721be9875c385eaf6fbca2a3182d9abbc5c719d5e00053dd4060bb6581e50e06

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
11/07/2024, 14:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe
Size

62KB
MD5

39846b2f9f541ff3720ff0abd4007476
SHA1

4c1a69ce72e45d86449a13397728e63af04ad86d
SHA256

721be9875c385eaf6fbca2a3182d9abbc5c719d5e00053dd4060bb6581e50e06
SHA512

ff909a4eb7c40fdd27bd1d611e15a61ccd4507b039954d797eb4968b8718ae84259787124b008a6d42acede50729b0e246daf694860923dfb362dbe28c039d9b
SSDEEP

768:EKpVTuUU0wKBAvBodq9O9z+ZmV73JjQX+GI6t/K+Skev5V3mmGCY1nApXD/jNiI8:EKpeqAJoL9z+ZstQQHmxMXrjip

Score

7^/10

aspackv2 persistence

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000a0000000190d2-23.dat	aspack_v212_v242

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"	regedit.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GbPluggin\svchost	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\sharedapp.reg	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe
File created	C:\Windows\system\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe
File opened for modification	C:\Windows\system\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe

Runs .reg file with regedit 64 IoCs

pid	Process
2768	regedit.exe
2176	regedit.exe
2488	regedit.exe
1340	regedit.exe
2220	regedit.exe
2112	regedit.exe
2248	regedit.exe
2368	regedit.exe
1532	regedit.exe
2632	regedit.exe
2180	regedit.exe
2648	regedit.exe
2640	regedit.exe
2484	regedit.exe
568	regedit.exe
2632	regedit.exe
1620	regedit.exe
648	regedit.exe
1272	regedit.exe
2332	regedit.exe
540	regedit.exe
2888	regedit.exe
3064	regedit.exe
964	regedit.exe
828	regedit.exe
2556	regedit.exe
1700	regedit.exe
1632	regedit.exe
2396	regedit.exe
2788	regedit.exe
2980	regedit.exe
1492	regedit.exe
268	regedit.exe
872	regedit.exe
1492	regedit.exe
1900	regedit.exe
648	regedit.exe
1676	regedit.exe
2872	regedit.exe
1452	regedit.exe
2532	regedit.exe
2832	regedit.exe
880	regedit.exe
2928	regedit.exe
2800	regedit.exe
828	regedit.exe
1188	regedit.exe
2572	regedit.exe
1184	regedit.exe
1864	regedit.exe
2020	regedit.exe
1540	regedit.exe
1408	regedit.exe
2648	regedit.exe
2664	regedit.exe
300	regedit.exe
2688	regedit.exe
1848	regedit.exe
2544	regedit.exe
2300	regedit.exe
2224	regedit.exe
1820	regedit.exe
2848	regedit.exe
2232	regedit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 1888	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	30
PID 2864 wrote to memory of 1888	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	30
PID 2864 wrote to memory of 1888	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	30
PID 2864 wrote to memory of 1888	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	30
PID 2864 wrote to memory of 2572	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	32
PID 2864 wrote to memory of 2572	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	32
PID 2864 wrote to memory of 2572	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	32
PID 2864 wrote to memory of 2572	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	32
PID 2864 wrote to memory of 2980	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	33
PID 2864 wrote to memory of 2980	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	33
PID 2864 wrote to memory of 2980	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	33
PID 2864 wrote to memory of 2980	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	33
PID 2864 wrote to memory of 2688	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	34
PID 2864 wrote to memory of 2688	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	34
PID 2864 wrote to memory of 2688	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	34
PID 2864 wrote to memory of 2688	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	34
PID 2864 wrote to memory of 2632	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	35
PID 2864 wrote to memory of 2632	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	35
PID 2864 wrote to memory of 2632	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	35
PID 2864 wrote to memory of 2632	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	35
PID 2864 wrote to memory of 2720	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	36
PID 2864 wrote to memory of 2720	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	36
PID 2864 wrote to memory of 2720	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	36
PID 2864 wrote to memory of 2720	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	36
PID 2864 wrote to memory of 2640	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	37
PID 2864 wrote to memory of 2640	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	37
PID 2864 wrote to memory of 2640	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	37
PID 2864 wrote to memory of 2640	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	37
PID 2864 wrote to memory of 2796	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	38
PID 2864 wrote to memory of 2796	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	38
PID 2864 wrote to memory of 2796	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	38
PID 2864 wrote to memory of 2796	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	38
PID 2864 wrote to memory of 2648	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	39
PID 2864 wrote to memory of 2648	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	39
PID 2864 wrote to memory of 2648	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	39
PID 2864 wrote to memory of 2648	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	39
PID 2864 wrote to memory of 2472	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	40
PID 2864 wrote to memory of 2472	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	40
PID 2864 wrote to memory of 2472	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	40
PID 2864 wrote to memory of 2472	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	40
PID 2864 wrote to memory of 2556	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	41
PID 2864 wrote to memory of 2556	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	41
PID 2864 wrote to memory of 2556	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	41
PID 2864 wrote to memory of 2556	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	41
PID 2864 wrote to memory of 2532	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	42
PID 2864 wrote to memory of 2532	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	42
PID 2864 wrote to memory of 2532	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	42
PID 2864 wrote to memory of 2532	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	42
PID 2864 wrote to memory of 2228	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	43
PID 2864 wrote to memory of 2228	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	43
PID 2864 wrote to memory of 2228	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	43
PID 2864 wrote to memory of 2228	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	43
PID 2864 wrote to memory of 1652	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	44
PID 2864 wrote to memory of 1652	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	44
PID 2864 wrote to memory of 1652	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	44
PID 2864 wrote to memory of 1652	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	44
PID 2864 wrote to memory of 316	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	45
PID 2864 wrote to memory of 316	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	45
PID 2864 wrote to memory of 316	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	45
PID 2864 wrote to memory of 316	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	45
PID 2864 wrote to memory of 1388	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	46
PID 2864 wrote to memory of 1388	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	46
PID 2864 wrote to memory of 1388	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	46
PID 2864 wrote to memory of 1388	2864	39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe	46

C:\Users\Admin\AppData\Local\Temp\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  PID:1888
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Runs .reg file with regedit
  PID:2572
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:2980
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:2688
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  PID:2632
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  PID:2720
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Runs .reg file with regedit
  PID:2640
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  PID:2796
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:2648
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  PID:2472
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Runs .reg file with regedit
  PID:2556
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Runs .reg file with regedit
  PID:2532
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  PID:2228
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  PID:1652
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  PID:316
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  PID:1388
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  PID:1612
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:2248
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:540
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  PID:1640
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Runs .reg file with regedit
  PID:1184
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  PID:1704
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  PID:2148
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  PID:832
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Runs .reg file with regedit
  PID:2832
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  PID:1852
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:1700
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:1632
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:1900
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Runs .reg file with regedit
  PID:1272
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  PID:696
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:648
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  PID:3024
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  PID:2308
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Runs .reg file with regedit
  PID:1864
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Runs .reg file with regedit
  PID:828
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:2368
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  PID:3004
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  PID:2136
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:2112
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  PID:3028
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Runs .reg file with regedit
  PID:880
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  PID:2944
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:1532
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:2928
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:2020
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  PID:3040
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  PID:2676
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:2632
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:2484
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  PID:2596
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  PID:2568
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Runs .reg file with regedit
  PID:2232
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  PID:2592
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Runs .reg file with regedit
  PID:2396
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:2888
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  PID:2908
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  PID:2028
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  PID:2268
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Runs .reg file with regedit
  PID:1492
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Runs .reg file with regedit
  PID:568
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  PID:1636
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  PID:2224
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  PID:2548
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  PID:2036
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Runs .reg file with regedit
  PID:2332
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  PID:1132
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Runs .reg file with regedit
  PID:1676
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:2768
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:2176
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Runs .reg file with regedit
  PID:1848
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  PID:2660
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  PID:1664
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  PID:1548
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  PID:932
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Runs .reg file with regedit
  PID:1540
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  PID:888
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Runs .reg file with regedit
  PID:2800
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  PID:2524
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  PID:1200
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  PID:1684
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Runs .reg file with regedit
  PID:1408
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  PID:836
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:2788
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  PID:3048
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  PID:1596
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  PID:1424
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  PID:3028
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:872
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  PID:1952
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  PID:1528
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Runs .reg file with regedit
  PID:2872
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  PID:1172
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  PID:2960
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:2180
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  PID:2676
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  PID:908
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:2632
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  PID:2484
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Runs .reg file with regedit
  PID:2664
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  PID:2796
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  PID:2828
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Runs .reg file with regedit
  PID:2648
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Runs .reg file with regedit
  PID:2488
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Runs .reg file with regedit
  PID:2544
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:3064
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  PID:2508
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  PID:3056
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  PID:2052
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  PID:1924
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:1340
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Runs .reg file with regedit
  PID:1492
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  PID:568
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Runs .reg file with regedit
  PID:2220
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:2300
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Runs .reg file with regedit
  PID:2224
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:964
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Runs .reg file with regedit
  PID:1820
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Runs .reg file with regedit
  PID:1620
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  PID:284
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  PID:1704
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  PID:1344
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  PID:2304
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:2848
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  PID:2192
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  PID:2792
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  PID:2196
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  PID:1928
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  PID:1660
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  PID:1544
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  PID:696
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Runs .reg file with regedit
  PID:648
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  PID:3024
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  PID:968
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  PID:1196
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Runs .reg file with regedit
  PID:1452
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Runs .reg file with regedit
  PID:828
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  PID:2368
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Runs .reg file with regedit
  PID:268
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Runs .reg file with regedit
  PID:1188
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Runs .reg file with regedit
  PID:300
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  PID:1972
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GbPluggin\svchost

Filesize
1KB

MD5
511497554ffb7f0b2cf7bd35e4f45c85

SHA1
a45e14cf56a1264ac1ec54cc06e85f0a73c71586

SHA256
8ff53c25d33156d067aa81e253fef03b5b7dc0c5c3f269c4c84652a73b23fdc4

SHA512
93c57118fddf56435d60a97b0606dabf5238e446ba1976d37592df9b49d9eb9e458e53f268403d5a5c75d6bedb77e9cf648197a8426639a349e5217efe4e25ff

Download Submit
C:\Windows\sharedapp.reg

Filesize
196B

MD5
8b60abe66f0a0358fa6c980de1d544ec

SHA1
935b48ed023b1f8888bf8d427fcfd79138a359a0

SHA256
f15cfdcd108b83ab538feb554a7651b6f2347c7ec1b3273a37ba86a5731c4c00

SHA512
b23548f9be3216d46cca236b97e55d2cd300cabe9861dee784690ee9d6e457006d91d9b1ffc71225286803017c496e39e6fea8ec859e0fd46ff55caafa7954db

Download Submit
C:\Windows\system\39846b2f9f541ff3720ff0abd4007476_JaffaCakes118.exe

Filesize
62KB

MD5
39846b2f9f541ff3720ff0abd4007476

SHA1
4c1a69ce72e45d86449a13397728e63af04ad86d

SHA256
721be9875c385eaf6fbca2a3182d9abbc5c719d5e00053dd4060bb6581e50e06

SHA512
ff909a4eb7c40fdd27bd1d611e15a61ccd4507b039954d797eb4968b8718ae84259787124b008a6d42acede50729b0e246daf694860923dfb362dbe28c039d9b

Download Submit
memory/2864-284-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2864-374-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2864-131-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2864-192-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2864-238-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2864-39-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2864-329-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2864-85-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2864-411-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2864-451-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2864-497-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2864-534-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2864-571-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2864-608-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads