97fa16c0e60ac6685412fc705e6a2dea33be89b1d3b999b5e675741a9f27bb32

Analysis

max time kernel
149s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
28/07/2024, 01:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0497546b77d039b398f1862b6054bd44_JaffaCakes118.exe
Size

321KB
MD5

0497546b77d039b398f1862b6054bd44
SHA1

e2818e53821d7e80a01cb87adeb1915ee29ddaa8
SHA256

97fa16c0e60ac6685412fc705e6a2dea33be89b1d3b999b5e675741a9f27bb32
SHA512

7cae6b064f6530643dbc2ca6d7706bd3c8704440362ce3baa97fd6520420bdbd256e85ea2b866a2266a4c29ad0b40e52ec4be0e2842a696cea167dff9e343f83
SSDEEP

6144:rqppuGRYx4H712f/SBTpzZA6rXD40b+7TJAq:rqpNtb1YIp9AI4FAq

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
4980	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202.exe
4552	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202a.exe
1520	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202b.exe
2744	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202c.exe
2452	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202d.exe
1864	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202e.exe
2192	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202f.exe
2116	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202g.exe
2648	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202h.exe
4340	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202i.exe
3524	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202j.exe
4740	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202k.exe
3028	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202l.exe
3144	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202m.exe
2896	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202n.exe
3432	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202o.exe
2968	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202p.exe
3120	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202q.exe
4832	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202r.exe
216	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202s.exe
4228	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202t.exe
3104	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202u.exe
3748	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202v.exe
4484	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202w.exe
3980	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202x.exe
4952	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202y.exe

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202g.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202x.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202h.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202j.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202u.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202q.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202r.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202t.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202k.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202m.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202v.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202w.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202y.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0497546b77d039b398f1862b6054bd44_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202n.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202l.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202i.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202o.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202s.exe

