86be46f7e9ae45ad850f5c3537378d7b541522b3244948ad6083a23fad1fd4ab

Analysis

max time kernel
149s
max time network
126s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11-08-2024 15:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe
Size

57KB
MD5

8af83e36388b6fba76b4b4e7f655f4a1
SHA1

67fe2c88a54939a620850ef533273fd0a5926150
SHA256

86be46f7e9ae45ad850f5c3537378d7b541522b3244948ad6083a23fad1fd4ab
SHA512

3930102c01514f8837b82b839acaf36a0c23ec70fd34ecd65a9f688ab7bf005e2f23bfa84de3f661c5d949afe351441e019915e0f87eed6b8363d3e6783e5ae0
SSDEEP

1536:cItyYSRqKq9OdDMHmG6D2mFR4SLMeo7TCZ5pnF7G6u:VyxRyIG6D2mF5n8TCZ5pZG

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\system\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe
File opened for modification	C:\Windows\system\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe
File created	C:\Windows\sharedapp.reg	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe
File created	C:\Windows\svchost	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe
File created	C:\Windows\svchost_	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe
File created	C:\Windows\system\winhlp.exe	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe
File opened for modification	C:\Windows\system\winhlp.exe	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe

Runs .reg file with regedit 64 IoCs

pid	Process
408	regedit.exe
1932	regedit.exe
3012	regedit.exe
1560	regedit.exe
2248	regedit.exe
2516	regedit.exe
1908	regedit.exe
552	regedit.exe
1336	regedit.exe
2700	regedit.exe
1616	regedit.exe
1572	regedit.exe
1948	regedit.exe
2884	regedit.exe
476	regedit.exe
1068	regedit.exe
2660	regedit.exe
2808	regedit.exe
2592	regedit.exe
2156	regedit.exe
2388	regedit.exe
1004	regedit.exe
2068	regedit.exe
2136	regedit.exe
2324	regedit.exe
1988	regedit.exe
3004	regedit.exe
1268	regedit.exe
948	regedit.exe
2036	regedit.exe
2388	regedit.exe
2968	regedit.exe
1288	regedit.exe
2124	regedit.exe
1648	regedit.exe
2748	regedit.exe
2552	regedit.exe
2584	regedit.exe
1808	regedit.exe
2088	regedit.exe
868	regedit.exe
2676	regedit.exe
1132	regedit.exe
2612	regedit.exe
864	regedit.exe
1960	regedit.exe
2728	regedit.exe
2068	regedit.exe
2600	regedit.exe
1520	regedit.exe
1672	regedit.exe
1200	regedit.exe
1252	regedit.exe
2708	regedit.exe
2280	regedit.exe
3052	regedit.exe
1600	regedit.exe
3048	regedit.exe
2520	regedit.exe
560	regedit.exe
2128	regedit.exe
2856	regedit.exe
2812	regedit.exe
3068	regedit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 3012	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	30
PID 2244 wrote to memory of 3012	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	30
PID 2244 wrote to memory of 3012	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	30
PID 2244 wrote to memory of 3012	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	30
PID 2244 wrote to memory of 2856	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	32
PID 2244 wrote to memory of 2856	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	32
PID 2244 wrote to memory of 2856	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	32
PID 2244 wrote to memory of 2856	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	32
PID 2244 wrote to memory of 2640	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	34
PID 2244 wrote to memory of 2640	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	34
PID 2244 wrote to memory of 2640	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	34
PID 2244 wrote to memory of 2640	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	34
PID 2244 wrote to memory of 552	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	35
PID 2244 wrote to memory of 552	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	35
PID 2244 wrote to memory of 552	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	35
PID 2244 wrote to memory of 552	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	35
PID 2244 wrote to memory of 2388	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	36
PID 2244 wrote to memory of 2388	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	36
PID 2244 wrote to memory of 2388	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	36
PID 2244 wrote to memory of 2388	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	36
PID 2244 wrote to memory of 1268	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	37
PID 2244 wrote to memory of 1268	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	37
PID 2244 wrote to memory of 1268	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	37
PID 2244 wrote to memory of 1268	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	37
PID 2244 wrote to memory of 2812	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	38
PID 2244 wrote to memory of 2812	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	38
PID 2244 wrote to memory of 2812	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	38
PID 2244 wrote to memory of 2812	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	38
PID 2244 wrote to memory of 2280	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	39
PID 2244 wrote to memory of 2280	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	39
PID 2244 wrote to memory of 2280	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	39
PID 2244 wrote to memory of 2280	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	39
PID 2244 wrote to memory of 1948	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	40
PID 2244 wrote to memory of 1948	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	40
PID 2244 wrote to memory of 1948	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	40
PID 2244 wrote to memory of 1948	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	40
PID 2244 wrote to memory of 1336	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	41
PID 2244 wrote to memory of 1336	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	41
PID 2244 wrote to memory of 1336	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	41
PID 2244 wrote to memory of 1336	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	41
PID 2244 wrote to memory of 1200	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	42
PID 2244 wrote to memory of 1200	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	42
PID 2244 wrote to memory of 1200	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	42
PID 2244 wrote to memory of 1200	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	42
PID 2244 wrote to memory of 2516	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	43
PID 2244 wrote to memory of 2516	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	43
PID 2244 wrote to memory of 2516	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	43
PID 2244 wrote to memory of 2516	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	43
PID 2244 wrote to memory of 3068	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	44
PID 2244 wrote to memory of 3068	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	44
PID 2244 wrote to memory of 3068	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	44
PID 2244 wrote to memory of 3068	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	44
PID 2244 wrote to memory of 2884	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	45
PID 2244 wrote to memory of 2884	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	45
PID 2244 wrote to memory of 2884	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	45
PID 2244 wrote to memory of 2884	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	45
PID 2244 wrote to memory of 1808	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	46
PID 2244 wrote to memory of 1808	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	46
PID 2244 wrote to memory of 1808	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	46
PID 2244 wrote to memory of 1808	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	46
PID 2244 wrote to memory of 3052	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	47
PID 2244 wrote to memory of 3052	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	47
PID 2244 wrote to memory of 3052	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	47
PID 2244 wrote to memory of 3052	2244	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	47

