xtremerat | 32b110314b0940b544b4594403ec3968c9827423757ba9d09064467402016c26

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30/01/2025, 06:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_5fe86862c9b4695ad9d48b95d980e44c.exe
Size

316KB
MD5

5fe86862c9b4695ad9d48b95d980e44c
SHA1

f6d32f059a6d5975804fd311235c4d170c32d5c5
SHA256

32b110314b0940b544b4594403ec3968c9827423757ba9d09064467402016c26
SHA512

402b4d723c9414b51d714c2345fac054a4a2d428044cf1e2af411c808eaa101989f539f07f672975108716b6c4a5214ae119374f050cfce1cca374f1147ff21c
SSDEEP

3072:kmqzv/Ek0NBYAkafaUqTgLW+diiV4Co8kHoyA/xmpuHWmj3iHNk9PLeRQjVSzaQR:kmq4bhWlAo8khoH9zerM/K

Score

10^/10

xtremerat discovery persistence rat spyware upx

Malware Config

Signatures

Detect XtremeRAT payload 13 IoCs

resource	yara_rule
behavioral2/memory/2344-6-0x0000000000C80000-0x0000000000CAB000-memory.dmp	family_xtremerat
behavioral2/memory/2344-5-0x0000000000C80000-0x0000000000CAB000-memory.dmp	family_xtremerat
behavioral2/memory/2344-20-0x0000000000C80000-0x0000000000CAB000-memory.dmp	family_xtremerat
behavioral2/memory/1788-28-0x0000000000C80000-0x0000000000CAB000-memory.dmp	family_xtremerat
behavioral2/memory/1788-27-0x0000000000C80000-0x0000000000CAB000-memory.dmp	family_xtremerat
behavioral2/memory/1788-33-0x0000000000C80000-0x0000000000CAB000-memory.dmp	family_xtremerat
behavioral2/memory/1240-39-0x0000000000C80000-0x0000000000CAB000-memory.dmp	family_xtremerat
behavioral2/memory/4836-49-0x0000000000C80000-0x0000000000CAB000-memory.dmp	family_xtremerat
behavioral2/memory/3112-59-0x0000000000C80000-0x0000000000CAB000-memory.dmp	family_xtremerat
behavioral2/memory/2704-163-0x0000000000C80000-0x0000000000CAB000-memory.dmp	family_xtremerat
behavioral2/memory/3984-193-0x0000000000C80000-0x0000000000CAB000-memory.dmp	family_xtremerat
behavioral2/memory/560-203-0x0000000000C80000-0x0000000000CAB000-memory.dmp	family_xtremerat
behavioral2/memory/860-213-0x0000000000C80000-0x0000000000CAB000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Xtremerat family
xtremerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 62 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}\StubPath = "C:\\Windows\\InstallDir\\hkml.exe restart"	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}\StubPath = "C:\\Windows\\InstallDir\\hkml.exe restart"	hkml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}\StubPath = "C:\\Windows\\InstallDir\\hkml.exe restart"	hkml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}\StubPath = "C:\\Windows\\InstallDir\\hkml.exe restart"	hkml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}	hkml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}\StubPath = "C:\\Windows\\InstallDir\\hkml.exe restart"	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}\StubPath = "C:\\Windows\\InstallDir\\hkml.exe restart"	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}\StubPath = "C:\\Windows\\InstallDir\\hkml.exe restart"	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}\StubPath = "C:\\Windows\\InstallDir\\hkml.exe restart"	hkml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}\StubPath = "C:\\Windows\\InstallDir\\hkml.exe restart"	hkml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}\StubPath = "C:\\Windows\\InstallDir\\hkml.exe restart"	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}\StubPath = "C:\\Windows\\InstallDir\\hkml.exe restart"	hkml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}	hkml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}	hkml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}\StubPath = "C:\\Windows\\InstallDir\\hkml.exe restart"	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}\StubPath = "C:\\Windows\\InstallDir\\hkml.exe restart"	hkml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}\StubPath = "C:\\Windows\\InstallDir\\hkml.exe restart"	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}\StubPath = "C:\\Windows\\InstallDir\\hkml.exe restart"	hkml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}	hkml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}\StubPath = "C:\\Windows\\InstallDir\\hkml.exe restart"	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}\StubPath = "C:\\Windows\\InstallDir\\hkml.exe restart"	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}\StubPath = "C:\\Windows\\InstallDir\\hkml.exe restart"	hkml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}	hkml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}	JaffaCakes118_5fe86862c9b4695ad9d48b95d980e44c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}	hkml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}	hkml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}	hkml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}	hkml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}	hkml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}	hkml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}	hkml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}	hkml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}\StubPath = "C:\\Windows\\InstallDir\\hkml.exe restart"	hkml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}\StubPath = "C:\\Windows\\InstallDir\\hkml.exe restart"	hkml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}\StubPath = "C:\\Windows\\InstallDir\\hkml.exe restart"	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}\StubPath = "C:\\Windows\\InstallDir\\hkml.exe restart"	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}\StubPath = "C:\\Windows\\InstallDir\\hkml.exe restart"	hkml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}\StubPath = "C:\\Windows\\InstallDir\\hkml.exe restart"	hkml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}	hkml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}\StubPath = "C:\\Windows\\InstallDir\\hkml.exe restart"	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}\StubPath = "C:\\Windows\\InstallDir\\hkml.exe restart"	hkml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}\StubPath = "C:\\Windows\\InstallDir\\hkml.exe restart"	hkml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}\StubPath = "C:\\Windows\\InstallDir\\hkml.exe restart"	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}\StubPath = "C:\\Windows\\InstallDir\\hkml.exe restart"	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}\StubPath = "C:\\Windows\\InstallDir\\hkml.exe restart"	JaffaCakes118_5fe86862c9b4695ad9d48b95d980e44c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6IV005R-V7PM-QQ7S-MD4P-V6S8P3NWLRX2}\StubPath = "C:\\Windows\\InstallDir\\hkml.exe restart"	hkml.exe

Checks computer location settings 2 TTPs 30 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	hkml.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	hkml.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	hkml.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	hkml.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	hkml.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	hkml.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	hkml.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	hkml.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	hkml.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	hkml.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	hkml.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	hkml.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	hkml.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	hkml.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	hkml.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	hkml.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	hkml.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	hkml.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	hkml.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	hkml.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	hkml.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	hkml.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	hkml.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	hkml.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	hkml.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	hkml.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	hkml.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JaffaCakes118_5fe86862c9b4695ad9d48b95d980e44c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	hkml.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	hkml.exe

Executes dropped EXE 60 IoCs

pid	Process
5064	hkml.exe
1788	hkml.exe
4668	hkml.exe
1240	hkml.exe
4780	hkml.exe
4836	hkml.exe
2844	hkml.exe
3112	hkml.exe
3040	hkml.exe
1564	hkml.exe
892	hkml.exe
2604	hkml.exe
3500	hkml.exe
3684	hkml.exe
3896	hkml.exe
1788	hkml.exe
4780	hkml.exe
1104	hkml.exe
4836	hkml.exe
2776	hkml.exe
5096	hkml.exe
672	hkml.exe
4852	hkml.exe
3592	hkml.exe
1732	hkml.exe
3140	hkml.exe
1572	hkml.exe
2568	hkml.exe
1608	hkml.exe
2704	hkml.exe
4860	hkml.exe
1628	hkml.exe
456	hkml.exe
4196	hkml.exe
1572	hkml.exe
3984	hkml.exe
2384	hkml.exe
560	hkml.exe
1628	hkml.exe
860	hkml.exe
5076	hkml.exe
4008	hkml.exe
2848	hkml.exe
2480	hkml.exe
3680	hkml.exe
4992	hkml.exe
1236	hkml.exe
560	hkml.exe
5180	hkml.exe
5208	hkml.exe
5428	hkml.exe
5456	hkml.exe
5624	hkml.exe
5652	hkml.exe
5800	hkml.exe
5828	hkml.exe
5976	hkml.exe
6004	hkml.exe
560	hkml.exe
5228	hkml.exe

Adds Run key to start application 2 TTPs 62 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\hkml.exe"	JaffaCakes118_5fe86862c9b4695ad9d48b95d980e44c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\hkml.exe"	JaffaCakes118_5fe86862c9b4695ad9d48b95d980e44c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\hkml.exe"	hkml.exe

Maps connected drives based on registry 3 TTPs 62 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	hkml.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	hkml.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	hkml.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	hkml.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	hkml.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	hkml.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	hkml.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	hkml.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	hkml.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	hkml.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	hkml.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	hkml.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	hkml.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	hkml.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	hkml.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	hkml.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	hkml.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	hkml.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	hkml.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	hkml.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	hkml.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	hkml.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	JaffaCakes118_5fe86862c9b4695ad9d48b95d980e44c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	hkml.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	hkml.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	hkml.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	hkml.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	JaffaCakes118_5fe86862c9b4695ad9d48b95d980e44c.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	hkml.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	hkml.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	hkml.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	hkml.exe

Suspicious use of SetThreadContext 31 IoCs

description	pid	Process	procid_target
PID 2792 set thread context of 2344	2792	JaffaCakes118_5fe86862c9b4695ad9d48b95d980e44c.exe	82
PID 5064 set thread context of 1788	5064	hkml.exe	93
PID 4668 set thread context of 1240	4668	hkml.exe	108
PID 4780 set thread context of 4836	4780	hkml.exe	122
PID 2844 set thread context of 3112	2844	hkml.exe	133
PID 3040 set thread context of 1564	3040	hkml.exe	144
PID 892 set thread context of 2604	892	hkml.exe	156
PID 3500 set thread context of 3684	3500	hkml.exe	168
PID 3896 set thread context of 1788	3896	hkml.exe	179
PID 4780 set thread context of 1104	4780	hkml.exe	190
PID 4836 set thread context of 2776	4836	hkml.exe	201
PID 5096 set thread context of 672	5096	hkml.exe	212
PID 4852 set thread context of 3592	4852	hkml.exe	223
PID 1732 set thread context of 3140	1732	hkml.exe	234
PID 1572 set thread context of 2568	1572	hkml.exe	245
PID 1608 set thread context of 2704	1608	hkml.exe	256
PID 4860 set thread context of 1628	4860	hkml.exe	267
PID 456 set thread context of 4196	456	hkml.exe	278
PID 1572 set thread context of 3984	1572	hkml.exe	289
PID 2384 set thread context of 560	2384	hkml.exe	300
PID 1628 set thread context of 860	1628	hkml.exe	311
PID 5076 set thread context of 4008	5076	hkml.exe	322
PID 2848 set thread context of 2480	2848	hkml.exe	333
PID 3680 set thread context of 4992	3680	hkml.exe	344
PID 1236 set thread context of 560	1236	hkml.exe	355
PID 5180 set thread context of 5208	5180	hkml.exe	366
PID 5428 set thread context of 5456	5428	hkml.exe	377
PID 5624 set thread context of 5652	5624	hkml.exe	388
PID 5800 set thread context of 5828	5800	hkml.exe	399
PID 5976 set thread context of 6004	5976	hkml.exe	410
PID 560 set thread context of 5228	560	hkml.exe	421

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2344-2-0x0000000000C80000-0x0000000000CAB000-memory.dmp	upx
behavioral2/memory/2344-4-0x0000000000C80000-0x0000000000CAB000-memory.dmp	upx
behavioral2/memory/2344-6-0x0000000000C80000-0x0000000000CAB000-memory.dmp	upx
behavioral2/memory/2344-5-0x0000000000C80000-0x0000000000CAB000-memory.dmp	upx
behavioral2/memory/2344-20-0x0000000000C80000-0x0000000000CAB000-memory.dmp	upx
behavioral2/memory/1788-26-0x0000000000C80000-0x0000000000CAB000-memory.dmp	upx
behavioral2/memory/1788-28-0x0000000000C80000-0x0000000000CAB000-memory.dmp	upx
behavioral2/memory/1788-27-0x0000000000C80000-0x0000000000CAB000-memory.dmp	upx
behavioral2/memory/1788-33-0x0000000000C80000-0x0000000000CAB000-memory.dmp	upx
behavioral2/memory/1240-38-0x0000000000C80000-0x0000000000CAB000-memory.dmp	upx
behavioral2/memory/1240-39-0x0000000000C80000-0x0000000000CAB000-memory.dmp	upx
behavioral2/memory/4836-48-0x0000000000C80000-0x0000000000CAB000-memory.dmp	upx
behavioral2/memory/4836-49-0x0000000000C80000-0x0000000000CAB000-memory.dmp	upx
behavioral2/memory/3112-59-0x0000000000C80000-0x0000000000CAB000-memory.dmp	upx
behavioral2/memory/3112-58-0x0000000000C80000-0x0000000000CAB000-memory.dmp	upx
behavioral2/memory/2704-162-0x0000000000C80000-0x0000000000CAB000-memory.dmp	upx
behavioral2/memory/2704-163-0x0000000000C80000-0x0000000000CAB000-memory.dmp	upx
behavioral2/memory/3984-192-0x0000000000C80000-0x0000000000CAB000-memory.dmp	upx
behavioral2/memory/3984-193-0x0000000000C80000-0x0000000000CAB000-memory.dmp	upx
behavioral2/memory/560-203-0x0000000000C80000-0x0000000000CAB000-memory.dmp	upx
behavioral2/memory/560-202-0x0000000000C80000-0x0000000000CAB000-memory.dmp	upx
behavioral2/memory/860-213-0x0000000000C80000-0x0000000000CAB000-memory.dmp	upx
behavioral2/memory/860-212-0x0000000000C80000-0x0000000000CAB000-memory.dmp	upx

Drops file in Windows directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\InstallDir\hkml.exe	hkml.exe
File opened for modification	C:\Windows\InstallDir\hkml.exe	hkml.exe
File opened for modification	C:\Windows\InstallDir\hkml.exe	hkml.exe
File opened for modification	C:\Windows\InstallDir\hkml.exe	hkml.exe
File opened for modification	C:\Windows\InstallDir\hkml.exe	hkml.exe
File created	C:\Windows\InstallDir\hkml.exe	JaffaCakes118_5fe86862c9b4695ad9d48b95d980e44c.exe
File opened for modification	C:\Windows\InstallDir\hkml.exe	hkml.exe
File opened for modification	C:\Windows\InstallDir\hkml.exe	hkml.exe
File opened for modification	C:\Windows\InstallDir\hkml.exe	hkml.exe
File opened for modification	C:\Windows\InstallDir\hkml.exe	hkml.exe
File opened for modification	C:\Windows\InstallDir\hkml.exe	hkml.exe
File opened for modification	C:\Windows\InstallDir\hkml.exe	hkml.exe
File opened for modification	C:\Windows\InstallDir\hkml.exe	hkml.exe
File opened for modification	C:\Windows\InstallDir\hkml.exe	hkml.exe
File opened for modification	C:\Windows\InstallDir\hkml.exe	hkml.exe
File opened for modification	C:\Windows\InstallDir\hkml.exe	hkml.exe
File opened for modification	C:\Windows\InstallDir\hkml.exe	hkml.exe
File opened for modification	C:\Windows\InstallDir\hkml.exe	hkml.exe
File opened for modification	C:\Windows\InstallDir\hkml.exe	hkml.exe
File opened for modification	C:\Windows\InstallDir\hkml.exe	hkml.exe
File opened for modification	C:\Windows\InstallDir\hkml.exe	hkml.exe
File opened for modification	C:\Windows\InstallDir\hkml.exe	hkml.exe
File opened for modification	C:\Windows\InstallDir\hkml.exe	hkml.exe
File opened for modification	C:\Windows\InstallDir\hkml.exe	hkml.exe
File opened for modification	C:\Windows\InstallDir\hkml.exe	hkml.exe
File opened for modification	C:\Windows\InstallDir\hkml.exe	hkml.exe
File opened for modification	C:\Windows\InstallDir\hkml.exe	hkml.exe
File opened for modification	C:\Windows\InstallDir\hkml.exe	JaffaCakes118_5fe86862c9b4695ad9d48b95d980e44c.exe
File opened for modification	C:\Windows\InstallDir\hkml.exe	hkml.exe
File opened for modification	C:\Windows\InstallDir\hkml.exe	hkml.exe
File opened for modification	C:\Windows\InstallDir\hkml.exe	hkml.exe
File opened for modification	C:\Windows\InstallDir\hkml.exe	hkml.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 62 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5fe86862c9b4695ad9d48b95d980e44c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5fe86862c9b4695ad9d48b95d980e44c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkml.exe

Suspicious use of SetWindowsHookEx 31 IoCs

pid	Process
2792	JaffaCakes118_5fe86862c9b4695ad9d48b95d980e44c.exe
5064	hkml.exe
4668	hkml.exe
4780	hkml.exe
2844	hkml.exe
3040	hkml.exe
892	hkml.exe
3500	hkml.exe
3896	hkml.exe
4780	hkml.exe
4836	hkml.exe
5096	hkml.exe
4852	hkml.exe
1732	hkml.exe
1572	hkml.exe
1608	hkml.exe
4860	hkml.exe
456	hkml.exe
1572	hkml.exe
2384	hkml.exe
1628	hkml.exe
5076	hkml.exe
2848	hkml.exe
3680	hkml.exe
1236	hkml.exe
5180	hkml.exe
5428	hkml.exe
5624	hkml.exe
5800	hkml.exe
5976	hkml.exe
560	hkml.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 2344	2792	JaffaCakes118_5fe86862c9b4695ad9d48b95d980e44c.exe	82
PID 2792 wrote to memory of 2344	2792	JaffaCakes118_5fe86862c9b4695ad9d48b95d980e44c.exe	82
PID 2792 wrote to memory of 2344	2792	JaffaCakes118_5fe86862c9b4695ad9d48b95d980e44c.exe	82
PID 2792 wrote to memory of 2344	2792	JaffaCakes118_5fe86862c9b4695ad9d48b95d980e44c.exe	82
PID 2792 wrote to memory of 2344	2792	JaffaCakes118_5fe86862c9b4695ad9d48b95d980e44c.exe	82
PID 2792 wrote to memory of 2344	2792	JaffaCakes118_5fe86862c9b4695ad9d48b95d980e44c.exe	82
PID 2792 wrote to memory of 2344	2792	JaffaCakes118_5fe86862c9b4695ad9d48b95d980e44c.exe	82
PID 2792 wrote to memory of 2344	2792	JaffaCakes118_5fe86862c9b4695ad9d48b95d980e44c.exe	82
PID 2344 wrote to memory of 4100	2344	JaffaCakes118_5fe86862c9b4695ad9d48b95d980e44c.exe	83
PID 2344 wrote to memory of 4100	2344	JaffaCakes118_5fe86862c9b4695ad9d48b95d980e44c.exe	83
PID 2344 wrote to memory of 4100	2344	JaffaCakes118_5fe86862c9b4695ad9d48b95d980e44c.exe	83
PID 2344 wrote to memory of 3032	2344	JaffaCakes118_5fe86862c9b4695ad9d48b95d980e44c.exe	84
PID 2344 wrote to memory of 3032	2344	JaffaCakes118_5fe86862c9b4695ad9d48b95d980e44c.exe	84
PID 2344 wrote to memory of 3032	2344	JaffaCakes118_5fe86862c9b4695ad9d48b95d980e44c.exe	84
PID 2344 wrote to memory of 3620	2344	JaffaCakes118_5fe86862c9b4695ad9d48b95d980e44c.exe	85
PID 2344 wrote to memory of 3620	2344	JaffaCakes118_5fe86862c9b4695ad9d48b95d980e44c.exe	85
PID 2344 wrote to memory of 3620	2344	JaffaCakes118_5fe86862c9b4695ad9d48b95d980e44c.exe	85
PID 2344 wrote to memory of 2932	2344	JaffaCakes118_5fe86862c9b4695ad9d48b95d980e44c.exe	86
PID 2344 wrote to memory of 2932	2344	JaffaCakes118_5fe86862c9b4695ad9d48b95d980e44c.exe	86
PID 2344 wrote to memory of 2932	2344	JaffaCakes118_5fe86862c9b4695ad9d48b95d980e44c.exe	86
PID 2344 wrote to memory of 2544	2344	JaffaCakes118_5fe86862c9b4695ad9d48b95d980e44c.exe	87
PID 2344 wrote to memory of 2544	2344	JaffaCakes118_5fe86862c9b4695ad9d48b95d980e44c.exe	87
PID 2344 wrote to memory of 2544	2344	JaffaCakes118_5fe86862c9b4695ad9d48b95d980e44c.exe	87
PID 2344 wrote to memory of 4328	2344	JaffaCakes118_5fe86862c9b4695ad9d48b95d980e44c.exe	88
PID 2344 wrote to memory of 4328	2344	JaffaCakes118_5fe86862c9b4695ad9d48b95d980e44c.exe	88
PID 2344 wrote to memory of 4328	2344	JaffaCakes118_5fe86862c9b4695ad9d48b95d980e44c.exe	88
PID 2344 wrote to memory of 4892	2344	JaffaCakes118_5fe86862c9b4695ad9d48b95d980e44c.exe	89
PID 2344 wrote to memory of 4892	2344	JaffaCakes118_5fe86862c9b4695ad9d48b95d980e44c.exe	89
PID 2344 wrote to memory of 4892	2344	JaffaCakes118_5fe86862c9b4695ad9d48b95d980e44c.exe	89
PID 2344 wrote to memory of 2208	2344	JaffaCakes118_5fe86862c9b4695ad9d48b95d980e44c.exe	90
PID 2344 wrote to memory of 2208	2344	JaffaCakes118_5fe86862c9b4695ad9d48b95d980e44c.exe	90
PID 2344 wrote to memory of 2208	2344	JaffaCakes118_5fe86862c9b4695ad9d48b95d980e44c.exe	90
PID 2344 wrote to memory of 2532	2344	JaffaCakes118_5fe86862c9b4695ad9d48b95d980e44c.exe	91
PID 2344 wrote to memory of 2532	2344	JaffaCakes118_5fe86862c9b4695ad9d48b95d980e44c.exe	91
PID 2344 wrote to memory of 5064	2344	JaffaCakes118_5fe86862c9b4695ad9d48b95d980e44c.exe	92
PID 2344 wrote to memory of 5064	2344	JaffaCakes118_5fe86862c9b4695ad9d48b95d980e44c.exe	92
PID 2344 wrote to memory of 5064	2344	JaffaCakes118_5fe86862c9b4695ad9d48b95d980e44c.exe	92
PID 5064 wrote to memory of 1788	5064	hkml.exe	93
PID 5064 wrote to memory of 1788	5064	hkml.exe	93
PID 5064 wrote to memory of 1788	5064	hkml.exe	93
PID 5064 wrote to memory of 1788	5064	hkml.exe	93
PID 5064 wrote to memory of 1788	5064	hkml.exe	93
PID 5064 wrote to memory of 1788	5064	hkml.exe	93
PID 5064 wrote to memory of 1788	5064	hkml.exe	93
PID 5064 wrote to memory of 1788	5064	hkml.exe	93
PID 1788 wrote to memory of 1344	1788	hkml.exe	94
PID 1788 wrote to memory of 1344	1788	hkml.exe	94
PID 1788 wrote to memory of 1344	1788	hkml.exe	94
PID 1788 wrote to memory of 2916	1788	hkml.exe	95
PID 1788 wrote to memory of 2916	1788	hkml.exe	95
PID 1788 wrote to memory of 2916	1788	hkml.exe	95
PID 1788 wrote to memory of 4024	1788	hkml.exe	96
PID 1788 wrote to memory of 4024	1788	hkml.exe	96
PID 1788 wrote to memory of 4024	1788	hkml.exe	96
PID 1788 wrote to memory of 2976	1788	hkml.exe	99
PID 1788 wrote to memory of 2976	1788	hkml.exe	99
PID 1788 wrote to memory of 2976	1788	hkml.exe	99
PID 1788 wrote to memory of 3132	1788	hkml.exe	100
PID 1788 wrote to memory of 3132	1788	hkml.exe	100
PID 1788 wrote to memory of 3132	1788	hkml.exe	100
PID 1788 wrote to memory of 4404	1788	hkml.exe	103
PID 1788 wrote to memory of 4404	1788	hkml.exe	103
PID 1788 wrote to memory of 4404	1788	hkml.exe	103
PID 1788 wrote to memory of 4060	1788	hkml.exe	104

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5fe86862c9b4695ad9d48b95d980e44c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5fe86862c9b4695ad9d48b95d980e44c.exe"
1⤵
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5fe86862c9b4695ad9d48b95d980e44c.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5fe86862c9b4695ad9d48b95d980e44c.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:4100
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:3032
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:3620
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:2932
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:2544
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:4328
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:4892
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:2208
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:2532
- - C:\Windows\InstallDir\hkml.exe
    "C:\Windows\InstallDir\hkml.exe"
    3⤵
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5064
  - - C:\Windows\InstallDir\hkml.exe
      C:\Windows\InstallDir\hkml.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1788
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        
        PID:1344
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:2916
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4024
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:2976
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3132
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4404
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4060
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4828
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3252
    - - C:\Windows\InstallDir\hkml.exe
        
        "C:\Windows\InstallDir\hkml.exe"
        5⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4668
      - C:\Windows\InstallDir\hkml.exe
        
        C:\Windows\InstallDir\hkml.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1240
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        7⤵
        
        PID:3828
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:3572
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:1188
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:540
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:4596
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:2496
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:1740
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:3524
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:3152
        
        C:\Windows\InstallDir\hkml.exe
        
        "C:\Windows\InstallDir\hkml.exe"
        7⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4780
        
        C:\Windows\InstallDir\hkml.exe
        
        C:\Windows\InstallDir\hkml.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4836
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        9⤵
        
        PID:912
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:1764
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:472
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:3644
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:4244
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:1052
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:536
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:3196
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:2040
        
        C:\Windows\InstallDir\hkml.exe
        
        "C:\Windows\InstallDir\hkml.exe"
        9⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2844
        
        C:\Windows\InstallDir\hkml.exe
        
        C:\Windows\InstallDir\hkml.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3112
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        11⤵
        
        PID:852
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:1172
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:3980
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:2124
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:2104
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:5012
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:2920
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:2008
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:3356
        
        C:\Windows\InstallDir\hkml.exe
        
        "C:\Windows\InstallDir\hkml.exe"
        11⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3040
        
        C:\Windows\InstallDir\hkml.exe
        
        C:\Windows\InstallDir\hkml.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        13⤵
        
        PID:1116
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:4800
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:3120
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:3784
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:5116
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:3496
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:4644
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:4332
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:4884
        
        C:\Windows\InstallDir\hkml.exe
        
        "C:\Windows\InstallDir\hkml.exe"
        13⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:892
        
        C:\Windows\InstallDir\hkml.exe
        
        C:\Windows\InstallDir\hkml.exe
        14⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2604
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        15⤵
        
        PID:4872
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        15⤵
        
        PID:4284
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        15⤵
        
        PID:1760
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        15⤵
        
        PID:4296
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        15⤵
        
        PID:3976
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        15⤵
        
        PID:216
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        15⤵
        
        PID:2740
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        15⤵
        
        PID:2832
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        15⤵
        
        PID:4228
        
        C:\Windows\InstallDir\hkml.exe
        
        "C:\Windows\InstallDir\hkml.exe"
        15⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3500
        
        C:\Windows\InstallDir\hkml.exe
        
        C:\Windows\InstallDir\hkml.exe
        16⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3684
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        17⤵
        
        PID:4436
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:1520
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:936
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:1752
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:1612
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:5092
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:1776
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:3360
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:4384
        
        C:\Windows\InstallDir\hkml.exe
        
        "C:\Windows\InstallDir\hkml.exe"
        17⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3896
        
        C:\Windows\InstallDir\hkml.exe
        
        C:\Windows\InstallDir\hkml.exe
        18⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1788
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        19⤵
        
        PID:2944
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        19⤵
        
        PID:1380
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        19⤵
        
        PID:1048
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        19⤵
        
        PID:5044
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        19⤵
        
        PID:4392
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        19⤵
        
        PID:180
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        19⤵
        
        PID:3420
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        19⤵
        
        PID:1488
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        19⤵
        
        PID:3392
        
        C:\Windows\InstallDir\hkml.exe
        
        "C:\Windows\InstallDir\hkml.exe"
        19⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4780
        
        C:\Windows\InstallDir\hkml.exe
        
        C:\Windows\InstallDir\hkml.exe
        20⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1104
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        21⤵
        
        PID:4420
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        21⤵
        
        PID:4640
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        21⤵
        
        PID:1540
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        21⤵
        
        PID:3764
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        21⤵
        
        PID:4280
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        21⤵
        
        PID:60
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        21⤵
        
        PID:1944
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        21⤵
        
        PID:3460
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        21⤵
        
        PID:4572
        
        C:\Windows\InstallDir\hkml.exe
        
        "C:\Windows\InstallDir\hkml.exe"
        21⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4836
        
        C:\Windows\InstallDir\hkml.exe
        
        C:\Windows\InstallDir\hkml.exe
        22⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        23⤵
        
        PID:2276
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        23⤵
        
        PID:4600
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        23⤵
        
        PID:2404
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        23⤵
        
        PID:4372
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        23⤵
        
        PID:2264
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        23⤵
        
        PID:4148
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        23⤵
        
        PID:4176
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        23⤵
        
        PID:3376
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        23⤵
        
        PID:2212
        
        C:\Windows\InstallDir\hkml.exe
        
        "C:\Windows\InstallDir\hkml.exe"
        23⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5096
        
        C:\Windows\InstallDir\hkml.exe
        
        C:\Windows\InstallDir\hkml.exe
        24⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:672
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        25⤵
        
        PID:1620
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        25⤵
        
        PID:2340
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        25⤵
        
        PID:856
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        25⤵
        
        PID:2980
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        25⤵
        
        PID:892
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        25⤵
        
        PID:2800
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        25⤵
        
        PID:3964
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        25⤵
        
        PID:4300
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        25⤵
        
        PID:4304
        
        C:\Windows\InstallDir\hkml.exe
        
        "C:\Windows\InstallDir\hkml.exe"
        25⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4852
        
        C:\Windows\InstallDir\hkml.exe
        
        C:\Windows\InstallDir\hkml.exe
        26⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3592
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        27⤵
        
        PID:3080
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        27⤵
        
        PID:3608
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        27⤵
        
        PID:4112
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        27⤵
        
        PID:648
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        27⤵
        
        PID:3500
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        27⤵
        
        PID:4408
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        27⤵
        
        PID:2400
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        27⤵
        
        PID:696
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        27⤵
        
        PID:4236
        
        C:\Windows\InstallDir\hkml.exe
        
        "C:\Windows\InstallDir\hkml.exe"
        27⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1732
        
        C:\Windows\InstallDir\hkml.exe
        
        C:\Windows\InstallDir\hkml.exe
        28⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3140
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        29⤵
        
        PID:4736
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        29⤵
        
        PID:4652
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        29⤵
        
        PID:3972
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        29⤵
        
        PID:5112
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        29⤵
        
        PID:8
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        29⤵
        
        PID:1296
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        29⤵
        
        PID:1788
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        29⤵
        
        PID:1140
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        29⤵
        
        PID:2888
        
        C:\Windows\InstallDir\hkml.exe
        
        "C:\Windows\InstallDir\hkml.exe"
        29⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1572
        
        C:\Windows\InstallDir\hkml.exe
        
        C:\Windows\InstallDir\hkml.exe
        30⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2568
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        31⤵
        
        PID:4044
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        31⤵
        
        PID:1220
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        31⤵
        
        PID:4604
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        31⤵
        
        PID:2768
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        31⤵
        
        PID:4592
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        31⤵
        
        PID:4836
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        31⤵
        
        PID:460
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        31⤵
        
        PID:3716
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        31⤵
        
        PID:2100
        
        C:\Windows\InstallDir\hkml.exe
        
        "C:\Windows\InstallDir\hkml.exe"
        31⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1608
        
        C:\Windows\InstallDir\hkml.exe
        
        C:\Windows\InstallDir\hkml.exe
        32⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        33⤵
        
        PID:1476
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        33⤵
        
        PID:1624
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        33⤵
        
        PID:3780
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        33⤵
        
        PID:4548
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        33⤵
        
        PID:4520
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        33⤵
        
        PID:4656
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        33⤵
        
        PID:4564
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        33⤵
        
        PID:1404
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        33⤵
        
        PID:4292
        
        C:\Windows\InstallDir\hkml.exe
        
        "C:\Windows\InstallDir\hkml.exe"
        33⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4860
        
        C:\Windows\InstallDir\hkml.exe
        
        C:\Windows\InstallDir\hkml.exe
        34⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        35⤵
        
        PID:3260
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        35⤵
        
        PID:2748
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        35⤵
        
        PID:2436
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        35⤵
        
        PID:3304
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        35⤵
        
        PID:4784
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        35⤵
        
        PID:3592
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        35⤵
        
        PID:440
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        35⤵
        
        PID:1356
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        35⤵
        
        PID:4628
        
        C:\Windows\InstallDir\hkml.exe
        
        "C:\Windows\InstallDir\hkml.exe"
        35⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:456
        
        C:\Windows\InstallDir\hkml.exe
        
        C:\Windows\InstallDir\hkml.exe
        36⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4196
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        37⤵
        
        PID:3100
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        37⤵
        
        PID:5100
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        37⤵
        
        PID:5080
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        37⤵
        
        PID:2616
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        37⤵
        
        PID:4492
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        37⤵
        
        PID:544
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        37⤵
        
        PID:4780
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        37⤵
        
        PID:1940
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        37⤵
        
        PID:2084
        
        C:\Windows\InstallDir\hkml.exe
        
        "C:\Windows\InstallDir\hkml.exe"
        37⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1572
        
        C:\Windows\InstallDir\hkml.exe
        
        C:\Windows\InstallDir\hkml.exe
        38⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3984
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        39⤵
        
        PID:4660
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        39⤵
        
        PID:1828
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        39⤵
        
        PID:2728
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        39⤵
        
        PID:2352
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        39⤵
        
        PID:5028
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        39⤵
        
        PID:4552
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        39⤵
        
        PID:4956
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        39⤵
        
        PID:3548
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        39⤵
        
        PID:2632
        
        C:\Windows\InstallDir\hkml.exe
        
        "C:\Windows\InstallDir\hkml.exe"
        39⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2384
        
        C:\Windows\InstallDir\hkml.exe
        
        C:\Windows\InstallDir\hkml.exe
        40⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:560
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        41⤵
        
        PID:4272
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        41⤵
        
        PID:3116
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        41⤵
        
        PID:928
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        41⤵
        
        PID:4860
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        41⤵
        
        PID:3560
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        41⤵
        
        PID:4748
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        41⤵
        
        PID:4400
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        41⤵
        
        PID:3684
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        41⤵
        
        PID:1680
        
        C:\Windows\InstallDir\hkml.exe
        
        "C:\Windows\InstallDir\hkml.exe"
        41⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1628
        
        C:\Windows\InstallDir\hkml.exe
        
        C:\Windows\InstallDir\hkml.exe
        42⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:860
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        43⤵
        
        PID:2368
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        43⤵
        
        PID:1664
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        43⤵
        
        PID:1508
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        43⤵
        
        PID:2760
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        43⤵
        
        PID:4196
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        43⤵
        
        PID:3136
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        43⤵
        
        PID:1672
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        43⤵
        
        PID:3128
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        43⤵
        
        PID:2460
        
        C:\Windows\InstallDir\hkml.exe
        
        "C:\Windows\InstallDir\hkml.exe"
        43⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5076
        
        C:\Windows\InstallDir\hkml.exe
        
        C:\Windows\InstallDir\hkml.exe
        44⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4008
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        45⤵
        
        PID:3832
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        45⤵
        
        PID:4456
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        45⤵
        
        PID:1692
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        45⤵
        
        PID:3740
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        45⤵
        
        PID:3440
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        45⤵
        
        PID:2704
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        45⤵
        
        PID:1016
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        45⤵
        
        PID:2096
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        45⤵
        
        PID:324
        
        C:\Windows\InstallDir\hkml.exe
        
        "C:\Windows\InstallDir\hkml.exe"
        45⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2848
        
        C:\Windows\InstallDir\hkml.exe
        
        C:\Windows\InstallDir\hkml.exe
        46⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2480
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        47⤵
        
        PID:3300
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        47⤵
        
        PID:3140
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        47⤵
        
        PID:4056
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        47⤵
        
        PID:5016
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        47⤵
        
        PID:4324
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        47⤵
        
        PID:3656
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        47⤵
        
        PID:1544
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        47⤵
        
        PID:2904
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        47⤵
        
        PID:5060
        
        C:\Windows\InstallDir\hkml.exe
        
        "C:\Windows\InstallDir\hkml.exe"
        47⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3680
        
        C:\Windows\InstallDir\hkml.exe
        
        C:\Windows\InstallDir\hkml.exe
        48⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4992
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        49⤵
        
        PID:3228
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        49⤵
        
        PID:4852
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        49⤵
        
        PID:2176
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        49⤵
        
        PID:1628
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        49⤵
        
        PID:1368
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        49⤵
        
        PID:4396
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        49⤵
        
        PID:3020
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        49⤵
        
        PID:848
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        49⤵
        
        PID:3984
        
        C:\Windows\InstallDir\hkml.exe
        
        "C:\Windows\InstallDir\hkml.exe"
        49⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1236
        
        C:\Windows\InstallDir\hkml.exe
        
        C:\Windows\InstallDir\hkml.exe
        50⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:560
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        51⤵
        
        PID:1596
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        51⤵
        
        PID:3936
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        51⤵
        
        PID:3952
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        51⤵
        
        PID:116
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        51⤵
        
        PID:2880
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        51⤵
        
        PID:4008
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        51⤵
        
        PID:1236
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        51⤵
        
        PID:5148
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        51⤵
        
        PID:5156
        
        C:\Windows\InstallDir\hkml.exe
        
        "C:\Windows\InstallDir\hkml.exe"
        51⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5180
        
        C:\Windows\InstallDir\hkml.exe
        
        C:\Windows\InstallDir\hkml.exe
        52⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5208
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        53⤵
        
        PID:5252
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        53⤵
        
        PID:5260
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        53⤵
        
        PID:5300
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        53⤵
        
        PID:5316
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        53⤵
        
        PID:5348
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        53⤵
        
        PID:5364
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        53⤵
        
        PID:5380
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        53⤵
        
        PID:5396
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        53⤵
        
        PID:5404
        
        C:\Windows\InstallDir\hkml.exe
        
        "C:\Windows\InstallDir\hkml.exe"
        53⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5428
        
        C:\Windows\InstallDir\hkml.exe
        
        C:\Windows\InstallDir\hkml.exe
        54⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5456
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        55⤵
        
        PID:5500
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        55⤵
        
        PID:5508
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        55⤵
        
        PID:5524
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        55⤵
        
        PID:5536
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        55⤵
        
        PID:5544
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        55⤵
        
        PID:5556
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        55⤵
        
        PID:5568
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        55⤵
        
        PID:5584
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        55⤵
        
        PID:5600
        
        C:\Windows\InstallDir\hkml.exe
        
        "C:\Windows\InstallDir\hkml.exe"
        55⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5624
        
        C:\Windows\InstallDir\hkml.exe
        
        C:\Windows\InstallDir\hkml.exe
        56⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5652
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        57⤵
        
        PID:5696
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        57⤵
        
        PID:5704
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        57⤵
        
        PID:5712
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        57⤵
        
        PID:5724
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        57⤵
        
        PID:5732
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        57⤵
        
        PID:5748
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        57⤵
        
        PID:5756
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        57⤵
        
        PID:5768
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        57⤵
        
        PID:5776
        
        C:\Windows\InstallDir\hkml.exe
        
        "C:\Windows\InstallDir\hkml.exe"
        57⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5800
        
        C:\Windows\InstallDir\hkml.exe
        
        C:\Windows\InstallDir\hkml.exe
        58⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5828
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        59⤵
        
        PID:5872
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        59⤵
        
        PID:5880
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        59⤵
        
        PID:5888
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        59⤵
        
        PID:5900
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        59⤵
        
        PID:5908
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        59⤵
        
        PID:5924
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        59⤵
        
        PID:5932
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        59⤵
        
        PID:5944
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        59⤵
        
        PID:5952
        
        C:\Windows\InstallDir\hkml.exe
        
        "C:\Windows\InstallDir\hkml.exe"
        59⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5976
        
        C:\Windows\InstallDir\hkml.exe
        
        C:\Windows\InstallDir\hkml.exe
        60⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:6004
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        61⤵
        
        PID:6048
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        61⤵
        
        PID:6056
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        61⤵
        
        PID:6064
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        61⤵
        
        PID:6076
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        61⤵
        
        PID:6084
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        61⤵
        
        PID:6096
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        61⤵
        
        PID:6108
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        61⤵
        
        PID:6120
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        61⤵
        
        PID:2480
        
        C:\Windows\InstallDir\hkml.exe
        
        "C:\Windows\InstallDir\hkml.exe"
        61⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:560
        
        C:\Windows\InstallDir\hkml.exe
        
        C:\Windows\InstallDir\hkml.exe
        62⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5228
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        63⤵
        
        PID:1772
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        63⤵
        
        PID:412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\pHmqFjJz.cfg

Filesize
1KB

MD5
a3089466b241b348888122064b436e70

SHA1
7b0a97818f02d01d76da084a3ec0a53130138228

SHA256
f78aecf92ceef60e9793bfcdc1ab2ea61dddd14c36bef183dbcad3f718c889ef

SHA512
51481c1e2143ed88b3760ebc7c155c42ce7ac820a168b719613eb35dc3e642725e0350922e76a7a2247d0e878931b2187ef1d31f1eb9bf214656c78d779ed1e5

Download Submit
C:\Windows\InstallDir\hkml.exe

Filesize
316KB

MD5
5fe86862c9b4695ad9d48b95d980e44c

SHA1
f6d32f059a6d5975804fd311235c4d170c32d5c5

SHA256
32b110314b0940b544b4594403ec3968c9827423757ba9d09064467402016c26

SHA512
402b4d723c9414b51d714c2345fac054a4a2d428044cf1e2af411c808eaa101989f539f07f672975108716b6c4a5214ae119374f050cfce1cca374f1147ff21c

Download Submit
memory/560-202-0x0000000000C80000-0x0000000000CAB000-memory.dmp

Filesize
172KB

Download
memory/560-203-0x0000000000C80000-0x0000000000CAB000-memory.dmp

Filesize
172KB

Download
memory/860-212-0x0000000000C80000-0x0000000000CAB000-memory.dmp

Filesize
172KB

Download
memory/860-213-0x0000000000C80000-0x0000000000CAB000-memory.dmp

Filesize
172KB

Download
memory/1240-39-0x0000000000C80000-0x0000000000CAB000-memory.dmp

Filesize
172KB

Download
memory/1240-38-0x0000000000C80000-0x0000000000CAB000-memory.dmp

Filesize
172KB

Download
memory/1788-26-0x0000000000C80000-0x0000000000CAB000-memory.dmp

Filesize
172KB

Download
memory/1788-27-0x0000000000C80000-0x0000000000CAB000-memory.dmp

Filesize
172KB

Download
memory/1788-33-0x0000000000C80000-0x0000000000CAB000-memory.dmp

Filesize
172KB

Download
memory/1788-28-0x0000000000C80000-0x0000000000CAB000-memory.dmp

Filesize
172KB

Download
memory/2344-2-0x0000000000C80000-0x0000000000CAB000-memory.dmp

Filesize
172KB

Download
memory/2344-4-0x0000000000C80000-0x0000000000CAB000-memory.dmp

Filesize
172KB

Download
memory/2344-6-0x0000000000C80000-0x0000000000CAB000-memory.dmp

Filesize
172KB

Download
memory/2344-5-0x0000000000C80000-0x0000000000CAB000-memory.dmp

Filesize
172KB

Download
memory/2344-20-0x0000000000C80000-0x0000000000CAB000-memory.dmp

Filesize
172KB

Download
memory/2704-162-0x0000000000C80000-0x0000000000CAB000-memory.dmp

Filesize
172KB

Download
memory/2704-163-0x0000000000C80000-0x0000000000CAB000-memory.dmp

Filesize
172KB

Download
memory/3112-58-0x0000000000C80000-0x0000000000CAB000-memory.dmp

Filesize
172KB

Download
memory/3112-59-0x0000000000C80000-0x0000000000CAB000-memory.dmp

Filesize
172KB

Download
memory/3984-192-0x0000000000C80000-0x0000000000CAB000-memory.dmp

Filesize
172KB

Download
memory/3984-193-0x0000000000C80000-0x0000000000CAB000-memory.dmp

Filesize
172KB

Download
memory/4836-49-0x0000000000C80000-0x0000000000CAB000-memory.dmp

Filesize
172KB

Download
memory/4836-48-0x0000000000C80000-0x0000000000CAB000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads