948c86963297e2205832ac277670b13c69d20f773ff902cbea76e246c3f67b92

Analysis

max time kernel
147s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 02:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e9060a0a007df330b71f45d199af22e7_JaffaCakes118.exe
Size

1.9MB
MD5

e9060a0a007df330b71f45d199af22e7
SHA1

d200e2d67908bec0f54719af45eca843b905cddb
SHA256

948c86963297e2205832ac277670b13c69d20f773ff902cbea76e246c3f67b92
SHA512

3591b49e5c710f9f9d883b89a7e0f8ed3ed4a5b3a82eb084ec1929e02f14b380e4b2498ea16433d011a28908247af04e90f77c97062579f92b45cb3480a63cde
SSDEEP

24576:GJ5Aoem0BmmvFimm0Xnm0BmmvFimm0jiYxBqm0BmmvFimm0Xnm0BmmvFimm0G:GHAoKiqiHiqiz

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ickchq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibcmom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmhale32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iikhfg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmgfda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iikhfg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfoafi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	e9060a0a007df330b71f45d199af22e7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Imdgqfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmgfda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kfoafi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imdgqfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmhale32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e9060a0a007df330b71f45d199af22e7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ickchq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibcmom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmannhhj.exe

Executes dropped EXE 17 IoCs

pid	Process
1452	Ickchq32.exe
4044	Imdgqfbd.exe
2944	Iikhfg32.exe
3088	Ibcmom32.exe
1884	Jmhale32.exe
4932	Kfoafi32.exe
3172	Lmgfda32.exe
2304	Pmannhhj.exe
3992	Pnakhkol.exe
2440	Pgnilpah.exe
3096	Ambgef32.exe
2592	Afmhck32.exe
2136	Acqimo32.exe
2052	Anfmjhmd.exe
932	Chokikeb.exe
4164	Deagdn32.exe
1328	Dmllipeg.exe

Drops file in System32 directory 51 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ickchq32.exe	e9060a0a007df330b71f45d199af22e7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Gnchkk32.dll	Ickchq32.exe
File created	C:\Windows\SysWOW64\Hdoemjgn.dll	Lmgfda32.exe
File created	C:\Windows\SysWOW64\Mglncdoj.dll	Afmhck32.exe
File opened for modification	C:\Windows\SysWOW64\Anfmjhmd.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Acqimo32.exe
File created	C:\Windows\SysWOW64\Eifbkgjd.dll	Ibcmom32.exe
File created	C:\Windows\SysWOW64\Jjhijoaa.dll	Kfoafi32.exe
File created	C:\Windows\SysWOW64\Imdgqfbd.exe	Ickchq32.exe
File created	C:\Windows\SysWOW64\Pgnilpah.exe	Pnakhkol.exe
File opened for modification	C:\Windows\SysWOW64\Pmannhhj.exe	Lmgfda32.exe
File created	C:\Windows\SysWOW64\Hpoddikd.dll	Ambgef32.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Aaqfok32.dll	Imdgqfbd.exe
File opened for modification	C:\Windows\SysWOW64\Pgnilpah.exe	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Ccdlci32.dll	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Ambgef32.exe	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Afmhck32.exe	Ambgef32.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Ambgef32.exe
File opened for modification	C:\Windows\SysWOW64\Imdgqfbd.exe	Ickchq32.exe
File created	C:\Windows\SysWOW64\Iikhfg32.exe	Imdgqfbd.exe
File opened for modification	C:\Windows\SysWOW64\Acqimo32.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Jmhale32.exe	Ibcmom32.exe
File created	C:\Windows\SysWOW64\Kfoafi32.exe	Jmhale32.exe
File created	C:\Windows\SysWOW64\Pnakhkol.exe	Pmannhhj.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Iledokkp.dll	e9060a0a007df330b71f45d199af22e7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Lmgfda32.exe	Kfoafi32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Ickchq32.exe	e9060a0a007df330b71f45d199af22e7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Ibaabn32.dll	Pgnilpah.exe
File opened for modification	C:\Windows\SysWOW64\Ibcmom32.exe	Iikhfg32.exe
File opened for modification	C:\Windows\SysWOW64\Kfoafi32.exe	Jmhale32.exe
File created	C:\Windows\SysWOW64\Pmannhhj.exe	Lmgfda32.exe
File created	C:\Windows\SysWOW64\Qamhhedg.dll	Jmhale32.exe
File created	C:\Windows\SysWOW64\Gjgfjhqm.dll	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Acqimo32.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Dlkhie32.dll	Iikhfg32.exe
File opened for modification	C:\Windows\SysWOW64\Ambgef32.exe	Pgnilpah.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Lmgfda32.exe	Kfoafi32.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Jmhale32.exe	Ibcmom32.exe
File created	C:\Windows\SysWOW64\Anfmjhmd.exe	Acqimo32.exe
File opened for modification	C:\Windows\SysWOW64\Iikhfg32.exe	Imdgqfbd.exe
File created	C:\Windows\SysWOW64\Ibcmom32.exe	Iikhfg32.exe
File opened for modification	C:\Windows\SysWOW64\Pnakhkol.exe	Pmannhhj.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Chokikeb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4408	1328	WerFault.exe	104

Modifies registry class 54 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	e9060a0a007df330b71f45d199af22e7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	e9060a0a007df330b71f45d199af22e7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaqfok32.dll"	Imdgqfbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ibcmom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlkhie32.dll"	Iikhfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmgfda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	e9060a0a007df330b71f45d199af22e7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	e9060a0a007df330b71f45d199af22e7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qamhhedg.dll"	Jmhale32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iikhfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgfjhqm.dll"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdlci32.dll"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpoddikd.dll"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnchkk32.dll"	Ickchq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lmgfda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ickchq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjhijoaa.dll"	Kfoafi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglncdoj.dll"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jmhale32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iikhfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kfoafi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibaabn32.dll"	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifbkgjd.dll"	Ibcmom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ambgef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iledokkp.dll"	e9060a0a007df330b71f45d199af22e7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kfoafi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	e9060a0a007df330b71f45d199af22e7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Imdgqfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Imdgqfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibcmom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdoemjgn.dll"	Lmgfda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ickchq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jmhale32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 208 wrote to memory of 1452	208	e9060a0a007df330b71f45d199af22e7_JaffaCakes118.exe	86
PID 208 wrote to memory of 1452	208	e9060a0a007df330b71f45d199af22e7_JaffaCakes118.exe	86
PID 208 wrote to memory of 1452	208	e9060a0a007df330b71f45d199af22e7_JaffaCakes118.exe	86
PID 1452 wrote to memory of 4044	1452	Ickchq32.exe	87
PID 1452 wrote to memory of 4044	1452	Ickchq32.exe	87
PID 1452 wrote to memory of 4044	1452	Ickchq32.exe	87
PID 4044 wrote to memory of 2944	4044	Imdgqfbd.exe	88
PID 4044 wrote to memory of 2944	4044	Imdgqfbd.exe	88
PID 4044 wrote to memory of 2944	4044	Imdgqfbd.exe	88
PID 2944 wrote to memory of 3088	2944	Iikhfg32.exe	89
PID 2944 wrote to memory of 3088	2944	Iikhfg32.exe	89
PID 2944 wrote to memory of 3088	2944	Iikhfg32.exe	89
PID 3088 wrote to memory of 1884	3088	Ibcmom32.exe	90
PID 3088 wrote to memory of 1884	3088	Ibcmom32.exe	90
PID 3088 wrote to memory of 1884	3088	Ibcmom32.exe	90
PID 1884 wrote to memory of 4932	1884	Jmhale32.exe	92
PID 1884 wrote to memory of 4932	1884	Jmhale32.exe	92
PID 1884 wrote to memory of 4932	1884	Jmhale32.exe	92
PID 4932 wrote to memory of 3172	4932	Kfoafi32.exe	93
PID 4932 wrote to memory of 3172	4932	Kfoafi32.exe	93
PID 4932 wrote to memory of 3172	4932	Kfoafi32.exe	93
PID 3172 wrote to memory of 2304	3172	Lmgfda32.exe	95
PID 3172 wrote to memory of 2304	3172	Lmgfda32.exe	95
PID 3172 wrote to memory of 2304	3172	Lmgfda32.exe	95
PID 2304 wrote to memory of 3992	2304	Pmannhhj.exe	96
PID 2304 wrote to memory of 3992	2304	Pmannhhj.exe	96
PID 2304 wrote to memory of 3992	2304	Pmannhhj.exe	96
PID 3992 wrote to memory of 2440	3992	Pnakhkol.exe	97
PID 3992 wrote to memory of 2440	3992	Pnakhkol.exe	97
PID 3992 wrote to memory of 2440	3992	Pnakhkol.exe	97
PID 2440 wrote to memory of 3096	2440	Pgnilpah.exe	98
PID 2440 wrote to memory of 3096	2440	Pgnilpah.exe	98
PID 2440 wrote to memory of 3096	2440	Pgnilpah.exe	98
PID 3096 wrote to memory of 2592	3096	Ambgef32.exe	99
PID 3096 wrote to memory of 2592	3096	Ambgef32.exe	99
PID 3096 wrote to memory of 2592	3096	Ambgef32.exe	99
PID 2592 wrote to memory of 2136	2592	Afmhck32.exe	100
PID 2592 wrote to memory of 2136	2592	Afmhck32.exe	100
PID 2592 wrote to memory of 2136	2592	Afmhck32.exe	100
PID 2136 wrote to memory of 2052	2136	Acqimo32.exe	101
PID 2136 wrote to memory of 2052	2136	Acqimo32.exe	101
PID 2136 wrote to memory of 2052	2136	Acqimo32.exe	101
PID 2052 wrote to memory of 932	2052	Anfmjhmd.exe	102
PID 2052 wrote to memory of 932	2052	Anfmjhmd.exe	102
PID 2052 wrote to memory of 932	2052	Anfmjhmd.exe	102
PID 932 wrote to memory of 4164	932	Chokikeb.exe	103
PID 932 wrote to memory of 4164	932	Chokikeb.exe	103
PID 932 wrote to memory of 4164	932	Chokikeb.exe	103
PID 4164 wrote to memory of 1328	4164	Deagdn32.exe	104
PID 4164 wrote to memory of 1328	4164	Deagdn32.exe	104
PID 4164 wrote to memory of 1328	4164	Deagdn32.exe	104

C:\Users\Admin\AppData\Local\Temp\e9060a0a007df330b71f45d199af22e7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e9060a0a007df330b71f45d199af22e7_JaffaCakes118.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:208
- C:\Windows\SysWOW64\Ickchq32.exe
  C:\Windows\system32\Ickchq32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1452
- - C:\Windows\SysWOW64\Imdgqfbd.exe
    C:\Windows\system32\Imdgqfbd.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4044
  - - C:\Windows\SysWOW64\Iikhfg32.exe
      C:\Windows\system32\Iikhfg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2944
    - - C:\Windows\SysWOW64\Ibcmom32.exe
        
        C:\Windows\system32\Ibcmom32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3088
      - C:\Windows\SysWOW64\Jmhale32.exe
        
        C:\Windows\system32\Jmhale32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3172
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3096
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:932
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4164
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        18⤵
        Executes dropped EXE
        
        PID:1328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1328 -s 408
        19⤵
        Program crash
        
        PID:4408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1328 -ip 1328
1⤵
PID:3324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acqimo32.exe

Filesize
1.9MB

MD5
81d6786941c4a660dceb05ec1663e5bc

SHA1
7d8611d3f031fecc31168806144f94c4b52185e9

SHA256
62b1d7074ab988ed4eebc9552216cdf3f1fbd0bfdac0b53e5bac509b1a5cb624

SHA512
ae35a817d19637f9124ec7eeae61be6f4a955b6fed9e59c357275f96f5a6c14ebab2f56652b7f2d2b541000bdef7d0a74cdca566e3f3dda5a376e0d9b628ea4e

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
1.9MB

MD5
a72258d1d96c8c570df686cb4dcb5537

SHA1
f16c5a9e4151a6151cb41f3bdf055c60e0f34c45

SHA256
28aee3d4bb9d96531e4e9aea3aaf6cfeeef2be8077cbeeceec63948ad7edf78a

SHA512
c860ac71d382b0a96907c76afbbf165d882a2e35f8a1ba9f1f3ed55f3e831e9d81dfb31cc6d8c79afebd1086e0cb6b95323a0565d8041f9d9498f1f3512020f7

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
1.9MB

MD5
a8f30d3b1791493ce2860be0f0c1a852

SHA1
c77c3a4ee44a25927315d18ce1397be1ca6304c4

SHA256
828334111072448489a4473265d6cccda530ed65888af8caae2bc27934eca54a

SHA512
8ecc1b6b0badc7c30b7e1979cfe85631b38a86b5716b0a30261ffa2548edc702c1052dd4b1228beac0a63ffd934946c426f7718501ca82d71824bf8d22d201fc

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
1.9MB

MD5
c49f21bd0fc638991ae436725db72872

SHA1
39d618cf3b66f8a9ce45c04a0cf1d2f4f3d8117c

SHA256
0851669d3425ae272f1a5c34b208db7b518d3ee4103e18f11cb18c645153859d

SHA512
03bf3aeb64cf7c92f5517a23b44358361904a61689b37973fbc4d8bb351264ea1ce5cd3cbd55846374f92a735291e3cfc25369eb435aed33e829d905fac1da9c

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
1.9MB

MD5
caa988b9611df933bf1bfcf391177ccf

SHA1
a5e8d7cde99a5616345a78479fc864ae2690da3b

SHA256
cf650e93c278d56293514b290a3575d64fdde01358fe17cf8d21e1c1c606eb45

SHA512
2b56550506f0fea8c79ab9096a7a972c27105978604388b8ed54774347744e54a0d00b39603211b13dd5c247a9c45994c1a924149117e11a077cb8e962956e0b

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
1.9MB

MD5
7094ef0b94086f1dd6956ab12872714f

SHA1
5b6d0d0777026a8c7971c28c0dcb4c879c2bf043

SHA256
9755ddda242af1743c47774d5d43e47f8b565d1809736614bae9da8731b2ad22

SHA512
0b82695a5978fcbbf217deca9ba3fa91f23fda0c4f1d7744cb369efb75243f1d667bb38db9bf0c1cdb80b6cc65fcc9dbb92dcb40d0967a0928943cc5fbf34681

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
1.9MB

MD5
3e8908dc1b56569f34d4d05ba263f945

SHA1
3591649d4abe283671c65cd7db93512f45ec45d9

SHA256
9531e5c4e866a825096b4099f81a4b2c29427d70f1567e47863c3bd5d3254e56

SHA512
43543cb356f2f9334814a60c08d18b4c03cd164047e7834a147007d9f0aad2a63daaad1e0f6c9d2b867939ec26b353240a2be8543cf353eb45387ab658cccf98

Download Submit
C:\Windows\SysWOW64\Eifbkgjd.dll

Filesize
7KB

MD5
9bd2fb16285c8e91ef966cfa98931148

SHA1
bb8441cc6f9f5aa130b4c762c6eb2adb44a98854

SHA256
cb4da01c8397d8bef7ea6e352c1ee91429a49f7b9e326c1b73b2a34cf8e7a179

SHA512
f2288fac3d009219c926f290c40a3e78227ffbf49961649437a1dacb49993cb848ee7a661952338ddec871c06ede640a7107d93b7590a57f2639335d2bec3475

Download Submit
C:\Windows\SysWOW64\Ibcmom32.exe

Filesize
1.9MB

MD5
8618932fdf44684430d5b62fa68c1d2d

SHA1
781d16c9128d855e287a819a730b5d2a0c95642e

SHA256
198d7e6d9f7edc290be312bdd5eb56ca1b8f799a937823361b09506ab8f936ab

SHA512
32c9c05e1a122108cbacb0170f63ae23dba1009edfe06e0fba0f0de9db9d4b7c57f5663c5c2e9db4500baa53d2a5924bd5e3519f93b5e128e8f4e89da4f7ac1f

Download Submit
C:\Windows\SysWOW64\Ickchq32.exe

Filesize
1.9MB

MD5
cb2794f69b51d9c1958a602de18dd571

SHA1
0628b697457d174084e25b6c537c9e710da88294

SHA256
1f412040d10a9099b953ef7bcdb3c4085081b7edcb71424b0d8eac2346bb40b4

SHA512
2b63fcef0845011a973e6c93dcb351b188972d595ae3876cba3eb385ac51df70d8d405875b610e3c225e01500660ee4f1152bffb219d3cb01cfaf5664468b254

Download Submit
C:\Windows\SysWOW64\Iikhfg32.exe

Filesize
1.9MB

MD5
4d7eed1d80b354573646404727392c85

SHA1
ed751edcfd1fc00a9c65f67c4ce15f9bc08cf546

SHA256
d40e4c42fbdca7259932de9e154393430267b47acbf9b92ad588f5e4747bc7d1

SHA512
e6fcf2282fbf298fd69035802ef14f1e08c30a82713eca1bdf7ef4f974b23020410ece651cd7502235bc108b206a80d46330383d31e10d6c99148efba7fff846

Download Submit
C:\Windows\SysWOW64\Imdgqfbd.exe

Filesize
1.9MB

MD5
f94a9d73e032acc8e1642aefe928c115

SHA1
704f7ad0394c1de09a2cd0e574adc6308060638d

SHA256
dc338ddc50bdbb472394e5112c668f0a3fe5ddc2a4052d04673d486f16892a18

SHA512
a8a9c5ab8e53d6a013913c47f28488b9dbd03066dd54637a1689fd97aae2b9e3a3553b4923381e5d9f5fb9991f5eb8388b6b2df01ac1dc3d5cd5e42e937f8c9b

Download Submit
C:\Windows\SysWOW64\Jmhale32.exe

Filesize
1.9MB

MD5
cf7bd23fc44b29308bc359cab34933d3

SHA1
0c4a6ddc57e322df4aa47af78842c444a3f48624

SHA256
cf5082cfe621bec05fa23cbf13e3e1981904cda16ef9497d0cd425000fa12c49

SHA512
d13d230641e4fa745549afa34b32cd3b0774892c1a340793b0e828f260f907041888d76caa41842e7a060936dce2115aea468efb1bfb20df8be5fe8eca5eeb1c

Download Submit
C:\Windows\SysWOW64\Kfoafi32.exe

Filesize
1.9MB

MD5
1f094db6603dc7c59988276d34544162

SHA1
2a73e4c56419a29ecfa51164b9379aa2e6502a91

SHA256
fa5252eee425a6933e6983d39825b291e23d0bf1684acafc9556b313ad941fd4

SHA512
165f09fe5f1b62c4fbe5b498602c9ff98944212b704e19b6c6f98fea5ab6631b86e5d578f392c108ec697dc0edd00d27fcbfe26f7b6ee208ceadbc7b35b28cc8

Download Submit
C:\Windows\SysWOW64\Lmgfda32.exe

Filesize
1.9MB

MD5
068d95944dd360b3482ba186f9a4517f

SHA1
5ae3033c529d6a6f611133e984b1bfb28e48680d

SHA256
6de8412d2f73cb4eadb92c7e15bdd168e4674755991297dc83c0de4f2b32de08

SHA512
0fb700a02c703e56c89a6dbb6c78d458d6caf06ee6532c8e3a9ea86b104b1b0e3c590ad7fdb25008bce8305f577fc5d63cec0cfa1bfc5b0dd1fb28fa353d839c

Download Submit
C:\Windows\SysWOW64\Lmgfda32.exe

Filesize
1.9MB

MD5
b8e77015aabef121ab4e610894d3c621

SHA1
898b05ad30211d714b52d0545af103c378d9201d

SHA256
ef04228e50d4dcdd6787781573fc1db18eb0e7cbdcb2390adac9491c911559bf

SHA512
dfb9c1a7f305276a6cdd32a94b2be6369755e39ec00e01e03a8ee7c5c8acd7f74a7c36d164ef7ba7c7562047a575834cc885a40f7b2939576057dc9fdd0e83ca

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
1.9MB

MD5
14186da483e3633b8043258a2e1c4a2a

SHA1
440fd840d75911fbe7d6b6caee08a4fe3c6ad010

SHA256
8cc6a03626c85a6d84bedd56d12f8bb832f1b5eaa50bbe4281173cec4faf98fc

SHA512
5d6b77f4153149b60f33e5a0935afccbf26f0015000e232eb2395d12e0138858062887a6f90cd37bb9beeae4967e17852dcd0efa6c28ecc461882074d5fb8eb3

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
1.9MB

MD5
fdabdaa8d74964c12c17c9e3df6401e1

SHA1
ccdc499443df2c7f8c8b6e9adc5e7244b68fb455

SHA256
318e6b23bdb496e26453a61b01cbccae83e791d2561fe7b725e83ec410485ada

SHA512
9f7131276063fdf1eec6bd703fa4452e1f678c595f1c55bf1ec29d4a9c9ed34ad57cc7177357a7e7ccd350ab2672cb716ffe68032d9c97580a9b833eb12cc894

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
1.9MB

MD5
2ded04bcdbfa48d253383e1b23bd202a

SHA1
3105d78e46ff54324b686cc1168d957a86d6901d

SHA256
0a77b439d3a96e38970dd126f0043c255301977a855a054dd32c1e58ec3ccd0b

SHA512
4983bab6e1f3ae3f95f00338eefa64ca46c68223699cebeb8832078aa7d0f0ede7d20a16e40601be66fbeca1e42f26305863ee8a3b88af9305735138e7dbab6f

Download Submit
memory/208-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/208-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/932-145-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/932-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1328-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1328-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1452-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1452-138-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1884-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1884-142-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2052-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2052-146-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2136-108-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2304-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2304-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2440-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2440-150-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2592-100-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2944-140-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2944-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3088-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3096-149-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3096-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3172-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3172-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3992-74-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3992-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4044-20-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4164-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4164-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4932-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4932-154-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads