Malware Analysis Report

2025-08-05 10:00

Sample ID 240403-xpvabsac53
Target a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118
SHA256 59822012b04406a3df0f5893619e6129398134fc922d53ff1f1c9a6daf803f5b
Tags persistence spyware stealer
Score 7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118 shows suspicious behavior.

Malicious Activity Summary

persistence spyware stealer

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-03 19:02

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-03 19:02

Reported

2024-04-03 19:04

Platform

win7-20240221-en

Max time kernel

140s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe N/A
N/A N/A C:\Users\Public\Microsoft Build\Isass.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe" C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe" C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe N/A
N/A N/A C:\Users\Public\Microsoft Build\Isass.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1720 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe C:\Users\Public\Microsoft Build\Isass.exe
PID 1720 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe C:\Users\Public\Microsoft Build\Isass.exe
PID 2192 wrote to memory of 2608 N/A C:\Users\Public\Microsoft Build\Isass.exe C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
PID 2608 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe C:\Users\Public\Microsoft Build\Isass.exe
PID 2672 wrote to memory of 2256 N/A C:\Users\Public\Microsoft Build\Isass.exe C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
PID 2256 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe C:\Users\Public\Microsoft Build\Isass.exe
PID 2620 wrote to memory of 2480 N/A C:\Users\Public\Microsoft Build\Isass.exe C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
PID 2480 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe C:\Users\Public\Microsoft Build\Isass.exe
PID 2624 wrote to memory of 2476 N/A C:\Users\Public\Microsoft Build\Isass.exe C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
PID 2476 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe C:\Users\Public\Microsoft Build\Isass.exe
PID 2532 wrote to memory of 2908 N/A C:\Users\Public\Microsoft Build\Isass.exe C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
PID 2908 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe C:\Users\Public\Microsoft Build\Isass.exe
PID 1108 wrote to memory of 2268 N/A C:\Users\Public\Microsoft Build\Isass.exe C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
PID 2268 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe C:\Users\Public\Microsoft Build\Isass.exe
PID 2716 wrote to memory of 1988 N/A C:\Users\Public\Microsoft Build\Isass.exe C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
PID 1988 wrote to memory of 308 N/A C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe C:\Users\Public\Microsoft Build\Isass.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"

C:\Users\Public\Microsoft Build\Isass.exe

"C:\Users\Public\Microsoft Build\Isass.exe"

C:\Users\Public\Microsoft Build\Isass.exe

"C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe

Network

N/A

Files

C:\Users\Public\Microsoft Build\Isass.exe

MD5 dedd8708721873baf3d803c3554dc7dd
SHA1 070047ee6b6fe52be226009c817370f6e69f9d31
SHA256 529b1a8217a932c507302ad85cd050d294316c7155122026ea11ef0233397685
SHA512 913bac5400e1fcdff288521a1832330566d2c136e899f4a60874509dd0837d09b3b474af57da951fd50f1a8abdad2edfd0a463827b4f1b7dbbfd5a9cf7d3fd92

C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe

MD5 276c1b7f46b8488344e85387c9ce6e80
SHA1 2901f43aa439f48baf786018696546e580ba9880
SHA256 608c5265075bacf05353a4d816fe815ec1ba2e95bb88313d5cf38655274841be
SHA512 5e02be9cfd27c3de2e17618958c5b82b38ef402ca59c260a1c93e2b0ac30871be29f43b3f160c8adb9c56061f5138db33a07e172c7c445c62fe0cd78f5fd1c8f

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-03 19:02

Reported

2024-04-03 19:04

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation C:\Users\Public\Microsoft Build\Isass.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe" C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe" C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe N/A
N/A N/A C:\Users\Public\Microsoft Build\Isass.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5020 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe C:\Users\Public\Microsoft Build\Isass.exe
PID 5020 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe C:\Users\Public\Microsoft Build\Isass.exe
PID 2564 wrote to memory of 2324 N/A C:\Users\Public\Microsoft Build\Isass.exe C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
PID 2324 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe C:\Users\Public\Microsoft Build\Isass.exe
PID 3108 wrote to memory of 3292 N/A C:\Users\Public\Microsoft Build\Isass.exe C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
PID 3292 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe C:\Users\Public\Microsoft Build\Isass.exe
PID 4544 wrote to memory of 5080 N/A C:\Users\Public\Microsoft Build\Isass.exe C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
PID 5080 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe C:\Users\Public\Microsoft Build\Isass.exe
PID 4064 wrote to memory of 4476 N/A C:\Users\Public\Microsoft Build\Isass.exe C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
PID 4476 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe C:\Users\Public\Microsoft Build\Isass.exe
PID 4408 wrote to memory of 4692 N/A C:\Users\Public\Microsoft Build\Isass.exe C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
PID 4692 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe C:\Users\Public\Microsoft Build\Isass.exe
PID 824 wrote to memory of 4932 N/A C:\Users\Public\Microsoft Build\Isass.exe C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
PID 4932 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
PID 5048 wrote to memory of 4576 N/A C:\Users\Public\Microsoft Build\Isass.exe C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
PID 4576 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe C:\Users\Public\Microsoft Build\Isass.exe
PID 4368 wrote to memory of 4676 N/A C:\Users\Public\Microsoft Build\Isass.exe C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
PID 4676 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe C:\Users\Public\Microsoft Build\Isass.exe
PID 2344 wrote to memory of 4600 N/A C:\Users\Public\Microsoft Build\Isass.exe C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
PID 4600 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe C:\Users\Public\Microsoft Build\Isass.exe
PID 2616 wrote to memory of 2124 N/A C:\Users\Public\Microsoft Build\Isass.exe C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
PID 2124 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe C:\Users\Public\Microsoft Build\Isass.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"

C:\Users\Public\Microsoft Build\Isass.exe

"C:\Users\Public\Microsoft Build\Isass.exe"

C:\Users\Public\Microsoft Build\Isass.exe

"C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe


Network


Files

C:\Users\Public\Microsoft Build\Isass.exe

MD5 dedd8708721873baf3d803c3554dc7dd
SHA1 070047ee6b6fe52be226009c817370f6e69f9d31
SHA256 529b1a8217a932c507302ad85cd050d294316c7155122026ea11ef0233397685
SHA512 913bac5400e1fcdff288521a1832330566d2c136e899f4a60874509dd0837d09b3b474af57da951fd50f1a8abdad2edfd0a463827b4f1b7dbbfd5a9cf7d3fd92

C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe

MD5 276c1b7f46b8488344e85387c9ce6e80
SHA1 2901f43aa439f48baf786018696546e580ba9880
SHA256 608c5265075bacf05353a4d816fe815ec1ba2e95bb88313d5cf38655274841be
SHA512 5e02be9cfd27c3de2e17618958c5b82b38ef402ca59c260a1c93e2b0ac30871be29f43b3f160c8adb9c56061f5138db33a07e172c7c445c62fe0cd78f5fd1c8f

C:\odt\office2016setup.exe

MD5 d8055cda69331f4f37c18884d24833de
SHA1 ac89e8d5a454621904706379a23eb239fbf13de0
SHA256 06855835067e1e441ae668647e35c8118993b24356bc00b03c0744d88dbc419d
SHA512 a1849831a5c160e2d023fe09af4cccad39ac0725315f6936c8858e9315769a05bd59a91db6c7493b1a208f5c86cd833e95715a1fa853c1aed39608fcd2ab9445
