a0484390275835b8c462aad34d811fcafbed7c033a21ced84c7c66dbe8ca268e

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27/04/2024, 04:13 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

026531a5a8d9eff0e2f21fea6473aa22_JaffaCakes118.exe
Size

310KB
MD5

026531a5a8d9eff0e2f21fea6473aa22
SHA1

a31dd409c72de42f90d3a475e0a8896700232a6c
SHA256

a0484390275835b8c462aad34d811fcafbed7c033a21ced84c7c66dbe8ca268e
SHA512

17d6510a268be4d00fd79dc2b4acbeb995dae7ff583effbe3bb7725404b59ff7b6dc433885ed183997417acc3f404c6a77f07dc1310c1be54280b6154bf4063c
SSDEEP

3072:Wae7OubpGGErCbuZM4EQrjo7vgHJJPPIg5OC843RVR6:WacxGfTMfQrjoziJJHIe843RW

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
2732	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202.exe
2580	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202a.exe
2624	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202b.exe
2484	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202c.exe
2400	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202d.exe
2840	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202e.exe
112	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202f.exe
2644	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202g.exe
1408	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202h.exe
1912	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202i.exe
1680	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202j.exe
1964	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202k.exe
2096	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202l.exe
2772	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202m.exe
2076	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202n.exe
2952	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202o.exe
968	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202p.exe
2348	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202q.exe
2800	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202r.exe
2876	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202s.exe
1676	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202t.exe
2752	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202u.exe
1564	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202v.exe
1880	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202w.exe
2932	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202x.exe
2612	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202y.exe

Loads dropped DLL 52 IoCs

pid	Process
2256	026531a5a8d9eff0e2f21fea6473aa22_JaffaCakes118.exe
2256	026531a5a8d9eff0e2f21fea6473aa22_JaffaCakes118.exe
2732	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202.exe
2732	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202.exe
2580	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202a.exe
2580	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202a.exe
2624	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202b.exe
2624	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202b.exe
2484	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202c.exe
2484	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202c.exe
2400	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202d.exe
2400	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202d.exe
2840	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202e.exe
2840	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202e.exe
112	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202f.exe
112	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202f.exe
2644	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202g.exe
2644	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202g.exe
1408	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202h.exe
1408	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202h.exe
1912	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202i.exe
1912	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202i.exe
1680	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202j.exe
1680	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202j.exe
1964	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202k.exe
1964	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202k.exe
2096	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202l.exe
2096	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202l.exe
2772	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202m.exe
2772	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202m.exe
2076	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202n.exe
2076	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202n.exe
2952	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202o.exe
2952	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202o.exe
968	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202p.exe
968	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202p.exe
2348	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202q.exe
2348	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202q.exe
2800	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202r.exe
2800	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202r.exe
2876	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202s.exe
2876	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202s.exe
1676	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202t.exe
1676	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202t.exe
2752	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202u.exe
2752	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202u.exe
1564	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202v.exe
1564	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202v.exe
1880	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202w.exe
1880	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202w.exe
2932	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202x.exe
2932	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202x.exe

UPX packed file 52 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2256-0-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x000c00000001445e-5.dat	upx
behavioral1/memory/2256-16-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2256-12-0x00000000002A0000-0x00000000002DA000-memory.dmp	upx
behavioral1/files/0x002d000000014909-23.dat	upx
behavioral1/memory/2732-31-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2580-47-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x002d000000014a55-46.dat	upx
behavioral1/files/0x0009000000014c67-54.dat	upx
behavioral1/files/0x000e000000014a94-70.dat	upx
behavioral1/memory/2484-78-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2484-69-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2624-61-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x0007000000014ec4-86.dat	upx
behavioral1/memory/2400-95-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2840-96-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2840-111-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/112-112-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x0007000000014fe1-110.dat	upx
behavioral1/files/0x0009000000015264-119.dat	upx
behavioral1/memory/112-128-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x0009000000015364-135.dat	upx
behavioral1/memory/2644-142-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x0006000000016ccf-150.dat	upx
behavioral1/memory/1408-157-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x0006000000016cd4-166.dat	upx
behavioral1/memory/1912-174-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x0006000000016cf0-189.dat	upx
behavioral1/memory/1680-192-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x0006000000016d01-199.dat	upx
behavioral1/memory/1964-206-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x0006000000016d11-214.dat	upx
behavioral1/memory/2772-223-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2096-222-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x0006000000016d24-238.dat	upx
behavioral1/memory/2076-239-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2772-237-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x0006000000016d36-246.dat	upx
behavioral1/memory/2076-255-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2952-267-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/968-279-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2348-280-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2348-291-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2800-302-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2876-313-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1676-314-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1676-326-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2752-337-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1564-350-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1880-361-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2612-374-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2932-372-0x0000000000400000-0x000000000043A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Modifies registry class 54 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = fad9543f3fd38f4a	026531a5a8d9eff0e2f21fea6473aa22_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = fad9543f3fd38f4a	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202d.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202r.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202v.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = fad9543f3fd38f4a	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202a.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = fad9543f3fd38f4a	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202r.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202s.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = fad9543f3fd38f4a	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202s.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = fad9543f3fd38f4a	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202e.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = fad9543f3fd38f4a	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202q.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202y.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202i.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = fad9543f3fd38f4a	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202l.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = fad9543f3fd38f4a	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202f.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202l.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202n.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = fad9543f3fd38f4a	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202t.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202w.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = fad9543f3fd38f4a	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = fad9543f3fd38f4a	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = fad9543f3fd38f4a	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = fad9543f3fd38f4a	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202o.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = fad9543f3fd38f4a	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202p.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202u.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = fad9543f3fd38f4a	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202u.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = fad9543f3fd38f4a	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202g.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202h.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = fad9543f3fd38f4a	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202v.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202x.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = fad9543f3fd38f4a	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202h.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202k.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202m.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = fad9543f3fd38f4a	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202m.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = fad9543f3fd38f4a	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202n.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202t.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = fad9543f3fd38f4a	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202y.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202p.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = fad9543f3fd38f4a	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = fad9543f3fd38f4a	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202o.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	026531a5a8d9eff0e2f21fea6473aa22_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = fad9543f3fd38f4a	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202j.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202q.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = fad9543f3fd38f4a	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202w.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = fad9543f3fd38f4a	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202x.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2732	2256	026531a5a8d9eff0e2f21fea6473aa22_JaffaCakes118.exe	28
PID 2256 wrote to memory of 2732	2256	026531a5a8d9eff0e2f21fea6473aa22_JaffaCakes118.exe	28
PID 2256 wrote to memory of 2732	2256	026531a5a8d9eff0e2f21fea6473aa22_JaffaCakes118.exe	28
PID 2256 wrote to memory of 2732	2256	026531a5a8d9eff0e2f21fea6473aa22_JaffaCakes118.exe	28
PID 2732 wrote to memory of 2580	2732	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202.exe	29
PID 2732 wrote to memory of 2580	2732	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202.exe	29
PID 2732 wrote to memory of 2580	2732	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202.exe	29
PID 2732 wrote to memory of 2580	2732	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202.exe	29
PID 2580 wrote to memory of 2624	2580	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202a.exe	30
PID 2580 wrote to memory of 2624	2580	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202a.exe	30
PID 2580 wrote to memory of 2624	2580	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202a.exe	30
PID 2580 wrote to memory of 2624	2580	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202a.exe	30
PID 2624 wrote to memory of 2484	2624	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202b.exe	31
PID 2624 wrote to memory of 2484	2624	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202b.exe	31
PID 2624 wrote to memory of 2484	2624	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202b.exe	31
PID 2624 wrote to memory of 2484	2624	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202b.exe	31
PID 2484 wrote to memory of 2400	2484	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202c.exe	32
PID 2484 wrote to memory of 2400	2484	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202c.exe	32
PID 2484 wrote to memory of 2400	2484	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202c.exe	32
PID 2484 wrote to memory of 2400	2484	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202c.exe	32
PID 2400 wrote to memory of 2840	2400	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202d.exe	33
PID 2400 wrote to memory of 2840	2400	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202d.exe	33
PID 2400 wrote to memory of 2840	2400	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202d.exe	33
PID 2400 wrote to memory of 2840	2400	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202d.exe	33
PID 2840 wrote to memory of 112	2840	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202e.exe	34
PID 2840 wrote to memory of 112	2840	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202e.exe	34
PID 2840 wrote to memory of 112	2840	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202e.exe	34
PID 2840 wrote to memory of 112	2840	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202e.exe	34
PID 112 wrote to memory of 2644	112	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202f.exe	35
PID 112 wrote to memory of 2644	112	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202f.exe	35
PID 112 wrote to memory of 2644	112	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202f.exe	35
PID 112 wrote to memory of 2644	112	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202f.exe	35
PID 2644 wrote to memory of 1408	2644	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202g.exe	36
PID 2644 wrote to memory of 1408	2644	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202g.exe	36
PID 2644 wrote to memory of 1408	2644	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202g.exe	36
PID 2644 wrote to memory of 1408	2644	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202g.exe	36
PID 1408 wrote to memory of 1912	1408	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202h.exe	37
PID 1408 wrote to memory of 1912	1408	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202h.exe	37
PID 1408 wrote to memory of 1912	1408	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202h.exe	37
PID 1408 wrote to memory of 1912	1408	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202h.exe	37
PID 1912 wrote to memory of 1680	1912	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202i.exe	38
PID 1912 wrote to memory of 1680	1912	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202i.exe	38
PID 1912 wrote to memory of 1680	1912	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202i.exe	38
PID 1912 wrote to memory of 1680	1912	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202i.exe	38
PID 1680 wrote to memory of 1964	1680	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202j.exe	39
PID 1680 wrote to memory of 1964	1680	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202j.exe	39
PID 1680 wrote to memory of 1964	1680	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202j.exe	39
PID 1680 wrote to memory of 1964	1680	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202j.exe	39
PID 1964 wrote to memory of 2096	1964	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202k.exe	40
PID 1964 wrote to memory of 2096	1964	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202k.exe	40
PID 1964 wrote to memory of 2096	1964	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202k.exe	40
PID 1964 wrote to memory of 2096	1964	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202k.exe	40
PID 2096 wrote to memory of 2772	2096	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202l.exe	41
PID 2096 wrote to memory of 2772	2096	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202l.exe	41
PID 2096 wrote to memory of 2772	2096	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202l.exe	41
PID 2096 wrote to memory of 2772	2096	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202l.exe	41
PID 2772 wrote to memory of 2076	2772	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202m.exe	42
PID 2772 wrote to memory of 2076	2772	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202m.exe	42
PID 2772 wrote to memory of 2076	2772	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202m.exe	42
PID 2772 wrote to memory of 2076	2772	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202m.exe	42
PID 2076 wrote to memory of 2952	2076	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202n.exe	43
PID 2076 wrote to memory of 2952	2076	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202n.exe	43
PID 2076 wrote to memory of 2952	2076	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202n.exe	43
PID 2076 wrote to memory of 2952	2076	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202n.exe	43

C:\Users\Admin\AppData\Local\Temp\026531a5a8d9eff0e2f21fea6473aa22_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\026531a5a8d9eff0e2f21fea6473aa22_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2256
- \??\c:\users\admin\appdata\local\temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202.exe
  c:\users\admin\appdata\local\temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2732
- - \??\c:\users\admin\appdata\local\temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202a.exe
    c:\users\admin\appdata\local\temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202a.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - \??\c:\users\admin\appdata\local\temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202b.exe
      c:\users\admin\appdata\local\temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202b.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2624
    - - \??\c:\users\admin\appdata\local\temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202c.exe
        
        c:\users\admin\appdata\local\temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202c.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2484
      - \??\c:\users\admin\appdata\local\temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202d.exe
        
        c:\users\admin\appdata\local\temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202d.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        \??\c:\users\admin\appdata\local\temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202e.exe
        
        c:\users\admin\appdata\local\temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202e.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        \??\c:\users\admin\appdata\local\temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202f.exe
        
        c:\users\admin\appdata\local\temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202f.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:112
        
        \??\c:\users\admin\appdata\local\temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202g.exe
        
        c:\users\admin\appdata\local\temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202g.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        \??\c:\users\admin\appdata\local\temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202h.exe
        
        c:\users\admin\appdata\local\temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202h.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        \??\c:\users\admin\appdata\local\temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202i.exe
        
        c:\users\admin\appdata\local\temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202i.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        \??\c:\users\admin\appdata\local\temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202j.exe
        
        c:\users\admin\appdata\local\temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202j.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        \??\c:\users\admin\appdata\local\temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202k.exe
        
        c:\users\admin\appdata\local\temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202k.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        \??\c:\users\admin\appdata\local\temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202l.exe
        
        c:\users\admin\appdata\local\temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202l.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        \??\c:\users\admin\appdata\local\temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202m.exe
        
        c:\users\admin\appdata\local\temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202m.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        \??\c:\users\admin\appdata\local\temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202n.exe
        
        c:\users\admin\appdata\local\temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202n.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        \??\c:\users\admin\appdata\local\temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202o.exe
        
        c:\users\admin\appdata\local\temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202o.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2952
        
        \??\c:\users\admin\appdata\local\temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202p.exe
        
        c:\users\admin\appdata\local\temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202p.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:968
        
        \??\c:\users\admin\appdata\local\temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202q.exe
        
        c:\users\admin\appdata\local\temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202q.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2348
        
        \??\c:\users\admin\appdata\local\temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202r.exe
        
        c:\users\admin\appdata\local\temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202r.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2800
        
        \??\c:\users\admin\appdata\local\temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202s.exe
        
        c:\users\admin\appdata\local\temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202s.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2876
        
        \??\c:\users\admin\appdata\local\temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202t.exe
        
        c:\users\admin\appdata\local\temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202t.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1676
        
        \??\c:\users\admin\appdata\local\temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202u.exe
        
        c:\users\admin\appdata\local\temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202u.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2752
        
        \??\c:\users\admin\appdata\local\temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202v.exe
        
        c:\users\admin\appdata\local\temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202v.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1564
        
        \??\c:\users\admin\appdata\local\temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202w.exe
        
        c:\users\admin\appdata\local\temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202w.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1880
        
        \??\c:\users\admin\appdata\local\temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202x.exe
        
        c:\users\admin\appdata\local\temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202x.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2932
        
        \??\c:\users\admin\appdata\local\temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202y.exe
        
        c:\users\admin\appdata\local\temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202y.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202.exe

Filesize
310KB

MD5
67e69b1f399b6dc9b9770726434d6e5f

SHA1
9c759250cc50e8c90f434936d54913b1702bcf58

SHA256
c34368e16a0897e0d74616d77ed260624fdfea61edc36c8b863d114c9d2ba0c3

SHA512
9ab9c0d3f897e97d72f030bb8def34e28279416669ee20f05d4c6f985778a597c3c2ceb4dae6bea7bcb041b167d7899575933ca3ba557b37f120778a03a60065

Download Submit
C:\Users\Admin\AppData\Local\Temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202b.exe

Filesize
310KB

MD5
ca9bdb4ce09e9f908a1d0bd2960cc496

SHA1
302c37b21355a27472620ec4f72765a88dab0ca3

SHA256
60bdff8ca9877da3b52184fc51c38e42d9541dbf7b8e3a5c53dfa4484bf0b36c

SHA512
522f064c20fa32bec458529a42d81ef835138b2f8910f4033a098f08068593c22b80d2f4f6493dfe794af99ca2abb5f15aa90218d80289a21632748793e905c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202f.exe

Filesize
310KB

MD5
c841bc43f2cd0d122ea9a4eb7bde7cb9

SHA1
45b2ae23a2460d0f7ac2ae40be8eef8cfd818357

SHA256
9d30673f62a7b80a1cd036e0aecb913c7baed1c48b458be5e79f2d1da6f6d710

SHA512
50764c029dba2a57bb621a91ec7ba84fa77077b44d2de2698f49ed4de55f16e40224ea7aca889cf53566343f86723c77444ddcc34f53af5dc7bbcfd39693b252

Download Submit
C:\Users\Admin\AppData\Local\Temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202k.exe

Filesize
310KB

MD5
bc96d278e5745c1a8433916adaa1920d

SHA1
077cdccfdfb94ac9d8b18e7764818f93ac8214de

SHA256
93f14b6369ab6907c5e9c492567b5e4480cd4b2d14849b5642475752ba1fbda6

SHA512
33efca7a3ccb99331f5c05a368d016f0ce251c725039619cd48b793fecd606ab6373ca6cb1cb3621d9e3bc0dedf5ca25b4b4bae17bc35be22c8bca45037591fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202n.exe

Filesize
310KB

MD5
df84e4e501613e5c1234fa1629f4c72d

SHA1
baa88527a3fc0635d1ccb590f6079dc3db20e75d

SHA256
ec4124b4712224e7c303ae85318c3fb9ca7d84adcfff761b4733a3fb8477988b

SHA512
85e3f031640036f6416685c4e4bf3c8029ebe2b57b7a469468829194cb428893f57bd7036d82da5ca358fc247d850f9b99c57d5bb8b1aa934b84a99ccf48a9bd

Download Submit
\Users\Admin\AppData\Local\Temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202a.exe

Filesize
310KB

MD5
4e7bec763aa191060a61886b7bc6f1c7

SHA1
4e31cb12484c6ed648eb2c6dd09ad8080a5ed1fe

SHA256
1b3ac3753c173fe6796b0369a158417729c655d56905eca878acc294f89adcbf

SHA512
b335bde3a54882dcd0afe6d08fe06e687771e39a2b7d770a301c3d0da598393705204128bd2a0d7fb6f6a4989d2ad9cf6b36f0bc7422e91d8b68113af1bccc31

Download Submit
\Users\Admin\AppData\Local\Temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202c.exe

Filesize
310KB

MD5
238a5a63009671ad36e39ae16b07356e

SHA1
f4241ec620397e96cb045bb427b581e1956bbc02

SHA256
17f386de98f46160a4791dc71f8691e0c266eb5e94ad918eaced7a651a62bcd1

SHA512
6cafc2bedf28ceaf9abea7d84810466da8488a8b2de394aac61472011538bf8351c12b315a2bb629decaff92d5939a14ba52db9ac9b1f9cea6673cdb31e112e7

Download Submit
\Users\Admin\AppData\Local\Temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202d.exe

Filesize
310KB

MD5
64783ec52ce05630d232873e6aa7ca88

SHA1
f1101fff44b0a1b80076e3158e3a64777831eb6f

SHA256
51f1dbf3ac4ef8ef97005c3490e506bee3c889d9061a473852d2108a53ff59f0

SHA512
71a51c8cba85e6ece85abb7e5166e89d5d4dd5d98c3247b93a88317be90d231321568a6d70f30bed9b1306d2b8e2700e9fd5816c259c8237b6689d02c8c1d1ba

Download Submit
\Users\Admin\AppData\Local\Temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202e.exe

Filesize
310KB

MD5
7136426cc80b77c662b2f176aee09b54

SHA1
4724f25d7f75085ccc5fbae997d9521d8be6c57c

SHA256
e4d5e720a754609fced2ee66b459d17e5c5777dd144ee04fd44f17eb100c9f24

SHA512
5dfd835cae7adf3ae9b20c2143ff9f44965f0d00ec3fb7eca6331858304d90c144e8017f4707e11e80eac755953055899f7389eb5ca82164c6fec3773df769d9

Download Submit
\Users\Admin\AppData\Local\Temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202g.exe

Filesize
310KB

MD5
45cd35996c1d91902894a6ab41463357

SHA1
373f69a055561799cfcc51c9b494127cac3580ba

SHA256
d7b7721ae7385fc6139995318ff80f89a24d6e71b44de45db4bdc8b163b80c6e

SHA512
9b6134cf92c32ee48e50afb490552b49ea89ba0fe5b22778783acb9c67905bf64428803f526e979961f4acdc285d1e850daf5848cf3e06d44be02346764bc24f

Download Submit
\Users\Admin\AppData\Local\Temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202h.exe

Filesize
310KB

MD5
9de9662a28b800378209e560a699da76

SHA1
ea69d7c5ea37d5a74aff10d8dc2abf6c0b306fb7

SHA256
daf7e7f021299af2c4d9be41800505d176a0d4377408a9c7a7b92e4d3a32e500

SHA512
7440fa03226c373f9fb1a46eb24eae473834c6e297df87f428b0f348ec9fe0379194d1d988ed3a8fa922f3e23586cc1672715fc5d5b52b49ce16241da7076c52

Download Submit
\Users\Admin\AppData\Local\Temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202i.exe

Filesize
310KB

MD5
99500d82b98aeb519075a503455b8be8

SHA1
9ac3c5433428eb7347621fefd5cabd7bb87138f8

SHA256
4bdd6d2de48e404163d7ba8ed9ddcb71e6570163b937e533438c0d5bf0bdcf32

SHA512
0717c979e050d12774b3e4e58b469d82b0fb4f25b2d798431d61f50942baf1193f39d5e0d3ba6dccef9b492b34bd69b558959a567011cc646839381f42c82951

Download Submit
\Users\Admin\AppData\Local\Temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202j.exe

Filesize
310KB

MD5
bab8eb71acd9b0139695b61f82f16ed2

SHA1
4a41c4b9cbfbda06e46d2d9d77a170658d015052

SHA256
c2830442cc66b4000dd7e1c5d8a2c23fb32b9eea120f68fc6f38b7398a675b8f

SHA512
71702e7fadd9a5ae3b8a0aa3366dd601c6252c1f5c24520ea2135eb7ef4e426e8939feb7cc69c0bc4756cbe35e5714f916fb847ed5c06af3da8709e89448bd75

Download Submit
\Users\Admin\AppData\Local\Temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202l.exe

Filesize
310KB

MD5
6464099af71dcdc1a2fd7f523b60a102

SHA1
844c1db1820e4b5b9bd77fc13146cbd99cc660c8

SHA256
96f1e4be49ff143533c06d1984bc8e6831395a2db82cd468291fb3323e21c6c7

SHA512
df9ebc66e0f936ec98fb55df13dbac065264a1854f8ad5661686404cad875791aea60de6de8a9c33eadb4c0cfd46b790b9b491854412c427026ee859da3f8b09

Download Submit
\Users\Admin\AppData\Local\Temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202m.exe

Filesize
310KB

MD5
8457703a4438fe7e44e06edc656f127d

SHA1
75bc367d52e1c32ff70964b5d95dd3f19be6f360

SHA256
853ea582be2050d44736a982492964a9b4651bc57f4f3c1452b48bc0413b3a28

SHA512
cfce1bb739c014843c3a6b1450bb1ff230cae10caa9779d767a1b168eea15e4131b9f6cf283518a86b6d9bc568dbb143e57cc33949e0c83c0e61ae7f61e03b98

Download Submit
\Users\Admin\AppData\Local\Temp\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202o.exe

Filesize
310KB

MD5
c282778e8bcadb5cf05b5c7c7b84e062

SHA1
cd8a26bdee16fb71ee92310a535e59c680f5a729

SHA256
a51561b35a8b8c4bfda6ba438604f573c5399da72b3f180c7ffb0a11de671d53

SHA512
fd3375330df9e20dc0167fe46c1317e43fcbd9b5b9187c4717b03025c93809640a9712baebf6be930bbddc9f2fdfcc4adac37aa828e552cbd199e2c192fae9dc

Download Submit
memory/112-121-0x0000000000260000-0x000000000029A000-memory.dmp

Filesize
232KB

Download
memory/112-128-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/112-112-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/968-279-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1408-158-0x00000000003C0000-0x00000000003FA000-memory.dmp

Filesize
232KB

Download
memory/1408-159-0x00000000003C0000-0x00000000003FA000-memory.dmp

Filesize
232KB

Download
memory/1408-157-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1564-349-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/1564-348-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/1564-350-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1676-314-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1676-326-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1680-190-0x0000000000310000-0x000000000034A000-memory.dmp

Filesize
232KB

Download
memory/1680-192-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1680-188-0x0000000000310000-0x000000000034A000-memory.dmp

Filesize
232KB

Download
memory/1880-361-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1912-168-0x0000000000220000-0x000000000025A000-memory.dmp

Filesize
232KB

Download
memory/1912-174-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1964-206-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2076-255-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2076-253-0x0000000000360000-0x000000000039A000-memory.dmp

Filesize
232KB

Download
memory/2076-239-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2096-222-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2256-14-0x00000000002A0000-0x00000000002DA000-memory.dmp

Filesize
232KB

Download
memory/2256-12-0x00000000002A0000-0x00000000002DA000-memory.dmp

Filesize
232KB

Download
memory/2256-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2256-16-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2348-291-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2348-280-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2400-95-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2400-92-0x00000000004C0000-0x00000000004FA000-memory.dmp

Filesize
232KB

Download
memory/2484-72-0x0000000000390000-0x00000000003CA000-memory.dmp

Filesize
232KB

Download
memory/2484-69-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2484-78-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2580-47-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2612-374-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2624-61-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2644-142-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2732-31-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2732-25-0x00000000002A0000-0x00000000002DA000-memory.dmp

Filesize
232KB

Download
memory/2752-337-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2772-237-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2772-223-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2800-302-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2840-96-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2840-111-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2876-313-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2932-372-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2952-325-0x00000000005D0000-0x000000000060A000-memory.dmp

Filesize
232KB

Download
memory/2952-268-0x00000000005D0000-0x000000000060A000-memory.dmp

Filesize
232KB

Download
memory/2952-267-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202h.exe\""	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202s.exe\""	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202r.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202n.exe\""	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202e.exe\""	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202k.exe\""	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202j.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202f.exe\""	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202w.exe\""	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202v.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202a.exe\""	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202j.exe\""	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202i.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202x.exe\""	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202w.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202b.exe\""	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202v.exe\""	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202u.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202y.exe\""	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202d.exe\""	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202g.exe\""	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202l.exe\""	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202m.exe\""	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202p.exe\""	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202o.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202q.exe\""	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202.exe\""	026531a5a8d9eff0e2f21fea6473aa22_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202c.exe\""	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202r.exe\""	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202q.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202t.exe\""	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202s.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202u.exe\""	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202t.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202i.exe\""	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202h.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202o.exe\""	026531a5a8d9eff0e2f21fea6473aa22_jaffacakes118_3202n.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.