C:\Users\Admin\AppData\Local\Temp\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:3012
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:2856
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  PID:2640
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:552
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:2388
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:1268
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:2812
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:2280
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:1948
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:1336
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:1200
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:2516
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:3068
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:2884
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:1808
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:3052
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:1252
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:476
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:1600
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:2088
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:1004
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:948
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  PID:1760
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:864
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:868
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:1616
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:2708
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:2600
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:3048
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:1560
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:2520
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:1648
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:2068
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:2968
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:1960
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:1520
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:560
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:1572
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:2728
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:2700
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:1288
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:1908
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2008
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:2036
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:2748
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:2068
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:2136
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:1068
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:2124
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:2248
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:2552
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:2676
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:2592
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:2660
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:2128
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:2388
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2520
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:1672
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:2324
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:1132
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:408
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:1932
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2332
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:1988
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:3004
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:2156
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:2612
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:2584
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1588
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:576
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:2808
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\oqwieu.$$$

Filesize
856B

MD5
22bd7858df1ae05cadb816542636bd88

SHA1
a8967e6d43ad0e852c5c79a2dc381fe6cc46b466

SHA256
020ae3e4dc3347868ffecb0243e436c65e1c43e39fbf84c74aa1858279c7fc0b

SHA512
82db51d2ede8d82d879d04d810f5f7227d6d3f1e20ea63aee2e2226294728e6b154a00be88fdc56131e4059d629b9cf17e7ec15e0971d99f3d2fbc9b4bf1f380

Download Submit
C:\Windows\sharedapp.reg

Filesize
196B

MD5
2655cc0615c58da2daaa0ff4be958f40

SHA1
608e1534b2b12e261a2c88b920f94d8982a28ed8

SHA256
e724dc653c7875610c13655410826def66ba978fc7f9cb746080cf4f23a601b4

SHA512
822d9dae06a54969661515f6cf979d91c47bac72fadf971017348be474dcee9d184c6c7f892779e29fe017a657e5dec1e3da00a5f1b57d2c4e64653221040e75

Download Submit
C:\Windows\svchost

Filesize
1KB

MD5
51a54673cd40cf9d5fa4088930c59394

SHA1
8106e8b8f5549e0684f3ef7563d245a4152bda20

SHA256
562066a6bc508085e44125821abc0f37d4535aead4689cb2d5ce14c61c9eacff

SHA512
51df05219492da517adf4573be063e636e33d843f9bb6bd8eff415bc8fcc0b115c11fd9fae4d728357fc19b97c6043820967188554baaf916ab39a84ce8e8d46

Download Submit
C:\Windows\svchost_

Filesize
1KB

MD5
8850e4d2792a72e704aa10899e4b4a41

SHA1
ebf9e51e413cb7cfbe2c774f831e982234f72fd5

SHA256
a122d5ca963ed5cea884bacb67bbc14ec50b9f75b9cbe18ea374bc01e176c01f

SHA512
2052599cc714fa378fb2d28604e2340b071094e66630aacc82dad4c1bb9a4362c02161a0f10eaec236abe22d99bcb10b05addc6ca6398a79d57593f3df2b3874

Download Submit
C:\Windows\system\winhlp.exe

Filesize
114B

MD5
e89f75f918dbdcee28604d4e09dd71d7

SHA1
f9d9055e9878723a12063b47d4a1a5f58c3eb1e9

SHA256
6dc9c7fc93bb488bb0520a6c780a8d3c0fb5486a4711aca49b4c53fac7393023

SHA512
8df0ab2e3679b64a6174deff4259ae5680f88e3ae307e0ea2dfff88ec4ba14f3477c9fe3a5aa5da3a8e857601170a5108ed75f6d6975958ac7a314e4a336aed0

Download Submit
memory/2244-478-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2244-957-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2244-327-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2244-100-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2244-579-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2244-705-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2244-806-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2244-201-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2244-1083-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2244-1184-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2244-1335-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2244-1461-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2244-1562-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2244-1685-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads