86be46f7e9ae45ad850f5c3537378d7b541522b3244948ad6083a23fad1fd4ab

Analysis

max time kernel
148s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/08/2024, 15:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe
Size

57KB
MD5

8af83e36388b6fba76b4b4e7f655f4a1
SHA1

67fe2c88a54939a620850ef533273fd0a5926150
SHA256

86be46f7e9ae45ad850f5c3537378d7b541522b3244948ad6083a23fad1fd4ab
SHA512

3930102c01514f8837b82b839acaf36a0c23ec70fd34ecd65a9f688ab7bf005e2f23bfa84de3f661c5d949afe351441e019915e0f87eed6b8363d3e6783e5ae0
SSDEEP

1536:cItyYSRqKq9OdDMHmG6D2mFR4SLMeo7TCZ5pnF7G6u:VyxRyIG6D2mF5n8TCZ5pZG

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SharedAPPs = "C:\\Windows\\system\\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"	regedit.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\system\winhlp.exe	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe
File opened for modification	C:\Windows\system\winhlp.exe	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe
File created	C:\Windows\system\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe
File opened for modification	C:\Windows\system\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe
File created	C:\Windows\sharedapp.reg	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe
File created	C:\Windows\svchost	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe
File created	C:\Windows\svchost_	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe

Runs .reg file with regedit 64 IoCs

pid	Process
1352	regedit.exe
4340	regedit.exe
5024	regedit.exe
3636	regedit.exe
4860	regedit.exe
2896	regedit.exe
232	regedit.exe
2004	regedit.exe
3948	regedit.exe
2168	regedit.exe
3060	regedit.exe
332	regedit.exe
4272	regedit.exe
1484	regedit.exe
1556	regedit.exe
4408	regedit.exe
2280	regedit.exe
4660	regedit.exe
3668	regedit.exe
1176	regedit.exe
3172	regedit.exe
3024	regedit.exe
2484	regedit.exe
460	regedit.exe
116	regedit.exe
2452	regedit.exe
3632	regedit.exe
5000	regedit.exe
996	regedit.exe
5080	regedit.exe
1464	regedit.exe
5072	regedit.exe
1484	regedit.exe
4460	regedit.exe
3336	regedit.exe
1848	regedit.exe
1708	regedit.exe
3176	regedit.exe
1140	regedit.exe
3552	regedit.exe
696	regedit.exe
700	regedit.exe
760	regedit.exe
920	regedit.exe
3564	regedit.exe
1852	regedit.exe
4992	regedit.exe
5008	regedit.exe
4100	regedit.exe
2584	regedit.exe
2784	regedit.exe
2560	regedit.exe
2756	regedit.exe
1980	regedit.exe
4976	regedit.exe
232	regedit.exe
1676	regedit.exe
3336	regedit.exe
1984	regedit.exe
4608	regedit.exe
876	regedit.exe
1312	regedit.exe
2432	regedit.exe
2716	regedit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1436 wrote to memory of 232	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	87
PID 1436 wrote to memory of 232	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	87
PID 1436 wrote to memory of 232	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	87
PID 1436 wrote to memory of 1556	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	92
PID 1436 wrote to memory of 1556	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	92
PID 1436 wrote to memory of 1556	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	92
PID 1436 wrote to memory of 3552	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	93
PID 1436 wrote to memory of 3552	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	93
PID 1436 wrote to memory of 3552	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	93
PID 1436 wrote to memory of 3636	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	95
PID 1436 wrote to memory of 3636	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	95
PID 1436 wrote to memory of 3636	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	95
PID 1436 wrote to memory of 1352	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	97
PID 1436 wrote to memory of 1352	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	97
PID 1436 wrote to memory of 1352	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	97
PID 1436 wrote to memory of 2432	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	98
PID 1436 wrote to memory of 2432	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	98
PID 1436 wrote to memory of 2432	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	98
PID 1436 wrote to memory of 5072	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	100
PID 1436 wrote to memory of 5072	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	100
PID 1436 wrote to memory of 5072	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	100
PID 1436 wrote to memory of 4340	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	101
PID 1436 wrote to memory of 4340	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	101
PID 1436 wrote to memory of 4340	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	101
PID 1436 wrote to memory of 2004	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	102
PID 1436 wrote to memory of 2004	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	102
PID 1436 wrote to memory of 2004	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	102
PID 1436 wrote to memory of 5008	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	103
PID 1436 wrote to memory of 5008	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	103
PID 1436 wrote to memory of 5008	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	103
PID 1436 wrote to memory of 4408	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	104
PID 1436 wrote to memory of 4408	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	104
PID 1436 wrote to memory of 4408	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	104
PID 1436 wrote to memory of 1484	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	105
PID 1436 wrote to memory of 1484	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	105
PID 1436 wrote to memory of 1484	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	105
PID 1436 wrote to memory of 1980	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	106
PID 1436 wrote to memory of 1980	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	106
PID 1436 wrote to memory of 1980	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	106
PID 1436 wrote to memory of 1984	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	107
PID 1436 wrote to memory of 1984	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	107
PID 1436 wrote to memory of 1984	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	107
PID 1436 wrote to memory of 3948	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	110
PID 1436 wrote to memory of 3948	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	110
PID 1436 wrote to memory of 3948	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	110
PID 1436 wrote to memory of 2168	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	111
PID 1436 wrote to memory of 2168	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	111
PID 1436 wrote to memory of 2168	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	111
PID 1436 wrote to memory of 4100	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	114
PID 1436 wrote to memory of 4100	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	114
PID 1436 wrote to memory of 4100	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	114
PID 1436 wrote to memory of 4660	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	115
PID 1436 wrote to memory of 4660	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	115
PID 1436 wrote to memory of 4660	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	115
PID 1436 wrote to memory of 696	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	116
PID 1436 wrote to memory of 696	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	116
PID 1436 wrote to memory of 696	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	116
PID 1436 wrote to memory of 3632	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	117
PID 1436 wrote to memory of 3632	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	117
PID 1436 wrote to memory of 3632	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	117
PID 1436 wrote to memory of 2716	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	118
PID 1436 wrote to memory of 2716	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	118
PID 1436 wrote to memory of 2716	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	118
PID 1436 wrote to memory of 4968	1436	8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe	119

C:\Users\Admin\AppData\Local\Temp\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8af83e36388b6fba76b4b4e7f655f4a1_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:232
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:1556
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:3552
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:3636
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:1352
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:2432
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:5072
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:4340
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:2004
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:5008
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:4408
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:1484
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:1980
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:1984
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:3948
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:2168
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:4100
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:4660
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:696
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:3632
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:2716
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  PID:4968
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:4460
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:700
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:116
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:5024
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:2584
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1096
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:2280
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1808
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:4608
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:3336
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:760
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:1676
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:3668
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2340
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3176
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:4860
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:1848
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:3060
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:332
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:4976
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:2896
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:232
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:1176
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:1708
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:3172
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:920
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:4272
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:3564
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:1852
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:3024
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:5000
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3928
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:1484
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2332
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:996
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:1140
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:2784
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:3336
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:5080
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:1464
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:4992
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:2484
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:3176
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:876
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:460
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Runs .reg file with regedit
  PID:2452
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:2560
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1740
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Runs .reg file with regedit
  PID:1312
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Windows\sharedapp.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\oqwieu.$$$

Filesize
856B

MD5
22bd7858df1ae05cadb816542636bd88

SHA1
a8967e6d43ad0e852c5c79a2dc381fe6cc46b466

SHA256
020ae3e4dc3347868ffecb0243e436c65e1c43e39fbf84c74aa1858279c7fc0b

SHA512
82db51d2ede8d82d879d04d810f5f7227d6d3f1e20ea63aee2e2226294728e6b154a00be88fdc56131e4059d629b9cf17e7ec15e0971d99f3d2fbc9b4bf1f380

Download Submit
C:\Windows\System\winhlp.exe

Filesize
114B

MD5
e89f75f918dbdcee28604d4e09dd71d7

SHA1
f9d9055e9878723a12063b47d4a1a5f58c3eb1e9

SHA256
6dc9c7fc93bb488bb0520a6c780a8d3c0fb5486a4711aca49b4c53fac7393023

SHA512
8df0ab2e3679b64a6174deff4259ae5680f88e3ae307e0ea2dfff88ec4ba14f3477c9fe3a5aa5da3a8e857601170a5108ed75f6d6975958ac7a314e4a336aed0

Download Submit
C:\Windows\sharedapp.reg

Filesize
196B

MD5
2655cc0615c58da2daaa0ff4be958f40

SHA1
608e1534b2b12e261a2c88b920f94d8982a28ed8

SHA256
e724dc653c7875610c13655410826def66ba978fc7f9cb746080cf4f23a601b4

SHA512
822d9dae06a54969661515f6cf979d91c47bac72fadf971017348be474dcee9d184c6c7f892779e29fe017a657e5dec1e3da00a5f1b57d2c4e64653221040e75

Download Submit
C:\Windows\svchost

Filesize
1KB

MD5
51a54673cd40cf9d5fa4088930c59394

SHA1
8106e8b8f5549e0684f3ef7563d245a4152bda20

SHA256
562066a6bc508085e44125821abc0f37d4535aead4689cb2d5ce14c61c9eacff

SHA512
51df05219492da517adf4573be063e636e33d843f9bb6bd8eff415bc8fcc0b115c11fd9fae4d728357fc19b97c6043820967188554baaf916ab39a84ce8e8d46

Download Submit
C:\Windows\svchost_

Filesize
1KB

MD5
8850e4d2792a72e704aa10899e4b4a41

SHA1
ebf9e51e413cb7cfbe2c774f831e982234f72fd5

SHA256
a122d5ca963ed5cea884bacb67bbc14ec50b9f75b9cbe18ea374bc01e176c01f

SHA512
2052599cc714fa378fb2d28604e2340b071094e66630aacc82dad4c1bb9a4362c02161a0f10eaec236abe22d99bcb10b05addc6ca6398a79d57593f3df2b3874

Download Submit
memory/1436-503-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1436-982-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1436-352-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1436-125-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1436-604-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1436-730-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1436-831-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1436-226-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1436-1108-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1436-1209-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1436-1360-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1436-1462-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1436-1587-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1436-1709-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads