cybergate | a39b8da727ffc57b6041c0541dd99403b3c0cd9c5ea1e5b9d7f2ff47f13083ba

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-01-2025 03:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Size

441KB
MD5

1fcb1a649415ffb9e1251ae36243edb6
SHA1

b9e54ab8d6ffcf386b35554fa45291e87c0f4f99
SHA256

a39b8da727ffc57b6041c0541dd99403b3c0cd9c5ea1e5b9d7f2ff47f13083ba
SHA512

303863d331ff1ff53b6edb5eca0919f1895c28f839441638e4010332bc6fbbcb36d1cde277612f8b03c49980a564b388cf6aef0c1fe0afbf4cc2a88673833f33
SSDEEP

6144:ZHalw9yxcx8J5uybal9CJig2df73ADCq82yY9+9Qc7OmXwkdPivua4jORLcgCY7B:RpyqxKMybOtwL79vc9Xwsi2rORs3I

Score

10^/10

cybergate zzzzz discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.0

Botnet

zzzzz

esam2at.no-ip.biz:246

Mutex

6332F08D06F2O6

Attributes

enable_keylogger
false
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
iexplore.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
1234567
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 62 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2856-5-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral2/memory/2856-6-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral2/memory/2856-4-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral2/memory/2856-7-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral2/memory/2856-10-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/2856-13-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/2856-70-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/428-75-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/2856-77-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral2/memory/428-83-0x0000000010480000-0x00000000104E5000-memory.dmp	upx

Program crash 58 IoCs

pid	pid_target	Process	procid_target
912	2856	WerFault.exe	82
2320	2856	WerFault.exe	82
4980	4820	WerFault.exe	89
3672	4820	WerFault.exe	89
3756	4584	WerFault.exe	102
3824	4584	WerFault.exe	102
4520	1000	WerFault.exe	110
1444	1000	WerFault.exe	110
2232	1644	WerFault.exe	115
4540	1644	WerFault.exe	115
1252	1204	WerFault.exe	120
1200	1204	WerFault.exe	120
1216	3916	WerFault.exe	127
112	3916	WerFault.exe	127
392	3600	WerFault.exe	133
3088	3600	WerFault.exe	133
2740	2932	WerFault.exe	138
2696	2932	WerFault.exe	138
4304	2964	WerFault.exe	143
1564	2964	WerFault.exe	143
2628	3972	WerFault.exe	148
4288	3972	WerFault.exe	148
3820	4000	WerFault.exe	153
2924	4000	WerFault.exe	153
1336	4540	WerFault.exe	159
2592	4540	WerFault.exe	159
3080	2720	WerFault.exe	164
1064	2720	WerFault.exe	164
4244	1580	WerFault.exe	169
2416	1580	WerFault.exe	169
2984	3916	WerFault.exe	174
4980	3916	WerFault.exe	174
812	3600	WerFault.exe	179
2780	3600	WerFault.exe	179
4308	2188	WerFault.exe	184
4596	2188	WerFault.exe	184
1752	1968	WerFault.exe	189
4716	1968	WerFault.exe	189
840	4288	WerFault.exe	194
4396	4288	WerFault.exe	194
3724	1168	WerFault.exe	199
2612	1168	WerFault.exe	199
3424	1336	WerFault.exe	204
4864	1336	WerFault.exe	204
1788	1860	WerFault.exe	209
1584	1860	WerFault.exe	209
3108	4220	WerFault.exe	214
3636	4220	WerFault.exe	214
2068	2076	WerFault.exe	219
2116	2076	WerFault.exe	219
3956	2080	WerFault.exe	224
2984	2080	WerFault.exe	224
1068	1196	WerFault.exe	229
3204	1196	WerFault.exe	229
3964	2932	WerFault.exe	234
5044	2932	WerFault.exe	234
4056	1892	WerFault.exe	239
2008	1892	WerFault.exe	239

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
4820	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
4820	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
4584	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
4584	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
1000	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
1000	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
1644	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
1644	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
1204	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
1204	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
3916	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
3916	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
3600	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
3600	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
2932	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
2932	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
2964	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
2964	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
3972	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
3972	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
4000	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
4000	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
4540	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
4540	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
2720	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
2720	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
1580	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
1580	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
3916	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
3916	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
3600	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
3600	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
2188	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
2188	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
1968	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
1968	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
4288	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
4288	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
1168	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
1168	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
1336	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
1336	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
1860	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
1860	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
4220	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
4220	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
2076	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
2076	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
2080	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
2080	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
1196	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
1196	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
2932	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
2932	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
1892	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
1892	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
1896	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
1896	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeBackupPrivilege	428	explorer.exe
Token: SeRestorePrivilege	428	explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56
PID 2856 wrote to memory of 3524	2856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3524
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
  2⤵
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:428
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4820
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 520
        5⤵
        Program crash
        
        PID:4980
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 528
        5⤵
        Program crash
        
        PID:3672
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4584
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 524
        5⤵
        Program crash
        
        PID:3756
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 532
        5⤵
        Program crash
        
        PID:3824
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1000
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1000 -s 520
        5⤵
        Program crash
        
        PID:4520
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1000 -s 528
        5⤵
        Program crash
        
        PID:1444
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1644
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 528
        5⤵
        Program crash
        
        PID:2232
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 536
        5⤵
        Program crash
        
        PID:4540
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1204
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 520
        5⤵
        Program crash
        
        PID:1252
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 540
        5⤵
        Program crash
        
        PID:1200
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3916
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 520
        5⤵
        Program crash
        
        PID:1216
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 528
        5⤵
        Program crash
        
        PID:112
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3600
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 528
        5⤵
        Program crash
        
        PID:392
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 536
        5⤵
        Program crash
        
        PID:3088
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2932
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 520
        5⤵
        Program crash
        
        PID:2740
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 528
        5⤵
        Program crash
        
        PID:2696
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2964
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 520
        5⤵
        Program crash
        
        PID:4304
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 528
        5⤵
        Program crash
        
        PID:1564
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3972
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 520
        5⤵
        Program crash
        
        PID:2628
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 528
        5⤵
        Program crash
        
        PID:4288
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4000
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4000 -s 528
        5⤵
        Program crash
        
        PID:3820
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4000 -s 536
        5⤵
        Program crash
        
        PID:2924
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4540
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 524
        5⤵
        Program crash
        
        PID:1336
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 532
        5⤵
        Program crash
        
        PID:2592
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2720
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 520
        5⤵
        Program crash
        
        PID:3080
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 528
        5⤵
        Program crash
        
        PID:1064
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1580
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 520
        5⤵
        Program crash
        
        PID:4244
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 528
        5⤵
        Program crash
        
        PID:2416
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3916
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 520
        5⤵
        Program crash
        
        PID:2984
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 564
        5⤵
        Program crash
        
        PID:4980
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3600
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 520
        5⤵
        Program crash
        
        PID:812
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 540
        5⤵
        Program crash
        
        PID:2780
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2188
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 528
        5⤵
        Program crash
        
        PID:4308
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 520
        5⤵
        Program crash
        
        PID:4596
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1968
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 520
        5⤵
        Program crash
        
        PID:1752
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 544
        5⤵
        Program crash
        
        PID:4716
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4288
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 520
        5⤵
        Program crash
        
        PID:840
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 540
        5⤵
        Program crash
        
        PID:4396
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1168
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 528
        5⤵
        Program crash
        
        PID:3724
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 536
        5⤵
        Program crash
        
        PID:2612
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1336
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 520
        5⤵
        Program crash
        
        PID:3424
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 540
        5⤵
        Program crash
        
        PID:4864
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1860
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 520
        5⤵
        Program crash
        
        PID:1788
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 528
        5⤵
        Program crash
        
        PID:1584
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4220
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4220 -s 528
        5⤵
        Program crash
        
        PID:3108
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4220 -s 536
        5⤵
        Program crash
        
        PID:3636
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2076
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 528
        5⤵
        Program crash
        
        PID:2068
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 520
        5⤵
        Program crash
        
        PID:2116
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2080
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 520
        5⤵
        Program crash
        
        PID:3956
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 528
        5⤵
        Program crash
        
        PID:2984
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1196
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 192
        5⤵
        Program crash
        
        PID:1068
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 528
        5⤵
        Program crash
        
        PID:3204
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2932
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 520
        5⤵
        Program crash
        
        PID:3964
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 540
        5⤵
        Program crash
        
        PID:5044
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1892
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 520
        5⤵
        Program crash
        
        PID:4056
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 560
        5⤵
        Program crash
        
        PID:2008
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1896
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 656
    3⤵
    - Program crash
    PID:912
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 664
    3⤵
    - Program crash
    PID:2320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2856 -ip 2856
1⤵
PID:1524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2856 -ip 2856
1⤵
PID:668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4820 -ip 4820
1⤵
PID:4024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4820 -ip 4820
1⤵
PID:3984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4584 -ip 4584
1⤵
PID:536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4584 -ip 4584
1⤵
PID:4312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1000 -ip 1000
1⤵
PID:992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1000 -ip 1000
1⤵
PID:772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1644 -ip 1644
1⤵
PID:5084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1644 -ip 1644
1⤵
PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1204 -ip 1204
1⤵
PID:3172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1204 -ip 1204
1⤵
PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3916 -ip 3916
1⤵
PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3916 -ip 3916
1⤵
PID:1184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3600 -ip 3600
1⤵
PID:2692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3600 -ip 3600
1⤵
PID:4232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2932 -ip 2932
1⤵
PID:2936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2932 -ip 2932
1⤵
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2964 -ip 2964
1⤵
PID:1936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2964 -ip 2964
1⤵
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3972 -ip 3972
1⤵
PID:1900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3972 -ip 3972
1⤵
PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4000 -ip 4000
1⤵
PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4000 -ip 4000
1⤵
PID:2316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4540 -ip 4540
1⤵
PID:2600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4540 -ip 4540
1⤵
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2720 -ip 2720
1⤵
PID:3100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2720 -ip 2720
1⤵
PID:4020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1580 -ip 1580
1⤵
PID:1408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1580 -ip 1580
1⤵
PID:2108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3916 -ip 3916
1⤵
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3916 -ip 3916
1⤵
PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3600 -ip 3600
1⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3600 -ip 3600
1⤵
PID:1876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 2188 -ip 2188
1⤵
PID:2932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2188 -ip 2188
1⤵
PID:2020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1968 -ip 1968
1⤵
PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1968 -ip 1968
1⤵
PID:1172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4288 -ip 4288
1⤵
PID:1444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4288 -ip 4288
1⤵
PID:232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 1168 -ip 1168
1⤵
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1168 -ip 1168
1⤵
PID:1644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 1336 -ip 1336
1⤵
PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 1336 -ip 1336
1⤵
PID:4508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1860 -ip 1860
1⤵
PID:2860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1860 -ip 1860
1⤵
PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4220 -ip 4220
1⤵
PID:4160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4220 -ip 4220
1⤵
PID:2640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 2076 -ip 2076
1⤵
PID:1628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 2076 -ip 2076
1⤵
PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2080 -ip 2080
1⤵
PID:2804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 2080 -ip 2080
1⤵
PID:392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 1196 -ip 1196
1⤵
PID:812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 1196 -ip 1196
1⤵
PID:684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 2932 -ip 2932
1⤵
PID:1536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2932 -ip 2932
1⤵
PID:3372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 1892 -ip 1892
1⤵
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 1892 -ip 1892
1⤵
PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
7c4422ceda2be4843828ad1dc3542be6

SHA1
2fdfe398161871d1a610ba8c57a42e6fe4d7d566

SHA256
89a4532806e101577e01f1fb50c63222883b44d7b486dd220fc480f1f2aaaa87

SHA512
4c57b0454a4fd99b3c401408e60a27d3df78fb1d57ffde6f513e4e23a85dbe3ed0c31fecb338a521caafdd79c19cf1e6a306e5be617747c5c1262f3521464d96

Download Submit
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe-up.txt

Filesize
1KB

MD5
7671227ca77de8e971391388cac739c6

SHA1
4d2c55eaddf0018330b25b3b9d3f5f86040e26f6

SHA256
3847195ea1519c4971a53af4108f9d00715bda16fdf615afbba1a7e311b73bc0

SHA512
81cc10a8c050aac0fab8cd9abefc743aac6a697a4c25f5e65b7a379bc6d043d39084d7b5b2ffaa62f09c2943a242323e1bb09499c191343182316114864dda3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe-up.txt

Filesize
1KB

MD5
38c8e142b3133dd7b4cc1fcaae15015f

SHA1
9dd85f4084991a34e882cf7bcb66ac475ffe4a9a

SHA256
78c9681bb37f55c4d24c0b3ad79df9e37836b5eeded03ebc218e8f9dd8902344

SHA512
381cf2e84b19662e4f1c80b5cc20e73a524924d5e5193923aa1ee44ba034f514243627bdf5ac8c4757035e2ff22c5e85d737bf87a72f0e044f5493500b5aa9d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe-up.txt

Filesize
1KB

MD5
831777c2f7d42a706752849064474035

SHA1
efaea7f48633feca44a468a8b969acfa454a1b45

SHA256
e72ef983f2f423a305c1ca88a0d9888c553f0bff36f58bf6f4240fdf9f3b227d

SHA512
a18bc7eea35ede2301a2d04b93801015f7cf3c3a340cb65812fed2a43da70e54a11a9f38c7cee4019bfad6ca9a381d891b16b44c494cb0d3703b0d14c6185b30

Download Submit
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe-up.txt

Filesize
1KB

MD5
6dbc240cc7d20293f79730f462cd3ae7

SHA1
b7f9c75e176719fde19e5cdbdac59e03fa51f869

SHA256
f3a99b8cf79f9f547d0ba589841bbc5dd232dfd4bebdcfbba39a0a8a56b29200

SHA512
0fbb991711c7b54c5e2e709b9c3abe48f33bd59cccf78651187e3c8535ebfdaa0b226153ad3274b36ef7720ecaa2e199c4b0cf6943d4fa4468343f2a08ce0759

Download Submit
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe-up.txt

Filesize
1KB

MD5
acd915f0acd99da59bfc2d38bf240e03

SHA1
bda053c67348c0c98b68b9f682a8c953759beb79

SHA256
8b0ee79ee92478741964131b2aa06216f109132830fd3a915095ed1a9afe71cd

SHA512
62caed5097585d841fba936269b779f4603848a85840873efa1e58a3ba5e4e2711c56e1a2eff394bb7a199a219dd36d19eb98378d71e4520bda8d4adc0827764

Download Submit
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe-up.txt

Filesize
535B

MD5
526fdbaab635360b7bfc8ca57f9dd142

SHA1
95efacb29e9dc98d1f765163bc87435975aead69

SHA256
f9417cf2ddae16f8ed591f8aa451d6927a4a76217c6ea226019824c2c406a225

SHA512
faf576b2e870fb0e17c57cdfb4fb313dc03759703bb7cea54acf72b879fb72cf3a0d0137a6ceb06175585947f526f4f118b464063ba2ee867048f4a6249cfff7

Download Submit
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe-up.txt

Filesize
1KB

MD5
6c941f1fc75834706c85c6301a7c7f39

SHA1
4d707039fce14fc2fb1bea7f0b8ac3d8c11ade3e

SHA256
e249a27a232948bca6f2c70db9d43d8b5432115fad47c35b2b9d16b3c94c58a7

SHA512
4c1572d3740a072562fdad214a05b1a05a57491dd9d6d997a4abf16bb12612448ccac6b093aaf9fc562858d7655550feb05e053adca5bfd55addcf31ded5c704

Download Submit
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe-up.txt

Filesize
1KB

MD5
a4da131a9e25b8fb6d9a3228228e80b1

SHA1
1d9e2d092f0ee9541c5d0a5e9d77842a2aef23f1

SHA256
e1310128e114d4539e01c4631e93ea0315515508634444c6fa1ef732aba00a83

SHA512
45a308f34a7078bc2cad7f365753c9528f6f550ee91ee6353e013db9bdd6d1c7cf8e9d964a6fbff61703ff1c701e87207de599a2564b8d4ec81a29f3a2e501b7

Download Submit
memory/428-73-0x00000000035D0000-0x00000000035D1000-memory.dmp

Filesize
4KB

Download
memory/428-15-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/428-14-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/428-75-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/428-83-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/2856-13-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/2856-77-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2856-70-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/2856-0-0x0000000000401000-0x0000000000403000-memory.dmp

Filesize
8KB

Download
memory/2856-10-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/2856-7-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2856-4-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2856-6-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2856-5-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2856-2-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2856-1-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download