Analysis Overview
SHA256
6985bcee389298aeeb0fdf6067f48749c309cd97750d41dfb192f4cfbc96b54b
Threat Level: Shows suspicious behavior
The file JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9 was classified as: shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Installs/modifies Browser Helper Object
Drops file in System32 directory
System Location Discovery: System Language Discovery
Unsigned PE
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-15 16:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-15 16:33
Reported
2025-01-15 16:35
Platform
win7-20240903-en
Max time kernel
150s
Max time network
117s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\dmutil32.exe | N/A |
| N/A | N/A | C:\ProgramData\api-ms-win-core-localization-l1-2-032.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dmutil32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dmutil32.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0F09AE11-BE12-4098-BB5E-92E856FF0BB6} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\api-ms-win-core-localization-l1-2-032.dll | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\2045796327 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe | N/A |
| File created | C:\Windows\SysWOW64\dmutil32.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dmutil32.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\2045796327 | C:\Windows\SysWOW64\dmutil32.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\api-ms-win-core-localization-l1-2-032.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dmutil32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\XMLHTTP_UUID_Default = 11ae090f12be9840bb5e92e856ff0bb6 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe | N/A |
Modifies data under HKEY_USERS
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Tnsbjvyajo | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8ea8361b-554b-4884-bcaf-c204afc9d680} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Software\Tnsbjvyajo | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F09AE11-BE12-4098-BB5E-92E856FF0BB6}\InprocServer32\ = "C:\\Windows\\SysWow64\\api-ms-win-core-localization-l1-2-032.dll" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F09AE11-BE12-4098-BB5E-92E856FF0BB6} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F09AE11-BE12-4098-BB5E-92E856FF0BB6}\InprocServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Tnsbjvyajo\CLSID\ = "{8ea8361b-554b-4884-bcaf-c204afc9d680}" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Software\Tnsbjvyajo\CLSID | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Software\Tnsbjvyajo\CLSID\ = "{8ea8361b-554b-4884-bcaf-c204afc9d680}" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.fsharproj | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Software\Tnsbjvyajo\CLSID | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F09AE11-BE12-4098-BB5E-92E856FF0BB6}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Tnsbjvyajo\CLSID | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Software | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.fsharproj\PersistentHandler | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.fsharproj\PersistentHandler\ = "{c45e9028-2985-4bf5-8b13-8eeb9a25296f}" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2556 wrote to memory of 2728 | N/A | C:\Windows\SysWOW64\dmutil32.exe | C:\ProgramData\api-ms-win-core-localization-l1-2-032.exe |
| PID 2556 wrote to memory of 2728 | N/A | C:\Windows\SysWOW64\dmutil32.exe | C:\ProgramData\api-ms-win-core-localization-l1-2-032.exe |
| PID 2556 wrote to memory of 2728 | N/A | C:\Windows\SysWOW64\dmutil32.exe | C:\ProgramData\api-ms-win-core-localization-l1-2-032.exe |
| PID 2556 wrote to memory of 2728 | N/A | C:\Windows\SysWOW64\dmutil32.exe | C:\ProgramData\api-ms-win-core-localization-l1-2-032.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe"
C:\Windows\SysWOW64\dmutil32.exe
C:\Windows\SysWOW64\dmutil32.exe
C:\ProgramData\api-ms-win-core-localization-l1-2-032.exe
schutz
Network
Files
C:\Windows\SysWOW64\2045796327
| MD5 | ecd882f2dbfd7625915551727ddce092 |
| SHA1 | ecdbc1cefaaa0f5ef78016c4531b9eb74f195f9c |
| SHA256 | dbe196113fe07ebc7650c6b9e57fd7376a286b0137b9dd821ac5c103b6cc04a5 |
| SHA512 | 83b76814cb9a69909449c20c3cd77599a8b75d8203ae85d7534e2675f5b13c09904fd86cdcd6361b8d34ed66eb8ed2f4a2406dfc9412df90a16b4664e1cc7e2e |
C:\ProgramData\api-ms-win-core-localization-l1-2-032.exe
| MD5 | 5c4bc26caed4fbeca8026e18b58eb0d9 |
| SHA1 | b325151aa6e6ba2155c4b81e51fa36aea9e62588 |
| SHA256 | 6985bcee389298aeeb0fdf6067f48749c309cd97750d41dfb192f4cfbc96b54b |
| SHA512 | 992131fa20161a0a22fdc1fb0d7e34fb268aa7aedce9c7e6a2ff5501edea01447ab77b926323733413ad74d133d4d1eee78f4ae2fa4dc404891af2fd749e4c10 |
memory/2812-28-0x0000000000489000-0x000000000048C000-memory.dmp
memory/2812-27-0x0000000000400000-0x0000000000492000-memory.dmp
C:\Windows\SysWOW64\2045796327
| MD5 | dda01966a5980b296846651a96adaa6f |
| SHA1 | 8443bdcf0db537846a54f96317a6d1b1fa0917a9 |
| SHA256 | e7f5aabc475c6736833d079010b0775caa3928d529d5f2a2a3071cf470cffe86 |
| SHA512 | 9b0e685cf3807f0ac4271c53475bd0a8236b3ba630d75788743991db8d29f0daa9c8dc770757f8c9f1431d1f04fb0d367302b75212548443622d2bfca5667816 |
memory/2556-24-0x0000000000400000-0x0000000000492000-memory.dmp
memory/2812-5-0x0000000000400000-0x0000000000492000-memory.dmp
memory/2812-6-0x0000000010000000-0x000000001008F000-memory.dmp
\Windows\SysWOW64\api-ms-win-core-localization-l1-2-032.dll
| MD5 | 039a15a688868e70e8f524dd085de889 |
| SHA1 | 696707392807a8a12a186eace7f2988fa99d0410 |
| SHA256 | 9df4737585de117e0de9b51cc4c047caf818cd3568c94b87a003a40ad99992fa |
| SHA512 | 8e6c40cf4241cf66adf0bd0cd5efb8621b92b2c444e3ec20daa02b36268a5aa9a70577ef8d480e3b6fea7b72f9c31657cddf5d4d652bc2403637dbdb9d0decd7 |
memory/2812-1-0x0000000000400000-0x0000000000492000-memory.dmp
memory/2812-0-0x0000000000489000-0x000000000048C000-memory.dmp
memory/2556-41-0x0000000000400000-0x0000000000492000-memory.dmp
memory/2728-44-0x0000000000400000-0x0000000000492000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-15 16:33
Reported
2025-01-15 16:35
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\odbctrac32.exe | N/A |
| N/A | N/A | C:\ProgramData\agentactivationruntimewindows32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{136971C9-FED1-4571-9D36-A175B4E90C42} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\974975309 | C:\Windows\SysWOW64\odbctrac32.exe | N/A |
| File created | C:\Windows\SysWOW64\agentactivationruntimewindows32.dll | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\974975309 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe | N/A |
| File created | C:\Windows\SysWOW64\odbctrac32.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\odbctrac32.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\agentactivationruntimewindows32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\odbctrac32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\XMLHTTP_UUID_Default = c9716913d1fe71459d36a175b4e90c42 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe | N/A |
Modifies data under HKEY_USERS
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{45d14cf6-0937-49bd-8298-07e84fc532fa} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Software\Hbsatpnuwd\CLSID\ = "{45d14cf6-0937-49bd-8298-07e84fc532fa}" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.fsharproj\PersistentHandler | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{136971C9-FED1-4571-9D36-A175B4E90C42} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Hbsatpnuwd | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Hbsatpnuwd\CLSID\ = "{45d14cf6-0937-49bd-8298-07e84fc532fa}" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Software | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.fsharproj\PersistentHandler\ = "{a35d3dea-816c-4752-80f2-6fb0e4f6396a}" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{136971C9-FED1-4571-9D36-A175B4E90C42}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Software\Hbsatpnuwd\CLSID | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.fsharproj | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{136971C9-FED1-4571-9D36-A175B4E90C42}\InprocServer32\ = "C:\\Windows\\SysWow64\\agentactivationruntimewindows32.dll" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{136971C9-FED1-4571-9D36-A175B4E90C42}\InprocServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Hbsatpnuwd\CLSID | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Software\Hbsatpnuwd | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4492 wrote to memory of 2432 | N/A | C:\Windows\SysWOW64\odbctrac32.exe | C:\ProgramData\agentactivationruntimewindows32.exe |
| PID 4492 wrote to memory of 2432 | N/A | C:\Windows\SysWOW64\odbctrac32.exe | C:\ProgramData\agentactivationruntimewindows32.exe |
| PID 4492 wrote to memory of 2432 | N/A | C:\Windows\SysWOW64\odbctrac32.exe | C:\ProgramData\agentactivationruntimewindows32.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4bc26caed4fbeca8026e18b58eb0d9.exe"
C:\Windows\SysWOW64\odbctrac32.exe
C:\Windows\SysWOW64\odbctrac32.exe
C:\ProgramData\agentactivationruntimewindows32.exe
schutz
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 61.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 166.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.167.79.40.in-addr.arpa | udp |
Files
memory/640-0-0x0000000000489000-0x000000000048C000-memory.dmp
memory/640-1-0x0000000000400000-0x0000000000492000-memory.dmp
C:\Windows\SysWOW64\agentactivationruntimewindows32.dll
| MD5 | 039a15a688868e70e8f524dd085de889 |
| SHA1 | 696707392807a8a12a186eace7f2988fa99d0410 |
| SHA256 | 9df4737585de117e0de9b51cc4c047caf818cd3568c94b87a003a40ad99992fa |
| SHA512 | 8e6c40cf4241cf66adf0bd0cd5efb8621b92b2c444e3ec20daa02b36268a5aa9a70577ef8d480e3b6fea7b72f9c31657cddf5d4d652bc2403637dbdb9d0decd7 |
memory/640-6-0x0000000010000000-0x000000001008F000-memory.dmp
memory/640-10-0x0000000000400000-0x0000000000492000-memory.dmp
C:\Windows\SysWOW64\odbctrac32.exe
| MD5 | 5c4bc26caed4fbeca8026e18b58eb0d9 |
| SHA1 | b325151aa6e6ba2155c4b81e51fa36aea9e62588 |
| SHA256 | 6985bcee389298aeeb0fdf6067f48749c309cd97750d41dfb192f4cfbc96b54b |
| SHA512 | 992131fa20161a0a22fdc1fb0d7e34fb268aa7aedce9c7e6a2ff5501edea01447ab77b926323733413ad74d133d4d1eee78f4ae2fa4dc404891af2fd749e4c10 |
C:\Windows\SysWOW64\974975309
| MD5 | 71723132c62124e5dd0d4e39bc72ece8 |
| SHA1 | 338a09b62eea797f4335cf6019fbfdbaa410997d |
| SHA256 | 0d33358e318803c05f591c107ca9d8575635ccffcf3b33cfe5c44168ee5756de |
| SHA512 | fc8827b5b1887127be940bf01e2db816f1a60263830e0b916e92e27f9c6a23b56bb0035004297778fe5a6554d5686cbb4894205b59a3f32a90bcd67eb1157baa |
memory/4492-27-0x0000000000400000-0x0000000000492000-memory.dmp
memory/640-31-0x0000000000400000-0x0000000000492000-memory.dmp
memory/640-30-0x0000000000489000-0x000000000048C000-memory.dmp
C:\Windows\SysWOW64\974975309
| MD5 | 3670d2494d8baec069f3a068668fd463 |
| SHA1 | 1a68de1762b920fbe19385fb3d1a262a30bb1ceb |
| SHA256 | 1451f3e2dca6c70601925d813f52b7c84988c702ccb2c07c57a598126a23ea56 |
| SHA512 | 9ef097bd95428bff95d3a9cfb0f93538d664f9908e74420980ba5fe289fefcb78f19349d2dabe7d907c1614c112d5a5355dccfcc82466eb9f6813adec49ac74c |
memory/2432-38-0x0000000000400000-0x0000000000492000-memory.dmp
memory/4492-40-0x0000000000400000-0x0000000000492000-memory.dmp
memory/2432-42-0x0000000000400000-0x0000000000492000-memory.dmp