Analysis
max time kernel: 147s
max time network: 120s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 05/05/2024, 09:25
Static task: static1
- 1 signatures
Behavioral task: behavioral1
- Sample: bdf698f665e97cc0b6c617c54f54a5b6_JaffaCakes118.exe
- Resource: win7-20240221-en
- 7 signatures
- 150 seconds
Behavioral task: behavioral2
- Sample: bdf698f665e97cc0b6c617c54f54a5b6_JaffaCakes118.exe
- Resource: win10v2004-20240419-en
- 6 signatures
- 150 seconds
General
Target: bdf698f665e97cc0b6c617c54f54a5b6_JaffaCakes118.exe
Size: 323KB
MD5: bdf698f665e97cc0b6c617c54f54a5b6
SHA1: cd448589622b9357d559f476cc17d6fdcefb2b7c
SHA256: d1f92cc0ec1f658c66ebeed78a00a1a7a639c7a07bae575b62a22ec13e78ae46
SHA512: 908c173b21cb664907871821b67f2e5cafcb6784b61adc5a353b97e4e0841a817a1c1ed4b6d995b383f67e8734687522a29b585351bf7296c56a189e0f3c790a
SSDEEP: 6144:/eoOqlljd3rKzwN8Jlljd3njPX9ZAk3fs:GojjpKXjtjP9Zt0
Score: 10/10
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Amkpegnj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pgeefbhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cklmgb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ekhhadmk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cpeofk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kmopod32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hkpnhgge.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jqdipqbp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mbpnanch.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nlbeqb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cdakgibq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Djnpnc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Icmlam32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lbeknj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pimkpfeh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aadloj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Magnek32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ppamme32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dcfdgiid.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Amkpegnj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Njlockkm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bbdocc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Namqci32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ngnbgplj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bpleef32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Piehkkcl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Emhlfmgj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Djklnnaj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dmafennb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pqhpdhcc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Peiepfgg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Chbjffad.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nnbhek32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mcegmm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nondgn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gbkgnfbd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ghoegl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nmjblg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dhjgal32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Claifkkf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eeqdep32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Keanebkb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pciifc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qpgpkcpp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dookgcij.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mdcnlglc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nlgefh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ejbfhfaj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ilknfn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Icpigm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kcdnao32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kgbggnhc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Alpmfdcb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Amndem32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Alenki32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Amndem32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ajbdna32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ghoegl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ocgpappk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dglpbbbg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Migpeiag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ncjgbcoi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dmafennb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ikpjgkjq.exe
Executes dropped EXE (64 IoCs)
pid | Process
2304 | Lfmdnp32.exe
2128 | Lodlom32.exe
2608 | Lmiipi32.exe
2080 | Lganiohl.exe
2828 | Llnfaffc.exe
2472 | Lgdjnofi.exe
2248 | Lplogdmj.exe
2924 | Mcjkcplm.exe
556 | Mcmhiojk.exe
1936 | Migpeiag.exe
1624 | Mabejlob.exe
2696 | Mlgigdoh.exe
2796 | Mdcnlglc.exe
1712 | Magnek32.exe
1040 | Nnnojlpa.exe
1872 | Ncjgbcoi.exe
472 | Npnhlg32.exe
2404 | Ncmdhb32.exe
1360 | Nnbhek32.exe
620 | Nleiqhcg.exe
1748 | Ngkmnacm.exe
708 | Nfmmin32.exe
1772 | Nlgefh32.exe
2312 | Nofabc32.exe
1804 | Njkfpl32.exe
1580 | Nmjblg32.exe
2548 | Nkmbgdfl.exe
2664 | Ofbfdmeb.exe
2112 | Okoomd32.exe
2600 | Onmkio32.exe
2624 | Ogfpbeim.exe
2496 | Oomhcbjp.exe
2500 | Oqndkj32.exe
1996 | Okchhc32.exe
1336 | Ojficpfn.exe
1208 | Obnqem32.exe
1932 | Ojieip32.exe
2440 | Oqcnfjli.exe
2804 | Oqcnfjli.exe
2436 | Ocajbekl.exe
2356 | Ofpfnqjp.exe
796 | Paejki32.exe
1504 | Pccfge32.exe
1832 | Pjmodopf.exe
2264 | Ppjglfon.exe
2340 | Pbiciana.exe
1244 | Pfdpip32.exe
3060 | Piblek32.exe
1308 | Ppmdbe32.exe
988 | Pchpbded.exe
2992 | Pfflopdh.exe
2292 | Piehkkcl.exe
2656 | Plcdgfbo.exe
3036 | Pnbacbac.exe
2592 | Pbmmcq32.exe
2024 | Pelipl32.exe
2452 | Phjelg32.exe
2948 | Ppamme32.exe
2832 | Pbpjiphi.exe
1568 | Qhmbagfa.exe
1444 | Qjknnbed.exe
2688 | Qbbfopeg.exe
2772 | Qaefjm32.exe
584 | Qhooggdn.exe
Loads dropped DLL (64 IoCs)
pid | Process
2928 | bdf698f665e97cc0b6c617c54f54a5b6_JaffaCakes118.exe
2928 | bdf698f665e97cc0b6c617c54f54a5b6_JaffaCakes118.exe
2304 | Lfmdnp32.exe
2304 | Lfmdnp32.exe
2128 | Lodlom32.exe
2128 | Lodlom32.exe
2608 | Lmiipi32.exe
2608 | Lmiipi32.exe
2080 | Lganiohl.exe
2080 | Lganiohl.exe
2828 | Llnfaffc.exe
2828 | Llnfaffc.exe
2472 | Lgdjnofi.exe
2472 | Lgdjnofi.exe
2248 | Lplogdmj.exe
2248 | Lplogdmj.exe
2924 | Mcjkcplm.exe
2924 | Mcjkcplm.exe
556 | Mcmhiojk.exe
556 | Mcmhiojk.exe
1936 | Migpeiag.exe
1936 | Migpeiag.exe
1624 | Mabejlob.exe
1624 | Mabejlob.exe
2696 | Mlgigdoh.exe
2696 | Mlgigdoh.exe
2796 | Mdcnlglc.exe
2796 | Mdcnlglc.exe
1712 | Magnek32.exe
1712 | Magnek32.exe
1040 | Nnnojlpa.exe
1040 | Nnnojlpa.exe
1872 | Ncjgbcoi.exe
1872 | Ncjgbcoi.exe
472 | Npnhlg32.exe
472 | Npnhlg32.exe
2404 | Ncmdhb32.exe
2404 | Ncmdhb32.exe
1360 | Nnbhek32.exe
1360 | Nnbhek32.exe
620 | Nleiqhcg.exe
620 | Nleiqhcg.exe
1748 | Ngkmnacm.exe
1748 | Ngkmnacm.exe
708 | Nfmmin32.exe
708 | Nfmmin32.exe
1772 | Nlgefh32.exe
1772 | Nlgefh32.exe
2312 | Nofabc32.exe
2312 | Nofabc32.exe
1804 | Njkfpl32.exe
1804 | Njkfpl32.exe
1580 | Nmjblg32.exe
1580 | Nmjblg32.exe
2548 | Nkmbgdfl.exe
2548 | Nkmbgdfl.exe
2664 | Ofbfdmeb.exe
2664 | Ofbfdmeb.exe
2112 | Okoomd32.exe
2112 | Okoomd32.exe
2600 | Onmkio32.exe
2600 | Onmkio32.exe
2624 | Ogfpbeim.exe
2624 | Ogfpbeim.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Mggpgmof.exe | Mhdplq32.exe
File created | C:\Windows\SysWOW64\Nefpnhlc.exe | Ncgdbmmp.exe
File created | C:\Windows\SysWOW64\Dinhacjp.dll | Eqbddk32.exe
File opened for modification | C:\Windows\SysWOW64\Gopkmhjk.exe | Glaoalkh.exe
File opened for modification | C:\Windows\SysWOW64\Jifdebic.exe | Jfghif32.exe
File created | C:\Windows\SysWOW64\Jlbjhf32.dll | Llkbap32.exe
File created | C:\Windows\SysWOW64\Mhdplq32.exe | Lefdpe32.exe
File created | C:\Windows\SysWOW64\Qbelgood.exe | Qpgpkcpp.exe
File created | C:\Windows\SysWOW64\Dgfjbgmh.exe | Doobajme.exe
File created | C:\Windows\SysWOW64\Ocjcidbb.dll | Gfefiemq.exe
File created | C:\Windows\SysWOW64\Bhkdeggl.exe | Bemgilhh.exe
File opened for modification | C:\Windows\SysWOW64\Ocimgp32.exe | Olpdjf32.exe
File opened for modification | C:\Windows\SysWOW64\Aoepcn32.exe | Ajjcbpdd.exe
File created | C:\Windows\SysWOW64\Cjfccn32.exe | Ckccgane.exe
File created | C:\Windows\SysWOW64\Bagpopmj.exe | Bbdocc32.exe
File created | C:\Windows\SysWOW64\Dhjgal32.exe | Dbpodagk.exe
File created | C:\Windows\SysWOW64\Nokeef32.dll | Hlcgeo32.exe
File opened for modification | C:\Windows\SysWOW64\Edkcojga.exe | Eqpgol32.exe
File created | C:\Windows\SysWOW64\Ppjglfon.exe | Pjmodopf.exe
File opened for modification | C:\Windows\SysWOW64\Icbimi32.exe | Hogmmjfo.exe
File created | C:\Windows\SysWOW64\Mpigfa32.exe | Mhbped32.exe
File created | C:\Windows\SysWOW64\Idnhde32.dll | Pikkiijf.exe
File opened for modification | C:\Windows\SysWOW64\Oqcnfjli.exe | Ojieip32.exe
File created | C:\Windows\SysWOW64\Fjgoce32.exe | Fcmgfkeg.exe
File opened for modification | C:\Windows\SysWOW64\Iokfhi32.exe | Ikpjgkjq.exe
File created | C:\Windows\SysWOW64\Fbbecd32.dll | Npdjje32.exe
File opened for modification | C:\Windows\SysWOW64\Pgplkb32.exe | Pimkpfeh.exe
File created | C:\Windows\SysWOW64\Gdcbnc32.dll | Ocajbekl.exe
File opened for modification | C:\Windows\SysWOW64\Endhhp32.exe | Ejhlgaeh.exe
File created | C:\Windows\SysWOW64\Bhndldcn.exe | Aadloj32.exe
File opened for modification | C:\Windows\SysWOW64\Facdeo32.exe | Filldb32.exe
File created | C:\Windows\SysWOW64\Pffgja32.dll | Hgdbhi32.exe
File created | C:\Windows\SysWOW64\Mijfnh32.exe | Mgljbm32.exe
File opened for modification | C:\Windows\SysWOW64\Qljkhe32.exe | Qhooggdn.exe
File created | C:\Windows\SysWOW64\Eflgccbp.exe | Ebpkce32.exe
File opened for modification | C:\Windows\SysWOW64\Dfamcogo.exe | Dogefd32.exe
File created | C:\Windows\SysWOW64\Coelaaoi.exe | Ckjpacfp.exe
File created | C:\Windows\SysWOW64\Dgjclbdi.exe | Cdlgpgef.exe
File created | C:\Windows\SysWOW64\Pelipl32.exe | Pbmmcq32.exe
File created | C:\Windows\SysWOW64\Kjjndgdk.dll | Kihqkagp.exe
File created | C:\Windows\SysWOW64\Pmdjdh32.exe | Pjenhm32.exe
File created | C:\Windows\SysWOW64\Bafidiio.exe | Bmkmdk32.exe
File created | C:\Windows\SysWOW64\Djmicm32.exe | Dfamcogo.exe
File created | C:\Windows\SysWOW64\Ofhick32.exe | Ocimgp32.exe
File created | C:\Windows\SysWOW64\Gbolehjh.dll | Epfhbign.exe
File created | C:\Windows\SysWOW64\Hdfflm32.exe | Hpkjko32.exe
File created | C:\Windows\SysWOW64\Kjnifgah.dll | Hnagjbdf.exe
File opened for modification | C:\Windows\SysWOW64\Lbqabkql.exe | Llfifq32.exe
File created | C:\Windows\SysWOW64\Bgagbb32.dll | Mpdnkb32.exe
File created | C:\Windows\SysWOW64\Mcegmm32.exe | Mpfkqb32.exe
File opened for modification | C:\Windows\SysWOW64\Lmiipi32.exe | Lodlom32.exe
File created | C:\Windows\SysWOW64\Dhdcji32.exe | Dfffnn32.exe
File created | C:\Windows\SysWOW64\Fqmmidel.dll | Monhhk32.exe
File created | C:\Windows\SysWOW64\Ajfaqa32.dll | Djmicm32.exe
File created | C:\Windows\SysWOW64\Egjpkffe.exe | Edkcojga.exe
File opened for modification | C:\Windows\SysWOW64\Amndem32.exe | Ajphib32.exe
File created | C:\Windows\SysWOW64\Kpeliikc.dll | Aoffmd32.exe
File created | C:\Windows\SysWOW64\Konojnki.dll | Kpmlkp32.exe
File opened for modification | C:\Windows\SysWOW64\Gegfdb32.exe | Gfefiemq.exe
File opened for modification | C:\Windows\SysWOW64\Hkkalk32.exe | Hjjddchg.exe
File created | C:\Windows\SysWOW64\Gljilnja.dll | Pgeefbhm.exe
File created | C:\Windows\SysWOW64\Oqhiplaj.dll | Ahikqd32.exe
File created | C:\Windows\SysWOW64\Fmcqoe32.dll | Pchpbded.exe
File created | C:\Windows\SysWOW64\Fkahhbbj.dll | Ddcdkl32.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
5260 | 6116 | WerFault.exe | 560
Modifies registry class (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dbpodagk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jofiln32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jcdbbloa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cojema32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bhkdeggl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Apomfh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Abpfhcje.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hejoiedd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ocgpappk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ofpfnqjp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jbjochdi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lchkpi32.dll" | Ekhhadmk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bokphdld.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hojopmqk.dll" | Hellne32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Icmlam32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ddgjdk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Iggkllpe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alqkcl32.dll" | Ncmdhb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Piehkkcl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmloladn.dll" | Fjdbnf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjdijm32.dll" | Jicgpb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lbeknj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejbgljdk.dll" | Abhimnma.