8cd885efa1e84385e6c3434f0fd896b86a78de283c3003df72fd5d5f7dbdb0ed

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/05/2024, 21:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2bc7b1d65ad8afc16d1177eedcbf72f0_JaffaCakes118.exe
Size

630KB
MD5

2bc7b1d65ad8afc16d1177eedcbf72f0
SHA1

382474ba5f3addce3ee1f531cf0d55bbead35821
SHA256

8cd885efa1e84385e6c3434f0fd896b86a78de283c3003df72fd5d5f7dbdb0ed
SHA512

b800ab241a8a0d9a286aec4258500b72c8958a17f36fbca501b04a50dd6c93f85b271234e02a429d4fcb98b740178f14c9545311dd27074ac59d140319de5578
SSDEEP

6144:WacxGfTMfQrjoziJJHI6BDcTd9hCovAYmn32PA:GfQgzAHI6BDd32PA

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
2780	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202.exe
2560	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202a.exe
2668	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202b.exe
2476	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202c.exe
2452	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202d.exe
1880	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202e.exe
1608	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202f.exe
2696	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202g.exe
1512	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202h.exe
1884	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202i.exe
2284	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202j.exe
1304	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202k.exe
2628	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202l.exe
1996	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202m.exe
1040	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202n.exe
1832	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202o.exe
2112	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202p.exe
1652	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202q.exe
1016	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202r.exe
904	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202s.exe
2844	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202t.exe
2856	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202u.exe
1752	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202v.exe
1340	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202w.exe
1872	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202x.exe
2932	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202y.exe

Loads dropped DLL 52 IoCs

pid	Process
1688	2bc7b1d65ad8afc16d1177eedcbf72f0_JaffaCakes118.exe
1688	2bc7b1d65ad8afc16d1177eedcbf72f0_JaffaCakes118.exe
2780	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202.exe
2780	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202.exe
2560	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202a.exe
2560	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202a.exe
2668	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202b.exe
2668	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202b.exe
2476	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202c.exe
2476	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202c.exe
2452	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202d.exe
2452	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202d.exe
1880	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202e.exe
1880	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202e.exe
1608	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202f.exe
1608	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202f.exe
2696	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202g.exe
2696	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202g.exe
1512	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202h.exe
1512	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202h.exe
1884	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202i.exe
1884	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202i.exe
2284	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202j.exe
2284	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202j.exe
1304	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202k.exe
1304	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202k.exe
2628	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202l.exe
2628	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202l.exe
1996	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202m.exe
1996	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202m.exe
1040	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202n.exe
1040	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202n.exe
1832	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202o.exe
1832	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202o.exe
2112	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202p.exe
2112	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202p.exe
1652	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202q.exe
1652	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202q.exe
1016	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202r.exe
1016	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202r.exe
904	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202s.exe
904	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202s.exe
2844	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202t.exe
2844	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202t.exe
2856	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202u.exe
2856	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202u.exe
1752	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202v.exe
1752	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202v.exe
1340	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202w.exe
1340	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202w.exe
1872	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202x.exe
1872	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202x.exe

