Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-07-2024 21:17

Static task: static1

Behavioral task: behavioral1
Sample: 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Resource: win7-20240708-en

Behavioral task: behavioral2
Sample: 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Resource: win10v2004-20240709-en

General
Target: 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Size: 794KB
MD5: 3abe036fb0de2efc32cb6332639fab8a
SHA1: 45ac81bf31b28f8325b2204ec3577a0731ac41d7
SHA256: 471c51c333571e7e5a079db176206107ce3cfa5e89534f4007d779ce13508511
SHA512: ba79ba90ca78aa940f3f647d591bd5b1f5448a2e949db3e8c56ec87cefc02a750ead5fa60dce3e88be0b339676452cef8ecf1449abecdf290b555b04269d1b58
SSDEEP: 12288:TeOvpyCRfHsdeU8p0U3Ecr+Oz/l2/nZDcZaj44vqd:Ciy8Hsd+p0CTdzd2/nZDTDG
Malware Config
Extracted
Family: xtremerat
C2: ala.no-ip.biz
Signatures

Detect XtremeRAT payload 29 IoCs
Processes:
resource | yara_rule
behavioral2/memory/3744-15-0x0000000000C80000-0x0000000000DFD000-memory.dmp | family_xtremerat
behavioral2/memory/1528-36-0x0000000000C80000-0x0000000000DFD000-memory.dmp | family_xtremerat
behavioral2/memory/4760-43-0x0000000000C80000-0x0000000000DFD000-memory.dmp | family_xtremerat
behavioral2/memory/3216-49-0x0000000000C80000-0x0000000000DFD000-memory.dmp | family_xtremerat
behavioral2/memory/4872-55-0x0000000000C80000-0x0000000000DFD000-memory.dmp | family_xtremerat
behavioral2/memory/976-61-0x0000000000C80000-0x0000000000DFD000-memory.dmp | family_xtremerat
behavioral2/memory/740-67-0x0000000000C80000-0x0000000000DFD000-memory.dmp | family_xtremerat
behavioral2/memory/1152-74-0x0000000000C80000-0x0000000000DFD000-memory.dmp | family_xtremerat
behavioral2/memory/3448-79-0x0000000000C80000-0x0000000000DFD000-memory.dmp | family_xtremerat
behavioral2/memory/3648-86-0x0000000000C80000-0x0000000000DFD000-memory.dmp | family_xtremerat
behavioral2/memory/1452-92-0x0000000000C80000-0x0000000000DFD000-memory.dmp | family_xtremerat
behavioral2/memory/4120-97-0x0000000000C80000-0x0000000000DFD000-memory.dmp | family_xtremerat
behavioral2/memory/4488-103-0x0000000000C80000-0x0000000000DFD000-memory.dmp | family_xtremerat
behavioral2/memory/3952-109-0x0000000000C80000-0x0000000000DFD000-memory.dmp | family_xtremerat
behavioral2/memory/4632-115-0x0000000000C80000-0x0000000000DFD000-memory.dmp | family_xtremerat
behavioral2/memory/2904-121-0x0000000000C80000-0x0000000000DFD000-memory.dmp | family_xtremerat
behavioral2/memory/624-128-0x0000000000C80000-0x0000000000DFD000-memory.dmp | family_xtremerat
behavioral2/memory/2400-134-0x0000000000C80000-0x0000000000DFD000-memory.dmp | family_xtremerat
behavioral2/memory/744-140-0x0000000000C80000-0x0000000000DFD000-memory.dmp | family_xtremerat
behavioral2/memory/2484-145-0x0000000000C80000-0x0000000000DFD000-memory.dmp | family_xtremerat
behavioral2/memory/4380-151-0x0000000000C80000-0x0000000000DFD000-memory.dmp | family_xtremerat
behavioral2/memory/4056-158-0x0000000000C80000-0x0000000000DFD000-memory.dmp | family_xtremerat
behavioral2/memory/1188-164-0x0000000000C80000-0x0000000000DFD000-memory.dmp | family_xtremerat
behavioral2/memory/740-169-0x0000000000C80000-0x0000000000DFD000-memory.dmp | family_xtremerat
behavioral2/memory/4504-175-0x0000000000C80000-0x0000000000DFD000-memory.dmp | family_xtremerat
behavioral2/memory/4100-181-0x0000000000C80000-0x0000000000DFD000-memory.dmp | family_xtremerat
behavioral2/memory/2780-187-0x0000000000C80000-0x0000000000DFD000-memory.dmp | family_xtremerat
behavioral2/memory/5212-193-0x0000000000C80000-0x0000000000DFD000-memory.dmp | family_xtremerat
behavioral2/memory/5364-199-0x0000000000C80000-0x0000000000DFD000-memory.dmp | family_xtremerat
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
Boot or Logon Autostart Execution: Active Setup 2 TTPs 60 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes: 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe restart" | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe restart" | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe restart" | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe restart" | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe restart" | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe restart" | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe restart" | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe restart" | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe restart" | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe restart" | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe restart" | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe restart" | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe restart" | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe restart" | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe restart" | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe restart" | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe restart" | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe restart" | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe restart" | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe restart" | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe restart" | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe restart" | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe restart" | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe restart" | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe restart" | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe restart" | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe restart" | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe restart" | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe restart" | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe restart" | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Checks computer location settings 2 TTPs 29 IoCs
Looks up the country code configured in the registry, likely a geofence check.
Processes: 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Executes dropped EXE 29 IoCs
Processes: 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
pid | process
1528 | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
4760 | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
3216 | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
4872 | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
976 | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
740 | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
1152 | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
3448 | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
3648 | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
1452 | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
4120 | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
4488 | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
3952 | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
4632 | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
2904 | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
624 | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
2400 | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
744 | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
2484 | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
4380 | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
4056 | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
1188 | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
740 | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
4504 | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
4100 | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
2780 | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
5212 | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
5364 | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
5524 | 3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe
Molebox Virtualization software 1 IoCs
Detects file using Molebox Virtualization software.
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe | molebox

Processes:
resource | yara_rule
behavioral2/memory/3744-15-0x0000000000C80000-0x0000000000DFD000-memory.dmp | upx
behavioral2/memory/1528-36-0x0000000000C80000-0x0000000000DFD000-memory.dmp | upx
behavioral2/memory/4760-43-0x0000000000C80000-0x0000000000DFD000-memory.dmp | upx
behavioral2/memory/3216-49-0x0000000000C80000-0x0000000000DFD000-memory.dmp | upx
behavioral2/memory/4872-55-0x0000000000C80000-0x0000000000DFD000-memory.dmp | upx
behavioral2/memory/976-61-0x0000000000C80000-0x0000000000DFD000-memory.dmp | upx
behavioral2/memory/740-67-0x0000000000C80000-0x0000000000DFD000-memory.dmp | upx
behavioral2/memory/1152-74-0x0000000000C80000-0x0000000000DFD000-memory.dmp | upx
behavioral2/memory/3448-79-0x0000000000C80000-0x0000000000DFD000-memory.dmp | upx
behavioral2/memory/3648-86-0x0000000000C80000-0x0000000000DFD000-memory.dmp | upx
behavioral2/memory/1452-92-0x0000000000C80000-0x0000000000DFD000-memory.dmp | upx
behavioral2/memory/4120-97-0x0000000000C80000-0x0000000000DFD000-memory.dmp | upx
behavioral2/memory/4488-103-0x0000000000C80000-0x0000000000DFD000-memory.dmp | upx
behavioral2/memory/3952-109-0x0000000000C80000-0x0000000000DFD000-memory.dmp | upx
behavioral2/memory/4632-115-0x0000000000C80000-0x0000000000DFD000-memory.dmp | upx
behavioral2/memory/2904-121-0x0000000000C80000-0x0000000000DFD000-memory.dmp | upx
behavioral2/memory/624-128-0x0000000000C80000-0x0000000000DFD000-memory.dmp | upx
behavioral2/memory/2400-134-0x0000000000C80000-0x0000000000DFD000-memory.dmp | upx
behavioral2/memory/744-140-0x0000000000C80000-0x0000000000DFD000-memory.dmp | upx
behavioral2/memory/2484-145-0x0000000000C80000-0x0000000000DFD000-memory.dmp | upx
behavioral2/memory/4380-151-0x0000000000C80000-0x0000000000DFD000-memory.dmp | upx
behavioral2/memory/4056-158-0x0000000000C80000-0x0000000000DFD000-memory.dmp | upx
behavioral2/memory/1188-164-0x0000000000C80000-0x0000000000DFD000-memory.dmp | upx
behavioral2/memory/740-169-0x0000000000C80000-0x0000000000DFD000-memory.dmp | upx
behavioral2/memory/4504-175-0x0000000000C80000-0x0000000000DFD000-memory.dmp | upx
behavioral2/memory/4100-181-0x0000000000C80000-0x0000000000DFD000-memory.dmp | upx
behavioral2/memory/2780-187-0x0000000000C80000-0x0000000000DFD000-memory.dmp | upx
behavioral2/memory/5212-193-0x0000000000C80000-0x0000000000DFD000-memory.dmp | upx
behavioral2/memory/5364-199-0x0000000000C80000-0x0000000000DFD000-memory.dmp | upx
Adds Run key to start application 2 TTPs 60 IoCs
Processes:
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Processes
(level 1) C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe  "C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe"  PID:3744
  - Boot or Logon Autostart Execution: Active Setup
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  (level 2) C:\Windows\SysWOW64\svchost.exe  svchost.exe  PID:2364
  (level 2) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:3036
  (level 2) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:4992
  (level 2) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:320
  (level 2) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:1884
  (level 2) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:1340
  (level 2) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:344
  (level 2) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:4376
  (level 2) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:2384
  (level 2) C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe  "C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe"  PID:1528
    - Boot or Logon Autostart Execution: Active Setup
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    (level 3) C:\Windows\SysWOW64\svchost.exe  svchost.exe  PID:1360
    (level 3) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:3432
    (level 3) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:4036
    (level 3) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:3012
    (level 3) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:1476
    (level 3) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:3464
    (level 3) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:1544
    (level 3) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:3236
    (level 3) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:2020
    (level 3) C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe  "C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe"  PID:4760
      - Boot or Logon Autostart Execution: Active Setup
      - Checks computer location settings
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      (level 4) C:\Windows\SysWOW64\svchost.exe  svchost.exe  PID:3908
      (level 4) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:1456
      (level 4) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:3792
      (level 4) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:3052
      (level 4) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:4560
      (level 4) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:1324
      (level 4) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:2392
      (level 4) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:1312
      (level 4) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:372
      (level 4) C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe  "C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe"  PID:3216
        - Boot or Logon Autostart Execution: Active Setup
        - Checks computer location settings
        - Executes dropped EXE
        - Adds Run key to start application
        (level 5) C:\Windows\SysWOW64\svchost.exe  svchost.exe  PID:5100
        (level 5) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:4180
        (level 5) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:4176
        (level 5) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:5112
        (level 5) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:4536
        (level 5) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:808
        (level 5) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:4964
        (level 5) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:4256
        (level 5) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:1848
        (level 5) C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe  "C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe"  PID:4872
          - Boot or Logon Autostart Execution: Active Setup
          - Checks computer location settings
          - Executes dropped EXE
          - Adds Run key to start application
          (level 6) C:\Windows\SysWOW64\svchost.exe  svchost.exe  PID:2868
          (level 6) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:5036
          (level 6) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:452
          (level 6) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:5020
          (level 6) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:4600
          (level 6) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:4112
          (level 6) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:4452
          (level 6) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:432
          (level 6) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:3380
          (level 6) C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe  "C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe"  PID:976
            - Boot or Logon Autostart Execution: Active Setup
            - Checks computer location settings
            - Executes dropped EXE
            - Adds Run key to start application
            (level 7) C:\Windows\SysWOW64\svchost.exe  svchost.exe  PID:3184
            (level 7) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:1860
            (level 7) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:2224
            (level 7) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:456
            (level 7) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:4764
            (level 7) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:3716
            (level 7) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:3544
            (level 7) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:2080
            (level 7) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:3916
            (level 7) C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe  "C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe"  PID:740
              - Boot or Logon Autostart Execution: Active Setup
              - Checks computer location settings
              - Executes dropped EXE
              - Adds Run key to start application
              (level 8) C:\Windows\SysWOW64\svchost.exe  svchost.exe  PID:4960
              (level 8) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:3436
              (level 8) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:736
              (level 8) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:2156
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:4020
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:2552
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:3820
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:3092
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:4484
-
C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe"8⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:1152 -
C:\Windows\SysWOW64\svchost.exesvchost.exe9⤵PID:2256
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"9⤵PID:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"9⤵PID:1468
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"9⤵PID:4124
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"9⤵PID:4800
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"9⤵PID:1624
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"9⤵PID:4696
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"9⤵PID:412
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"9⤵PID:2776
-
C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe"9⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:3448 -
C:\Windows\SysWOW64\svchost.exesvchost.exe10⤵PID:3028
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:1048
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:4796
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:4468
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:1808
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:3856
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:2420
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:4348
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:4516
-
C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe"10⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:3648 -
C:\Windows\SysWOW64\svchost.exesvchost.exe11⤵PID:4588
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"11⤵PID:208
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"11⤵PID:4544
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"11⤵PID:3976
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"11⤵PID:4388
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"11⤵PID:4760
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"11⤵PID:4276
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"11⤵PID:3632
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"11⤵PID:2056
-
C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe"11⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:1452 -
C:\Windows\SysWOW64\svchost.exesvchost.exe12⤵PID:5076
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:4592
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:116
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:732
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:4584
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:644
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:3480
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:4872
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:4084
-
C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe"12⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:4120 -
C:\Windows\SysWOW64\svchost.exesvchost.exe13⤵PID:2212
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"13⤵PID:1348
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"13⤵PID:2880
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"13⤵PID:2328
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"13⤵PID:3612
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"13⤵PID:3924
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"13⤵PID:4996
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"13⤵PID:1620
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"13⤵PID:212
-
C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe"13⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:4488 -
C:\Windows\SysWOW64\svchost.exesvchost.exe14⤵PID:1252
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"14⤵PID:3512
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"14⤵PID:5000
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"14⤵PID:844
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"14⤵PID:3640
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"14⤵PID:4792
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"14⤵PID:4396
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"14⤵PID:1484
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"14⤵PID:2488
-
C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe"14⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:3952 -
C:\Windows\SysWOW64\svchost.exesvchost.exe15⤵PID:2312
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"15⤵PID:1628
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"15⤵PID:4976
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"15⤵PID:1472
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"15⤵PID:908
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"15⤵PID:2664
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"15⤵PID:1080
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"15⤵PID:4392
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"15⤵PID:1816
-
C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe"15⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:4632 -
C:\Windows\SysWOW64\svchost.exesvchost.exe16⤵PID:3728
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"16⤵PID:876
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"16⤵PID:4172
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"16⤵PID:1496
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"16⤵PID:2548
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"16⤵PID:1864
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"16⤵PID:1660
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"16⤵PID:1152
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"16⤵PID:4384
-
C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe"16⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:2904 -
C:\Windows\SysWOW64\svchost.exesvchost.exe17⤵PID:2632
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"17⤵PID:1904
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"17⤵PID:536
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"17⤵PID:428
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"17⤵PID:3448
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"17⤵PID:1940
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"17⤵PID:2796
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"17⤵PID:4148
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"17⤵PID:3540
-
C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe"17⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:624 -
C:\Windows\SysWOW64\svchost.exesvchost.exe18⤵PID:3644
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"18⤵PID:2096
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"18⤵PID:2324
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"18⤵PID:956
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"18⤵PID:1756
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"18⤵PID:1568
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"18⤵PID:376
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"18⤵PID:4532
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"18⤵PID:2184
-
C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe"18⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:2400 -
C:\Windows\SysWOW64\svchost.exesvchost.exe19⤵PID:4040
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"19⤵PID:3008
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"19⤵PID:1464
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"19⤵PID:1260
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"19⤵PID:4120
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"19⤵PID:3108
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"19⤵PID:640
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"19⤵PID:2636
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"19⤵PID:4288
-
C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe"19⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:744 -
C:\Windows\SysWOW64\svchost.exesvchost.exe20⤵PID:4292
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"20⤵PID:1676
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"20⤵PID:3388
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"20⤵PID:4408
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"20⤵PID:1136
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"20⤵PID:4892
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"20⤵PID:4080
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"20⤵PID:1832
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"20⤵PID:5056
-
C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe"20⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:2484 -
C:\Windows\SysWOW64\svchost.exesvchost.exe21⤵PID:1876
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"21⤵PID:1888
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"21⤵PID:1896
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"21⤵PID:4496
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"21⤵PID:3032
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"21⤵PID:4804
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"21⤵PID:1192
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"21⤵PID:5072
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"21⤵PID:1276
-
C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe"21⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:4380 -
C:\Windows\SysWOW64\svchost.exesvchost.exe22⤵PID:544
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"22⤵PID:4152
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"22⤵PID:1460
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"22⤵PID:1480
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"22⤵PID:2804
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"22⤵PID:3040
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"22⤵PID:4304
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"22⤵PID:4768
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"22⤵PID:3504
-
C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe"22⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:4056 -
C:\Windows\SysWOW64\svchost.exesvchost.exe23⤵PID:3352
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"23⤵PID:3296
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"23⤵PID:624
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"23⤵PID:4512
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"23⤵PID:976
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"23⤵PID:3024
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"23⤵PID:1128
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"23⤵PID:3404
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"23⤵PID:4780
-
C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe"23⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:1188 -
C:\Windows\SysWOW64\svchost.exesvchost.exe24⤵PID:1056
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"24⤵PID:2800
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"24⤵PID:1900
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"24⤵PID:3688
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"24⤵PID:2692
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"24⤵PID:4352
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"24⤵PID:1368
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"24⤵PID:2768
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"24⤵PID:2344
-
C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe"24⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:740 -
C:\Windows\SysWOW64\svchost.exesvchost.exe25⤵PID:3088
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"25⤵PID:4492
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"25⤵PID:2748
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"25⤵PID:2192
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"25⤵PID:1264
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"25⤵PID:3576
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"25⤵PID:2220
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"25⤵PID:4380
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"25⤵PID:696
-
C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe"25⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:4504 -
C:\Windows\SysWOW64\svchost.exesvchost.exe26⤵PID:1616
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"26⤵PID:1144
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"26⤵PID:4232
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"26⤵PID:2716
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"26⤵PID:1004
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"26⤵PID:2348
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"26⤵PID:4952
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"26⤵PID:3392
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"26⤵PID:1572
-
C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe"26⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:4100 -
C:\Windows\SysWOW64\svchost.exesvchost.exe27⤵PID:5064
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"27⤵PID:4856
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"27⤵PID:4056
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"27⤵PID:4332
-
[depth 27] PID 4424  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
[depth 27] PID 1320  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
[depth 27] PID 4144  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
[depth 27] PID 3936  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
[depth 27] PID 2808  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
[depth 27] PID 2780  C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe"
  - Boot or Logon Autostart Execution: Active Setup
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
[depth 28] PID 2788  C:\Windows\SysWOW64\svchost.exe  cmdline: svchost.exe
[depth 28] PID 4100  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
[depth 28] PID 180   C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
[depth 28] PID 448   C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
[depth 28] PID 5136  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
[depth 28] PID 5144  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
[depth 28] PID 5164  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
[depth 28] PID 5172  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
[depth 28] PID 5188  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
[depth 28] PID 5212  C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe"
  - Boot or Logon Autostart Execution: Active Setup
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
[depth 29] PID 5260  C:\Windows\SysWOW64\svchost.exe  cmdline: svchost.exe
[depth 29] PID 5268  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
[depth 29] PID 5280  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
[depth 29] PID 5288  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
[depth 29] PID 5300  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
[depth 29] PID 5308  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
[depth 29] PID 5320  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
[depth 29] PID 5332  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
[depth 29] PID 5340  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
[depth 29] PID 5364  C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe"
  - Boot or Logon Autostart Execution: Active Setup
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
[depth 30] PID 5416  C:\Windows\SysWOW64\svchost.exe  cmdline: svchost.exe
[depth 30] PID 5428  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
[depth 30] PID 5436  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
[depth 30] PID 5452  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
[depth 30] PID 5460  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
[depth 30] PID 5472  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
[depth 30] PID 5480  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
[depth 30] PID 5492  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
[depth 30] PID 5500  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
[depth 30] PID 5524  C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe"
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
[depth 31] PID 5576  C:\Windows\SysWOW64\svchost.exe  cmdline: svchost.exe
[depth 31] PID 5584  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
[depth 31] PID 5592  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
[depth 31] PID 5604  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
[depth 31] PID 5612  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
[depth 31] PID 5632  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
[depth 31] PID 5644  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
[depth 31] PID 5664  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
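The listing above shows the pattern this XtremeRAT sample leaves in a process tree: the dropped executable re-launches itself one level deeper on each iteration, and every copy starts a SysWOW64\svchost.exe and a batch of msedge.exe processes whose parent is an executable in the user's Temp directory rather than services.exe or the browser itself. The Python below is an added example and not part of the sandbox report: it parses lines in the report's raw format (image path, command line, depth and PID run together on one line), rebuilds parent/child links from the depth column, and flags those anomalies plus the PIDs that carry autostart signatures. The embedded input is a constructed excerpt of entries from the listing; the "normal parent" table (services.exe for svchost.exe, msedge.exe or explorer.exe for Edge) is an assumption about a stock Windows host, not something the report states.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# One record per line: image path, command line, tree depth and PID run together,
# e.g.  C:\Windows\SysWOW64\svchost.exesvchost.exe28⤵PID:2788
RECORD_RE = re.compile(
    r'^(?P<image>.+?\.exe)(?P<cmd>.*?)(?P<depth>\d+)⤵(?:PID:(?P<pid>\d+))?\s*$')
# Records that carry signature bullets put the PID on a trailing "PID:2780 -" line.
TRAILING_PID_RE = re.compile(r'^PID:(?P<pid>\d+)\s*-?\s*$')

@dataclass
class Proc:
    image: str
    cmdline: str
    depth: int
    pid: Optional[int] = None
    signatures: list = field(default_factory=list)
    parent: Optional["Proc"] = field(default=None, repr=False)

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()

def parse_listing(text: str) -> list[Proc]:
    """Link records by depth: a record's parent is the most recent one a level up."""
    procs, last_at_depth, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":              # bare separator lines carry nothing
            continue
        m = RECORD_RE.match(line)
        if m:
            current = Proc(m["image"], m["cmd"], int(m["depth"]),
                           int(m["pid"]) if m["pid"] else None)
            current.parent = last_at_depth.get(current.depth - 1)
            last_at_depth[current.depth] = current
            procs.append(current)
            continue
        m = TRAILING_PID_RE.match(line)
        if m and current is not None:
            current.pid = int(m["pid"])
        elif line.startswith("- ") and current is not None:
            current.signatures.append(line[2:])
    return procs

# Assumed normal parents on a stock Windows host; not something the report states.
EXPECTED_PARENTS = {"svchost.exe": {"services.exe"},
                    "msedge.exe": {"msedge.exe", "explorer.exe"}}

def flag_anomalies(procs: list[Proc]) -> list[str]:
    findings = []
    for p in procs:
        parent = p.parent
        if parent is None:
            continue
        allowed = EXPECTED_PARENTS.get(p.name)
        if allowed is not None:
            if parent.name not in allowed:       # system/browser binary, foreign parent
                findings.append(f"{p.name} PID {p.pid} started by {parent.name} PID "
                                f"{parent.pid}; likely an injection/hollowing host")
        elif p.image.lower() == parent.image.lower():    # unknown binary relaunching itself
            findings.append(f"self-respawn: {p.name} PID {p.pid} launched by PID "
                            f"{parent.pid} at depth {p.depth}")
    return findings

def persistence_pids(procs: list[Proc]) -> list[int]:
    """PIDs whose signature bullets show autostart persistence."""
    return [p.pid for p in procs
            if any("Active Setup" in s or "Run key" in s for s in p.signatures)]

# Constructed excerpt in the report's raw line format (entries from the listing above).
SAMPLE_LISTING = r"""
C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe"27⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:2780 -
C:\Windows\SysWOW64\svchost.exesvchost.exe28⤵PID:2788
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"28⤵PID:4100
C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3abe036fb0de2efc32cb6332639fab8a_JaffaCakes118.exe"28⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
PID:5212 -
C:\Windows\SysWOW64\svchost.exesvchost.exe29⤵PID:5260
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"29⤵PID:5268
"""

if __name__ == "__main__":
    tree = parse_listing(SAMPLE_LISTING)
    print(*flag_anomalies(tree), sep="\n")
    print("persistence set by PIDs:", persistence_pids(tree))
```

On a live host the same parent/child check is done against Sysmon Event ID 1 or EDR telemetry rather than a sandbox listing; the rule that matters is the same one the tree exposes here, a Temp-path executable acting as parent of svchost.exe and of browser processes, which is the usual signature of a RAT hollowing legitimate binaries.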
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 794KB
  MD5: 3abe036fb0de2efc32cb6332639fab8a
  SHA1: 45ac81bf31b28f8325b2204ec3577a0731ac41d7
  SHA256: 471c51c333571e7e5a079db176206107ce3cfa5e89534f4007d779ce13508511
  SHA512: ba79ba90ca78aa940f3f647d591bd5b1f5448a2e949db3e8c56ec87cefc02a750ead5fa60dce3e88be0b339676452cef8ecf1449abecdf290b555b04269d1b58
- Filesize: 1KB
  MD5: 56f790849131cc9097bf01d1f0ed1a19
  SHA1: f08cce747c9c243bd318c8a9419a7e65497de6f9
  SHA256: 5a24b16fd95080f676e66243769ab5a67b02b34a8d1063f6d1834c5127d03c90
  SHA512: b5591abe11c235ced3031d7fe2f9cc523979939de91b691e27eb9a0387861017ea8232639e5de0210b89987e1482592bdc2bd7f7c22bbfd3b2df032a9307f414