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoogfn32.dll" | Ebjglbml.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Oqcnfjli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gieojq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jmjjea32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jkpgfn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gegfdb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lldlqakb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjpmgg32.dll" | Djhphncm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lednakhd.dll" | Dookgcij.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aabagnfc.dll" | Ejhlgaeh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njgpdbgm.dll" | Nfmmin32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Aoffmd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqmnhocj.dll" | Fnpnndgp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ieqeidnl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hknach32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdpfph32.dll" | Ihoafpmp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bloqah32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dhjgal32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Eiaiqn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ejbfhfaj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gooqhm32.dll" | Okoomd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppmcfdad.dll" | Dgfjbgmh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dinhacjp.dll" | Eqbddk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Piblek32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Incpoe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gmjaic32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ebjglbml.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocindg32.dll" | Nceclqan.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cdakgibq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kmopod32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pflomnkb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ngkmnacm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdjgej32.dll" | Piehkkcl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ahakmf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njgcpp32.dll" | Ghmiam32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebhepm32.dll" | Ncjgbcoi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afldcl32.dll" | Kkgmgmfd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nemacb32.dll" | Afohaa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dcenlceh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkhgfq32.dll" | Dggcffhg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dchali32.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2928 wrote to memory of 2304 | 2928 | bdf698f665e97cc0b6c617c54f54a5b6_JaffaCakes118.exe | 28
PID 2928 wrote to memory of 2304 | 2928 | bdf698f665e97cc0b6c617c54f54a5b6_JaffaCakes118.exe | 28
PID 2928 wrote to memory of 2304 | 2928 | bdf698f665e97cc0b6c617c54f54a5b6_JaffaCakes118.exe | 28
PID 2928 wrote to memory of 2304 | 2928 | bdf698f665e97cc0b6c617c54f54a5b6_JaffaCakes118.exe | 28
PID 2304 wrote to memory of 2128 | 2304 | Lfmdnp32.exe | 29
PID 2304 wrote to memory of 2128 | 2304 | Lfmdnp32.exe | 29
PID 2304 wrote to memory of 2128 | 2304 | Lfmdnp32.exe | 29
PID 2304 wrote to memory of 2128 | 2304 | Lfmdnp32.exe | 29
PID 2128 wrote to memory of 2608 | 2128 | Lodlom32.exe | 30
PID 2128 wrote to memory of 2608 | 2128 | Lodlom32.exe | 30
PID 2128 wrote to memory of 2608 | 2128 | Lodlom32.exe | 30
PID 2128 wrote to memory of 2608 | 2128 | Lodlom32.exe | 30
PID 2608 wrote to memory of 2080 | 2608 | Lmiipi32.exe | 31
PID 2608 wrote to memory of 2080 | 2608 | Lmiipi32.exe | 31
PID 2608 wrote to memory of 2080 | 2608 | Lmiipi32.exe | 31
PID 2608 wrote to memory of 2080 | 2608 | Lmiipi32.exe | 31
PID 2080 wrote to memory of 2828 | 2080 | Lganiohl.exe | 32
PID 2080 wrote to memory of 2828 | 2080 | Lganiohl.exe | 32
PID 2080 wrote to memory of 2828 | 2080 | Lganiohl.exe | 32
PID 2080 wrote to memory of 2828 | 2080 | Lganiohl.exe | 32
PID 2828 wrote to memory of 2472 | 2828 | Llnfaffc.exe | 33
PID 2828 wrote to memory of 2472 | 2828 | Llnfaffc.exe | 33
PID 2828 wrote to memory of 2472 | 2828 | Llnfaffc.exe | 33
PID 2828 wrote to memory of 2472 | 2828 | Llnfaffc.exe | 33
PID 2472 wrote to memory of 2248 | 2472 | Lgdjnofi.exe | 34
PID 2472 wrote to memory of 2248 | 2472 | Lgdjnofi.exe | 34
PID 2472 wrote to memory of 2248 | 2472 | Lgdjnofi.exe | 34
PID 2472 wrote to memory of 2248 | 2472 | Lgdjnofi.exe | 34
PID 2248 wrote to memory of 2924 | 2248 | Lplogdmj.exe | 35
PID 2248 wrote to memory of 2924 | 2248 | Lplogdmj.exe | 35
PID 2248 wrote to memory of 2924 | 2248 | Lplogdmj.exe | 35
PID 2248 wrote to memory of 2924 | 2248 | Lplogdmj.exe | 35
PID 2924 wrote to memory of 556 | 2924 | Mcjkcplm.exe | 36
PID 2924 wrote to memory of 556 | 2924 | Mcjkcplm.exe | 36
PID 2924 wrote to memory of 556 | 2924 | Mcjkcplm.exe | 36
PID 2924 wrote to memory of 556 | 2924 | Mcjkcplm.exe | 36
PID 556 wrote to memory of 1936 | 556 | Mcmhiojk.exe | 37
PID 556 wrote to memory of 1936 | 556 | Mcmhiojk.exe | 37
PID 556 wrote to memory of 1936 | 556 | Mcmhiojk.exe | 37
PID 556 wrote to memory of 1936 | 556 | Mcmhiojk.exe | 37
PID 1936 wrote to memory of 1624 | 1936 | Migpeiag.exe | 38
PID 1936 wrote to memory of 1624 | 1936 | Migpeiag.exe | 38
PID 1936 wrote to memory of 1624 | 1936 | Migpeiag.exe | 38
PID 1936 wrote to memory of 1624 | 1936 | Migpeiag.exe | 38
PID 1624 wrote to memory of 2696 | 1624 | Mabejlob.exe | 39
PID 1624 wrote to memory of 2696 | 1624 | Mabejlob.exe | 39
PID 1624 wrote to memory of 2696 | 1624 | Mabejlob.exe | 39
PID 1624 wrote to memory of 2696 | 1624 | Mabejlob.exe | 39
PID 2696 wrote to memory of 2796 | 2696 | Mlgigdoh.exe | 40
PID 2696 wrote to memory of 2796 | 2696 | Mlgigdoh.exe | 40
PID 2696 wrote to memory of 2796 | 2696 | Mlgigdoh.exe | 40
PID 2696 wrote to memory of 2796 | 2696 | Mlgigdoh.exe | 40
PID 2796 wrote to memory of 1712 | 2796 | Mdcnlglc.exe | 41
PID 2796 wrote to memory of 1712 | 2796 | Mdcnlglc.exe | 41
PID 2796 wrote to memory of 1712 | 2796 | Mdcnlglc.exe | 41
PID 2796 wrote to memory of 1712 | 2796 | Mdcnlglc.exe | 41
PID 1712 wrote to memory of 1040 | 1712 | Magnek32.exe | 42
PID 1712 wrote to memory of 1040 | 1712 | Magnek32.exe | 42
PID 1712 wrote to memory of 1040 | 1712 | Magnek32.exe | 42
PID 1712 wrote to memory of 1040 | 1712 | Magnek32.exe | 42
PID 1040 wrote to memory of 1872 | 1040 | Nnnojlpa.exe | 43
PID 1040 wrote to memory of 1872 | 1040 | Nnnojlpa.exe | 43
PID 1040 wrote to memory of 1872 | 1040 | Nnnojlpa.exe | 43
PID 1040 wrote to memory of 1872 | 1040 | Nnnojlpa.exe | 43
Processes
- C:\Users\Admin\AppData\Local\Temp\bdf698f665e97cc0b6c617c54f54a5b6_JaffaCakes118.exe (depth 1, PID 2928, command line: "C:\Users\Admin\AppData\Local\Temp\bdf698f665e97cc0b6c617c54f54a5b6_JaffaCakes118.exe")
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Lfmdnp32.exe (depth 2, PID 2304, command line: C:\Windows\system32\Lfmdnp32.exe)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Lodlom32.exe (depth 3, PID 2128, command line: C:\Windows\system32\Lodlom32.exe)
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Lmiipi32.exe (depth 4, PID 2608, command line: C:\Windows\system32\Lmiipi32.exe)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Lganiohl.exe (depth 5, PID 2080, command line: C:\Windows\system32\Lganiohl.exe)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Llnfaffc.exe (depth 6, PID 2828, command line: C:\Windows\system32\Llnfaffc.exe)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Lgdjnofi.exe (depth 7, PID 2472, command line: C:\Windows\system32\Lgdjnofi.exe)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Lplogdmj.exe (depth 8, PID 2248, command line: C:\Windows\system32\Lplogdmj.exe)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Mcjkcplm.exe (depth 9, PID 2924, command line: C:\Windows\system32\Mcjkcplm.exe)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Mcmhiojk.exe (depth 10, PID 556, command line: C:\Windows\system32\Mcmhiojk.exe)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Migpeiag.exe (depth 11, PID 1936, command line: C:\Windows\system32\Migpeiag.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Mabejlob.exe (depth 12, PID 1624, command line: C:\Windows\system32\Mabejlob.exe)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Mlgigdoh.exe (depth 13, PID 2696, command line: C:\Windows\system32\Mlgigdoh.exe)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Mdcnlglc.exe (depth 14, PID 2796, command line: C:\Windows\system32\Mdcnlglc.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Magnek32.exe (depth 15, PID 1712, command line: C:\Windows\system32\Magnek32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Nnnojlpa.exe (depth 16, PID 1040, command line: C:\Windows\system32\Nnnojlpa.exe)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Ncjgbcoi.exe (depth 17, PID 1872, command line: C:\Windows\system32\Ncjgbcoi.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
