Analysis
-
max time kernel
140s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
25/06/2024, 23:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0fef89500d8c02824ae4109802a8923b_JaffaCakes118.exe
Resource
win7-20240419-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
0fef89500d8c02824ae4109802a8923b_JaffaCakes118.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
0fef89500d8c02824ae4109802a8923b_JaffaCakes118.exe
-
Size
529KB
-
MD5
0fef89500d8c02824ae4109802a8923b
-
SHA1
61d219317ab3bf02bf795a08f83160fdff5aaf15
-
SHA256
7ac61d6f1c9d8005b163676dbfaeec7cf4c252747a47550178183c5d7bdc4559
-
SHA512
9da2a8ebebaefc7ad8556df5f6844816bdd7139e2bd4f0d808f3a2f528be0d3b4bebd7657e3961501284ee6f9655e7b6dde9308f952e851f01d569d7c203c2ef
-
SSDEEP
12288:2kLOJtpV6yYPHRiGbZhpV6yYPiniPEpV6yYPHRiGbZhpV6yYPm:2aEWQGfWSiMWQGfWm
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kfaajlfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Madapkmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pndniaop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aiedjneg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Adjigg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cngcjo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjgoce32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joepio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlfdkoin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdamqndn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbflib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dcfdgiid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qjmkcbcb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njgldmdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dfijnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mcmhiojk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nocemcbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ahchbf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnippoha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gelppaof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Henidd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nleiqhcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bingpmnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fmcoja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iigoqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ofpfnqjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ccfhhffh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jiigehkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Emhlfmgj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmnhfjmg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpjiajeb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eihfjo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdejaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cngcjo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gicbeald.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hiqbndpb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icbimi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qaefjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ekklaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmgdddmq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abmibdlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pmnhfjmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Chcqpmep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fjgoce32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Filldb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdapak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpmgqnfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Icbimi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pfbccp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dchali32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Efppoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ghoegl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Odgcfijj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Obkdonic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ankdiqih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gopkmhjk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkhpnnej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ennaieib.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlakpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeqdep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pjpkjond.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejgcdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Flabbihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fiaeoang.exe -
Executes dropped EXE 64 IoCs
pid Process 2176 Hheelbjj.exe 1812 Hoakolod.exe 2672 Hbbcpg32.exe 840 Inhdehbj.exe 2264 Icemmopa.exe 2548 Impnldeo.exe 2272 Iigoqe32.exe 2840 Ifkojiim.exe 2904 Joepio32.exe 1796 Jagmpg32.exe 1416 Jgcabqic.exe 2556 Jpqclb32.exe 2100 Jiigehkl.exe 2296 Kfoedl32.exe 2148 Kfaajlfp.exe 1548 Kipnfged.exe 2416 Kdlkld32.exe 1744 Llccmb32.exe 2292 Lhjdbcef.exe 1648 Lfmdnp32.exe 1140 Lkhpnnej.exe 908 Ldqegd32.exe 2144 Lhlqhb32.exe 1972 Lmiipi32.exe 2392 Lbfahp32.exe 884 Lkmjin32.exe 3040 Lpjbad32.exe 1556 Lchnnp32.exe 2700 Lefkjkmc.exe 2740 Libgjj32.exe 2800 Moalhq32.exe 2688 Mcmhiojk.exe 2196 Mcodno32.exe 3012 Mdqafgnf.exe 2864 Madapkmp.exe 2856 Mepnpj32.exe 1152 Mpjoqhah.exe 2588 Mdejaf32.exe 1860 Naikkk32.exe 2492 Ndgggf32.exe 1388 Npnhlg32.exe 2108 Njgldmdc.exe 1268 Nleiqhcg.exe 320 Nocemcbj.exe 468 Nqcagfim.exe 844 Nbdnoo32.exe 1976 Nmjblg32.exe 1032 Nohnhc32.exe 1044 Odegpj32.exe 2080 Omloag32.exe 2432 Oojknblb.exe 2204 Ofdcjm32.exe 1688 Odgcfijj.exe 2720 Okalbc32.exe 1576 Obkdonic.exe 2836 Odjpkihg.exe 3052 Obnqem32.exe 2580 Oqqapjnk.exe 2832 Ocomlemo.exe 2860 Ojieip32.exe 3024 Omgaek32.exe 756 Oenifh32.exe 836 Ofpfnqjp.exe 2944 Paejki32.exe -
Loads dropped DLL 64 IoCs
pid Process 1680 0fef89500d8c02824ae4109802a8923b_JaffaCakes118.exe 1680 0fef89500d8c02824ae4109802a8923b_JaffaCakes118.exe 2176 Hheelbjj.exe 2176 Hheelbjj.exe 1812 Hoakolod.exe 1812 Hoakolod.exe 2672 Hbbcpg32.exe 2672 Hbbcpg32.exe 840 Inhdehbj.exe 840 Inhdehbj.exe 2264 Icemmopa.exe 2264 Icemmopa.exe 2548 Impnldeo.exe 2548 Impnldeo.exe 2272 Iigoqe32.exe 2272 Iigoqe32.exe 2840 Ifkojiim.exe 2840 Ifkojiim.exe 2904 Joepio32.exe 2904 Joepio32.exe 1796 Jagmpg32.exe 1796 Jagmpg32.exe 1416 Jgcabqic.exe 1416 Jgcabqic.exe 2556 Jpqclb32.exe 2556 Jpqclb32.exe 2100 Jiigehkl.exe 2100 Jiigehkl.exe 2296 Kfoedl32.exe 2296 Kfoedl32.exe 2148 Kfaajlfp.exe 2148 Kfaajlfp.exe 1548 Kipnfged.exe 1548 Kipnfged.exe 2416 Kdlkld32.exe 2416 Kdlkld32.exe 1744 Llccmb32.exe 1744 Llccmb32.exe 2292 Lhjdbcef.exe 2292 Lhjdbcef.exe 1648 Lfmdnp32.exe 1648 Lfmdnp32.exe 1140 Lkhpnnej.exe 1140 Lkhpnnej.exe 908 Ldqegd32.exe 908 Ldqegd32.exe 2144 Lhlqhb32.exe 2144 Lhlqhb32.exe 1972 Lmiipi32.exe 1972 Lmiipi32.exe 2392 Lbfahp32.exe 2392 Lbfahp32.exe 884 Lkmjin32.exe 884 Lkmjin32.exe 3040 Lpjbad32.exe 3040 Lpjbad32.exe 1556 Lchnnp32.exe 1556 Lchnnp32.exe 2700 Lefkjkmc.exe 2700 Lefkjkmc.exe 2740 Libgjj32.exe 2740 Libgjj32.exe 2800 Moalhq32.exe 2800 Moalhq32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Naikkk32.exe Mdejaf32.exe File created C:\Windows\SysWOW64\Gmdecfpj.dll Banepo32.exe File created C:\Windows\SysWOW64\Dbbkja32.exe Dodonf32.exe File created C:\Windows\SysWOW64\Doobajme.exe Djbiicon.exe File created C:\Windows\SysWOW64\Gicbeald.exe Gbijhg32.exe File created C:\Windows\SysWOW64\Henidd32.exe Henidd32.exe File created C:\Windows\SysWOW64\Endaal32.dll Iigoqe32.exe File created C:\Windows\SysWOW64\Pgpdbiho.dll Jgcabqic.exe File created C:\Windows\SysWOW64\Inljnfkg.exe Ihoafpmp.exe File created C:\Windows\SysWOW64\Ognnoaka.dll Cngcjo32.exe File opened for modification C:\Windows\SysWOW64\Enkece32.exe Epieghdk.exe File opened for modification C:\Windows\SysWOW64\Faagpp32.exe Fjgoce32.exe File created C:\Windows\SysWOW64\Glfhll32.exe Gelppaof.exe File created C:\Windows\SysWOW64\Lkiklhim.dll Mpjoqhah.exe File opened for modification C:\Windows\SysWOW64\Bpafkknm.exe Banepo32.exe File created C:\Windows\SysWOW64\Ooahdmkl.dll Bjijdadm.exe File created C:\Windows\SysWOW64\Naikkk32.exe Mdejaf32.exe File opened for modification C:\Windows\SysWOW64\Bdjefj32.exe Balijo32.exe File opened for modification C:\Windows\SysWOW64\Pmnhfjmg.exe Pjpkjond.exe File created C:\Windows\SysWOW64\Ailkjmpo.exe Afmonbqk.exe File created C:\Windows\SysWOW64\Alihbgdo.dll Bpafkknm.exe File opened for modification C:\Windows\SysWOW64\Dnilobkm.exe Dhmcfkme.exe File opened for modification C:\Windows\SysWOW64\Fdapak32.exe Filldb32.exe File opened for modification C:\Windows\SysWOW64\Fjlhneio.exe Fdapak32.exe File created C:\Windows\SysWOW64\Hoakolod.exe Hheelbjj.exe File created C:\Windows\SysWOW64\Hbbcpg32.exe Hoakolod.exe File created C:\Windows\SysWOW64\Hacmcfge.exe Hcplhi32.exe File opened for modification C:\Windows\SysWOW64\Ofpfnqjp.exe Oenifh32.exe File opened for modification C:\Windows\SysWOW64\Aenbdoii.exe Admemg32.exe File created C:\Windows\SysWOW64\Bkaqmeah.exe Beehencq.exe File opened for modification C:\Windows\SysWOW64\Efppoc32.exe Ekklaj32.exe File created C:\Windows\SysWOW64\Lpdhmlbj.dll Eiomkn32.exe File created C:\Windows\SysWOW64\Ihoafpmp.exe Idceea32.exe File created C:\Windows\SysWOW64\Cddjolah.dll Lpjbad32.exe File created C:\Windows\SysWOW64\Oojknblb.exe Omloag32.exe File created C:\Windows\SysWOW64\Aenbdoii.exe Admemg32.exe File created C:\Windows\SysWOW64\Ojdngl32.dll Blmdlhmp.exe File opened for modification C:\Windows\SysWOW64\Ecmkghcl.exe Eqonkmdh.exe File created C:\Windows\SysWOW64\Epdkli32.exe Emeopn32.exe File opened for modification C:\Windows\SysWOW64\Emhlfmgj.exe Eeqdep32.exe File created C:\Windows\SysWOW64\Pnnclg32.dll Gieojq32.exe File opened for modification C:\Windows\SysWOW64\Kipnfged.exe Kfaajlfp.exe File created C:\Windows\SysWOW64\Aiedjneg.exe Ahchbf32.exe File created C:\Windows\SysWOW64\Iaeiieeb.exe Icbimi32.exe File opened for modification C:\Windows\SysWOW64\Cpjiajeb.exe Chcqpmep.exe File created C:\Windows\SysWOW64\Cndbcc32.exe Clcflkic.exe File created C:\Windows\SysWOW64\Epgnljad.dll Dcfdgiid.exe File created C:\Windows\SysWOW64\Dchali32.exe Dqjepm32.exe File created C:\Windows\SysWOW64\Henidd32.exe Hacmcfge.exe File created C:\Windows\SysWOW64\Mdqafgnf.exe Mcodno32.exe File created C:\Windows\SysWOW64\Nohnhc32.exe Nmjblg32.exe File created C:\Windows\SysWOW64\Cmbmkg32.dll Ffbicfoc.exe File created C:\Windows\SysWOW64\Mcodno32.exe Mcmhiojk.exe File created C:\Windows\SysWOW64\Memeaofm.dll Dhjgal32.exe File created C:\Windows\SysWOW64\Aofqfokm.dll Aenbdoii.exe File created C:\Windows\SysWOW64\Ofpfnqjp.exe Oenifh32.exe File created C:\Windows\SysWOW64\Kfqpfb32.dll Ahchbf32.exe File opened for modification C:\Windows\SysWOW64\Hcplhi32.exe Hpapln32.exe File created C:\Windows\SysWOW64\Ofdcjm32.exe Oojknblb.exe File opened for modification C:\Windows\SysWOW64\Gpknlk32.exe Fiaeoang.exe File opened for modification C:\Windows\SysWOW64\Epdkli32.exe Emeopn32.exe File created C:\Windows\SysWOW64\Flabbihl.exe Fckjalhj.exe File opened for modification C:\Windows\SysWOW64\Hpkjko32.exe Hiqbndpb.exe File opened for modification C:\Windows\SysWOW64\Nocemcbj.exe Nleiqhcg.exe -
Program crash 1 IoCs
pid pid_target Process 3824 3800 WerFault.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Naikkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ofdcjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fdapak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831} 0fef89500d8c02824ae4109802a8923b_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljpojo32.dll" Pmlkpjpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aplpai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqpjbf32.dll" Cljcelan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flcnijgi.dll" Dchali32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elpbcapg.dll" Gmgdddmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iddckpim.dll" Pfbccp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oojimd32.dll" Libgjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pjpkjond.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pabjem32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qecoqk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bpfcgg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ennaieib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gbnccfpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Inhdehbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hogmmjfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgpdbiho.dll" Jgcabqic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lmiipi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oqqapjnk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ccfhhffh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Geolea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ghoegl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Impnldeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kfaajlfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lkhpnnej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqeihfll.dll" Nocemcbj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nmjblg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lanfmb32.dll" Efppoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lghegkoc.dll" Fjdbnf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hpmgqnfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" 0fef89500d8c02824ae4109802a8923b_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgahch32.dll" Fjgoce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aloeodfi.dll" Fdapak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmibbifn.dll" Icbimi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Djbiicon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bkaqmeah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ckignd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Epieghdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qecoqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kfoedl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nqcagfim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ambmpmln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Joepio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pmlkpjpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bdjefj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ldqegd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ofpfnqjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edgoiebg.dll" Pmqdkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dobkmdfq.dll" Bpfcgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkjapnke.dll" Dodonf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjnifgah.dll" Hnagjbdf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hbbcpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgdmei32.dll" Gicbeald.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hkpnhgge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiqpkfmo.dll" Hbbcpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lchnnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gdamqndn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klealkpf.dll" Llccmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pndniaop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qhmbagfa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bingpmnl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1680 wrote to memory of 2176 1680 0fef89500d8c02824ae4109802a8923b_JaffaCakes118.exe 28 PID 1680 wrote to memory of 2176 1680 0fef89500d8c02824ae4109802a8923b_JaffaCakes118.exe 28 PID 1680 wrote to memory of 2176 1680 0fef89500d8c02824ae4109802a8923b_JaffaCakes118.exe 28 PID 1680 wrote to memory of 2176 1680 0fef89500d8c02824ae4109802a8923b_JaffaCakes118.exe 28 PID 2176 wrote to memory of 1812 2176 Hheelbjj.exe 29 PID 2176 wrote to memory of 1812 2176 Hheelbjj.exe 29 PID 2176 wrote to memory of 1812 2176 Hheelbjj.exe 29 PID 2176 wrote to memory of 1812 2176 Hheelbjj.exe 29 PID 1812 wrote to memory of 2672 1812 Hoakolod.exe 30 PID 1812 wrote to memory of 2672 1812 Hoakolod.exe 30 PID 1812 wrote to memory of 2672 1812 Hoakolod.exe 30 PID 1812 wrote to memory of 2672 1812 Hoakolod.exe 30 PID 2672 wrote to memory of 840 2672 Hbbcpg32.exe 31 PID 2672 wrote to memory of 840 2672 Hbbcpg32.exe 31 PID 2672 wrote to memory of 840 2672 Hbbcpg32.exe 31 PID 2672 wrote to memory of 840 2672 Hbbcpg32.exe 31 PID 840 wrote to memory of 2264 840 Inhdehbj.exe 32 PID 840 wrote to memory of 2264 840 Inhdehbj.exe 32 PID 840 wrote to memory of 2264 840 Inhdehbj.exe 32 PID 840 wrote to memory of 2264 840 Inhdehbj.exe 32 PID 2264 wrote to memory of 2548 2264 Icemmopa.exe 33 PID 2264 wrote to memory of 2548 2264 Icemmopa.exe 33 PID 2264 wrote to memory of 2548 2264 Icemmopa.exe 33 PID 2264 wrote to memory of 2548 2264 Icemmopa.exe 33 PID 2548 wrote to memory of 2272 2548 Impnldeo.exe 34 PID 2548 wrote to memory of 2272 2548 Impnldeo.exe 34 PID 2548 wrote to memory of 2272 2548 Impnldeo.exe 34 PID 2548 wrote to memory of 2272 2548 Impnldeo.exe 34 PID 2272 wrote to memory of 2840 2272 Iigoqe32.exe 35 PID 2272 wrote to memory of 2840 2272 Iigoqe32.exe 35 PID 2272 wrote to memory of 2840 2272 Iigoqe32.exe 35 PID 2272 wrote to memory of 2840 2272 Iigoqe32.exe 35 PID 2840 wrote to memory of 2904 2840 Ifkojiim.exe 36 PID 2840 wrote to memory of 2904 2840 Ifkojiim.exe 36 PID 2840 wrote to memory of 2904 2840 Ifkojiim.exe 36 PID 2840 wrote to memory of 2904 2840 Ifkojiim.exe 36 PID 2904 wrote to memory of 1796 2904 Joepio32.exe 37 PID 2904 wrote to memory of 1796 2904 Joepio32.exe 37 PID 2904 wrote to memory of 1796 2904 Joepio32.exe 37 PID 2904 wrote to memory of 1796 2904 Joepio32.exe 37 PID 1796 wrote to memory of 1416 1796 Jagmpg32.exe 38 PID 1796 wrote to memory of 1416 1796 Jagmpg32.exe 38 PID 1796 wrote to memory of 1416 1796 Jagmpg32.exe 38 PID 1796 wrote to memory of 1416 1796 Jagmpg32.exe 38 PID 1416 wrote to memory of 2556 1416 Jgcabqic.exe 39 PID 1416 wrote to memory of 2556 1416 Jgcabqic.exe 39 PID 1416 wrote to memory of 2556 1416 Jgcabqic.exe 39 PID 1416 wrote to memory of 2556 1416 Jgcabqic.exe 39 PID 2556 wrote to memory of 2100 2556 Jpqclb32.exe 40 PID 2556 wrote to memory of 2100 2556 Jpqclb32.exe 40 PID 2556 wrote to memory of 2100 2556 Jpqclb32.exe 40 PID 2556 wrote to memory of 2100 2556 Jpqclb32.exe 40 PID 2100 wrote to memory of 2296 2100 Jiigehkl.exe 41 PID 2100 wrote to memory of 2296 2100 Jiigehkl.exe 41 PID 2100 wrote to memory of 2296 2100 Jiigehkl.exe 41 PID 2100 wrote to memory of 2296 2100 Jiigehkl.exe 41 PID 2296 wrote to memory of 2148 2296 Kfoedl32.exe 42 PID 2296 wrote to memory of 2148 2296 Kfoedl32.exe 42 PID 2296 wrote to memory of 2148 2296 Kfoedl32.exe 42 PID 2296 wrote to memory of 2148 2296 Kfoedl32.exe 42 PID 2148 wrote to memory of 1548 2148 Kfaajlfp.exe 43 PID 2148 wrote to memory of 1548 2148 Kfaajlfp.exe 43 PID 2148 wrote to memory of 1548 2148 Kfaajlfp.exe 43 PID 2148 wrote to memory of 1548 2148 Kfaajlfp.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\0fef89500d8c02824ae4109802a8923b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\0fef89500d8c02824ae4109802a8923b_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\Hheelbjj.exeC:\Windows\system32\Hheelbjj.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\SysWOW64\Hoakolod.exeC:\Windows\system32\Hoakolod.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1812 -
C:\Windows\SysWOW64\Hbbcpg32.exeC:\Windows\system32\Hbbcpg32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Inhdehbj.exeC:\Windows\system32\Inhdehbj.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:840 -
C:\Windows\SysWOW64\Icemmopa.exeC:\Windows\system32\Icemmopa.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\Impnldeo.exeC:\Windows\system32\Impnldeo.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Iigoqe32.exeC:\Windows\system32\Iigoqe32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Ifkojiim.exeC:\Windows\system32\Ifkojiim.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Joepio32.exeC:\Windows\system32\Joepio32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Jagmpg32.exeC:\Windows\system32\Jagmpg32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Windows\SysWOW64\Jgcabqic.exeC:\Windows\system32\Jgcabqic.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1416 -
C:\Windows\SysWOW64\Jpqclb32.exeC:\Windows\system32\Jpqclb32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Jiigehkl.exeC:\Windows\system32\Jiigehkl.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Kfoedl32.exeC:\Windows\system32\Kfoedl32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Kfaajlfp.exeC:\Windows\system32\Kfaajlfp.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\Kipnfged.exeC:\Windows\system32\Kipnfged.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1548 -
C:\Windows\SysWOW64\Kdlkld32.exeC:\Windows\system32\Kdlkld32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2416 -
C:\Windows\SysWOW64\Llccmb32.exeC:\Windows\system32\Llccmb32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1744 -
C:\Windows\SysWOW64\Lhjdbcef.exeC:\Windows\system32\Lhjdbcef.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2292 -
C:\Windows\SysWOW64\Lfmdnp32.exeC:\Windows\system32\Lfmdnp32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1648 -
C:\Windows\SysWOW64\Lkhpnnej.exeC:\Windows\system32\Lkhpnnej.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1140 -
C:\Windows\SysWOW64\Ldqegd32.exeC:\Windows\system32\Ldqegd32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:908 -
C:\Windows\SysWOW64\Lhlqhb32.exeC:\Windows\system32\Lhlqhb32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2144 -
C:\Windows\SysWOW64\Lmiipi32.exeC:\Windows\system32\Lmiipi32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1972 -
C:\Windows\SysWOW64\Lbfahp32.exeC:\Windows\system32\Lbfahp32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2392 -
C:\Windows\SysWOW64\Lkmjin32.exeC:\Windows\system32\Lkmjin32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:884 -
C:\Windows\SysWOW64\Lpjbad32.exeC:\Windows\system32\Lpjbad32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3040 -
C:\Windows\SysWOW64\Lchnnp32.exeC:\Windows\system32\Lchnnp32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1556 -
C:\Windows\SysWOW64\Lefkjkmc.exeC:\Windows\system32\Lefkjkmc.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2700 -
C:\Windows\SysWOW64\Libgjj32.exeC:\Windows\system32\Libgjj32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2740 -
C:\Windows\SysWOW64\Moalhq32.exeC:\Windows\system32\Moalhq32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2800 -
C:\Windows\SysWOW64\Mcmhiojk.exeC:\Windows\system32\Mcmhiojk.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2688 -
C:\Windows\SysWOW64\Mcodno32.exeC:\Windows\system32\Mcodno32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2196 -
C:\Windows\SysWOW64\Mdqafgnf.exeC:\Windows\system32\Mdqafgnf.exe35⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Madapkmp.exeC:\Windows\system32\Madapkmp.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Mepnpj32.exeC:\Windows\system32\Mepnpj32.exe37⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Mpjoqhah.exeC:\Windows\system32\Mpjoqhah.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1152 -
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2588 -
C:\Windows\SysWOW64\Naikkk32.exeC:\Windows\system32\Naikkk32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:1860 -
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe41⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Npnhlg32.exeC:\Windows\system32\Npnhlg32.exe42⤵
- Executes dropped EXE
PID:1388 -
C:\Windows\SysWOW64\Njgldmdc.exeC:\Windows\system32\Njgldmdc.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Nleiqhcg.exeC:\Windows\system32\Nleiqhcg.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1268 -
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:320 -
C:\Windows\SysWOW64\Nqcagfim.exeC:\Windows\system32\Nqcagfim.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:468 -
C:\Windows\SysWOW64\Nbdnoo32.exeC:\Windows\system32\Nbdnoo32.exe47⤵
- Executes dropped EXE
PID:844 -
C:\Windows\SysWOW64\Nmjblg32.exeC:\Windows\system32\Nmjblg32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1976 -
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe49⤵
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\Odegpj32.exeC:\Windows\system32\Odegpj32.exe50⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Omloag32.exeC:\Windows\system32\Omloag32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2080 -
C:\Windows\SysWOW64\Oojknblb.exeC:\Windows\system32\Oojknblb.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2432 -
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2204 -
C:\Windows\SysWOW64\Odgcfijj.exeC:\Windows\system32\Odgcfijj.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Okalbc32.exeC:\Windows\system32\Okalbc32.exe55⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Obkdonic.exeC:\Windows\system32\Obkdonic.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Odjpkihg.exeC:\Windows\system32\Odjpkihg.exe57⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe58⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Oqqapjnk.exeC:\Windows\system32\Oqqapjnk.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2580 -
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe60⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe61⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe62⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:756 -
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:836 -
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe65⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Pfbccp32.exeC:\Windows\system32\Pfbccp32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2996 -
C:\Windows\SysWOW64\Pmlkpjpj.exeC:\Windows\system32\Pmlkpjpj.exe67⤵
- Modifies registry class
PID:2412 -
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe68⤵PID:1464
-
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe69⤵PID:2268
-
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2224 -
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2180 -
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe72⤵PID:1696
-
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe73⤵PID:2360
-
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe74⤵PID:1588
-
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe75⤵
- Modifies registry class
PID:2020 -
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe76⤵PID:2228
-
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe77⤵PID:2712
-
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe78⤵PID:2584
-
C:\Windows\SysWOW64\Pndniaop.exeC:\Windows\system32\Pndniaop.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2568 -
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe80⤵
- Modifies registry class
PID:1524 -
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe81⤵
- Modifies registry class
PID:1620 -
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2576 -
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe83⤵PID:1996
-
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2932 -
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe85⤵
- Modifies registry class
PID:1484 -
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1888 -
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe87⤵
- Modifies registry class
PID:400 -
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2964 -
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2604 -
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2988 -
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2708 -
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe92⤵PID:2244
-
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe93⤵
- Modifies registry class
PID:3028 -
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe94⤵
- Drops file in System32 directory
PID:1840 -
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe95⤵
- Drops file in System32 directory
PID:1276 -
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe96⤵PID:1984
-
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe97⤵
- Drops file in System32 directory
PID:2068 -
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe98⤵PID:604
-
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe99⤵
- Modifies registry class
PID:668 -
C:\Windows\SysWOW64\Bbdocc32.exeC:\Windows\system32\Bbdocc32.exe100⤵PID:1312
-
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2916 -
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe102⤵
- Drops file in System32 directory
PID:556 -
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1836 -
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe104⤵
- Drops file in System32 directory
PID:2480 -
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe105⤵
- Modifies registry class
PID:2436 -
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe106⤵
- Drops file in System32 directory
PID:3048 -
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe107⤵
- Modifies registry class
PID:2536 -
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe108⤵PID:2644
-
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe109⤵
- Drops file in System32 directory
PID:1020 -
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe110⤵
- Drops file in System32 directory
PID:2876 -
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe111⤵
- Drops file in System32 directory
PID:1420 -
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe112⤵PID:1504
-
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe113⤵
- Modifies registry class
PID:2164 -
C:\Windows\SysWOW64\Cngcjo32.exeC:\Windows\system32\Cngcjo32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:584 -
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe115⤵
- Modifies registry class
PID:988 -
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1048 -
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2324 -
C:\Windows\SysWOW64\Cjpqdp32.exeC:\Windows\system32\Cjpqdp32.exe118⤵PID:2084
-
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1736 -
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2072 -
C:\Windows\SysWOW64\Cciemedf.exeC:\Windows\system32\Cciemedf.exe121⤵PID:2632
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-