Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 14/07/2024, 09:49
Static task: static1
Behavioral task: behavioral1
- Sample: 454d20ca3452c7ccc51da7a0ccb7e55d_JaffaCakes118.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: 454d20ca3452c7ccc51da7a0ccb7e55d_JaffaCakes118.exe
- Resource: win10v2004-20240709-en
General
- Target: 454d20ca3452c7ccc51da7a0ccb7e55d_JaffaCakes118.exe
- Size: 43KB
- MD5: 454d20ca3452c7ccc51da7a0ccb7e55d
- SHA1: c218de2d7c18a788f0f655ac2a3db4c729a3d40b
- SHA256: 8e54e6d5ed7ea5338370375a1ed4caa74539389c78cedbcfc3b185354121c5f2
- SHA512: b754b1a574c274f46d80d2d19932d6298a042d040c7f466cfa2bc40afbca3d55720d51610485bd3640702c4254bbc8425416b6ea67a3998119ad16576352e850
- SSDEEP: 768:3PJadenAqtYQnaXH96rV2kllriFqR7Atmqfvfj7sMC72ZWzFwKF/Kpplc:3PnAClrVLTrEqNAxvXsf7rzV/KpXc
Malware Config
Signatures
- Executes dropped EXE (64 IoCs)
- Loads dropped DLL (64 IoCs)
- Adds Run key to start application (2 TTPs, 64 IoCs)
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Modifies WinLogon (2 TTPs, 64 IoCs)
- Drops file in System32 directory (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
-
Depth 1 (the submitted sample)
C:\Users\Admin\AppData\Local\Temp\454d20ca3452c7ccc51da7a0ccb7e55d_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\454d20ca3452c7ccc51da7a0ccb7e55d_JaffaCakes118.exe"
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2988

Depths 2 to 122 form a single linear chain: each scklchk.exe instance is the child of the one at the depth above it, and the tree shown reaches depth 122 before the 150 s run ends. Every process in the chain has the image path C:\Windows\SysWOW64\scklchk.exe and the command line C:\Windows\system32\scklchk.exe. The two paths differ because the sample is a 32-bit executable running on x64 Windows 7: WOW64 file system redirection maps its System32 references to SysWOW64, so the file it dropped "in System32" and then launched actually lives under SysWOW64. The chain is listed below as depth, PID and the signatures triggered by that process; from depth 66 onward no signature fires, which matches the 64 "Executes dropped EXE" IoCs above (depths 2 to 65).

Depth  PID   Signatures
2      2832  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
3      2512  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
4      3056  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
5      3032  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
6      3028  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
7      2684  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
8      2764  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
9      2760  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
10     2892  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
11     2560  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
12     2672  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
13     2580  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
14     2748  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
15     2668  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
16     2600  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
17     3008  Executes dropped EXE; Loads dropped DLL
18     2228  Executes dropped EXE; Loads dropped DLL
19     1680  Executes dropped EXE; Loads dropped DLL
20     1760  Executes dropped EXE; Loads dropped DLL
21     2044  Executes dropped EXE; Loads dropped DLL
22     2324  Executes dropped EXE; Loads dropped DLL
23     536   Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
24     1908  Executes dropped EXE; Loads dropped DLL
25     1420  Executes dropped EXE; Loads dropped DLL
26     1620  Executes dropped EXE; Loads dropped DLL
27     2840  Executes dropped EXE; Loads dropped DLL
28     2540  Executes dropped EXE; Loads dropped DLL
29     1260  Executes dropped EXE; Loads dropped DLL
30     1596  Executes dropped EXE; Loads dropped DLL
31     1724  Executes dropped EXE; Loads dropped DLL
32     2404  Executes dropped EXE; Loads dropped DLL; Adds Run key to start application
33     2120  Executes dropped EXE
34     2648  Executes dropped EXE
35     2160  Executes dropped EXE
36     372   Executes dropped EXE
37     1148  Executes dropped EXE
38     2172  Executes dropped EXE
39     2868  Executes dropped EXE
40     1076  Executes dropped EXE
41     1740  Executes dropped EXE
42     1544  Executes dropped EXE
43     936   Executes dropped EXE
44     1460  Executes dropped EXE
45     2264  Executes dropped EXE
46     2124  Executes dropped EXE
47     876   Executes dropped EXE
48     496   Executes dropped EXE
49     2536  Executes dropped EXE
50     2904  Executes dropped EXE
51     1476  Executes dropped EXE
52     1788  Executes dropped EXE; Modifies WinLogon; Drops file in System32 directory
53     1052  Executes dropped EXE
54     2112  Executes dropped EXE
55     2496  Executes dropped EXE
56     1368  Executes dropped EXE; Adds Run key to start application; Drops file in System32 directory
57     2300  Executes dropped EXE
58     1660  Executes dropped EXE
59     2308  Executes dropped EXE; Modifies WinLogon
60     892   Executes dropped EXE
61     2424  Executes dropped EXE
62     560   Executes dropped EXE
63     2932  Executes dropped EXE
64     2196  Executes dropped EXE
65     352   Executes dropped EXE
66     1668  (none)
67     896   (none)
68     2108  (none)
69     292   (none)
70     2268  (none)
71     1356  (none)
72     620   (none)
73     1616  (none)
74     1244  (none)
75     2016  (none)
76     2004  (none)
77     2056  (none)
78     2696  Adds Run key to start application
79     2756  Modifies WinLogon
80     2664  (none)
81     2792  (none)
82     2744  (none)
83     2992  (none)
84     2728  (none)
85     2628  (none)
86     2824  (none)
87     1708  (none)
88     1592  Adds Run key to start application
89     324   (none)
90     1852  Drops file in System32 directory
91     3076  (none)
92     3096  (none)
93     3108  (none)
94     3128  (none)
95     3144  Drops file in System32 directory
96     3160  (none)
97     3176  (none)
98     3192  (none)
99     3208  (none)
100    3224  (none)
101    3240  (none)
102    3256  (none)
103    3272  (none)
104    3288  Modifies WinLogon
105    3304  (none)
106    3320  (none)
107    3332  (none)
108    3352  (none)
109    3364  (none)
110    3384  (none)
111    3396  (none)
112    3412  Adds Run key to start application
113    3428  (none)
114    3448  (none)
115    3460  (none)
116    3476  Modifies WinLogon
117    3496  (none)
118    3512  (none)
119    3528  (none)
120    3544  (none)
121    3556  (none)
122    3576  (none)
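When a report like this is exported as text, the process tree arrives flattened (image path, command line and nesting depth run together on one line, signatures as "- " bullets, the PID on the next line) and the WriteProcessMemory signature arrives as a flat list of "PID A wrote to memory of B" records. The script below is an added example, not part of the tria.ge report or of the tria.ge tooling: it parses both views, rebuilds the parent/child chain from the depth numbers, isolates the self-spawning scklchk.exe chain, lists the PIDs that carry persistence signatures, and checks that each recorded memory write targets the writer's own freshly created child. The regular expressions encode this example's own reading of the flattened layout, and the two embedded inputs are excerpts copied from this report (depths 1, 9 to 12, 32 and 66 of the tree; the first three parent/child pairs of the memory-write list), so the excerpt's depth-9 process links to the sample rather than to its real depth-8 parent.

```python
"""Added example, not part of the tria.ge report: rebuild the process chain
from the flattened process tree and the WriteProcessMemory records."""
import ntpath
import re
from collections import Counter

# Excerpt of the report's process tree (depths 1, 9-12, 32 and 66 copied from
# the page; the other depths are omitted). Each entry is image path, command
# line and depth run together, then "- " signature bullets, then the PID.
TREE_TEXT = r"""
C:\Users\Admin\AppData\Local\Temp\454d20ca3452c7ccc51da7a0ccb7e55d_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\454d20ca3452c7ccc51da7a0ccb7e55d_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\scklchk.exeC:\Windows\system32\scklchk.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\scklchk.exeC:\Windows\system32\scklchk.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\scklchk.exeC:\Windows\system32\scklchk.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\scklchk.exeC:\Windows\system32\scklchk.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\scklchk.exeC:\Windows\system32\scklchk.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2404 -
C:\Windows\SysWOW64\scklchk.exeC:\Windows\system32\scklchk.exe66⤵PID:1668
"""

# Excerpt of the report's WriteProcessMemory records (two writes per pair).
WPM_TEXT = (
    "PID 2760 wrote to memory of 2892 2760 scklchk.exe 39 "
    "PID 2760 wrote to memory of 2892 2760 scklchk.exe 39 "
    "PID 2892 wrote to memory of 2560 2892 scklchk.exe 40 "
    "PID 2892 wrote to memory of 2560 2892 scklchk.exe 40 "
    "PID 2560 wrote to memory of 2672 2560 scklchk.exe 41 "
    "PID 2560 wrote to memory of 2672 2560 scklchk.exe 41"
)

# Layout assumptions of this example: image ends at the first ".exe", the
# command line follows immediately, then the depth number and the arrow glyph.
HEADER = re.compile(r'^(?P<image>[A-Za-z]:\\.*?\.exe)(?P<cmd>"?[A-Za-z]:\\.*?)'
                    r'(?P<depth>\d+)⤵(?:PID:(?P<pid>\d+))?\s*$')
PID_LINE = re.compile(r"^PID:(\d+)")
SIG_LINE = re.compile(r"^- (.+)$")
WPM_RECORD = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 \S+ \d+")
PERSISTENCE = {"Adds Run key to start application", "Modifies WinLogon"}


def parse_tree(text):
    """One dict per process: image, cmdline, depth, pid, signatures."""
    procs = []
    for line in text.splitlines():
        line = line.strip()
        if (m := HEADER.match(line)):
            procs.append({"image": m["image"], "cmdline": m["cmd"],
                          "depth": int(m["depth"]),
                          "pid": int(m["pid"]) if m["pid"] else None,
                          "signatures": []})
        elif procs and (m := PID_LINE.match(line)):
            procs[-1]["pid"] = int(m[1])
        elif procs and (m := SIG_LINE.match(line)):
            procs[-1]["signatures"].append(m[1])
    return procs


def link_parents(procs):
    """pid -> parent pid, treating the depth number as indentation: the parent
    is the nearest preceding entry with a smaller depth."""
    parents, stack = {}, []
    for p in procs:
        while stack and stack[-1]["depth"] >= p["depth"]:
            stack.pop()
        parents[p["pid"]] = stack[-1]["pid"] if stack else None
        stack.append(p)
    return parents


def replication_chain(procs, parents):
    """PIDs whose parent runs the same image name: the self-spawning chain."""
    by_pid = {p["pid"]: p for p in procs}
    return [p["pid"] for p in procs
            if (parent := by_pid.get(parents[p["pid"]]))
            and ntpath.basename(parent["image"]).lower()
            == ntpath.basename(p["image"]).lower()]


def persistence_pids(procs):
    """PIDs that triggered a Run-key or Winlogon persistence signature."""
    return sorted(p["pid"] for p in procs if PERSISTENCE & set(p["signatures"]))


def parse_wpm(text):
    """Count (writer pid, target pid) pairs in the WriteProcessMemory list."""
    return Counter((int(a), int(b)) for a, b in WPM_RECORD.findall(text))


def writes_into_own_child(parents, writes):
    """Memory writes whose target is the writer's direct child in the tree."""
    return sorted(pair for pair in writes if parents.get(pair[1]) == pair[0])


if __name__ == "__main__":
    procs = parse_tree(TREE_TEXT)
    parents = link_parents(procs)
    print("deepest level in excerpt:", max(p["depth"] for p in procs))
    print("self-spawning chain:", replication_chain(procs, parents))
    print("persistence PIDs:", persistence_pids(procs))
    print("parent->child writes:", writes_into_own_child(parents, parse_wpm(WPM_TEXT)))
```

The parent links come from the depth numbers alone, which is why the check in writes_into_own_child is worth running: every memory write in the excerpt lands in the writer's direct child, the pattern you would expect when each scklchk.exe creates the next instance and writes into it before letting it run. Over the full report the same functions give a chain of 121 scklchk.exe processes and the persistence hits at depths 32, 52, 56, 59, 78, 79, 88, 104, 112 and 116.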