d46d599d0e3c35af86e70d0b9d0633fe735def84ac997637862069d61a08e667

Analysis

max time kernel
149s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
04-04-2024 21:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
Size

1.2MB
MD5

c31df3d8b2b8f9368e7957d0033af4e1
SHA1

ca78c2b18414a92a2303e34d35f8d03bec4fbc61
SHA256

d46d599d0e3c35af86e70d0b9d0633fe735def84ac997637862069d61a08e667
SHA512

2c3f40743c6f5b86fc4d0330bedc676a84c236721a230b06d6dd71d492a1e867f076bea1134a7e68d0d78fda477d5c4a6a366f906fb0e31e746dcc8be9e384f3
SSDEEP

24576:8uPmLDUMihIXCE58ow3HAr8KXIE5rbc918VQAPM1mFJ:8u+LIIX7Rw3HAr8KXIE9bc917AeQJ

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	Isass.exe

Executes dropped EXE 37 IoCs

pid	Process
2060	Isass.exe
4352	Isass.exe
3788	Isass.exe
4972	Isass.exe
1312	Isass.exe
4332	Isass.exe
5020	Isass.exe
5064	Isass.exe
2696	Isass.exe
3840	Isass.exe
3068	Isass.exe
4496	Isass.exe
3112	Isass.exe
4324	Isass.exe
3244	Isass.exe
4284	Isass.exe
3804	Isass.exe
4020	Isass.exe
4424	Isass.exe
4376	Isass.exe
2696	Isass.exe
3064	Isass.exe
436	Isass.exe
4844	Isass.exe
384	Isass.exe
4352	Isass.exe
2064	Isass.exe
4640	Isass.exe
3264	Isass.exe
1880	Isass.exe
4868	Isass.exe
4988	Isass.exe
228	Isass.exe
624	Isass.exe
2512	Isass.exe
4104	Isass.exe
3032	Isass.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4348	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
4348	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
2060	Isass.exe
2060	Isass.exe
4352	Isass.exe
4352	Isass.exe
4352	Isass.exe
4352	Isass.exe
4352	Isass.exe
4352	Isass.exe
4168	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
4168	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
3788	Isass.exe
3788	Isass.exe
3788	Isass.exe
3788	Isass.exe
3788	Isass.exe
3788	Isass.exe
2524	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
2524	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
4972	Isass.exe
4972	Isass.exe
4972	Isass.exe
4972	Isass.exe
4972	Isass.exe
4972	Isass.exe
4292	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
4292	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
1312	Isass.exe
1312	Isass.exe
1312	Isass.exe
1312	Isass.exe
1312	Isass.exe
1312	Isass.exe
2904	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
2904	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
4332	Isass.exe
4332	Isass.exe
4332	Isass.exe
4332	Isass.exe
4332	Isass.exe
4332	Isass.exe
2408	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
2408	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
5020	Isass.exe
5020	Isass.exe
5020	Isass.exe
5020	Isass.exe
5020	Isass.exe
5020	Isass.exe
3192	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
3192	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
5064	Isass.exe
5064	Isass.exe
5064	Isass.exe
5064	Isass.exe
5064	Isass.exe
5064	Isass.exe
1880	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
1880	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
2696	Isass.exe
2696	Isass.exe
2696	Isass.exe
2696	Isass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4348 wrote to memory of 2060	4348	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	86
PID 4348 wrote to memory of 2060	4348	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	86
PID 4348 wrote to memory of 2060	4348	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	86
PID 4348 wrote to memory of 4352	4348	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	89
PID 4348 wrote to memory of 4352	4348	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	89
PID 4348 wrote to memory of 4352	4348	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	89
PID 4352 wrote to memory of 4168	4352	Isass.exe	90
PID 4352 wrote to memory of 4168	4352	Isass.exe	90
PID 4352 wrote to memory of 4168	4352	Isass.exe	90
PID 4168 wrote to memory of 3788	4168	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	91
PID 4168 wrote to memory of 3788	4168	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	91
PID 4168 wrote to memory of 3788	4168	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	91
PID 3788 wrote to memory of 2524	3788	Isass.exe	92
PID 3788 wrote to memory of 2524	3788	Isass.exe	92
PID 3788 wrote to memory of 2524	3788	Isass.exe	92
PID 2524 wrote to memory of 4972	2524	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	93
PID 2524 wrote to memory of 4972	2524	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	93
PID 2524 wrote to memory of 4972	2524	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	93
PID 4972 wrote to memory of 4292	4972	Isass.exe	94
PID 4972 wrote to memory of 4292	4972	Isass.exe	94
PID 4972 wrote to memory of 4292	4972	Isass.exe	94
PID 4292 wrote to memory of 1312	4292	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	95
PID 4292 wrote to memory of 1312	4292	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	95
PID 4292 wrote to memory of 1312	4292	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	95
PID 1312 wrote to memory of 2904	1312	Isass.exe	96
PID 1312 wrote to memory of 2904	1312	Isass.exe	96
PID 1312 wrote to memory of 2904	1312	Isass.exe	96
PID 2904 wrote to memory of 4332	2904	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	97
PID 2904 wrote to memory of 4332	2904	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	97
PID 2904 wrote to memory of 4332	2904	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	97
PID 4332 wrote to memory of 2408	4332	Isass.exe	98
PID 4332 wrote to memory of 2408	4332	Isass.exe	98
PID 4332 wrote to memory of 2408	4332	Isass.exe	98
PID 2408 wrote to memory of 5020	2408	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	99
PID 2408 wrote to memory of 5020	2408	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	99
PID 2408 wrote to memory of 5020	2408	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	99
PID 5020 wrote to memory of 3192	5020	Isass.exe	101
PID 5020 wrote to memory of 3192	5020	Isass.exe	101
PID 5020 wrote to memory of 3192	5020	Isass.exe	101
PID 3192 wrote to memory of 5064	3192	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	152
PID 3192 wrote to memory of 5064	3192	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	152
PID 3192 wrote to memory of 5064	3192	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	152
PID 5064 wrote to memory of 1880	5064	Isass.exe	153
PID 5064 wrote to memory of 1880	5064	Isass.exe	153
PID 5064 wrote to memory of 1880	5064	Isass.exe	153
PID 1880 wrote to memory of 2696	1880	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	154
PID 1880 wrote to memory of 2696	1880	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	154
PID 1880 wrote to memory of 2696	1880	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	154
PID 2696 wrote to memory of 4024	2696	Isass.exe	105
PID 2696 wrote to memory of 4024	2696	Isass.exe	105
PID 2696 wrote to memory of 4024	2696	Isass.exe	105
PID 4024 wrote to memory of 3840	4024	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	106
PID 4024 wrote to memory of 3840	4024	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	106
PID 4024 wrote to memory of 3840	4024	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	106
PID 3840 wrote to memory of 532	3840	Isass.exe	107
PID 3840 wrote to memory of 532	3840	Isass.exe	107
PID 3840 wrote to memory of 532	3840	Isass.exe	107
PID 532 wrote to memory of 3068	532	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	136
PID 532 wrote to memory of 3068	532	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	136
PID 532 wrote to memory of 3068	532	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	136
PID 3068 wrote to memory of 5072	3068	Isass.exe	109
PID 3068 wrote to memory of 5072	3068	Isass.exe	109
PID 3068 wrote to memory of 5072	3068	Isass.exe	109
PID 5072 wrote to memory of 4496	5072	c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe	110

C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4348
- C:\Users\Public\Microsoft Build\Isass.exe
  "C:\Users\Public\Microsoft Build\Isass.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2060
- C:\Users\Public\Microsoft Build\Isass.exe
  "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4352
- - C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4168
  - - C:\Users\Public\Microsoft Build\Isass.exe
      "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3788
    - - C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe"
        5⤵
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2524
      - C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe"
        7⤵
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe"
        9⤵
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe"
        11⤵
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe"
        13⤵
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3192
        
        C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe"
        15⤵
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe"
        17⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4024
        
        C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe"
        19⤵
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe"
        21⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        22⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe"
        23⤵
        Checks computer location settings
        
        PID:4568
        
        C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        24⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe"
        25⤵
        Checks computer location settings
        
        PID:3764
        
        C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        26⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe"
        27⤵
        
        PID:896
        
        C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        28⤵
        Executes dropped EXE
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe"
        29⤵
        Checks computer location settings
        
        PID:4920
        
        C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        30⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe"
        31⤵
        Checks computer location settings
        
        PID:3288
        
        C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        32⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3804
        
        C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe"
        33⤵
        Checks computer location settings
        
        PID:3752
        
        C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        34⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe"
        35⤵
        Checks computer location settings
        
        PID:1604
        
        C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        36⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe"
        37⤵
        Checks computer location settings
        
        PID:3724
        
        C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        38⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe"
        39⤵
        Checks computer location settings
        
        PID:1880
        
        C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        40⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe"
        41⤵
        Checks computer location settings
        
        PID:3000
        
        C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        42⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe"
        43⤵
        Checks computer location settings
        
        PID:3068
        
        C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        44⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe"
        45⤵
        Checks computer location settings
        
        PID:3608
        
        C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        46⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe"
        47⤵
        Checks computer location settings
        
        PID:4408
        
        C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        48⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:384
        
        C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe"
        49⤵
        Checks computer location settings
        
        PID:4716
        
        C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        50⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe"
        51⤵
        Checks computer location settings
        
        PID:2632
        
        C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        52⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe"
        53⤵
        
        PID:4996
        
        C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        54⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe"
        55⤵
        Checks computer location settings
        
        PID:4020
        
        C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        56⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe"
        57⤵
        Checks computer location settings
        
        PID:5064
        
        C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        58⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe"
        59⤵
        Checks computer location settings
        
        PID:2696
        
        C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        60⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe"
        61⤵
        Checks computer location settings
        
        PID:2388
        
        C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        62⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe"
        63⤵
        
        PID:3176
        
        C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        64⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe"
        65⤵
        Checks computer location settings
        
        PID:1440
        
        C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        66⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe"
        67⤵
        Checks computer location settings
        
        PID:1364
        
        C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        68⤵
        Executes dropped EXE
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe"
        69⤵
        Checks computer location settings
        
        PID:4920
        
        C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        70⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe"
        71⤵
        Checks computer location settings
        
        PID:3752
        
        C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe
        72⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c31df3d8b2b8f9368e7957d0033af4e1_JaffaCakes118.exe

Filesize
524KB

MD5
25833df880df030d5ef536273d1eb341

SHA1
43e86ae135fe5456287fa71712a1e27867b02193

SHA256
081dc59cc46bb97d20568013ae6007be41b9c1e8ff7e8327ea91e0edca32f862

SHA512
ae2efa715fa92cd280cad38194cf4fe8f50481b97cbcd8c89f0e56db5ecd7726bcd2e7e57c73c9473e05fc12059d21ec56737747452019b18e3a3f9d8c402e09

Download Submit
C:\Users\Public\Microsoft Build\Isass.exe

Filesize
624KB

MD5
1dd29920d53ec6d8215c9668a90d0a34

SHA1
cc2c4a1abeeab01b3eaf201d66cc0f86b48acfcb

SHA256
62b51132132d1aa915e4b1fea6073a49a10560fbd9bf78aabd740dd20f5bd7ac

SHA512
c99ebe656d200c8cc55b31995ec74a1a482c21a7c7c6b5b90ae782d247e9ca858d9e79227e8882beb5a766eed78f75ce41025a119ed2172c08f77fed8ad3c124

Download Submit
C:\odt\office2016setup.exe

Filesize
5.7MB

MD5
29d86a632fe3fe3f663dcbbca1afbb92

SHA1
55f1d5e98a94a693a0423b774b1fa0ce15f1a678

SHA256
d631e52d758950e85d23fb41c3bd9b556d91dacb77a9fdd296628386ee8f547d

SHA512
9e616281a5c9939966c88dadf837fbf8bd15f2ce2efcec783fff0ffc400607c2ee75637e1b75e135891b438a6c0b3746b119a7c38ae16755a37cf7ae4958c81d

Download Submit
memory/228-161-0x0000000001A50000-0x0000000001A51000-memory.dmp

Filesize
4KB

Download
memory/384-124-0x0000000001A70000-0x0000000001A71000-memory.dmp

Filesize
4KB

Download
memory/384-123-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/436-115-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/436-114-0x0000000001A60000-0x0000000001A61000-memory.dmp

Filesize
4KB

Download
memory/532-52-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/532-50-0x0000000001A40000-0x0000000001A41000-memory.dmp

Filesize
4KB

Download
memory/624-165-0x00000000019F0000-0x00000000019F1000-memory.dmp

Filesize
4KB

Download
memory/896-70-0x00000000020F0000-0x00000000020F1000-memory.dmp

Filesize
4KB

Download
memory/896-72-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/1312-23-0x0000000001C60000-0x0000000001C61000-memory.dmp

Filesize
4KB

Download
memory/1312-24-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/1364-167-0x00000000019F0000-0x00000000019F1000-memory.dmp

Filesize
4KB

Download
memory/1604-93-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/1604-92-0x0000000001A70000-0x0000000001A71000-memory.dmp

Filesize
4KB

Download
memory/1880-103-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/1880-149-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/1880-42-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/1880-148-0x0000000001A70000-0x0000000001A71000-memory.dmp

Filesize
4KB

Download
memory/1880-101-0x0000000001B80000-0x0000000001B81000-memory.dmp

Filesize
4KB

Download
memory/1880-40-0x0000000001A70000-0x0000000001A71000-memory.dmp

Filesize
4KB

Download
memory/2060-5-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2060-90-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2064-134-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2064-133-0x0000000003620000-0x0000000003621000-memory.dmp

Filesize
4KB

Download
memory/2388-156-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2408-32-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2408-30-0x0000000003810000-0x0000000003811000-memory.dmp

Filesize
4KB

Download
memory/2524-15-0x0000000003710000-0x0000000003711000-memory.dmp

Filesize
4KB

Download
memory/2524-17-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2632-132-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2632-130-0x0000000002070000-0x0000000002071000-memory.dmp

Filesize
4KB

Download
memory/2696-150-0x0000000003610000-0x0000000003611000-memory.dmp

Filesize
4KB

Download
memory/2696-43-0x0000000001A70000-0x0000000001A71000-memory.dmp

Filesize
4KB

Download
memory/2696-152-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2696-104-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2696-105-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2696-44-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/2904-25-0x0000000001FF0000-0x0000000001FF1000-memory.dmp

Filesize
4KB

Download
memory/2904-27-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/3000-108-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/3000-106-0x0000000001A70000-0x0000000001A71000-memory.dmp

Filesize
4KB

Download
memory/3064-109-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3064-110-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/3068-53-0x0000000001A00000-0x0000000001A01000-memory.dmp

Filesize
4KB

Download
memory/3068-113-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/3068-54-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/3068-111-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/3112-63-0x0000000001A00000-0x0000000001A01000-memory.dmp

Filesize
4KB

Download
memory/3112-64-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/3176-160-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/3176-158-0x00000000019F0000-0x00000000019F1000-memory.dmp

Filesize
4KB

Download
memory/3192-35-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/3192-37-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/3244-73-0x0000000001A60000-0x0000000001A61000-memory.dmp

Filesize
4KB

Download
memory/3244-74-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/3264-144-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/3264-143-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3288-80-0x0000000001B60000-0x0000000001B61000-memory.dmp

Filesize
4KB

Download
memory/3288-82-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/3608-117-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/3724-98-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/3724-96-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/3752-85-0x0000000003800000-0x0000000003801000-memory.dmp

Filesize
4KB

Download
memory/3752-87-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/3764-65-0x0000000001A50000-0x0000000001A51000-memory.dmp

Filesize
4KB

Download
memory/3764-67-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/3788-13-0x0000000001A40000-0x0000000001A41000-memory.dmp

Filesize
4KB

Download
memory/3788-14-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/3804-83-0x0000000001A50000-0x0000000001A51000-memory.dmp

Filesize
4KB

Download
memory/3804-84-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/3840-49-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/3840-48-0x0000000001F40000-0x0000000001F41000-memory.dmp

Filesize
4KB

Download
memory/4020-89-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/4020-88-0x0000000001E60000-0x0000000001E61000-memory.dmp

Filesize
4KB

Download
memory/4020-140-0x0000000001A40000-0x0000000001A41000-memory.dmp

Filesize
4KB

Download
memory/4020-142-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/4024-47-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/4024-45-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4168-10-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4168-12-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/4284-78-0x0000000001E70000-0x0000000001E71000-memory.dmp

Filesize
4KB

Download
memory/4284-79-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/4292-22-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/4292-20-0x0000000003720000-0x0000000003721000-memory.dmp

Filesize
4KB

Download
memory/4324-68-0x0000000001A00000-0x0000000001A01000-memory.dmp

Filesize
4KB

Download
memory/4324-69-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/4332-28-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4332-29-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/4348-0-0x0000000001A60000-0x0000000001A61000-memory.dmp

Filesize
4KB

Download
memory/4348-7-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/4352-128-0x0000000001A00000-0x0000000001A01000-memory.dmp

Filesize
4KB

Download
memory/4352-129-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/4352-9-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/4352-8-0x0000000001B60000-0x0000000001B61000-memory.dmp

Filesize
4KB

Download
memory/4376-100-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/4376-99-0x0000000001A60000-0x0000000001A61000-memory.dmp

Filesize
4KB

Download
memory/4408-122-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/4408-120-0x0000000003810000-0x0000000003811000-memory.dmp

Filesize
4KB

Download
memory/4424-94-0x0000000001A60000-0x0000000001A61000-memory.dmp

Filesize
4KB

Download
memory/4424-95-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/4496-58-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/4496-59-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/4568-60-0x0000000001A40000-0x0000000001A41000-memory.dmp

Filesize
4KB

Download
memory/4568-62-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/4640-139-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/4640-138-0x0000000001A60000-0x0000000001A61000-memory.dmp

Filesize
4KB

Download
memory/4716-127-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/4716-125-0x0000000001E60000-0x0000000001E61000-memory.dmp

Filesize
4KB

Download
memory/4844-118-0x0000000001B50000-0x0000000001B51000-memory.dmp

Filesize
4KB

Download
memory/4844-119-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/4868-154-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/4868-153-0x0000000001F60000-0x0000000001F61000-memory.dmp

Filesize
4KB

Download
memory/4920-77-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/4920-75-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/4972-18-0x00000000019F0000-0x00000000019F1000-memory.dmp

Filesize
4KB

Download
memory/4972-19-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/4988-157-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/4996-137-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/4996-135-0x0000000003720000-0x0000000003721000-memory.dmp

Filesize
4KB

Download
memory/5020-33-0x0000000003610000-0x0000000003611000-memory.dmp

Filesize
4KB

Download
memory/5020-34-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/5064-147-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/5064-145-0x0000000001A60000-0x0000000001A61000-memory.dmp

Filesize
4KB

Download
memory/5064-38-0x0000000003810000-0x0000000003811000-memory.dmp

Filesize
4KB

Download
memory/5064-39-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/5072-57-0x0000000000400000-0x00000000016A3000-memory.dmp

Filesize
18.6MB

Download
memory/5072-55-0x0000000001A80000-0x0000000001A81000-memory.dmp

Filesize
4KB

Download