Modifies registry class 54 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 89a66df15591bfdb	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202t.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202a.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202l.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 89a66df15591bfdb	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202h.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 89a66df15591bfdb	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202v.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202w.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 89a66df15591bfdb	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202c.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202f.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202u.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 89a66df15591bfdb	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202f.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202t.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 89a66df15591bfdb	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202e.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202q.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202y.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 89a66df15591bfdb	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202p.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202r.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202s.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 89a66df15591bfdb	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202x.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 89a66df15591bfdb	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202y.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 89a66df15591bfdb	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202b.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202e.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 89a66df15591bfdb	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202s.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 89a66df15591bfdb	0497546b77d039b398f1862b6054bd44_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202c.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 89a66df15591bfdb	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 89a66df15591bfdb	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202n.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 89a66df15591bfdb	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202o.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202v.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 89a66df15591bfdb	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 89a66df15591bfdb	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202d.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202m.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202p.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 89a66df15591bfdb	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202u.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202g.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202i.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 89a66df15591bfdb	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 89a66df15591bfdb	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 89a66df15591bfdb	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202q.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202h.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 89a66df15591bfdb	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202m.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202o.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 89a66df15591bfdb	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202w.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 89a66df15591bfdb	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202i.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 89a66df15591bfdb	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 89a66df15591bfdb	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202l.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0497546b77d039b398f1862b6054bd44_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202x.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 89a66df15591bfdb	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202g.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202n.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4964 wrote to memory of 4980	4964	0497546b77d039b398f1862b6054bd44_JaffaCakes118.exe	87
PID 4964 wrote to memory of 4980	4964	0497546b77d039b398f1862b6054bd44_JaffaCakes118.exe	87
PID 4964 wrote to memory of 4980	4964	0497546b77d039b398f1862b6054bd44_JaffaCakes118.exe	87
PID 4980 wrote to memory of 4552	4980	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202.exe	88
PID 4980 wrote to memory of 4552	4980	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202.exe	88
PID 4980 wrote to memory of 4552	4980	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202.exe	88
PID 4552 wrote to memory of 1520	4552	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202a.exe	89
PID 4552 wrote to memory of 1520	4552	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202a.exe	89
PID 4552 wrote to memory of 1520	4552	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202a.exe	89
PID 1520 wrote to memory of 2744	1520	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202b.exe	90
PID 1520 wrote to memory of 2744	1520	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202b.exe	90
PID 1520 wrote to memory of 2744	1520	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202b.exe	90
PID 2744 wrote to memory of 2452	2744	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202c.exe	91
PID 2744 wrote to memory of 2452	2744	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202c.exe	91
PID 2744 wrote to memory of 2452	2744	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202c.exe	91
PID 2452 wrote to memory of 1864	2452	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202d.exe	92
PID 2452 wrote to memory of 1864	2452	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202d.exe	92
PID 2452 wrote to memory of 1864	2452	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202d.exe	92
PID 1864 wrote to memory of 2192	1864	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202e.exe	93
PID 1864 wrote to memory of 2192	1864	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202e.exe	93
PID 1864 wrote to memory of 2192	1864	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202e.exe	93
PID 2192 wrote to memory of 2116	2192	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202f.exe	94
PID 2192 wrote to memory of 2116	2192	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202f.exe	94
PID 2192 wrote to memory of 2116	2192	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202f.exe	94
PID 2116 wrote to memory of 2648	2116	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202g.exe	95
PID 2116 wrote to memory of 2648	2116	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202g.exe	95
PID 2116 wrote to memory of 2648	2116	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202g.exe	95
PID 2648 wrote to memory of 4340	2648	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202h.exe	96
PID 2648 wrote to memory of 4340	2648	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202h.exe	96
PID 2648 wrote to memory of 4340	2648	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202h.exe	96
PID 4340 wrote to memory of 3524	4340	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202i.exe	97
PID 4340 wrote to memory of 3524	4340	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202i.exe	97
PID 4340 wrote to memory of 3524	4340	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202i.exe	97
PID 3524 wrote to memory of 4740	3524	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202j.exe	98
PID 3524 wrote to memory of 4740	3524	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202j.exe	98
PID 3524 wrote to memory of 4740	3524	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202j.exe	98
PID 4740 wrote to memory of 3028	4740	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202k.exe	99
PID 4740 wrote to memory of 3028	4740	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202k.exe	99
PID 4740 wrote to memory of 3028	4740	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202k.exe	99
PID 3028 wrote to memory of 3144	3028	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202l.exe	100
PID 3028 wrote to memory of 3144	3028	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202l.exe	100
PID 3028 wrote to memory of 3144	3028	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202l.exe	100
PID 3144 wrote to memory of 2896	3144	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202m.exe	101
PID 3144 wrote to memory of 2896	3144	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202m.exe	101
PID 3144 wrote to memory of 2896	3144	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202m.exe	101
PID 2896 wrote to memory of 3432	2896	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202n.exe	102
PID 2896 wrote to memory of 3432	2896	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202n.exe	102
PID 2896 wrote to memory of 3432	2896	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202n.exe	102
PID 3432 wrote to memory of 2968	3432	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202o.exe	103
PID 3432 wrote to memory of 2968	3432	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202o.exe	103
PID 3432 wrote to memory of 2968	3432	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202o.exe	103
PID 2968 wrote to memory of 3120	2968	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202p.exe	104
PID 2968 wrote to memory of 3120	2968	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202p.exe	104
PID 2968 wrote to memory of 3120	2968	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202p.exe	104
PID 3120 wrote to memory of 4832	3120	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202q.exe	105
PID 3120 wrote to memory of 4832	3120	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202q.exe	105
PID 3120 wrote to memory of 4832	3120	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202q.exe	105
PID 4832 wrote to memory of 216	4832	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202r.exe	106
PID 4832 wrote to memory of 216	4832	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202r.exe	106
PID 4832 wrote to memory of 216	4832	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202r.exe	106
PID 216 wrote to memory of 4228	216	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202s.exe	107
PID 216 wrote to memory of 4228	216	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202s.exe	107
PID 216 wrote to memory of 4228	216	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202s.exe	107
PID 4228 wrote to memory of 3104	4228	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202t.exe	108

C:\Users\Admin\AppData\Local\Temp\0497546b77d039b398f1862b6054bd44_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0497546b77d039b398f1862b6054bd44_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4964
- \??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202.exe
  c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4980
- - \??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202a.exe
    c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202a.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4552
  - - \??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202b.exe
      c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202b.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1520
    - - \??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202c.exe
        
        c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202c.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2744
      - \??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202d.exe
        
        c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202d.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        \??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202e.exe
        
        c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202e.exe
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        \??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202f.exe
        
        c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202f.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        \??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202g.exe
        
        c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202g.exe
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        \??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202h.exe
        
        c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202h.exe
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        \??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202i.exe
        
        c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202i.exe
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        \??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202j.exe
        
        c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202j.exe
        12⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3524
        