UPX packed file 61 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1688-0-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x000d000000012334-5.dat	upx
behavioral1/memory/1688-7-0x00000000005D0000-0x000000000060A000-memory.dmp	upx
behavioral1/memory/1688-14-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2780-15-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x002f0000000146e6-22.dat	upx
behavioral1/memory/2780-29-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x0008000000014971-38.dat	upx
behavioral1/memory/2560-46-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2668-47-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2668-62-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x0007000000014b27-61.dat	upx
behavioral1/files/0x002f000000014708-69.dat	upx
behavioral1/memory/2452-80-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2452-94-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x0007000000014b63-93.dat	upx
behavioral1/memory/2476-78-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x0007000000014baa-107.dat	upx
behavioral1/memory/1880-109-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x0009000000014e51-119.dat	upx
behavioral1/memory/1608-125-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x0008000000015ce1-132.dat	upx
behavioral1/memory/1608-110-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1512-143-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2696-141-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x0006000000015ceb-157.dat	upx
behavioral1/memory/1512-156-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x0006000000015d07-164.dat	upx
behavioral1/files/0x0006000000015d28-190.dat	upx
behavioral1/memory/1304-189-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2284-187-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2284-173-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x0006000000015d56-213.dat	upx
behavioral1/memory/1996-222-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2628-221-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x0006000000015d4a-207.dat	upx
behavioral1/memory/2628-206-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1304-205-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1884-172-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1040-244-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x0006000000015d67-255.dat	upx
behavioral1/memory/1832-254-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1832-266-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2112-267-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1040-253-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2112-278-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1996-237-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x0006000000015d5e-238.dat	upx
behavioral1/memory/1016-290-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1016-301-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2856-335-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2844-324-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2844-318-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1752-345-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1872-357-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1872-369-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2932-371-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2932-370-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1340-356-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/904-312-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1652-289-0x0000000000400000-0x000000000043A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Modifies registry class 54 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 532c6ea50b6470a3	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202f.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202v.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 532c6ea50b6470a3	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202n.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202q.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 532c6ea50b6470a3	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202q.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202x.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 532c6ea50b6470a3	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 532c6ea50b6470a3	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202o.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 532c6ea50b6470a3	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202o.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202s.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 532c6ea50b6470a3	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202k.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202n.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202j.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202w.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 532c6ea50b6470a3	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202p.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 532c6ea50b6470a3	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 532c6ea50b6470a3	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202x.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202y.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 532c6ea50b6470a3	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 532c6ea50b6470a3	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 532c6ea50b6470a3	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202u.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 532c6ea50b6470a3	2bc7b1d65ad8afc16d1177eedcbf72f0_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 532c6ea50b6470a3	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202l.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202r.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202d.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202e.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202h.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2bc7b1d65ad8afc16d1177eedcbf72f0_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 532c6ea50b6470a3	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 532c6ea50b6470a3	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 532c6ea50b6470a3	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 532c6ea50b6470a3	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202v.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202k.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202l.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202p.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 532c6ea50b6470a3	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202s.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 532c6ea50b6470a3	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202y.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 532c6ea50b6470a3	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202w.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 532c6ea50b6470a3	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202h.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 532c6ea50b6470a3	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202c.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202t.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 532c6ea50b6470a3	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202t.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 532c6ea50b6470a3	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202a.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202c.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202m.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 532c6ea50b6470a3	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202m.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202u.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202a.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2780	1688	2bc7b1d65ad8afc16d1177eedcbf72f0_JaffaCakes118.exe	28
PID 1688 wrote to memory of 2780	1688	2bc7b1d65ad8afc16d1177eedcbf72f0_JaffaCakes118.exe	28
PID 1688 wrote to memory of 2780	1688	2bc7b1d65ad8afc16d1177eedcbf72f0_JaffaCakes118.exe	28
PID 1688 wrote to memory of 2780	1688	2bc7b1d65ad8afc16d1177eedcbf72f0_JaffaCakes118.exe	28
PID 2780 wrote to memory of 2560	2780	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202.exe	29
PID 2780 wrote to memory of 2560	2780	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202.exe	29
PID 2780 wrote to memory of 2560	2780	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202.exe	29
PID 2780 wrote to memory of 2560	2780	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202.exe	29
PID 2560 wrote to memory of 2668	2560	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202a.exe	30
PID 2560 wrote to memory of 2668	2560	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202a.exe	30
PID 2560 wrote to memory of 2668	2560	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202a.exe	30
PID 2560 wrote to memory of 2668	2560	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202a.exe	30
PID 2668 wrote to memory of 2476	2668	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202b.exe	31
PID 2668 wrote to memory of 2476	2668	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202b.exe	31
PID 2668 wrote to memory of 2476	2668	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202b.exe	31
PID 2668 wrote to memory of 2476	2668	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202b.exe	31
PID 2476 wrote to memory of 2452	2476	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202c.exe	32
PID 2476 wrote to memory of 2452	2476	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202c.exe	32
PID 2476 wrote to memory of 2452	2476	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202c.exe	32
PID 2476 wrote to memory of 2452	2476	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202c.exe	32
PID 2452 wrote to memory of 1880	2452	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202d.exe	33
PID 2452 wrote to memory of 1880	2452	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202d.exe	33
PID 2452 wrote to memory of 1880	2452	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202d.exe	33
PID 2452 wrote to memory of 1880	2452	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202d.exe	33
PID 1880 wrote to memory of 1608	1880	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202e.exe	34
PID 1880 wrote to memory of 1608	1880	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202e.exe	34
PID 1880 wrote to memory of 1608	1880	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202e.exe	34
PID 1880 wrote to memory of 1608	1880	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202e.exe	34
PID 1608 wrote to memory of 2696	1608	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202f.exe	35
PID 1608 wrote to memory of 2696	1608	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202f.exe	35
PID 1608 wrote to memory of 2696	1608	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202f.exe	35
PID 1608 wrote to memory of 2696	1608	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202f.exe	35
PID 2696 wrote to memory of 1512	2696	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202g.exe	36
PID 2696 wrote to memory of 1512	2696	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202g.exe	36
PID 2696 wrote to memory of 1512	2696	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202g.exe	36
PID 2696 wrote to memory of 1512	2696	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202g.exe	36
PID 1512 wrote to memory of 1884	1512	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202h.exe	37
PID 1512 wrote to memory of 1884	1512	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202h.exe	37
PID 1512 wrote to memory of 1884	1512	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202h.exe	37
PID 1512 wrote to memory of 1884	1512	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202h.exe	37
PID 1884 wrote to memory of 2284	1884	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202i.exe	38
PID 1884 wrote to memory of 2284	1884	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202i.exe	38
PID 1884 wrote to memory of 2284	1884	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202i.exe	38
PID 1884 wrote to memory of 2284	1884	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202i.exe	38
PID 2284 wrote to memory of 1304	2284	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202j.exe	39
PID 2284 wrote to memory of 1304	2284	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202j.exe	39
PID 2284 wrote to memory of 1304	2284	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202j.exe	39
PID 2284 wrote to memory of 1304	2284	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202j.exe	39
PID 1304 wrote to memory of 2628	1304	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202k.exe	40
PID 1304 wrote to memory of 2628	1304	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202k.exe	40
PID 1304 wrote to memory of 2628	1304	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202k.exe	40
PID 1304 wrote to memory of 2628	1304	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202k.exe	40
PID 2628 wrote to memory of 1996	2628	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202l.exe	41
PID 2628 wrote to memory of 1996	2628	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202l.exe	41
PID 2628 wrote to memory of 1996	2628	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202l.exe	41
PID 2628 wrote to memory of 1996	2628	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202l.exe	41
PID 1996 wrote to memory of 1040	1996	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202m.exe	42
PID 1996 wrote to memory of 1040	1996	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202m.exe	42
PID 1996 wrote to memory of 1040	1996	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202m.exe	42
PID 1996 wrote to memory of 1040	1996	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202m.exe	42
PID 1040 wrote to memory of 1832	1040	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202n.exe	43
PID 1040 wrote to memory of 1832	1040	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202n.exe	43
PID 1040 wrote to memory of 1832	1040	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202n.exe	43
PID 1040 wrote to memory of 1832	1040	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202n.exe	43

C:\Users\Admin\AppData\Local\Temp\2bc7b1d65ad8afc16d1177eedcbf72f0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2bc7b1d65ad8afc16d1177eedcbf72f0_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1688
- \??\c:\users\admin\appdata\local\temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202.exe
  c:\users\admin\appdata\local\temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2780
- - \??\c:\users\admin\appdata\local\temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202a.exe
    c:\users\admin\appdata\local\temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202a.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - \??\c:\users\admin\appdata\local\temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202b.exe
      c:\users\admin\appdata\local\temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202b.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2668
    - - \??\c:\users\admin\appdata\local\temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202c.exe
        
        c:\users\admin\appdata\local\temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202c.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2476
      - \??\c:\users\admin\appdata\local\temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202d.exe
        
        c:\users\admin\appdata\local\temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202d.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        \??\c:\users\admin\appdata\local\temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202e.exe
        
        c:\users\admin\appdata\local\temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202e.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        \??\c:\users\admin\appdata\local\temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202f.exe
        
        c:\users\admin\appdata\local\temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202f.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        \??\c:\users\admin\appdata\local\temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202g.exe
        
        c:\users\admin\appdata\local\temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202g.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        \??\c:\users\admin\appdata\local\temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202h.exe
        
        c:\users\admin\appdata\local\temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202h.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        \??\c:\users\admin\appdata\local\temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202i.exe
        
        c:\users\admin\appdata\local\temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202i.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        \??\c:\users\admin\appdata\local\temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202j.exe
        
        c:\users\admin\appdata\local\temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202j.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        \??\c:\users\admin\appdata\local\temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202k.exe
        
        c:\users\admin\appdata\local\temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202k.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1304
        
        \??\c:\users\admin\appdata\local\temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202l.exe
        
        c:\users\admin\appdata\local\temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202l.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        \??\c:\users\admin\appdata\local\temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202m.exe
        
        c:\users\admin\appdata\local\temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202m.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        \??\c:\users\admin\appdata\local\temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202n.exe
        
        c:\users\admin\appdata\local\temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202n.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        \??\c:\users\admin\appdata\local\temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202o.exe
        
        c:\users\admin\appdata\local\temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202o.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1832
        
        \??\c:\users\admin\appdata\local\temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202p.exe
        
        c:\users\admin\appdata\local\temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202p.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2112
        
        \??\c:\users\admin\appdata\local\temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202q.exe
        
        c:\users\admin\appdata\local\temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202q.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1652
        
        \??\c:\users\admin\appdata\local\temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202r.exe
        
        c:\users\admin\appdata\local\temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202r.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1016
        
        \??\c:\users\admin\appdata\local\temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202s.exe
        
        c:\users\admin\appdata\local\temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202s.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:904
        
        \??\c:\users\admin\appdata\local\temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202t.exe
        
        c:\users\admin\appdata\local\temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202t.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2844
        
        \??\c:\users\admin\appdata\local\temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202u.exe
        
        c:\users\admin\appdata\local\temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202u.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2856
        
        \??\c:\users\admin\appdata\local\temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202v.exe
        
        c:\users\admin\appdata\local\temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202v.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1752
        
        \??\c:\users\admin\appdata\local\temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202w.exe
        
        c:\users\admin\appdata\local\temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202w.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1340
        
        \??\c:\users\admin\appdata\local\temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202x.exe
        
        c:\users\admin\appdata\local\temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202x.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1872
        
        \??\c:\users\admin\appdata\local\temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202y.exe
        
        c:\users\admin\appdata\local\temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202y.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202.exe

Filesize
630KB

MD5
76db41d514d98ff4ee8986a08aa9a6db

SHA1
a7e5e1fd05b6807811e2d69e8f36994299310f70

SHA256
aa874f90aa908cd193ee54e48fe31b765b9da3e7b852a17d2bae4291002119ba

SHA512
8cfb420b65f5a88e6dd40a7585e3da80ed2a1777dbd6181d17f7340312df5a60403eaeef3b902566c91bb69c1f37ebd343bd1d5bd0b68cf5aaa1cb512d3020a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202c.exe

Filesize
631KB

MD5
508fed326d49704c2aedbe8854c662b4

SHA1
4eeed79297ef1ba8d9d69041d55cec19c91815a0

SHA256
634d4e0143a9f8b4e93d7f677bd2bd5b0242e115a844c078093733b768940654

SHA512
76e3dd405d915adcad68a52bf09a6160d531be8c726550d4574a3af4e616a608cb0857da1a53d1c059323e11ecedb66a118385bc28f2ed2b3a12cbac52fcacf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202e.exe

Filesize
631KB

MD5
dbb89fdc405a26b7160b46e4f9dd8ced

SHA1
448e510dd05e5e289d059d3239d82b155be6e7dc

SHA256
cc499cd6187a82f1a7875320d35e55f65113665da94c6546d727fd4f35529ac8

SHA512
31712d9b6187c72fb8c88e44d7acc36b6591f71439753bd51a0ca965494697ed18bdb3ecb018f2a78e8ff8be4650f81ae4ae02121e64ed58e604b06f976ee2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202f.exe

Filesize
632KB

MD5
da7b144a043e767a0545fbec23208cf4

SHA1
b157b1c766b58c3eb86f5af80dd8ac9ed590dce5

SHA256
2d79348324d63b7638f73696959425092008e36097d763fbf2075be1377cd2a2

SHA512
418d288effaa91245251d6f665821f8bfca135749e694812a59330a7ab8ebd6c5a860af3cac2d6036a5b27b3ed3b7c4f45eb8e3fb929986a25185aec3d119af4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202i.exe

Filesize
632KB

MD5
439372b53688e8bd1aa8772fbdbf9461

SHA1
1f409cd318faf33631b81ff930d8496fab3c786c

SHA256
e572d7b3f9792b375e4091513a8c2e7ef4a9200a6041117204cb1bba3aa78688

SHA512
9d6367859db7005f040f763353456a194a2f0670ee1a52aeb7a70d3efb02abf5f03e0b70c6fa37cf089853b81edaa0d893ea974488bd19ea59658612bb3195c9

Download Submit
\??\c:\users\admin\appdata\local\temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202k.exe

Filesize
633KB

MD5
5b640558893637966ed13e2f0b566fa4

SHA1
fccacdb805caee180e7ce7a9469094b6a5800d02

SHA256
8f2ac455c992766d46d68da9993e8489bf1d415609f5114552ce9c11279339da

SHA512
0ae30cbe0d23dbc30af65bf66ec3729408a0054d4d0a17d14b1d77ce692f18af2740148b51f17b212d4cee4eca2881f1a90253d68ec1198cf564abf3dde4bb99

Download Submit
\??\c:\users\admin\appdata\local\temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202l.exe

Filesize
633KB

MD5
dbe5c72d387015f53f61f8b91f0890d1

SHA1
689d2cbe67221dd0e13ecc819ae340979e733ccd

SHA256
462900a88f96246ece7472169e9dbc0360b71e5daf3db9fec6e62eda1d373038

SHA512
e53e5e22f9510403f43b3c576c4b8f86eef656e1947a6da7a25ad96be3fd5dd5b04b7f7035e72a2dbe9a10fddb5fa42f9dcd5df0a0dfb014237c57763d69077b

Download Submit
\??\c:\users\admin\appdata\local\temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202n.exe

Filesize
633KB

MD5
7530a6517b09d51e8d1eebfe1d7304a1

SHA1
68c7f77d2e930f08e362b06d17ebac5979c171df

SHA256
392a85888b1d86848599cb07095654cb54ae29b22fb054856fb9084142d2f150

SHA512
4f08baf3187269ea0ce45bf2ede4461525e4330ad9e558c472d823ff4c3c3e37f9f00424478ec77b179856b131ef214ad7a2ddafce9bfedf4b4c5122b2d35e0c

Download Submit
\??\c:\users\admin\appdata\local\temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202o.exe

Filesize
634KB

MD5
878721e5b1906795b2b931913112a141

SHA1
fe7c056321e79883dfb0007ff0a6ece8386b2627

SHA256
cdd2c4fd9b917f5801eced5fd412c5f534fbb73828102e3b53c71e3959ef92ce

SHA512
33915e5b1dcc1fa80da6682ea0529a75858cde1dfc7cf6d16cc1ef977230d69fb5f4dd33c302998b736d647b9d6892e79eb826edbf7602285b784462d405f418

Download Submit
\Users\Admin\AppData\Local\Temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202a.exe

Filesize
630KB

MD5
9a3fa43af125bdd4fb021146f921e807

SHA1
5ca431bd4e70e51abafa895ec101a24f3755882e

SHA256
b9a48773197c6159e8a3b85f1ca81fe0bb9ae7db483b686ace5c468ee753bd4e

SHA512
40ceb81dd4069e5f98f9b8734a377b89d04b3af8ffc02ca5bc142e1f9ee8e4e3e3255b694213576086c781c2e1fb09ffa34f38c3c9e86863ac342e233328ee30

Download Submit
\Users\Admin\AppData\Local\Temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202b.exe

Filesize
631KB

MD5
031c241c2ecd3233e46239710f75175e

SHA1
094d17a0b849f7baf1c12c341ade8e0542c8172e

SHA256
9267289b99e2c4c26ee4f948fdfb8e3442608ebde0ee574c6d01bfb35b4e8cb3

SHA512
f3e41877e6255ce19bf6ad33f4357cbf9f90fbd30d7183b4673002242dacb478a1b7141bab5b1dd8f51ac3dd4566d14e138b66689603e2f99407bf73f7273df2

Download Submit
\Users\Admin\AppData\Local\Temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202d.exe

Filesize
631KB

MD5
fc3a6e12a3069c9896ba2565dd161b07

SHA1
842ab8ffca91335bb0330844ac5a0324082cdfbe

SHA256
93d482467365d26b4f89be49ad1ab15e00be94d422dd75cc7704712a05c95266

SHA512
b1af2684458562f3091092b20437516aa632829a7fd55f4f1bdb44ce4f6f3c7bf7938d3d7f5f380e7f669bd204abc885fe095e42deb9e57cd1eb075a66a9946f

Download Submit
\Users\Admin\AppData\Local\Temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202g.exe

Filesize
632KB

MD5
b455eb56bb2b5922a529b1c59eb324ce

SHA1
5fe293fcc01413b360041db0f4259c65a48d911c

SHA256
e084905e77874044285f495b8c8b8b4e1645490ceac46e93c9f6fc6ee8cb1ac9

SHA512
34be07ee914a6f9fd906627b8ab2bf2972b8dc3e795e28a3b2913a526675789534d62f0a1ea6c265852adbda056eceb37eb9ef3bd3cbdd126703dc6025b1e064

Download Submit
\Users\Admin\AppData\Local\Temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202h.exe

Filesize
632KB

MD5
519b52e7acc717a493fa2534b266c3cd

SHA1
72faab5dbbe764719f75122afc0e5c4bab13fdf7

SHA256
8ec8f5c259522b642f4605ff15275d4d79fa0b1e6f806d0908c6fa52b310918f

SHA512
d1622ac607cc69661a12c474713376b57f8a7c11218b09be736112a885f673f23ea39b4123133592c482e8b105599578798fb1b155f44cb91b4437bd90383242

Download Submit
\Users\Admin\AppData\Local\Temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202j.exe

Filesize
633KB

MD5
ae8a5e4e81ecfa3adbec4057dcccc9a8

SHA1
a57839417f74a452d1c0b48861361f09efb10417

SHA256
62c23d94f9f670c7dfcfbbb5aa68165941ee609e132356cfcffa0d2818c57c41

SHA512
4ede509ea341beeabc2126e250300052fff804cf942582eb326a3c49e8c2680e72aca1d1992bf900071526b54249b5e2894b5365c7b64eb11689d3717195ac21

Download Submit
\Users\Admin\AppData\Local\Temp\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202m.exe

Filesize
633KB

MD5
df6cab7202253f2c4d64ce866f30ef78

SHA1
d4f6f6b629977d298f6fb5d2cbe445ed430f7327

SHA256
cbe36529d39494a234b15c01f0ef458901cf9bf92f708c3e24c7a8ae9d287ba5

SHA512
27124e12c8e95f9d960f21930365388b78e05929918fd996119b2f83508397366bdd3461b0127a21d86a0aa20052f88375b87877dd3b90928b876f2bd3c42980

Download Submit
memory/904-312-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1016-301-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1016-290-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1040-253-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1040-244-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1304-189-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1304-205-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1304-198-0x00000000002D0000-0x000000000030A000-memory.dmp

Filesize
232KB

Download
memory/1340-356-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1512-156-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1512-143-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1608-110-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1608-125-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1652-289-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1688-14-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1688-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1688-7-0x00000000005D0000-0x000000000060A000-memory.dmp

Filesize
232KB

Download
memory/1752-345-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1832-254-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1832-266-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1872-369-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1872-357-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1872-368-0x0000000000280000-0x00000000002BA000-memory.dmp

Filesize
232KB

Download
memory/1880-109-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1884-172-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1996-222-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1996-237-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2112-267-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2112-278-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2284-173-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2284-187-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2452-94-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2452-80-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2476-71-0x00000000002B0000-0x00000000002EA000-memory.dmp

Filesize
232KB

Download
memory/2476-78-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2560-46-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2628-221-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2628-206-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2668-47-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2668-62-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2696-134-0x00000000002E0000-0x000000000031A000-memory.dmp

Filesize
232KB

Download
memory/2696-141-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2780-29-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2780-30-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2780-15-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2844-324-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2844-318-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2856-335-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2932-371-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2932-370-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202w.exe\""	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202v.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202.exe\""	2bc7b1d65ad8afc16d1177eedcbf72f0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202i.exe\""	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202h.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202k.exe\""	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202j.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202d.exe\""	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202y.exe\""	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202h.exe\""	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202j.exe\""	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202i.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202a.exe\""	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202l.exe\""	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202p.exe\""	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202o.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202b.exe\""	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202t.exe\""	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202s.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202v.exe\""	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202u.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202q.exe\""	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202x.exe\""	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202w.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202g.exe\""	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202n.exe\""	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202o.exe\""	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202m.exe\""	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202r.exe\""	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202q.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202s.exe\""	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202r.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202u.exe\""	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202t.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202c.exe\""	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202e.exe\""	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202f.exe\""	2bc7b1d65ad8afc16d1177eedcbf72f0_jaffacakes118_3202e.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads