9bce5a2e3466526d5bb9f235aea5fa41288e5149c2fb50b78421a49068c3fbd0

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04-05-2024 20:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ead2afbe89df3d16ab79ca4714a56e67_JaffaCakes118.exe
Size

80KB
MD5

ead2afbe89df3d16ab79ca4714a56e67
SHA1

ab9e08b2670daabfc8a0f01b352c9be342ba6392
SHA256

9bce5a2e3466526d5bb9f235aea5fa41288e5149c2fb50b78421a49068c3fbd0
SHA512

5c8ee1a8e91ed2ff0564bb0225e1160ccd8cbd3445bb26b79e3d052b905ed61976d3d776f13ac1a414c522d07da50c228f5750ff8420fabd4a66ed8ec80c205e
SSDEEP

1536:yG/xh9KQMgy8gWhICLfGpQgIKwPN8zZ2LwS5DUHRbPa9b6i+sIk:yG/xThIaeGewcSwS5DSCopsIk

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qflhbhgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qflhbhgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmjbhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cphndc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ead2afbe89df3d16ab79ca4714a56e67_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aajbne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amcpie32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpfeppop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbdnko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qbbhgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acmhepko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abbeflpf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biojif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Biojif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkglameg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbbhgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Annbhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amcpie32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acmhepko.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgechbh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmjbhh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbdnko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cphndc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ead2afbe89df3d16ab79ca4714a56e67_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aajbne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abbeflpf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Behgcf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgechbh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaheie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaheie32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Annbhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blobjaba.exe

Executes dropped EXE 20 IoCs

pid	Process
1384	Qflhbhgg.exe
2628	Qbbhgi32.exe
2796	Aaheie32.exe
2576	Aajbne32.exe
2568	Annbhi32.exe
2464	Amcpie32.exe
2888	Acmhepko.exe
1192	Abbeflpf.exe
1360	Bpfeppop.exe
924	Biojif32.exe
2040	Blobjaba.exe
1700	Behgcf32.exe
1860	Bjdplm32.exe
1640	Bkglameg.exe
2096	Cfnmfn32.exe
1312	Cmgechbh.exe
1032	Cbdnko32.exe
2276	Cmjbhh32.exe
1364	Cphndc32.exe
1780	Ceegmj32.exe

Loads dropped DLL 44 IoCs

pid	Process
2216	ead2afbe89df3d16ab79ca4714a56e67_JaffaCakes118.exe
2216	ead2afbe89df3d16ab79ca4714a56e67_JaffaCakes118.exe
1384	Qflhbhgg.exe
1384	Qflhbhgg.exe
2628	Qbbhgi32.exe
2628	Qbbhgi32.exe
2796	Aaheie32.exe
2796	Aaheie32.exe
2576	Aajbne32.exe
2576	Aajbne32.exe
2568	Annbhi32.exe
2568	Annbhi32.exe
2464	Amcpie32.exe
2464	Amcpie32.exe
2888	Acmhepko.exe
2888	Acmhepko.exe
1192	Abbeflpf.exe
1192	Abbeflpf.exe
1360	Bpfeppop.exe
1360	Bpfeppop.exe
924	Biojif32.exe
924	Biojif32.exe
2040	Blobjaba.exe
2040	Blobjaba.exe
1700	Behgcf32.exe
1700	Behgcf32.exe
1860	Bjdplm32.exe
1860	Bjdplm32.exe
1640	Bkglameg.exe
1640	Bkglameg.exe
2096	Cfnmfn32.exe
2096	Cfnmfn32.exe
1312	Cmgechbh.exe
1312	Cmgechbh.exe
1032	Cbdnko32.exe
1032	Cbdnko32.exe
2276	Cmjbhh32.exe
2276	Cmjbhh32.exe
1364	Cphndc32.exe
1364	Cphndc32.exe
1352	WerFault.exe
1352	WerFault.exe
1352	WerFault.exe
1352	WerFault.exe

Drops file in System32 directory 60 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Idlgcclp.dll	Qbbhgi32.exe
File created	C:\Windows\SysWOW64\Bpfeppop.exe	Abbeflpf.exe
File created	C:\Windows\SysWOW64\Fpcopobi.dll	Behgcf32.exe
File created	C:\Windows\SysWOW64\Mdqfkmom.dll	Bjdplm32.exe
File opened for modification	C:\Windows\SysWOW64\Qflhbhgg.exe	ead2afbe89df3d16ab79ca4714a56e67_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Abbeflpf.exe	Acmhepko.exe
File opened for modification	C:\Windows\SysWOW64\Biojif32.exe	Bpfeppop.exe
File opened for modification	C:\Windows\SysWOW64\Cmgechbh.exe	Cfnmfn32.exe
File created	C:\Windows\SysWOW64\Cbdnko32.exe	Cmgechbh.exe
File created	C:\Windows\SysWOW64\Ckpfcfnm.dll	Cbdnko32.exe
File created	C:\Windows\SysWOW64\Lopdpdmj.dll	Cmjbhh32.exe
File opened for modification	C:\Windows\SysWOW64\Blobjaba.exe	Biojif32.exe
File created	C:\Windows\SysWOW64\Cmjbhh32.exe	Cbdnko32.exe
File opened for modification	C:\Windows\SysWOW64\Annbhi32.exe	Aajbne32.exe
File created	C:\Windows\SysWOW64\Qflhbhgg.exe	ead2afbe89df3d16ab79ca4714a56e67_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Ghmnek32.dll	Aaheie32.exe
File opened for modification	C:\Windows\SysWOW64\Abbeflpf.exe	Acmhepko.exe
File created	C:\Windows\SysWOW64\Gmfkdm32.dll	Acmhepko.exe
File created	C:\Windows\SysWOW64\Behgcf32.exe	Blobjaba.exe
File created	C:\Windows\SysWOW64\Aaheie32.exe	Qbbhgi32.exe
File opened for modification	C:\Windows\SysWOW64\Behgcf32.exe	Blobjaba.exe
File opened for modification	C:\Windows\SysWOW64\Cphndc32.exe	Cmjbhh32.exe
File created	C:\Windows\SysWOW64\Aajbne32.exe	Aaheie32.exe
File created	C:\Windows\SysWOW64\Bkglameg.exe	Bjdplm32.exe
File created	C:\Windows\SysWOW64\Aoogfhfp.dll	Cphndc32.exe
File created	C:\Windows\SysWOW64\Gcnmkd32.dll	Qflhbhgg.exe
File created	C:\Windows\SysWOW64\Annbhi32.exe	Aajbne32.exe
File opened for modification	C:\Windows\SysWOW64\Acmhepko.exe	Amcpie32.exe
File opened for modification	C:\Windows\SysWOW64\Bpfeppop.exe	Abbeflpf.exe
File created	C:\Windows\SysWOW64\Pqncgcah.dll	Abbeflpf.exe
File created	C:\Windows\SysWOW64\Blobjaba.exe	Biojif32.exe
File created	C:\Windows\SysWOW64\Bjdplm32.exe	Behgcf32.exe
File created	C:\Windows\SysWOW64\Ceegmj32.exe	Cphndc32.exe
File opened for modification	C:\Windows\SysWOW64\Bjdplm32.exe	Behgcf32.exe
File created	C:\Windows\SysWOW64\Gfpifm32.dll	Cmgechbh.exe
File opened for modification	C:\Windows\SysWOW64\Ceegmj32.exe	Cphndc32.exe
File created	C:\Windows\SysWOW64\Gioicn32.dll	Amcpie32.exe
File created	C:\Windows\SysWOW64\Mmdgdp32.dll	Bpfeppop.exe
File created	C:\Windows\SysWOW64\Ihmnkh32.dll	Biojif32.exe
File opened for modification	C:\Windows\SysWOW64\Bkglameg.exe	Bjdplm32.exe
File opened for modification	C:\Windows\SysWOW64\Cfnmfn32.exe	Bkglameg.exe
File opened for modification	C:\Windows\SysWOW64\Cmjbhh32.exe	Cbdnko32.exe
File created	C:\Windows\SysWOW64\Cphndc32.exe	Cmjbhh32.exe
File created	C:\Windows\SysWOW64\Plnfdigq.dll	ead2afbe89df3d16ab79ca4714a56e67_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Qbbhgi32.exe	Qflhbhgg.exe
File opened for modification	C:\Windows\SysWOW64\Qbbhgi32.exe	Qflhbhgg.exe
File opened for modification	C:\Windows\SysWOW64\Aaheie32.exe	Qbbhgi32.exe
File created	C:\Windows\SysWOW64\Biojif32.exe	Bpfeppop.exe
File created	C:\Windows\SysWOW64\Cfnmfn32.exe	Bkglameg.exe
File created	C:\Windows\SysWOW64\Gnnffg32.dll	Cfnmfn32.exe
File created	C:\Windows\SysWOW64\Amcpie32.exe	Annbhi32.exe
File opened for modification	C:\Windows\SysWOW64\Amcpie32.exe	Annbhi32.exe
File created	C:\Windows\SysWOW64\Oilpcd32.dll	Annbhi32.exe
File created	C:\Windows\SysWOW64\Acmhepko.exe	Amcpie32.exe
File created	C:\Windows\SysWOW64\Dhnook32.dll	Blobjaba.exe
File created	C:\Windows\SysWOW64\Cmgechbh.exe	Cfnmfn32.exe
File opened for modification	C:\Windows\SysWOW64\Cbdnko32.exe	Cmgechbh.exe
File opened for modification	C:\Windows\SysWOW64\Aajbne32.exe	Aaheie32.exe
File created	C:\Windows\SysWOW64\Jbdipkfe.dll	Aajbne32.exe
File created	C:\Windows\SysWOW64\Mabanhgg.dll	Bkglameg.exe

Program crash 1 IoCs

pid	pid_target	Process
1352	1780	WerFault.exe

Modifies registry class 63 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Annbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mabanhgg.dll"	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmjbhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	ead2afbe89df3d16ab79ca4714a56e67_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aaheie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcnmkd32.dll"	Qflhbhgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acmhepko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihmnkh32.dll"	Biojif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdqfkmom.dll"	Bjdplm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbdnko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	ead2afbe89df3d16ab79ca4714a56e67_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqncgcah.dll"	Abbeflpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idlgcclp.dll"	Qbbhgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qbbhgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfpifm32.dll"	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	ead2afbe89df3d16ab79ca4714a56e67_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gioicn32.dll"	Amcpie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amcpie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lopdpdmj.dll"	Cmjbhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll"	Cphndc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plnfdigq.dll"	ead2afbe89df3d16ab79ca4714a56e67_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qflhbhgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qflhbhgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qbbhgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmnek32.dll"	Aaheie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmdgdp32.dll"	Bpfeppop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Biojif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkglameg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	ead2afbe89df3d16ab79ca4714a56e67_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmfkdm32.dll"	Acmhepko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abbeflpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	ead2afbe89df3d16ab79ca4714a56e67_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnnffg32.dll"	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cphndc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cphndc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhnook32.dll"	Blobjaba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Annbhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Behgcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aaheie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abbeflpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpcopobi.dll"	Behgcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aajbne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbdnko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Biojif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckpfcfnm.dll"	Cbdnko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmjbhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oilpcd32.dll"	Annbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acmhepko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aajbne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amcpie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbdipkfe.dll"	Aajbne32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 1384	2216	ead2afbe89df3d16ab79ca4714a56e67_JaffaCakes118.exe	28
PID 2216 wrote to memory of 1384	2216	ead2afbe89df3d16ab79ca4714a56e67_JaffaCakes118.exe	28
PID 2216 wrote to memory of 1384	2216	ead2afbe89df3d16ab79ca4714a56e67_JaffaCakes118.exe	28
PID 2216 wrote to memory of 1384	2216	ead2afbe89df3d16ab79ca4714a56e67_JaffaCakes118.exe	28
PID 1384 wrote to memory of 2628	1384	Qflhbhgg.exe	29
PID 1384 wrote to memory of 2628	1384	Qflhbhgg.exe	29
PID 1384 wrote to memory of 2628	1384	Qflhbhgg.exe	29
PID 1384 wrote to memory of 2628	1384	Qflhbhgg.exe	29
PID 2628 wrote to memory of 2796	2628	Qbbhgi32.exe	30
PID 2628 wrote to memory of 2796	2628	Qbbhgi32.exe	30
PID 2628 wrote to memory of 2796	2628	Qbbhgi32.exe	30
PID 2628 wrote to memory of 2796	2628	Qbbhgi32.exe	30
PID 2796 wrote to memory of 2576	2796	Aaheie32.exe	31
PID 2796 wrote to memory of 2576	2796	Aaheie32.exe	31
PID 2796 wrote to memory of 2576	2796	Aaheie32.exe	31
PID 2796 wrote to memory of 2576	2796	Aaheie32.exe	31
PID 2576 wrote to memory of 2568	2576	Aajbne32.exe	32
PID 2576 wrote to memory of 2568	2576	Aajbne32.exe	32
PID 2576 wrote to memory of 2568	2576	Aajbne32.exe	32
PID 2576 wrote to memory of 2568	2576	Aajbne32.exe	32
PID 2568 wrote to memory of 2464	2568	Annbhi32.exe	33
PID 2568 wrote to memory of 2464	2568	Annbhi32.exe	33
PID 2568 wrote to memory of 2464	2568	Annbhi32.exe	33
PID 2568 wrote to memory of 2464	2568	Annbhi32.exe	33
PID 2464 wrote to memory of 2888	2464	Amcpie32.exe	34
PID 2464 wrote to memory of 2888	2464	Amcpie32.exe	34
PID 2464 wrote to memory of 2888	2464	Amcpie32.exe	34
PID 2464 wrote to memory of 2888	2464	Amcpie32.exe	34
PID 2888 wrote to memory of 1192	2888	Acmhepko.exe	35
PID 2888 wrote to memory of 1192	2888	Acmhepko.exe	35
PID 2888 wrote to memory of 1192	2888	Acmhepko.exe	35
PID 2888 wrote to memory of 1192	2888	Acmhepko.exe	35
PID 1192 wrote to memory of 1360	1192	Abbeflpf.exe	36
PID 1192 wrote to memory of 1360	1192	Abbeflpf.exe	36
PID 1192 wrote to memory of 1360	1192	Abbeflpf.exe	36
PID 1192 wrote to memory of 1360	1192	Abbeflpf.exe	36
PID 1360 wrote to memory of 924	1360	Bpfeppop.exe	37
PID 1360 wrote to memory of 924	1360	Bpfeppop.exe	37
PID 1360 wrote to memory of 924	1360	Bpfeppop.exe	37
PID 1360 wrote to memory of 924	1360	Bpfeppop.exe	37
PID 924 wrote to memory of 2040	924	Biojif32.exe	38
PID 924 wrote to memory of 2040	924	Biojif32.exe	38
PID 924 wrote to memory of 2040	924	Biojif32.exe	38
PID 924 wrote to memory of 2040	924	Biojif32.exe	38
PID 2040 wrote to memory of 1700	2040	Blobjaba.exe	39
PID 2040 wrote to memory of 1700	2040	Blobjaba.exe	39
PID 2040 wrote to memory of 1700	2040	Blobjaba.exe	39
PID 2040 wrote to memory of 1700	2040	Blobjaba.exe	39
PID 1700 wrote to memory of 1860	1700	Behgcf32.exe	40
PID 1700 wrote to memory of 1860	1700	Behgcf32.exe	40
PID 1700 wrote to memory of 1860	1700	Behgcf32.exe	40
PID 1700 wrote to memory of 1860	1700	Behgcf32.exe	40
PID 1860 wrote to memory of 1640	1860	Bjdplm32.exe	41
PID 1860 wrote to memory of 1640	1860	Bjdplm32.exe	41
PID 1860 wrote to memory of 1640	1860	Bjdplm32.exe	41
PID 1860 wrote to memory of 1640	1860	Bjdplm32.exe	41
PID 1640 wrote to memory of 2096	1640	Bkglameg.exe	42
PID 1640 wrote to memory of 2096	1640	Bkglameg.exe	42
PID 1640 wrote to memory of 2096	1640	Bkglameg.exe	42
PID 1640 wrote to memory of 2096	1640	Bkglameg.exe	42
PID 2096 wrote to memory of 1312	2096	Cfnmfn32.exe	43
PID 2096 wrote to memory of 1312	2096	Cfnmfn32.exe	43
PID 2096 wrote to memory of 1312	2096	Cfnmfn32.exe	43
PID 2096 wrote to memory of 1312	2096	Cfnmfn32.exe	43

C:\Users\Admin\AppData\Local\Temp\ead2afbe89df3d16ab79ca4714a56e67_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ead2afbe89df3d16ab79ca4714a56e67_JaffaCakes118.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\SysWOW64\Qflhbhgg.exe
  C:\Windows\system32\Qflhbhgg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1384
- - C:\Windows\SysWOW64\Qbbhgi32.exe
    C:\Windows\system32\Qbbhgi32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\SysWOW64\Aaheie32.exe
      C:\Windows\system32\Aaheie32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2796
    - - C:\Windows\SysWOW64\Aajbne32.exe
        
        C:\Windows\system32\Aajbne32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2576
      - C:\Windows\SysWOW64\Annbhi32.exe
        
        C:\Windows\system32\Annbhi32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\Amcpie32.exe
        
        C:\Windows\system32\Amcpie32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\SysWOW64\Acmhepko.exe
        
        C:\Windows\system32\Acmhepko.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\SysWOW64\Abbeflpf.exe
        
        C:\Windows\system32\Abbeflpf.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1192
        
        C:\Windows\SysWOW64\Bpfeppop.exe
        
        C:\Windows\system32\Bpfeppop.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Windows\SysWOW64\Biojif32.exe
        
        C:\Windows\system32\Biojif32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:924
        
        C:\Windows\SysWOW64\Blobjaba.exe
        
        C:\Windows\system32\Blobjaba.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\Behgcf32.exe
        
        C:\Windows\system32\Behgcf32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SysWOW64\Bjdplm32.exe
        
        C:\Windows\system32\Bjdplm32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\SysWOW64\Bkglameg.exe
        
        C:\Windows\system32\Bkglameg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\SysWOW64\Cfnmfn32.exe
        
        C:\Windows\system32\Cfnmfn32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\Cmgechbh.exe
        
        C:\Windows\system32\Cmgechbh.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1312
        
        C:\Windows\SysWOW64\Cbdnko32.exe
        
        C:\Windows\system32\Cbdnko32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1032
        
        C:\Windows\SysWOW64\Cmjbhh32.exe
        
        C:\Windows\system32\Cmjbhh32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Cphndc32.exe
        
        C:\Windows\system32\Cphndc32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1364
        
        C:\Windows\SysWOW64\Ceegmj32.exe
        
        C:\Windows\system32\Ceegmj32.exe
        21⤵
        Executes dropped EXE
        
        PID:1780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 140
        22⤵
        Loads dropped DLL
        Program crash
        
        PID:1352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cbdnko32.exe

Filesize
80KB

MD5
0216c177519e472d80f48158225e2a34

SHA1
f3e83d01453cae7f4df985fe8b076c28f90a9c63

SHA256
2bbc715fd5e2c775356c1edef090472c599881fa70e33c9d279f8988d09cb64e

SHA512
73770d61b55d7e1a6a1784010639a23c9257103f3ce1abd6c44a82336b2a328ed4e8b48088ca38cf7102dd6809aa3feb9d4998d2d9d6ddfee6f458473a3d0b46

Download Submit
C:\Windows\SysWOW64\Ceegmj32.exe

Filesize
80KB

MD5
b719eb66bbc959cc81ee99d57dc806f5

SHA1
f8c338aef8c4d4dcf44bc28a2e4732220f264fab

SHA256
dfa35f190133ecb3084c5135beb64aad3d61d90fb39c542173b692368874ce21

SHA512
d70647300fe54423dc2d15211fb2c20d04a12184245abb96d9a287ed4039d8478392717701094be9f0042031ad975a828d0f6597f91281674a26f6bacb5c3392

Download Submit
C:\Windows\SysWOW64\Cmjbhh32.exe

Filesize
80KB

MD5
12bb7ba31dce8efcbba4db079e2ba054

SHA1
7a978d1341ed34c33781a79ce4b42309931e1cc1

SHA256
96ba29038c5077ca15820240cb87a13bcfe5814a4bc9361b1d2b79addd33448b

SHA512
fcf98313a3b0230d2618e5bc7a231866adab1e3be7063f6d9a2ea20904df7a8d7f1c3712d21d80b48ee48998225954d56612e5e12d05b9799d3113bbd86272fc

Download Submit
C:\Windows\SysWOW64\Cphndc32.exe

Filesize
80KB

MD5
f7ecf64f701f046512d002390611ba21

SHA1
028f2cb4416c12614652514a6fc2f07ec759a7a4

SHA256
3be1420684870b65b960743bf66c5044108d37ca07739157fa3afd1a19095fce

SHA512
46a4ee4e5ebd59889c66674e51ef933b81f7e9799e27762293af398723453f6862c7718883a789e452257b0b13725070e8d2e00530848c8b8ca9ed9002c11100

Download Submit
C:\Windows\SysWOW64\Qbbhgi32.exe

Filesize
80KB

MD5
604f94094e23a529fb008ae50eaec07a

SHA1
942403a54c50c0401656f621b9f66be8a6f777c6

SHA256
64ce8a1aaacdf8ac7a4664647505848e2dcc020b9cb0d426788f6e514f1d3d08

SHA512
38b54ce0bc426c14110b768011db27ee3fc6d7b41a279de6c9193079b5c5b851b0414490e8e085b3cca63672863c8558421c2f0db66a9a54e56b8ecdeeffc4ea

Download Submit
\Windows\SysWOW64\Aaheie32.exe

Filesize
80KB

MD5
d91dd4a17c525959a7622df03f4624ad

SHA1
04270a8b5d8a1210e39e111e0a473a57aed38b60

SHA256
dbbfd4ddce8c6c1a05a6cc0822e8a814214e41098be1d4b1acf98f94ab3a712c

SHA512
9060926dc28e2a7d0b688deada5ebd505f837a3f9bd73a644f7ee16cf22ce259d4300dc5e4cdc320b488aff521a711af68c53103dba762cfcc1c433d3d87a1b9

Download Submit
\Windows\SysWOW64\Aajbne32.exe

Filesize
80KB

MD5
dd9734583651c1c14964f5cc6c9e0072

SHA1
ac29b730ec345aa63303414486eafe025e89130f

SHA256
f28f2b6a5a0bb39dc4eb7a7282191fdb73da005a60079e74701e3ad8da865f70

SHA512
af1f0acaf98c9dde9e283f0d354373c41b97a50ff5ccf0b91170925b8d39a7ca4444d082516dd2630d44eb3c746df47ab7ccec7e89e528662bb89cc2dd503d33

Download Submit
\Windows\SysWOW64\Abbeflpf.exe

Filesize
80KB

MD5
39ceea2d8ffc7d2a0801b6a767b49ce4

SHA1
4609c50acfd763064253b755139d4978dda85dfc

SHA256
866c454dca3b6f5b9466786d81b3f7f9f3cd5efab355a33bb96fe86e4a814658

SHA512
637212430f8520399fe23ebf136b983f78aa5876c5a65cac9e0cbe9cf073c27ccc69de09c35cb7d6e64b0288f6ad989824a17ed33cfee1e505168ac3aad66b03

Download Submit
\Windows\SysWOW64\Acmhepko.exe

Filesize
80KB

MD5
99aa75fa54cbcbb7aeae4dbca90c5869

SHA1
5545c9faab289aa010855758d4dad1e2de643d5b

SHA256
a89abfe190f28f06d2288b02f27ff9cb0c2fad96338d64f7c7be7d2a28025fd6

SHA512
7dbc856248c8927f203271e180c917391f4753ed0d00bdc7b49d079a3ec77235ec20da0291e817c2fac812acdb37473afda0ff40f73e4b45e85cd99ba7c0db09

Download Submit
\Windows\SysWOW64\Amcpie32.exe

Filesize
80KB

MD5
ce5ac75211607b62a68d57e0e9b1aa47

SHA1
56c1ce1269b9330d71653095417110447085ddf9

SHA256
80b40bc9446e73f5f4ff3246703b2eb7081126bee5688eb0fb649611f1f95bce

SHA512
49cc4270fbea8590060b54ec0cca520d45acfae6017401b56a1d8bb7c1d4f04c85aaf8aa2d74a0333a0d560f5ffdddb33cf8dfee65fcd52211562ce2b7997848

Download Submit
\Windows\SysWOW64\Annbhi32.exe

Filesize
80KB

MD5
e06dc1828dd133ea376eb9534f536be8

SHA1
7bca33f93304f9fe9ae96f96f6de745665bf7c1b

SHA256
a6b2c6ea04e9e67bc91c4707f03efe4a066076dbcacc23ed6343e614da4ab88d

SHA512
11543364176bf3a5b082e2bf50fb38ccc8b093df9b7a55140fff7e90d785879802fed281acd319ce4ae1a3f3456361663d69cc628c5dabc771feb525d9c79ca1

Download Submit
\Windows\SysWOW64\Behgcf32.exe

Filesize
80KB

MD5
b0e955a1bcdd271fdae646b9b840a610

SHA1
a4f84fb8103f7c8512205d1f473ea5e464bba364

SHA256
b9e42e71ff0513a596d71c07b26d6451f8104f32ecbab6fb16a97dfb80b508dc

SHA512
655158287525aac2caf7e82426667e1823e695445f41d221c89e48a80c8f0bacefbb515e1b45ef2eb81839d4ba05cb9145b0dcf56afaa1f4667888fb6d3d01fe

Download Submit
\Windows\SysWOW64\Biojif32.exe

Filesize
80KB

MD5
6d93f029a3788ff2d8f2c8c31d4fa65b

SHA1
4e2e3274f8f19257458598f1e295bb2a7cd5761a

SHA256
34a7db1396a0d79a1db8c92baff518a833722642afcba543818b6e33e46751bd

SHA512
27ad0ea7d333c794a1bf4ee2b91a0fe1d80dee2f00c9cbf83098ea0acd2a9a535f53deefe6db5cb7795a05a3a6353ec30ccd45bc0e99f4fd4468d444188eba44

Download Submit
\Windows\SysWOW64\Bjdplm32.exe

Filesize
80KB

MD5
7e3acbf6ad73a334276be61aa177a9cd

SHA1
fed732413d0a79c48c79ccf18afed817e697a97b

SHA256
f4332ff486ddcda0f2d5c271acc8a441558c9619312a036603180f3e83af0029

SHA512
83cb62f8efa81660c60022a83d4f9422607dd431ef51a3c9842362725dca29d0fd671fbc54eb9ab29e84c2795dfb5ba32c08f85ee85bb71ddfb1716987d8bae1

Download Submit
\Windows\SysWOW64\Bkglameg.exe

Filesize
80KB

MD5
5e3c74aeb9a65e857e16e0d32885a1a7

SHA1
2056fb1eef6d08e5b445fbd71b11212db6c2f506

SHA256
601e64a56a8f9f44e781a62f290a1c5dca53bca088f0d3e3a4ef96a403dbd16f

SHA512
ff2b2cba255cc648fe5bfd641bcea1f37536a464eceffb5e2a1a0189e3d7e10a019f9c46b3c8f269687a4e6bab8aa64a4258bd7b13322696b0c3eb35b94f4fac

Download Submit
\Windows\SysWOW64\Blobjaba.exe

Filesize
80KB

MD5
f3a4185658ed502b0d6ad58aac1b336d

SHA1
b5b93d3048fb36245b0ce7c71e78ac3463a60d4e

SHA256
be5aa6cda8c86be7910a9f1f3944057fb5358bce5af1ad27da1cb8a2ee45570f

SHA512
fcf87d44b11f22186a82440b7b1879add0b6cb6d967d983aa43c097779a38ad307072e4aa7fd27af6985f0716691da18a6f785b3d1aedbeafd6f49de194e9d0d

Download Submit
\Windows\SysWOW64\Bpfeppop.exe

Filesize
80KB

MD5
2a50921d98adba20d94583b7c72235cf

SHA1
14ae1a355621a74eb8d989fe38d3067e92804a30

SHA256
0f68854ef24447f211e3db43ecbe2db866165125fbf9968c2cb07635a7dbe410

SHA512
ebff2b0b6e25c5956a77032aefe468bd971b0763188a5944a146a65454e7c3da13068f9f1fed3e6d6930540bbf819c1f9ccc860a0f57f6eb0adaada98e968427

Download Submit
\Windows\SysWOW64\Cfnmfn32.exe

Filesize
80KB

MD5
e86f56f8487c5f12a9194bd564a4a5fd

SHA1
915bfe9e7c5c79843660d63450851d824c7ffe77

SHA256
d88681aacab8226ac41bc639bbbd72ddec407474760036fd7926c5a431dfebef

SHA512
e3097166e750ec21bbf1fac5d86862b49d669b87237f105042593e93f0cd5ea4d614a10d863607963b8237030bba656945742e7cf39cc3aa59fb392bbb50fefa

Download Submit
\Windows\SysWOW64\Cmgechbh.exe

Filesize
80KB

MD5
9a5b7a080664e5bf45c98781e22516a5

SHA1
23899afc3d15fd0229205286cefabfe09dcff53c

SHA256
82a82ef6a943343bf461bc6b5d092e1772b500f1e460d53cd19271681bc60706

SHA512
b009a46644f5ae081bc47aae1787c91cb40b8edf3748553e136231927ed579b3866513a9ed2bd2ccc788be35b100822fd37a35956cb8c0b143af7f7de47a9d5d

Download Submit
\Windows\SysWOW64\Qflhbhgg.exe

Filesize
80KB

MD5
40451757d9c7dca04e47c11458e62800

SHA1
36cfb92ce1a1fddde75d77f016487fd6c84aa8b3

SHA256
5d4e9f0dcd066ee500abe61d9bb39da839acfee8896d5d3ac7cd6c6c6774b530

SHA512
53dfa9f3afe8bebf180257a3e7754a786c79381e6ba5817e4e02218a4be5de519dcba4f1429ed8b065ff33f692eb616a3ff2cd92b378ef575cf085a2efbac609

Download Submit
memory/924-135-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/924-268-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1032-232-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1032-238-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/1032-275-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1032-234-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/1192-120-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1192-119-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1192-266-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1312-217-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1312-274-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1312-227-0x00000000002B0000-0x00000000002EE000-memory.dmp

Filesize
248KB

Download
memory/1360-121-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1360-133-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1360-267-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1364-257-0x00000000002B0000-0x00000000002EE000-memory.dmp

Filesize
248KB

Download
memory/1364-252-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1384-260-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1384-26-0x00000000003B0000-0x00000000003EE000-memory.dmp

Filesize
248KB

Download
memory/1384-13-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1384-27-0x00000000003B0000-0x00000000003EE000-memory.dmp

Filesize
248KB

Download
memory/1640-190-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1640-272-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1700-270-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1700-170-0x00000000002B0000-0x00000000002EE000-memory.dmp

Filesize
248KB

Download
memory/1700-162-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1780-258-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1860-183-0x0000000000260000-0x000000000029E000-memory.dmp

Filesize
248KB

Download
memory/1860-189-0x0000000000260000-0x000000000029E000-memory.dmp

Filesize
248KB

Download
memory/1860-271-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2040-148-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2040-156-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2040-269-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2096-204-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2096-273-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2096-215-0x00000000005D0000-0x000000000060E000-memory.dmp

Filesize
248KB

Download
memory/2216-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2216-259-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2216-11-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2276-276-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2276-242-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2464-93-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2464-87-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2568-264-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2568-67-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2576-54-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2576-263-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2628-28-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2628-261-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2796-41-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2796-262-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2888-265-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2888-101-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads