74aee1418c8050e1bc00b22376870d5628fea6b8ccf367b68723d84cb1614128

General

Target

f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
Size

994KB
MD5

f8939c71062f4499eaa8b86a0580dd54
SHA1

897a18893516b0f3d1d3868e0203dcc9db4dd067
SHA256

74aee1418c8050e1bc00b22376870d5628fea6b8ccf367b68723d84cb1614128
SHA512

29c95708c6e9af0266d583847fc96d909160023eb2f9336a60fbcb2cd7bbe3952c536cfe0baa9fc19714688d43067f6be8c773cd0c8c85ef4591c5e68eb5b338
SSDEEP

24576:4fPWR9AV1O+7sgzp+8fdNGzk2EAKn08/24d83T4b66R+BqyJyn59vuFf:4fPJ15GaALK66kq959v8

Score

9^/10

collection evasion themida

Malware Config

Signatures

Nirsoft 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2552-26-0x0000000000400000-0x000000000041E000-memory.dmp	Nirsoft
behavioral1/memory/2552-30-0x0000000000400000-0x000000000041E000-memory.dmp	Nirsoft
behavioral1/memory/2552-32-0x0000000000400000-0x000000000041E000-memory.dmp	Nirsoft
behavioral1/memory/2456-68-0x0000000000400000-0x0000000000414000-memory.dmp	Nirsoft
behavioral1/memory/2456-72-0x0000000000400000-0x0000000000414000-memory.dmp	Nirsoft
behavioral1/memory/1432-179-0x00000000005C0000-0x00000000005C8000-memory.dmp	Nirsoft

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Wine	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1432-0-0x0000000000400000-0x00000000004FB000-memory.dmp	themida
behavioral1/memory/1432-2-0x0000000000400000-0x00000000004FB000-memory.dmp	themida
behavioral1/memory/1432-102-0x0000000000400000-0x00000000004FB000-memory.dmp	themida
behavioral1/memory/1432-182-0x0000000000400000-0x00000000004FB000-memory.dmp	themida

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe

pid process

1432 f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe

pid	process
1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe

Suspicious use of SetThreadContext 7 IoCs

Processes:

f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe

description	pid	process	target process
PID 1432 set thread context of 2552	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 set thread context of 2152	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 set thread context of 2456	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 set thread context of 2480	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 set thread context of 2780	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 set thread context of 1848	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 set thread context of 564	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe

pid process

1432 f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe

pid	process
1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exef8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2552	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
Token: SeDebugPrivilege	2456	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe"
1⤵
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1432

C:\Users\Admin\AppData\Local\Temp\f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
/stext C:\Users\Admin\AppData\Local\Temp\temp.txt
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2552

C:\Users\Admin\AppData\Local\Temp\f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
/stext C:\Users\Admin\AppData\Local\Temp\temp.txt
2⤵
PID:2152

C:\Users\Admin\AppData\Local\Temp\f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
/stext C:\Users\Admin\AppData\Local\Temp\temp.txt
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Users\Admin\AppData\Local\Temp\f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
/stext C:\Users\Admin\AppData\Local\Temp\temp.txt
2⤵
- Accesses Microsoft Outlook accounts
PID:2480

C:\Users\Admin\AppData\Local\Temp\f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
/stext C:\Users\Admin\AppData\Local\Temp\temp.txt
2⤵
PID:2780

C:\Users\Admin\AppData\Local\Temp\f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
/stext C:\Users\Admin\AppData\Local\Temp\temp.txt
2⤵
PID:1848

C:\Users\Admin\AppData\Local\Temp\f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
/stext C:\Users\Admin\AppData\Local\Temp\temp.txt
2⤵
PID:564

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kill.bat""
2⤵
PID:1964

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

1

T1012

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\kill.bat
Filesize
267B

MD5
5ce3b5ca65c69b5075535d73657f3db6

SHA1
187c15c442ee779d3e77bb3b632d7b2c9cb97f74

SHA256
3407c68bccf64f6e3879a7cc9d50bdd69d31dc3051da7329ce69ac05b781768a

SHA512
3f570975d554b05542c66dbf8052d75cee99fe5c13acb61910b280754f82ac5d2746561f75729b67bf369e7356cfda582c3d2299171cb266a370abcb39286ad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.txt
Filesize
33B

MD5
fec8656dbc9772ee24163ae3d57f41d9

SHA1
4e82071ada9bdc0002decba8b18b22a6dfdd127d

SHA256
7a3295b2c8c4797b8e5b4616bcc19bca30266371a54666855cbc67d443a3e4f4

SHA512
7c5965e41515a34db05c442587607bb51b6a3a8662df39513474f0d12c1236d882989d8c8bc99d24be27531c0e0df76af8c4beaf45e041767ab6ba2c72fc9326

Download Submit
memory/1432-166-0x0000000004580000-0x000000000467B000-memory.dmp

Filesize
1004KB

Download
memory/1432-180-0x0000000002080000-0x0000000002081000-memory.dmp

Filesize
4KB

Download
memory/1432-12-0x0000000004000000-0x0000000004001000-memory.dmp

Filesize
4KB

Download
memory/1432-8-0x0000000003FB0000-0x0000000003FB1000-memory.dmp

Filesize
4KB

Download
memory/1432-2-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/1432-182-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/1432-183-0x00000000005C0000-0x00000000005C8000-memory.dmp

Filesize
32KB

Download
memory/1432-102-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/1432-179-0x00000000005C0000-0x00000000005C8000-memory.dmp

Filesize
32KB

Download
memory/1432-1-0x00000000005C0000-0x00000000005CA000-memory.dmp

Filesize
40KB

Download
memory/1432-56-0x0000000004580000-0x000000000467B000-memory.dmp

Filesize
1004KB

Download
memory/1432-163-0x00000000005C0000-0x00000000005C8000-memory.dmp

Filesize
32KB

Download
memory/1432-6-0x0000000003FC0000-0x0000000003FC2000-memory.dmp

Filesize
8KB

Download
memory/1432-4-0x0000000003FE0000-0x0000000003FE1000-memory.dmp

Filesize
4KB

Download
memory/1432-10-0x0000000003FF0000-0x0000000003FF1000-memory.dmp

Filesize
4KB

Download
memory/1432-0-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2152-35-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2152-37-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2152-40-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2152-43-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2152-46-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2152-51-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2152-52-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2152-53-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2152-33-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2456-72-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2456-57-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2456-59-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2456-62-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2456-65-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2456-68-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2456-54-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2456-73-0x0000000000420000-0x0000000000487000-memory.dmp

Filesize
412KB

Download
memory/2552-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2552-30-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2552-23-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2552-26-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2552-32-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2552-20-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2552-13-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2552-15-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2552-17-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2780-117-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

description	pid	process	target process
PID 1432 wrote to memory of 2552	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 2552	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 2552	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 2552	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 2552	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 2552	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 2552	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 2552	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 2552	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 2552	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 2152	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 2152	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 2152	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 2152	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 2152	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 2152	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 2152	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 2152	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 2152	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 2152	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 2456	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 2456	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 2456	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 2456	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 2456	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 2456	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 2456	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 2456	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 2456	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 2456	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 2480	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 2480	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 2480	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 2480	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 2480	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 2480	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 2480	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 2480	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 2480	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 2480	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 2780	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 2780	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 2780	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 2780	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 2780	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 2780	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 2780	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 2780	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 2780	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 2780	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 1848	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 1848	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 1848	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 1848	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 1848	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 1848	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 1848	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 1848	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 1848	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 1848	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 564	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 564	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 564	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe
PID 1432 wrote to memory of 564	1432	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe	f8939c71062f4499eaa8b86a0580dd54_JaffaCakes118.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads