Description	Indicator	Process	Target
Destination IP	37.235.1.174	N/A	N/A
Destination IP	37.235.1.177	N/A	N/A
Destination IP	37.235.1.174	N/A	N/A
Destination IP	37.235.1.177	N/A	N/A
Destination IP	37.235.1.174	N/A	N/A
Destination IP	37.235.1.177	N/A	N/A
Destination IP	37.235.1.174	N/A	N/A
Destination IP	37.235.1.174	N/A	N/A
Destination IP	37.235.1.177	N/A	N/A
Destination IP	37.235.1.177	N/A	N/A

Adds Run key to start application

persistence

Description	Indicator	Process	Target
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Manager = "C:\\Program Files (x86)\\DOS Manager\\dosmgr.exe"	C:\Users\Admin\AppData\Roaming\filename.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A

Checks whether UAC is enabled

evasion trojan

Description	Indicator	Process	Target
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	C:\Users\Admin\AppData\Roaming\filename.exe	N/A

Suspicious use of SetThreadContext

Description	Indicator	Process	Target
PID 2768 set thread context of 2684	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Users\Admin\AppData\Roaming\filename.exe

Drops file in Program Files directory

Description	Indicator	Process	Target
File created	C:\Program Files (x86)\DOS Manager\dosmgr.exe	C:\Users\Admin\AppData\Roaming\filename.exe	N/A
File opened for modification	C:\Program Files (x86)\DOS Manager\dosmgr.exe	C:\Users\Admin\AppData\Roaming\filename.exe	N/A

Suspicious behavior: EnumeratesProcesses

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	N/A

Suspicious behavior: GetForegroundWindowSpam

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\15fbf5c441a3a705ec430d6a1519cf8b_JaffaCakes118.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 2396 wrote to memory of 2572	N/A	C:\Users\Admin\AppData\Local\Temp\15fbf5c441a3a705ec430d6a1519cf8b_JaffaCakes118.exe	C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 2572	N/A	C:\Users\Admin\AppData\Local\Temp\15fbf5c441a3a705ec430d6a1519cf8b_JaffaCakes118.exe	C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 2572	N/A	C:\Users\Admin\AppData\Local\Temp\15fbf5c441a3a705ec430d6a1519cf8b_JaffaCakes118.exe	C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 2572	N/A	C:\Users\Admin\AppData\Local\Temp\15fbf5c441a3a705ec430d6a1519cf8b_JaffaCakes118.exe	C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2768	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\filename.exe
PID 2572 wrote to memory of 2768	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\filename.exe
PID 2572 wrote to memory of 2768	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\filename.exe
PID 2572 wrote to memory of 2768	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\filename.exe
PID 2768 wrote to memory of 2700	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 2700	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 2700	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 2700	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Windows\SysWOW64\cmd.exe
PID 2700 wrote to memory of 2880	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\reg.exe
PID 2700 wrote to memory of 2880	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\reg.exe
PID 2700 wrote to memory of 2880	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\reg.exe
PID 2700 wrote to memory of 2880	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\reg.exe
PID 2768 wrote to memory of 2684	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Users\Admin\AppData\Roaming\filename.exe
PID 2768 wrote to memory of 2684	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Users\Admin\AppData\Roaming\filename.exe
PID 2768 wrote to memory of 2684	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Users\Admin\AppData\Roaming\filename.exe
PID 2768 wrote to memory of 2684	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Users\Admin\AppData\Roaming\filename.exe
PID 2768 wrote to memory of 2684	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Users\Admin\AppData\Roaming\filename.exe
PID 2768 wrote to memory of 2684	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Users\Admin\AppData\Roaming\filename.exe
PID 2768 wrote to memory of 2684	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Users\Admin\AppData\Roaming\filename.exe
PID 2768 wrote to memory of 2684	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Users\Admin\AppData\Roaming\filename.exe
PID 2768 wrote to memory of 2684	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Users\Admin\AppData\Roaming\filename.exe
PID 2768 wrote to memory of 2784	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 2784	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 2784	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 2784	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2980	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\reg.exe
PID 2784 wrote to memory of 2980	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\reg.exe
PID 2784 wrote to memory of 2980	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\reg.exe
PID 2784 wrote to memory of 2980	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\reg.exe
PID 2768 wrote to memory of 2172	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 2172	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 2172	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 2172	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Windows\SysWOW64\cmd.exe
PID 2172 wrote to memory of 2500	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\reg.exe
PID 2172 wrote to memory of 2500	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\reg.exe
PID 2172 wrote to memory of 2500	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\reg.exe
PID 2172 wrote to memory of 2500	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\reg.exe
PID 2768 wrote to memory of 2540	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 2540	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 2540	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 2540	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Windows\SysWOW64\cmd.exe
PID 2540 wrote to memory of 2956	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\reg.exe
PID 2540 wrote to memory of 2956	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\reg.exe
PID 2540 wrote to memory of 2956	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\reg.exe
PID 2540 wrote to memory of 2956	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\reg.exe
PID 2768 wrote to memory of 2144	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 2144	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 2144	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 2144	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Windows\SysWOW64\cmd.exe
PID 2144 wrote to memory of 1044	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\reg.exe
PID 2144 wrote to memory of 1044	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\reg.exe
PID 2144 wrote to memory of 1044	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\reg.exe
PID 2144 wrote to memory of 1044	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\reg.exe
PID 2768 wrote to memory of 1892	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 1892	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 1892	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 1892	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 2772	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\reg.exe
PID 1892 wrote to memory of 2772	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\reg.exe
PID 1892 wrote to memory of 2772	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\15fbf5c441a3a705ec430d6a1519cf8b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\15fbf5c441a3a705ec430d6a1519cf8b_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Users\Admin\AppData\Roaming\filename.exe

"C:\Users\Admin\AppData\Roaming\filename.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Users\Admin\AppData\Roaming\filename.exe

"C:\Users\Admin\AppData\Roaming\filename.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

Network

Country	Destination	Domain	Proto
AT	37.235.1.174:53	lewisshh.ddns.net	udp
AT	37.235.1.177:53	lewisshh.ddns.net	udp
US	8.8.8.8:53	lewisshh.ddns.net	udp
AT	37.235.1.174:53	lewisshh.ddns.net	udp
AT	37.235.1.177:53	lewisshh.ddns.net	udp
AT	37.235.1.174:53	lewisshh.ddns.net	udp
AT	37.235.1.177:53	lewisshh.ddns.net	udp
N/A	127.0.0.1:2059		tcp
N/A	127.0.0.1:2059		tcp
N/A	127.0.0.1:2059		tcp
AT	37.235.1.174:53	lewisshh.ddns.net	udp
AT	37.235.1.177:53	lewisshh.ddns.net	udp
AT	37.235.1.174:53	lewisshh.ddns.net	udp
AT	37.235.1.177:53	lewisshh.ddns.net	udp

Files

memory/2396-0-0x0000000074521000-0x0000000074522000-memory.dmp

memory/2396-1-0x0000000074520000-0x0000000074ACB000-memory.dmp

memory/2396-2-0x0000000074520000-0x0000000074ACB000-memory.dmp

\Users\Admin\AppData\Roaming\filename.exe

MD5	15fbf5c441a3a705ec430d6a1519cf8b
SHA1	7aa237162fbffbfdb0b3a525e65c3a3e2554fe61
SHA256	5863913433ca1a0aff0ceb63ab3ba5ca4982659bca1b0b8af45a1f5be088d121
SHA512	ed66a459be4bc82b581ce754d6dbfd0a0fa374ba936e17eb715e054aea992fa8bb37c11f4456f19f5b7e36bb852badc3e25fd00a55196c1d766aa95538be13a9

memory/2768-9-0x0000000074520000-0x0000000074ACB000-memory.dmp

memory/2396-8-0x0000000074520000-0x0000000074ACB000-memory.dmp

memory/2768-11-0x0000000074520000-0x0000000074ACB000-memory.dmp

memory/2768-10-0x0000000074520000-0x0000000074ACB000-memory.dmp

memory/2684-15-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2684-19-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2684-28-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2684-26-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2684-23-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2684-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2684-17-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2684-13-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Update.txt

MD5	9fa63bc1c3e14f3681eaa6a8e3cb520f
SHA1	e09533153a5c8c9eed0e2f4fc3d640c58553e17b
SHA256	1c7939bb6d60f70680c3a861bf8ad56ac7453b552c5bc8339908df427442d8d2
SHA512	ed4a0c39606edfdd0a94c55718587058eb499640c052d8f6758177d0aba84ac6562fab30727071d10eeadc6d3aacfbc3e3b443f51c48d4b45ea08fdad720c1f6

memory/2768-43-0x0000000074520000-0x0000000074ACB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-27 12:20

Reported

2024-06-27 12:22

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\15fbf5c441a3a705ec430d6a1519cf8b_JaffaCakes118.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	N/A

Unexpected DNS network traffic destination

Description	Indicator	Process	Target
Destination IP	37.235.1.177	N/A	N/A
Destination IP	37.235.1.174	N/A	N/A
Destination IP	37.235.1.177	N/A	N/A
Destination IP	37.235.1.174	N/A	N/A
Destination IP	37.235.1.174	N/A	N/A
Destination IP	37.235.1.174	N/A	N/A
Destination IP	37.235.1.177	N/A	N/A
Destination IP	37.235.1.174	N/A	N/A
Destination IP	37.235.1.177	N/A	N/A
Destination IP	37.235.1.177	N/A	N/A

Adds Run key to start application

persistence

Description	Indicator	Process	Target
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Service = "C:\\Program Files (x86)\\DHCP Service\\dhcpsv.exe"	C:\Users\Admin\AppData\Roaming\filename.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	C:\Windows\SysWOW64\reg.exe	N/A

Checks whether UAC is enabled

evasion trojan

Description	Indicator	Process	Target
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	C:\Users\Admin\AppData\Roaming\filename.exe	N/A

Suspicious use of SetThreadContext

Description	Indicator	Process	Target
PID 3292 set thread context of 4564	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Users\Admin\AppData\Roaming\filename.exe

Drops file in Program Files directory

Description	Indicator	Process	Target
File created	C:\Program Files (x86)\DHCP Service\dhcpsv.exe	C:\Users\Admin\AppData\Roaming\filename.exe	N/A
File opened for modification	C:\Program Files (x86)\DHCP Service\dhcpsv.exe	C:\Users\Admin\AppData\Roaming\filename.exe	N/A

Suspicious behavior: EnumeratesProcesses

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	N/A

Suspicious behavior: GetForegroundWindowSpam

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\15fbf5c441a3a705ec430d6a1519cf8b_JaffaCakes118.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 1648 wrote to memory of 208	N/A	C:\Users\Admin\AppData\Local\Temp\15fbf5c441a3a705ec430d6a1519cf8b_JaffaCakes118.exe	C:\Windows\SysWOW64\cmd.exe
PID 1648 wrote to memory of 208	N/A	C:\Users\Admin\AppData\Local\Temp\15fbf5c441a3a705ec430d6a1519cf8b_JaffaCakes118.exe	C:\Windows\SysWOW64\cmd.exe
PID 1648 wrote to memory of 208	N/A	C:\Users\Admin\AppData\Local\Temp\15fbf5c441a3a705ec430d6a1519cf8b_JaffaCakes118.exe	C:\Windows\SysWOW64\cmd.exe
PID 208 wrote to memory of 3292	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\filename.exe
PID 208 wrote to memory of 3292	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\filename.exe
PID 208 wrote to memory of 3292	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\filename.exe
PID 3292 wrote to memory of 4512	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Windows\SysWOW64\cmd.exe
PID 3292 wrote to memory of 4512	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Windows\SysWOW64\cmd.exe
PID 3292 wrote to memory of 4512	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Windows\SysWOW64\cmd.exe
PID 4512 wrote to memory of 1044	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\reg.exe
PID 4512 wrote to memory of 1044	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\reg.exe
PID 4512 wrote to memory of 1044	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\reg.exe
PID 3292 wrote to memory of 4564	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Users\Admin\AppData\Roaming\filename.exe
PID 3292 wrote to memory of 4564	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Users\Admin\AppData\Roaming\filename.exe
PID 3292 wrote to memory of 4564	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Users\Admin\AppData\Roaming\filename.exe
PID 3292 wrote to memory of 4564	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Users\Admin\AppData\Roaming\filename.exe
PID 3292 wrote to memory of 4564	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Users\Admin\AppData\Roaming\filename.exe
PID 3292 wrote to memory of 4564	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Users\Admin\AppData\Roaming\filename.exe
PID 3292 wrote to memory of 4564	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Users\Admin\AppData\Roaming\filename.exe
PID 3292 wrote to memory of 4564	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Users\Admin\AppData\Roaming\filename.exe
PID 3292 wrote to memory of 1580	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Windows\SysWOW64\cmd.exe
PID 3292 wrote to memory of 1580	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Windows\SysWOW64\cmd.exe
PID 3292 wrote to memory of 1580	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Windows\SysWOW64\cmd.exe
PID 1580 wrote to memory of 1888	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\reg.exe
PID 1580 wrote to memory of 1888	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\reg.exe
PID 1580 wrote to memory of 1888	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\reg.exe
PID 3292 wrote to memory of 3780	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Windows\SysWOW64\cmd.exe
PID 3292 wrote to memory of 3780	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Windows\SysWOW64\cmd.exe
PID 3292 wrote to memory of 3780	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Windows\SysWOW64\cmd.exe
PID 3780 wrote to memory of 64	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\reg.exe
PID 3780 wrote to memory of 64	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\reg.exe
PID 3780 wrote to memory of 64	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\reg.exe
PID 3292 wrote to memory of 3280	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Windows\SysWOW64\cmd.exe
PID 3292 wrote to memory of 3280	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Windows\SysWOW64\cmd.exe
PID 3292 wrote to memory of 3280	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Windows\SysWOW64\cmd.exe
PID 3280 wrote to memory of 3896	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\reg.exe
PID 3280 wrote to memory of 3896	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\reg.exe
PID 3280 wrote to memory of 3896	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\reg.exe
PID 3292 wrote to memory of 3036	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Windows\SysWOW64\cmd.exe
PID 3292 wrote to memory of 3036	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Windows\SysWOW64\cmd.exe
PID 3292 wrote to memory of 3036	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Windows\SysWOW64\cmd.exe
PID 3036 wrote to memory of 440	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\reg.exe
PID 3036 wrote to memory of 440	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\reg.exe
PID 3036 wrote to memory of 440	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\reg.exe
PID 3292 wrote to memory of 4856	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Windows\SysWOW64\cmd.exe
PID 3292 wrote to memory of 4856	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Windows\SysWOW64\cmd.exe
PID 3292 wrote to memory of 4856	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Windows\SysWOW64\cmd.exe
PID 4856 wrote to memory of 4984	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\reg.exe
PID 4856 wrote to memory of 4984	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\reg.exe
PID 4856 wrote to memory of 4984	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\reg.exe
PID 3292 wrote to memory of 1576	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Windows\SysWOW64\cmd.exe
PID 3292 wrote to memory of 1576	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Windows\SysWOW64\cmd.exe
PID 3292 wrote to memory of 1576	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Windows\SysWOW64\cmd.exe
PID 1576 wrote to memory of 3208	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\reg.exe
PID 1576 wrote to memory of 3208	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\reg.exe
PID 1576 wrote to memory of 3208	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\reg.exe
PID 3292 wrote to memory of 1424	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Windows\SysWOW64\cmd.exe
PID 3292 wrote to memory of 1424	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Windows\SysWOW64\cmd.exe
PID 3292 wrote to memory of 1424	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Windows\SysWOW64\cmd.exe
PID 1424 wrote to memory of 1188	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\reg.exe
PID 1424 wrote to memory of 1188	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\reg.exe
PID 1424 wrote to memory of 1188	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\reg.exe
PID 3292 wrote to memory of 4972	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Windows\SysWOW64\cmd.exe
PID 3292 wrote to memory of 4972	N/A	C:\Users\Admin\AppData\Roaming\filename.exe	C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\15fbf5c441a3a705ec430d6a1519cf8b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\15fbf5c441a3a705ec430d6a1519cf8b_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Users\Admin\AppData\Roaming\filename.exe

"C:\Users\Admin\AppData\Roaming\filename.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Users\Admin\AppData\Roaming\filename.exe

"C:\Users\Admin\AppData\Roaming\filename.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	217.106.137.52.in-addr.arpa	udp
US	8.8.8.8:53	97.90.14.23.in-addr.arpa	udp
US	8.8.8.8:53	17.160.190.20.in-addr.arpa	udp
US	8.8.8.8:53	232.168.11.51.in-addr.arpa	udp
AT	37.235.1.174:53	lewisshh.ddns.net	udp
US	8.8.8.8:53	174.1.235.37.in-addr.arpa	udp
US	8.8.8.8:53	183.142.211.20.in-addr.arpa	udp
AT	37.235.1.177:53	lewisshh.ddns.net	udp
US	8.8.8.8:53	177.1.235.37.in-addr.arpa	udp
US	8.8.8.8:53	lewisshh.ddns.net	udp
US	8.8.8.8:53	50.23.12.20.in-addr.arpa	udp
AT	37.235.1.174:53	lewisshh.ddns.net	udp
US	8.8.8.8:53	35.15.31.184.in-addr.arpa	udp
US	8.8.8.8:53	56.126.166.20.in-addr.arpa	udp
AT	37.235.1.177:53	lewisshh.ddns.net	udp
US	8.8.8.8:53	lewisshh.ddns.net	udp
AT	37.235.1.174:53	lewisshh.ddns.net	udp
US	8.8.8.8:53	107.90.14.23.in-addr.arpa	udp
AT	37.235.1.177:53	lewisshh.ddns.net	udp
US	8.8.8.8:53	lewisshh.ddns.net	udp
N/A	127.0.0.1:2059		tcp
US	8.8.8.8:53	29.243.111.52.in-addr.arpa	udp
US	8.8.8.8:53	172.214.232.199.in-addr.arpa	udp
N/A	127.0.0.1:2059		tcp
N/A	127.0.0.1:2059		tcp
AT	37.235.1.174:53	lewisshh.ddns.net	udp
AT	37.235.1.177:53	lewisshh.ddns.net	udp
US	8.8.8.8:53	lewisshh.ddns.net	udp
AT	37.235.1.174:53	lewisshh.ddns.net	udp
AT	37.235.1.177:53	lewisshh.ddns.net	udp
US	8.8.8.8:53	170.117.168.52.in-addr.arpa	udp

Files

memory/1648-0-0x0000000074A02000-0x0000000074A03000-memory.dmp

memory/1648-1-0x0000000074A00000-0x0000000074FB1000-memory.dmp

memory/1648-2-0x0000000074A00000-0x0000000074FB1000-memory.dmp

C:\Users\Admin\AppData\Roaming\filename.exe

MD5	15fbf5c441a3a705ec430d6a1519cf8b
SHA1	7aa237162fbffbfdb0b3a525e65c3a3e2554fe61
SHA256	5863913433ca1a0aff0ceb63ab3ba5ca4982659bca1b0b8af45a1f5be088d121
SHA512	ed66a459be4bc82b581ce754d6dbfd0a0fa374ba936e17eb715e054aea992fa8bb37c11f4456f19f5b7e36bb852badc3e25fd00a55196c1d766aa95538be13a9

memory/1648-8-0x0000000074A00000-0x0000000074FB1000-memory.dmp

memory/3292-9-0x0000000074A00000-0x0000000074FB1000-memory.dmp

memory/3292-10-0x0000000074A00000-0x0000000074FB1000-memory.dmp

memory/3292-11-0x0000000074A00000-0x0000000074FB1000-memory.dmp

memory/4564-13-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4564-16-0x0000000074A00000-0x0000000074FB1000-memory.dmp

memory/4564-17-0x0000000074A00000-0x0000000074FB1000-memory.dmp

memory/4564-18-0x0000000074A00000-0x0000000074FB1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Update.txt

MD5	9fa63bc1c3e14f3681eaa6a8e3cb520f
SHA1	e09533153a5c8c9eed0e2f4fc3d640c58553e17b
SHA256	1c7939bb6d60f70680c3a861bf8ad56ac7453b552c5bc8339908df427442d8d2
SHA512	ed4a0c39606edfdd0a94c55718587058eb499640c052d8f6758177d0aba84ac6562fab30727071d10eeadc6d3aacfbc3e3b443f51c48d4b45ea08fdad720c1f6

memory/3292-31-0x0000000074A00000-0x0000000074FB1000-memory.dmp

memory/4564-33-0x0000000074A00000-0x0000000074FB1000-memory.dmp

Sample ID	240627-phw7ca1crb
Target	15fbf5c441a3a705ec430d6a1519cf8b_JaffaCakes118
SHA256	5863913433ca1a0aff0ceb63ab3ba5ca4982659bca1b0b8af45a1f5be088d121
Tags	nanocore evasion keylogger persistence spyware stealer trojan

Malware Analysis Report

2024-08-06 14:44

Table of Contents

Analysis Overview

Threat Level: Known bad

Malicious Activity Summary

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files