        \??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202k.exe
        
        c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202k.exe
        13⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        \??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202l.exe
        
        c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202l.exe
        14⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        \??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202m.exe
        
        c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202m.exe
        15⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3144
        
        \??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202n.exe
        
        c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202n.exe
        16⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        \??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202o.exe
        
        c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202o.exe
        17⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        \??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202p.exe
        
        c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202p.exe
        18⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        \??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202q.exe
        
        c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202q.exe
        19⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3120
        
        \??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202r.exe
        
        c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202r.exe
        20⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        \??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202s.exe
        
        c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202s.exe
        21⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        \??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202t.exe
        
        c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202t.exe
        22⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4228
        
        \??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202u.exe
        
        c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202u.exe
        23⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3104
        
        \??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202v.exe
        
        c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202v.exe
        24⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3748
        
        \??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202w.exe
        
        c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202w.exe
        25⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4484
        
        \??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202x.exe
        
        c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202x.exe
        26⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3980
        
        \??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202y.exe
        
        c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202y.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202.exe

Filesize
321KB

MD5
2c354a8c2931b9340774b2f0eb41c6e5

SHA1
e51124143fbb5bd3ab6297c2038fa66e8fb21750

SHA256
363de743b8416da8d71ad468a3819da8519ebb38f16665b2e7e8815eb83e7bcf

SHA512
daf13534f87a368469ea3cc3d67da88a53f24b8c957a039792b14a182239f2d3a4c262032d484f8dba8e31538c405bc7102cebd9fd626229119b9121c39f8df4

Download Submit
C:\Users\Admin\AppData\Local\Temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202c.exe

Filesize
322KB

MD5
4b82268b36ea439e39e74b69f7cf1eb1

SHA1
adde0b48731a60d0738b347db91b205b459ca08c

SHA256
cba360c27eff35fff3c2bfbe8cd1db4939544ee168aadad3bda271f08b2ab64c

SHA512
4074fc5b840cfd15b08669d3254ae39b04a2b21d567ae0cbd2b2b52fb2acc132dfd635b4c19e8a7769034045e7eb28437c6eef93a1423a9982b903bfa232755f

Download Submit
C:\Users\Admin\AppData\Local\Temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202d.exe

Filesize
322KB

MD5
a8ce206b5bdfbb05fa1c84df9e98bb55

SHA1
a406aac20f4f6fb873d20e5185080fa24647607f

SHA256
18bf5a7a8dba82dfebe5fedeeeaa14be54c8d06e361b5415b2f1616738ebfafc

SHA512
888dc8c51ce22f2303bb63367130f6875b001d71e10906263bb76992943ab46e46bbfdfd3462f301702c14ddc166b48e32feb77618bb53fbec99158773f205ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202f.exe

Filesize
322KB

MD5
998b8b0076ecc93a833425fa7b0e5779

SHA1
4550cf777927fe44c97215f79c0267db3ec640ea

SHA256
beeb2d50aa7afc69e8d8b69d0d30394464cdbc972774ab50760fc90995f3af48

SHA512
8ef4d0679fa553e2c25e72dd805e81a3b4896a3c8872708568edac86547fbb6e69b71f9171f0bfdf19efafaae566995e439acbe536fb1a760ebecdb66a6a4161

Download Submit
C:\Users\Admin\AppData\Local\Temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202g.exe

Filesize
322KB

MD5
2a337c2b7bb5b6584d4fe56d0589fb97

SHA1
2b0badabe7605cd8f900789c9001d8104976e12b

SHA256
2116591ef90403ff18e6bf8273e10dd1a5384145c61cd9be56b0a9511ba79edd

SHA512
6aa190d09508aacc7e23360ef92c39b4dbf846e8c95bbfac801920f6bbf5af54db7a3dd77aa1b0ddf35ca2ca3586f93a0eeb297544835752ddfb7166d4ef2eba

Download Submit
C:\Users\Admin\AppData\Local\Temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202i.exe

Filesize
323KB

MD5
86d86e8da04389938465e43834becc3e

SHA1
7f179495183e61e0213f302893c5d23fdd3f56af

SHA256
5d1304ef049b1dad649e86b29925735a21145535c6626c2de8a54d108cf61bd9

SHA512
6daed38ec0be92018bd7a1c0c4f769125adf7a3bf525f4a626ddd3932a50918aff2cb1ea533882ab1fd334a28e5419a58e7a6381abc3c775f2e4d3b82719efbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202k.exe

Filesize
323KB

MD5
55f2165fe7ab458f5b1ac019b98dd6ca

SHA1
fbf033795fb0e587ef89e29dcf0ba512a76836f7

SHA256
c11c9bb28d81efe8ac6d9bc16e68313ac47ab45bbb4e14e5aa478850316af10b

SHA512
a4f689b6cf7883e8830e8b66be996080bb84535adc37215372f6d8e7d27c9a0981f0322fa7b1d2fc38aa925c22e6181314e3c92741dca202926d1278c1b5866b

Download Submit
C:\Users\Admin\AppData\Local\Temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202l.exe

Filesize
324KB

MD5
51e3aa15b8296d451e4f1addaae83d8e

SHA1
bbfe0b19e194b7314e3da0300e93b597e16674da

SHA256
40429571b56fda5a6fdcfda7fbb1023d8d014829e94c3917f281e4cdb7bf1131

SHA512
a34240b6e2cb771d5d257af6426435257b8867ed368109b584b3c35b3b202adab6ebbe53414acc468f88328c00f5f502f24f86a21d1782ad8b49513177d2a0ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202r.exe

Filesize
325KB

MD5
def0df42d10e734700bc509b5ae9eab5

SHA1
b8c13dc2e80735a7724e4cbe91f9344244b15527

SHA256
6a7f22c2288dab1c70b35e2a88157cfb86b56687eee48d44170fbc5bacf50b79

SHA512
625bc1582d07e497e6c553b7c0cec0e22595368b7b7ba694c1a487ec547a60cab4d8e3b529bc583586f6e0a4f77268b05cd3d04170b16f7986458690f22b12b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202s.exe

Filesize
325KB

MD5
fd5f832ae4d27426f8ea1cee90172d8f

SHA1
d22f00f906a82fdfeb004319767c83900d0bcf68

SHA256
f7ddb218f46165121954a098846aeb36f23ae41ce9b8f59b6aaadd62ded3198b

SHA512
ed3fc8a89dbe39af4648b95c9739978045235b477b054a6f6035feab430b5259cffe3006acc252d98119245c0c56884eb0854b97ea3f441250dc3eec7929f30c

Download Submit
C:\Users\Admin\AppData\Local\Temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202t.exe

Filesize
325KB

MD5
dfdeedf4967b8c881263c43f405fd290

SHA1
08a975dc9aabc142a468118dab7c35234be8df7b

SHA256
023b4c365da0f38638b11da76f9ea2051573061686e820998f5d77e08550b85f

SHA512
3ae500af1882e12c8bc4217cf103d6ce4a6689d9113f377d550c057416d19d069f2ec83567aebbf0768fde3c5f27f3eef4952abc95b583811942d45db9eb8502

Download Submit
C:\Users\Admin\AppData\Local\Temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202v.exe

Filesize
326KB

MD5
d58eeef61c2223a3da8a3c4d8fb57309

SHA1
764324278e4262abdb74ed1bcc9035377a3170a0

SHA256
fcb735145a358efa71d226c35c459532db4f279328f6b955c0b6ad4cc358bf70

SHA512
5a3d9f3651d6ef51ca02a347fb22bc12631dda2d5954c4f86306aaafa235d4b73d68a5722ef92f96b27f6864d33fc6010c8ab9b43dbec3c51ab0da4d9925035e

Download Submit
\??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202a.exe

Filesize
321KB

MD5
52898e14aa39ac3ff4a96fad1f200e03

SHA1
535661becba622946492788f72764442868d8dbf

SHA256
a09b809ac3d96f0e6cf7ddb013602a73693772b3e3385e0dce56e48b5cd6b112

SHA512
a663b306f000bd1672aa5b9a859881d2115dd53604d7f6b74a969bcab5edfa23ef7a72a03f305857f83ace891bcd57d7588c91942606451980427260bc38e953

Download Submit
\??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202b.exe

Filesize
321KB

MD5
5dee6f15a966b87828845cb4c94a2214

SHA1
1591880b8461bf0830b9824fa5564904ecca7365

SHA256
a6f322450bcdde55752273368395cbeacbcd218d9df976d4c820cc55cc4edca2

SHA512
32c3eebaa04ff9873fefe3e4b0c294687bde8f9da9080be5090015e8a3d44b86a3363b4ef474208d25de4a06d05b1956eca56019d47c96711ea0359fed9b07ab

Download Submit
\??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202e.exe

Filesize
322KB

MD5
a8312343db93780139faa4397118d1c6

SHA1
92bd3b7eae76b10f2ed05581052696dfe5fa22ce

SHA256
6c91f69851f773c8991794c09c2ba0a9ad1e6257946821b4b6a98f4bd3f316eb

SHA512
dc4481c6a73e9588490e9b0e3ce2b6a3d09fd02aec8009b5f55bb7459c75897355eeca0e086ef78630b2914e74bfb8314ff7f1a00231dde4bc178c0c5103ccc6

Download Submit
\??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202h.exe

Filesize
323KB

MD5
eb7b0f9e6b11c54de8865abed9246317

SHA1
3ccb0fec2e3daed7ecb396ff2375ac0fdbbef693

SHA256
5a7f4ae29aeec1d49b7ada5087d035c629a7bf7de1b17bc46838f0f98f5e4d14

SHA512
76d91ac851e7856ed73f9a9991fe2be06bc14c44d05764d69be0f2ee39cc7aa86f691cc393f4d7e0b4eacc98f0be158c0640fa9f444bbb57796f105745ff6de8

Download Submit
\??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202j.exe

Filesize
323KB

MD5
ef00a89aac76d4042782b0c54660d428

SHA1
aaf2d6558d121d109c6455650d0a4eadd300b5ae

SHA256
e885a9c652cc4fd28fe1b0d1b094eceb69a6674ddbf449a3402a95c1c11f2c67

SHA512
e42fd7eae93db7f69bde3ac129860dd9dc26fb535d821feb4733ce56da65c37c592f3abcd3b4e6cf45b2766bb6fad39cd41f2e245377f55f3d5bd65396f6de53

Download Submit
\??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202m.exe

Filesize
324KB

MD5
cb12146cea494bba540b1a257ee6d686

SHA1
b536854e8e456a40f2a8c52a1aa2294410b6e6c5

SHA256
bfacf2b6d7dd2a88fa09390ed847132bc5b95f81d6a72665bbd7e6197b6b825d

SHA512
19b6f2efef969c6af6df519a9858b40e07ad035c92c60f97b6bb3360f4af1cc1c0e2f6d11ec41083d42c7e998223c8cca28a92130434f5e1f055ffe59534cce4

Download Submit
\??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202n.exe

Filesize
324KB

MD5
ce62c969574d7f76b8c4709956a18821

SHA1
162fac9dd322013ee4f48e9a43648fad4bd5e17d

SHA256
703c28decf8740dd6b250c041467fba0d88ab2b8ca8e64b9eb436f5317e6cf39

SHA512
27c95a67c1de22bc19e2e0a92d2e3feccc5ca0088696c060543cae419ccb3d61e5d129676110d1d622548ef3e39c823966cf332852dd0a8ce56ef2e2c1a374f1

Download Submit
\??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202o.exe

Filesize
324KB

MD5
c00c4e469989caac4e4730ef392e98c0

SHA1
d9ebc634b470b57c4a4901d60dd48cef9a3c9ef7

SHA256
6bfe1dbb15dbdf2b07eb7c518f5e3ae68928b4842131715648f1a78cbfc82f9b

SHA512
fd1aacf9a83117b57eb0b7edaf1324c9ebede95f31f9643391b37a8235190ecb11c230cca6c881162949a8df67e602a9367bb6c61a0ba17e56cc12157a76e250

Download Submit
\??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202p.exe

Filesize
325KB

MD5
fa8ac5e1c2b8ffece74b6f1c2b6caacc

SHA1
109e42c2c6c8530a0f5a3d4faf386b28d62865e6

SHA256
94df687abad9b3a04c594f1bf572268a0bf1cc2fefdb1e9256f34f646648b513

SHA512
0cf598ffccb7cad74b51906a889d0a15b0d52de500a53c26e6375086d542025dc427b0508de6a8b08909b16320d8b0438a52eb0a496693641f6e1a7d6149b978

Download Submit
\??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202q.exe

Filesize
325KB

MD5
4cfd3df997da4aaf75f9e63836d31f31

SHA1
118e125b5e810b9b66a5d8a3840afe7b255ca68c

SHA256
36fe5275459c9b2cbfaa8d4fd392414d41f5c77ff627f7f99ae43686628a05ba

SHA512
188daf223fcb6443a25ed10e6719308312cb2ba13134ab345e2e6b45b94d01599fc92f6d2ab95dd8bd0ac3a8d174d7c491c08ac3c34b2b818d3525a943b5f3ee

Download Submit
\??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202u.exe

Filesize
326KB

MD5
fb80e97a4dc51f3109d075a757e06c7f

SHA1
f949ef8e5bbedd60d0264a51b83a6236edc79b38

SHA256
038eb230c200621945713540759b455e7de43806013bb20c408d652a9496199d

SHA512
7f44825f7dfef318589d736aa3513a58af02ba58895f811d33eb7a0c1a90211ac2ba217ea0787a7e031c915f98f2eacf46637ace577e6608b76e3107b27645ea

Download Submit
\??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202w.exe

Filesize
326KB

MD5
89904781553b91d039a5c2b45fd56f53

SHA1
e85ccb9ed489e543745360e1eb740d240493dcde

SHA256
e81df20b04f2f8729a839b168e0c2ffe90f3356103a8fda95ca5d89c578e5aa1

SHA512
cbd3b57e5e424555528d36e8762fef09db4f3f859764f0586c133819d415ede4fda84ae215a6ba4343d2ad96d1e7d6f2d147c368e97aa960bbe1be03ee4cc2f6

Download Submit
\??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202x.exe

Filesize
326KB

MD5
d1d83a094aff6848b35cf289f0eff7e2

SHA1
af79f16893e8e0e644376c0b8d0ce67e9d623afb

SHA256
c0330592862056ab853c7087d54f6acf1338a285cec2aca237caa6652bb0691b

SHA512
c935f4e75759a751975425e9c4acedf6c8b9deee94ce8fe097ebe79ec07ef3951703acb8b339be2260610b90be0226def8f9028b5966c3d7ea9d45d530304162

Download Submit
\??\c:\users\admin\appdata\local\temp\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202y.exe

Filesize
327KB

MD5
cf969ff7ff6946da4c672c50adae6705

SHA1
a826bf484844c921aac57986d7c7d1cd133f6a49

SHA256
8b124fd78edf99069bc889e05708e3fcea3260ba83a2f863928b454acb7f1100

SHA512
6c5e741e3d667c00d69524d553fb08b7bbf7eaf5de1d3055eb24403c3e25417b4cbd93075b902a524200702e3b9f087a0fe18f0a472749dd0cf14d94ff47da62

Download Submit
memory/216-219-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1520-41-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1520-29-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1864-71-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2116-97-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2192-80-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2452-61-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2648-90-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2648-100-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2744-50-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2896-156-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2896-167-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2968-188-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2968-176-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3028-145-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3104-237-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3120-189-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3120-199-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3144-155-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3432-165-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3432-178-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3524-125-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3524-117-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3748-249-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3980-266-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4228-229-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4340-103-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4340-119-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4484-259-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4552-31-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4740-135-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4740-123-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4832-209-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4952-270-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4964-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4964-16-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4980-9-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4980-25-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202i.exe\""	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202h.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202p.exe\""	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202o.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202t.exe\""	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202s.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202w.exe\""	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202v.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202a.exe\""	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202h.exe\""	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202g.exe\""	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202o.exe\""	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202e.exe\""	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202f.exe\""	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202l.exe\""	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202q.exe\""	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202u.exe\""	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202t.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202v.exe\""	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202u.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202x.exe\""	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202w.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202y.exe\""	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202b.exe\""	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202c.exe\""	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202j.exe\""	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202i.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202r.exe\""	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202q.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202k.exe\""	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202j.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202m.exe\""	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202n.exe\""	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202s.exe\""	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202r.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202.exe\""	0497546b77d039b398f1862b6054bd44_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0497546b77d039b398f1862b6054bd44_jaffacakes118_3202d.exe\""	0497546b77d039b398f1862b6054bd44_jaffacakes118_3202c.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads