 2840 wrote to memory of 1404 2840 Fmcoja32.exe 29 PID 2840 wrote to memory of 1404 2840 Fmcoja32.exe 29 PID 2840 wrote to memory of 1404 2840 Fmcoja32.exe 29 PID 1404 wrote to memory of 2672 1404 Ffkcbgek.exe 30 PID 1404 wrote to memory of 2672 1404 Ffkcbgek.exe 30 PID 1404 wrote to memory of 2672 1404 Ffkcbgek.exe 30 PID 1404 wrote to memory of 2672 1404 Ffkcbgek.exe 30 PID 2672 wrote to memory of 2928 2672 Facdeo32.exe 31 PID 2672 wrote to memory of 2928 2672 Facdeo32.exe 31 PID 2672 wrote to memory of 2928 2672 Facdeo32.exe 31 PID 2672 wrote to memory of 2928 2672 Facdeo32.exe 31 PID 2928 wrote to memory of 2136 2928 Fbgmbg32.exe 32 PID 2928 wrote to memory of 2136 2928 Fbgmbg32.exe 32 PID 2928 wrote to memory of 2136 2928 Fbgmbg32.exe 32 PID 2928 wrote to memory of 2136 2928 Fbgmbg32.exe 32 PID 2136 wrote to memory of 2452 2136 Gfefiemq.exe 33 PID 2136 wrote to memory of 2452 2136 Gfefiemq.exe 33 PID 2136 wrote to memory of 2452 2136 Gfefiemq.exe 33 PID 2136 wrote to memory of 2452 2136 Gfefiemq.exe 33 PID 2452 wrote to memory of 2868 2452 Gejcjbah.exe 34 PID 2452 wrote to memory of 2868 2452 Gejcjbah.exe 34 PID 2452 wrote to memory of 2868 2452 Gejcjbah.exe 34 PID 2452 wrote to memory of 2868 2452 Gejcjbah.exe 34 PID 2868 wrote to memory of 820 2868 Ghkllmoi.exe 35 PID 2868 wrote to memory of 820 2868 Ghkllmoi.exe 35 PID 2868 wrote to memory of 820 2868 Ghkllmoi.exe 35 PID 2868 wrote to memory of 820 2868 Ghkllmoi.exe 35 PID 820 wrote to memory of 816 820 Gdamqndn.exe 36 PID 820 wrote to memory of 816 820 Gdamqndn.exe 36 PID 820 wrote to memory of 816 820 Gdamqndn.exe 36 PID 820 wrote to memory of 816 820 Gdamqndn.exe 36 PID 816 wrote to memory of 2412 816 Gkkemh32.exe 37 PID 816 wrote to memory of 2412 816 Gkkemh32.exe 37 PID 816 wrote to memory of 2412 816 Gkkemh32.exe 37 PID 816 wrote to memory of 2412 816 Gkkemh32.exe 37 PID 2412 wrote to memory of 2248 2412 Hcifgjgc.exe 38 PID 2412 wrote to memory of 2248 2412 Hcifgjgc.exe 38 PID 2412 wrote to memory of 2248 2412 Hcifgjgc.exe 38 PID 2412 wrote to memory of 2248 2412 Hcifgjgc.exe 38 PID 2248 wrote to memory of 1952 2248 Hnojdcfi.exe 39 PID 2248 wrote to memory of 1952 2248 Hnojdcfi.exe 39 PID 2248 wrote to memory of 1952 2248 Hnojdcfi.exe 39 PID 2248 wrote to memory of 1952 2248 Hnojdcfi.exe 39 PID 1952 wrote to memory of 1168 1952 Hlcgeo32.exe 40 PID 1952 wrote to memory of 1168 1952 Hlcgeo32.exe 40 PID 1952 wrote to memory of 1168 1952 Hlcgeo32.exe 40 PID 1952 wrote to memory of 1168 1952 Hlcgeo32.exe 40 PID 1168 wrote to memory of 2384 1168 Hhjhkq32.exe 41 PID 1168 wrote to memory of 2384 1168 Hhjhkq32.exe 41 PID 1168 wrote to memory of 2384 1168 Hhjhkq32.exe 41 PID 1168 wrote to memory of 2384 1168 Hhjhkq32.exe 41 PID 2384 wrote to memory of 2088 2384 Hcplhi32.exe 42 PID 2384 wrote to memory of 2088 2384 Hcplhi32.exe 42 PID 2384 wrote to memory of 2088 2384 Hcplhi32.exe 42 PID 2384 wrote to memory of 2088 2384 Hcplhi32.exe 42 PID 2088 wrote to memory of 1324 2088 Iaeiieeb.exe 43 PID 2088 wrote to memory of 1324 2088 Iaeiieeb.exe 43 PID 2088 wrote to memory of 1324 2088 Iaeiieeb.exe 43 PID 2088 wrote to memory of 1324 2088 Iaeiieeb.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\a9cd81ca2fe9a8c3e8e05619eebad062_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a9cd81ca2fe9a8c3e8e05619eebad062_JaffaCakes118.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Fmcoja32.exeC:\Windows\system32\Fmcoja32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Ffkcbgek.exeC:\Windows\system32\Ffkcbgek.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1404 -
C:\Windows\SysWOW64\Facdeo32.exeC:\Windows\system32\Facdeo32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Fbgmbg32.exeC:\Windows\system32\Fbgmbg32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Gfefiemq.exeC:\Windows\system32\Gfefiemq.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\Gejcjbah.exeC:\Windows\system32\Gejcjbah.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\Ghkllmoi.exeC:\Windows\system32\Ghkllmoi.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Gdamqndn.exeC:\Windows\system32\Gdamqndn.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:820 -
C:\Windows\SysWOW64\Gkkemh32.exeC:\Windows\system32\Gkkemh32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:816 -
C:\Windows\SysWOW64\Hcifgjgc.exeC:\Windows\system32\Hcifgjgc.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Hnojdcfi.exeC:\Windows\system32\Hnojdcfi.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Hlcgeo32.exeC:\Windows\system32\Hlcgeo32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\SysWOW64\Hhjhkq32.exeC:\Windows\system32\Hhjhkq32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1168 -
C:\Windows\SysWOW64\Hcplhi32.exeC:\Windows\system32\Hcplhi32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Iaeiieeb.exeC:\Windows\system32\Iaeiieeb.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Ifcbodli.exeC:\Windows\system32\Ifcbodli.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1324 -
C:\Windows\SysWOW64\Ihdkao32.exeC:\Windows\system32\Ihdkao32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1140 -
C:\Windows\SysWOW64\Igihbknb.exeC:\Windows\system32\Igihbknb.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2960 -
C:\Windows\SysWOW64\Ijgdngmf.exeC:\Windows\system32\Ijgdngmf.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1580 -
C:\Windows\SysWOW64\Iqalka32.exeC:\Windows\system32\Iqalka32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1876 -
C:\Windows\SysWOW64\Igkdgk32.exeC:\Windows\system32\Igkdgk32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1792 -
C:\Windows\SysWOW64\Jnemdecl.exeC:\Windows\system32\Jnemdecl.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3036 -
C:\Windows\SysWOW64\Jqdipqbp.exeC:\Windows\system32\Jqdipqbp.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1516 -
C:\Windows\SysWOW64\Jfqahgpg.exeC:\Windows\system32\Jfqahgpg.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1584 -
C:\Windows\SysWOW64\Jiondcpk.exeC:\Windows\system32\Jiondcpk.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:896 -
C:\Windows\SysWOW64\Jbgbni32.exeC:\Windows\system32\Jbgbni32.exe27⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Jjojofgn.exeC:\Windows\system32\Jjojofgn.exe28⤵
- Loads dropped DLL
PID:1448 -
C:\Windows\SysWOW64\Jkpgfn32.exeC:\Windows\system32\Jkpgfn32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2852 -
C:\Windows\SysWOW64\Jcgogk32.exeC:\Windows\system32\Jcgogk32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2652 -
C:\Windows\SysWOW64\Jkbcln32.exeC:\Windows\system32\Jkbcln32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2712 -
C:\Windows\SysWOW64\Jbllihbf.exeC:\Windows\system32\Jbllihbf.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2776 -
C:\Windows\SysWOW64\Jkdpanhg.exeC:\Windows\system32\Jkdpanhg.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1704 -
C:\Windows\SysWOW64\Jnclnihj.exeC:\Windows\system32\Jnclnihj.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2512 -
C:\Windows\SysWOW64\Kneicieh.exeC:\Windows\system32\Kneicieh.exe35⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Kaceodek.exeC:\Windows\system32\Kaceodek.exe36⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Kcbakpdo.exeC:\Windows\system32\Kcbakpdo.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:2040 -
C:\Windows\SysWOW64\Kmjfdejp.exeC:\Windows\system32\Kmjfdejp.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:2424 -
C:\Windows\SysWOW64\Kjnfniii.exeC:\Windows\system32\Kjnfniii.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2344 -
C:\Windows\SysWOW64\Knjbnh32.exeC:\Windows\system32\Knjbnh32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2676 -
C:\Windows\SysWOW64\Kmmcjehm.exeC:\Windows\system32\Kmmcjehm.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:448 -
C:\Windows\SysWOW64\Kfegbj32.exeC:\Windows\system32\Kfegbj32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1148 -
C:\Windows\SysWOW64\Kblhgk32.exeC:\Windows\system32\Kblhgk32.exe43⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Kjcpii32.exeC:\Windows\system32\Kjcpii32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Kifpdelo.exeC:\Windows\system32\Kifpdelo.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2068 -
C:\Windows\SysWOW64\Lckdanld.exeC:\Windows\system32\Lckdanld.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:108 -
C:\Windows\SysWOW64\Lemaif32.exeC:\Windows\system32\Lemaif32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2972 -
C:\Windows\SysWOW64\Lmcijcbe.exeC:\Windows\system32\Lmcijcbe.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:1616 -
C:\Windows\SysWOW64\Llfifq32.exeC:\Windows\system32\Llfifq32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:960 -
C:\Windows\SysWOW64\Lbqabkql.exeC:\Windows\system32\Lbqabkql.exe50⤵
- Executes dropped EXE
PID:1440 -
C:\Windows\SysWOW64\Leonofpp.exeC:\Windows\system32\Leonofpp.exe51⤵
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Lliflp32.exeC:\Windows\system32\Lliflp32.exe52⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Lpdbloof.exeC:\Windows\system32\Lpdbloof.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2408 -
C:\Windows\SysWOW64\Logbhl32.exeC:\Windows\system32\Logbhl32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2616 -
C:\Windows\SysWOW64\Limfed32.exeC:\Windows\system32\Limfed32.exe55⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Lkncmmle.exeC:\Windows\system32\Lkncmmle.exe56⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Lojomkdn.exeC:\Windows\system32\Lojomkdn.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2572 -
C:\Windows\SysWOW64\Lecgje32.exeC:\Windows\system32\Lecgje32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2600 -
C:\Windows\SysWOW64\Ldfgebbe.exeC:\Windows\system32\Ldfgebbe.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1668 -
C:\Windows\SysWOW64\Lollckbk.exeC:\Windows\system32\Lollckbk.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1768 -
C:\Windows\SysWOW64\Ldidkbpb.exeC:\Windows\system32\Ldidkbpb.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2496 -
C:\Windows\SysWOW64\Mkclhl32.exeC:\Windows\system32\Mkclhl32.exe62⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Mmahdggc.exeC:\Windows\system32\Mmahdggc.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1960 -
C:\Windows\SysWOW64\Mppepcfg.exeC:\Windows\system32\Mppepcfg.exe64⤵
- Executes dropped EXE
PID:268 -
C:\Windows\SysWOW64\Mhgmapfi.exeC:\Windows\system32\Mhgmapfi.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2072 -
C:\Windows\SysWOW64\Mihiih32.exeC:\Windows\system32\Mihiih32.exe66⤵
- Executes dropped EXE
- Modifies registry class
PID:2628 -
C:\Windows\SysWOW64\Maoajf32.exeC:\Windows\system32\Maoajf32.exe67⤵
- Drops file in System32 directory
PID:644 -
C:\Windows\SysWOW64\Mbpnanch.exeC:\Windows\system32\Mbpnanch.exe68⤵PID:3052
-
C:\Windows\SysWOW64\Mkgfckcj.exeC:\Windows\system32\Mkgfckcj.exe69⤵PID:1368
-
C:\Windows\SysWOW64\Mpdnkb32.exeC:\Windows\system32\Mpdnkb32.exe70⤵PID:1936
-
C:\Windows\SysWOW64\Mdpjlajk.exeC:\Windows\system32\Mdpjlajk.exe71⤵
- Drops file in System32 directory
PID:1336 -
C:\Windows\SysWOW64\Mimbdhhb.exeC:\Windows\system32\Mimbdhhb.exe72⤵PID:2160
-
C:\Windows\SysWOW64\Moiklogi.exeC:\Windows\system32\Moiklogi.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2896 -
C:\Windows\SysWOW64\Mgqcmlgl.exeC:\Windows\system32\Mgqcmlgl.exe74⤵
- Modifies registry class
PID:360 -
C:\Windows\SysWOW64\Mlmlecec.exeC:\Windows\system32\Mlmlecec.exe75⤵
- Modifies registry class
PID:2544 -
C:\Windows\SysWOW64\Ncgdbmmp.exeC:\Windows\system32\Ncgdbmmp.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2780 -
C:\Windows\SysWOW64\Nefpnhlc.exeC:\Windows\system32\Nefpnhlc.exe77⤵
- Modifies registry class
PID:2724 -
C:\Windows\SysWOW64\Nondgn32.exeC:\Windows\system32\Nondgn32.exe78⤵PID:2272
-
C:\Windows\SysWOW64\Namqci32.exeC:\Windows\system32\Namqci32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1980 -
C:\Windows\SysWOW64\Nhfipcid.exeC:\Windows\system32\Nhfipcid.exe80⤵PID:2012
-
C:\Windows\SysWOW64\Nlbeqb32.exeC:\Windows\system32\Nlbeqb32.exe81⤵
- Drops file in System32 directory
PID:2028 -
C:\Windows\SysWOW64\Ndmjedoi.exeC:\Windows\system32\Ndmjedoi.exe82⤵PID:336
-
C:\Windows\SysWOW64\Nglfapnl.exeC:\Windows\system32\Nglfapnl.exe83⤵PID:1264
-
C:\Windows\SysWOW64\Nocnbmoo.exeC:\Windows\system32\Nocnbmoo.exe84⤵PID:3048
-
C:\Windows\SysWOW64\Naajoinb.exeC:\Windows\system32\Naajoinb.exe85⤵
- Modifies registry class
PID:2224 -
C:\Windows\SysWOW64\Npdjje32.exeC:\Windows\system32\Npdjje32.exe86⤵
- Drops file in System32 directory
- Modifies registry class
PID:1808 -
C:\Windows\SysWOW64\Ngnbgplj.exeC:\Windows\system32\Ngnbgplj.exe87⤵PID:1756
-
C:\Windows\SysWOW64\Nkiogn32.exeC:\Windows\system32\Nkiogn32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2740 -
C:\Windows\SysWOW64\Nnhkcj32.exeC:\Windows\system32\Nnhkcj32.exe89⤵
- Modifies registry class
PID:2648 -
C:\Windows\SysWOW64\Npfgpe32.exeC:\Windows\system32\Npfgpe32.exe90⤵PID:2820
-
C:\Windows\SysWOW64\Ndbcpd32.exeC:\Windows\system32\Ndbcpd32.exe91⤵
- Drops file in System32 directory
PID:2180 -
C:\Windows\SysWOW64\Ngpolo32.exeC:\Windows\system32\Ngpolo32.exe92⤵
- Modifies registry class
PID:768 -
C:\Windows\SysWOW64\Onjgiiad.exeC:\Windows\system32\Onjgiiad.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1256 -
C:\Windows\SysWOW64\Oddpfc32.exeC:\Windows\system32\Oddpfc32.exe94⤵PID:1136
-
C:\Windows\SysWOW64\Ogblbo32.exeC:\Windows\system32\Ogblbo32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2420 -
C:\Windows\SysWOW64\Onmdoioa.exeC:\Windows\system32\Onmdoioa.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1776 -
C:\Windows\SysWOW64\Ocimgp32.exeC:\Windows\system32\Ocimgp32.exe97⤵PID:712
-
C:\Windows\SysWOW64\Ogeigofa.exeC:\Windows\system32\Ogeigofa.exe98⤵PID:1904
-
C:\Windows\SysWOW64\Ofhick32.exeC:\Windows\system32\Ofhick32.exe99⤵PID:1820
-
C:\Windows\SysWOW64\Ohfeog32.exeC:\Windows\system32\Ohfeog32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1736 -
C:\Windows\SysWOW64\Oclilp32.exeC:\Windows\system32\Oclilp32.exe101⤵PID:872
-
C:\Windows\SysWOW64\Obojhlbq.exeC:\Windows\system32\Obojhlbq.exe102⤵
- Drops file in System32 directory
- Modifies registry class
PID:1724 -
C:\Windows\SysWOW64\Ohibdf32.exeC:\Windows\system32\Ohibdf32.exe103⤵
- Modifies registry class
PID:2920 -
C:\Windows\SysWOW64\Omdneebf.exeC:\Windows\system32\Omdneebf.exe104⤵PID:2716
-
C:\Windows\SysWOW64\Okgnab32.exeC:\Windows\system32\Okgnab32.exe105⤵
- Modifies registry class
PID:2856 -
C:\Windows\SysWOW64\Ofmbnkhg.exeC:\Windows\system32\Ofmbnkhg.exe106⤵PID:2240
-
C:\Windows\SysWOW64\Oikojfgk.exeC:\Windows\system32\Oikojfgk.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2268 -
C:\Windows\SysWOW64\Omfkke32.exeC:\Windows\system32\Omfkke32.exe108⤵
- Drops file in System32 directory
PID:2348 -
C:\Windows\SysWOW64\Obcccl32.exeC:\Windows\system32\Obcccl32.exe109⤵PID:2004
-
C:\Windows\SysWOW64\Pfoocjfd.exeC:\Windows\system32\Pfoocjfd.exe110⤵PID:2796
-
C:\Windows\SysWOW64\Pklhlael.exeC:\Windows\system32\Pklhlael.exe111⤵PID:2800
-
C:\Windows\SysWOW64\Pogclp32.exeC:\Windows\system32\Pogclp32.exe112⤵
- Drops file in System32 directory
PID:1676 -
C:\Windows\SysWOW64\Pnjdhmdo.exeC:\Windows\system32\Pnjdhmdo.exe113⤵PID:1244
-
C:\Windows\SysWOW64\Pbfpik32.exeC:\Windows\system32\Pbfpik32.exe114⤵PID:3000
-
C:\Windows\SysWOW64\Pgbhabjp.exeC:\Windows\system32\Pgbhabjp.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1492 -
C:\Windows\SysWOW64\Pnlqnl32.exeC:\Windows\system32\Pnlqnl32.exe116⤵PID:2576
-
C:\Windows\SysWOW64\Pbhmnkjf.exeC:\Windows\system32\Pbhmnkjf.exe117⤵PID:2464
-
C:\Windows\SysWOW64\Pqkmjh32.exeC:\Windows\system32\Pqkmjh32.exe118⤵PID:2468
-
C:\Windows\SysWOW64\Pkpagq32.exeC:\Windows\system32\Pkpagq32.exe119⤵PID:2864
-
C:\Windows\SysWOW64\Pmanoifd.exeC:\Windows\system32\Pmanoifd.exe120⤵PID:312
-
C:\Windows\SysWOW64\Pggbla32.exeC:\Windows\system32\Pggbla32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2492
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-