- C:\Windows\SysWOW64\Npnhlg32.exe (depth 18, PID 472, command line: C:\Windows\system32\Npnhlg32.exe)
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Ncmdhb32.exe (depth 19, PID 2404, command line: C:\Windows\system32\Ncmdhb32.exe)
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
- C:\Windows\SysWOW64\Nnbhek32.exe (depth 20, PID 1360, command line: C:\Windows\system32\Nnbhek32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Nleiqhcg.exe (depth 21, PID 620, command line: C:\Windows\system32\Nleiqhcg.exe)
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Ngkmnacm.exe (depth 22, PID 1748, command line: C:\Windows\system32\Ngkmnacm.exe)
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
- C:\Windows\SysWOW64\Nfmmin32.exe (depth 23, PID 708, command line: C:\Windows\system32\Nfmmin32.exe)
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
- C:\Windows\SysWOW64\Nlgefh32.exe (depth 24, PID 1772, command line: C:\Windows\system32\Nlgefh32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Nofabc32.exe (depth 25, PID 2312, command line: C:\Windows\system32\Nofabc32.exe)
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Njkfpl32.exe (depth 26, PID 1804, command line: C:\Windows\system32\Njkfpl32.exe)
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Nmjblg32.exe (depth 27, PID 1580, command line: C:\Windows\system32\Nmjblg32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Nkmbgdfl.exe (depth 28, PID 2548, command line: C:\Windows\system32\Nkmbgdfl.exe)
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Ofbfdmeb.exe (depth 29, PID 2664, command line: C:\Windows\system32\Ofbfdmeb.exe)
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Okoomd32.exe (depth 30, PID 2112, command line: C:\Windows\system32\Okoomd32.exe)
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
- C:\Windows\SysWOW64\Onmkio32.exe (depth 31, PID 2600, command line: C:\Windows\system32\Onmkio32.exe)
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Ogfpbeim.exe (depth 32, PID 2624, command line: C:\Windows\system32\Ogfpbeim.exe)
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Oomhcbjp.exe (depth 33, PID 2496, command line: C:\Windows\system32\Oomhcbjp.exe)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Oqndkj32.exe (depth 34, PID 2500, command line: C:\Windows\system32\Oqndkj32.exe)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Okchhc32.exe (depth 35, PID 1996, command line: C:\Windows\system32\Okchhc32.exe)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Ojficpfn.exe (depth 36, PID 1336, command line: C:\Windows\system32\Ojficpfn.exe)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Obnqem32.exe (depth 37, PID 1208, command line: C:\Windows\system32\Obnqem32.exe)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Ojieip32.exe (depth 38, PID 1932, command line: C:\Windows\system32\Ojieip32.exe)
  - Executes dropped EXE
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Oqcnfjli.exe (depth 39, PID 2440, command line: C:\Windows\system32\Oqcnfjli.exe)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Oqcnfjli.exe (depth 40, PID 2804, command line: C:\Windows\system32\Oqcnfjli.exe)
  - Executes dropped EXE
  - Modifies registry class
- C:\Windows\SysWOW64\Ocajbekl.exe (depth 41, PID 2436, command line: C:\Windows\system32\Ocajbekl.exe)
  - Executes dropped EXE
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Ofpfnqjp.exe (depth 42, PID 2356, command line: C:\Windows\system32\Ofpfnqjp.exe)
  - Executes dropped EXE
  - Modifies registry class
- C:\Windows\SysWOW64\Paejki32.exe (depth 43, PID 796, command line: C:\Windows\system32\Paejki32.exe)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Pccfge32.exe (depth 44, PID 1504, command line: C:\Windows\system32\Pccfge32.exe)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Pjmodopf.exe (depth 45, PID 1832, command line: C:\Windows\system32\Pjmodopf.exe)
  - Executes dropped EXE
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Ppjglfon.exe (depth 46, PID 2264, command line: C:\Windows\system32\Ppjglfon.exe)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Pbiciana.exe (depth 47, PID 2340, command line: C:\Windows\system32\Pbiciana.exe)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Pfdpip32.exe (depth 48, PID 1244, command line: C:\Windows\system32\Pfdpip32.exe)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Piblek32.exe (depth 49, PID 3060, command line: C:\Windows\system32\Piblek32.exe)
  - Executes dropped EXE
  - Modifies registry class
- C:\Windows\SysWOW64\Ppmdbe32.exe (depth 50, PID 1308, command line: C:\Windows\system32\Ppmdbe32.exe)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Pchpbded.exe (depth 51, PID 988, command line: C:\Windows\system32\Pchpbded.exe)
  - Executes dropped EXE
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Pfflopdh.exe (depth 52, PID 2992, command line: C:\Windows\system32\Pfflopdh.exe)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Piehkkcl.exe (depth 53, PID 2292, command line: C:\Windows\system32\Piehkkcl.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
- C:\Windows\SysWOW64\Plcdgfbo.exe (depth 54, PID 2656, command line: C:\Windows\system32\Plcdgfbo.exe)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Pnbacbac.exe (depth 55, PID 3036, command line: C:\Windows\system32\Pnbacbac.exe)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Pbmmcq32.exe (depth 56, PID 2592, command line: C:\Windows\system32\Pbmmcq32.exe)
  - Executes dropped EXE
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Pelipl32.exe (depth 57, PID 2024, command line: C:\Windows\system32\Pelipl32.exe)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Phjelg32.exe (depth 58, PID 2452, command line: C:\Windows\system32\Phjelg32.exe)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Ppamme32.exe (depth 59, PID 2948, command line: C:\Windows\system32\Ppamme32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- C:\Windows\SysWOW64\Pbpjiphi.exe (depth 60, PID 2832, command line: C:\Windows\system32\Pbpjiphi.exe)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Qhmbagfa.exe (depth 61, PID 1568, command line: C:\Windows\system32\Qhmbagfa.exe)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Qjknnbed.exe (depth 62, PID 1444, command line: C:\Windows\system32\Qjknnbed.exe)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Qbbfopeg.exe (depth 63, PID 2688, command line: C:\Windows\system32\Qbbfopeg.exe)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Qaefjm32.exe (depth 64, PID 2772, command line: C:\Windows\system32\Qaefjm32.exe)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Qhooggdn.exe (depth 65, PID 584, command line: C:\Windows\system32\Qhooggdn.exe)
  - Executes dropped EXE
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Qljkhe32.exe (depth 66, PID 356, command line: C:\Windows\system32\Qljkhe32.exe)
- C:\Windows\SysWOW64\Qmlgonbe.exe (depth 67, PID 640, command line: C:\Windows\system32\Qmlgonbe.exe)
- C:\Windows\SysWOW64\Qecoqk32.exe (depth 68, PID 852, command line: C:\Windows\system32\Qecoqk32.exe)
- C:\Windows\SysWOW64\Ahakmf32.exe (depth 69, PID 1252, command line: C:\Windows\system32\Ahakmf32.exe)
  - Modifies registry class
- C:\Windows\SysWOW64\Ajphib32.exe (depth 70, PID 912, command line: C:\Windows\system32\Ajphib32.exe)
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Amndem32.exe (depth 71, PID 1708, command line: C:\Windows\system32\Amndem32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Adhlaggp.exe (depth 72, PID 880, command line: C:\Windows\system32\Adhlaggp.exe)
- C:\Windows\SysWOW64\Ahchbf32.exe (depth 73, PID 2980, command line: C:\Windows\system32\Ahchbf32.exe)
- C:\Windows\SysWOW64\Ajbdna32.exe (depth 74, PID 2964, command line: C:\Windows\system32\Ajbdna32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Ampqjm32.exe (depth 75, PID 2460, command line: C:\Windows\system32\Ampqjm32.exe)
- C:\Windows\SysWOW64\Apomfh32.exe (depth 76, PID 2576, command line: C:\Windows\system32\Apomfh32.exe)
  - Modifies registry class
- C:\Windows\SysWOW64\Afiecb32.exe (depth 77, PID 2952, command line: C:\Windows\system32\Afiecb32.exe)
- C:\Windows\SysWOW64\Aigaon32.exe (depth 78, PID 1768, command line: C:\Windows\system32\Aigaon32.exe)
- C:\Windows\SysWOW64\Alenki32.exe (depth 79, PID 1284, command line: C:\Windows\system32\Alenki32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Abpfhcje.exe (depth 80, PID 2412, command line: C:\Windows\system32\Abpfhcje.exe)
  - Modifies registry class
- C:\Windows\SysWOW64\Afkbib32.exe (depth 81, PID 2876, command line: C:\Windows\system32\Afkbib32.exe)
- C:\Windows\SysWOW64\Amejeljk.exe (depth 82, PID 324, command line: C:\Windows\system32\Amejeljk.exe)
- C:\Windows\SysWOW64\Aoffmd32.exe (depth 83, PID 2328, command line: C:\Windows\system32\Aoffmd32.exe)
  - Drops file in System32 directory
  - Modifies registry class
- C:\Windows\SysWOW64\Aepojo32.exe (depth 84, PID 1136, command line: C:\Windows\system32\Aepojo32.exe)
- C:\Windows\SysWOW64\Ahokfj32.exe (depth 85, PID 2316, command line: C:\Windows\system32\Ahokfj32.exe)
- C:\Windows\SysWOW64\Aljgfioc.exe (depth 86, PID 2124, command line: C:\Windows\system32\Aljgfioc.exe)
- C:\Windows\SysWOW64\Bbdocc32.exe (depth 87, PID 2220, command line: C:\Windows\system32\Bbdocc32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Bagpopmj.exe (depth 88, PID 2584, command line: C:\Windows\system32\Bagpopmj.exe)
- C:\Windows\SysWOW64\Bkodhe32.exe (depth 89, PID 2720, command line: C:\Windows\system32\Bkodhe32.exe)
- C:\Windows\SysWOW64\Bokphdld.exe (depth 90, PID 2476, command line: C:\Windows\system32\Bokphdld.exe)
  - Modifies registry class
- C:\Windows\SysWOW64\Baildokg.exe (depth 91, PID 2528, command line: C:\Windows\system32\Baildokg.exe)
- C:\Windows\SysWOW64\Beehencq.exe (depth 92, PID 2268, command line: C:\Windows\system32\Beehencq.exe)
- C:\Windows\SysWOW64\Bloqah32.exe (depth 93, PID 1540, command line: C:\Windows\system32\Bloqah32.exe)
  - Modifies registry class
- C:\Windows\SysWOW64\Bkaqmeah.exe (depth 94, PID 2808, command line: C:\Windows\system32\Bkaqmeah.exe)
- C:\Windows\SysWOW64\Balijo32.exe (depth 95, PID 2504, command line: C:\Windows\system32\Balijo32.exe)
- C:\Windows\SysWOW64\Begeknan.exe (depth 96, PID 2272, command line: C:\Windows\system32\Begeknan.exe)
- C:\Windows\SysWOW64\Bghabf32.exe (depth 97, PID 2228, command line: C:\Windows\system32\Bghabf32.exe)
- C:\Windows\SysWOW64\Bkdmcdoe.exe (depth 98, PID 2420, command line: C:\Windows\system32\Bkdmcdoe.exe)
- C:\Windows\SysWOW64\Banepo32.exe (depth 99, PID 1788, command line: C:\Windows\system32\Banepo32.exe)
- C:\Windows\SysWOW64\Bpafkknm.exe (depth 100, PID 1192, command line: C:\Windows\system32\Bpafkknm.exe)
- C:\Windows\SysWOW64\Bgknheej.exe (depth 101, PID 3016, command line: C:\Windows\system32\Bgknheej.exe)
- C:\Windows\SysWOW64\Bkfjhd32.exe (depth 102, PID 1636, command line: C:\Windows\system32\Bkfjhd32.exe)
- C:\Windows\SysWOW64\Baqbenep.exe (depth 103, PID 1520, command line: C:\Windows\system32\Baqbenep.exe)
- C:\Windows\SysWOW64\Bpcbqk32.exe (depth 104, PID 296, command line: C:\Windows\system32\Bpcbqk32.exe)
- C:\Windows\SysWOW64\Bcaomf32.exe (depth 105, PID 2968, command line: C:\Windows\system32\Bcaomf32.exe)
- C:\Windows\SysWOW64\Ckignd32.exe (depth 106, PID 1428, command line: C:\Windows\system32\Ckignd32.exe)
- C:\Windows\SysWOW64\Cjlgiqbk.exe (depth 107, PID 2260, command line: C:\Windows\system32\Cjlgiqbk.exe)
- C:\Windows\SysWOW64\Cngcjo32.exe (depth 108, PID 1940, command line: C:\Windows\system32\Cngcjo32.exe)
- C:\Windows\SysWOW64\Cpeofk32.exe (depth 109, PID 836, command line: C:\Windows\system32\Cpeofk32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Cdakgibq.exe (depth 110, PID 1660, command line: C:\Windows\system32\Cdakgibq.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
- C:\Windows\SysWOW64\Ccdlbf32.exe (depth 111, PID 1752, command line: C:\Windows\system32\Ccdlbf32.exe)
- C:\Windows\SysWOW64\Cjndop32.exe (depth 112, PID 1588, command line: C:\Windows\system32\Cjndop32.exe)
- C:\Windows\SysWOW64\Cphlljge.exe (depth 113, PID 1628, command line: C:\Windows\system32\Cphlljge.exe)
- C:\Windows\SysWOW64\Coklgg32.exe (depth 114, PID 2032, command line: C:\Windows\system32\Coklgg32.exe)
- C:\Windows\SysWOW64\Cgbdhd32.exe (depth 115, PID 2296, command line: C:\Windows\system32\Cgbdhd32.exe)
- C:\Windows\SysWOW64\Cjpqdp32.exe (depth 116, PID 1612, command line: C:\Windows\system32\Cjpqdp32.exe)
- C:\Windows\SysWOW64\Cpjiajeb.exe (depth 117, PID 2012, command line: C:\Windows\system32\Cpjiajeb.exe)
- C:\Windows\SysWOW64\Cfgaiaci.exe (depth 118, PID 2508, command line: C:\Windows\system32\Cfgaiaci.exe)
- C:\Windows\SysWOW64\Claifkkf.exe (depth 119, PID 2552, command line: C:\Windows\system32\Claifkkf.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Cbnbobin.exe (depth 120, PID 1324, command line: C:\Windows\system32\Cbnbobin.exe)
- C:\Windows\SysWOW64\Cdlnkmha.exe (depth 121, PID 2896, command line: C:\Windows\system32\Cdlnkmha.exe)
- C:\Windows\SysWOW64\Chhjkl32.exe (depth 122, PID 308, command line: C:\Windows\system32\Chhjkl32.exe)