zgrat | 8f8da0486aaad7e72a762f3c66f64a960a6f6dacbc9f21fb3567a8c0b5be48de

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
12-04-2024 05:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
Size

1.1MB
MD5

ef3767ef13fb990913bd5c1a6b3e096f
SHA1

9b06a00d3e5370a43e9e123235850263857f0270
SHA256

8f8da0486aaad7e72a762f3c66f64a960a6f6dacbc9f21fb3567a8c0b5be48de
SHA512

b2c5c8743ed94b03441404552fcf31d403344dd2546c1b72011b2053dc47b993b98d25c1635f73dfa199fc4fb180b3a3ff8a00cebeba27af1948aa058d1a167c
SSDEEP

12288:wIdgdMqoYBE5gTG2DQy2KibdJBA7gsh9NXsVWgCqGum80deaARreevyq4K6mf:UmdYmCq2DsnZJBAxN8JCqG380KhvVsQ

Score

10^/10

zgrat persistence rat

Malware Config

Signatures

Detect ZGRat V1 34 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2240-10-0x0000000008560000-0x00000000085C8000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-11-0x0000000008560000-0x00000000085C3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-12-0x0000000008560000-0x00000000085C3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-14-0x0000000008560000-0x00000000085C3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-16-0x0000000008560000-0x00000000085C3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-18-0x0000000008560000-0x00000000085C3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-20-0x0000000008560000-0x00000000085C3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-22-0x0000000008560000-0x00000000085C3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-24-0x0000000008560000-0x00000000085C3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-26-0x0000000008560000-0x00000000085C3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-28-0x0000000008560000-0x00000000085C3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-30-0x0000000008560000-0x00000000085C3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-32-0x0000000008560000-0x00000000085C3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-34-0x0000000008560000-0x00000000085C3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-36-0x0000000008560000-0x00000000085C3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-38-0x0000000008560000-0x00000000085C3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-40-0x0000000008560000-0x00000000085C3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-42-0x0000000008560000-0x00000000085C3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-44-0x0000000008560000-0x00000000085C3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-46-0x0000000008560000-0x00000000085C3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-48-0x0000000008560000-0x00000000085C3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-50-0x0000000008560000-0x00000000085C3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-52-0x0000000008560000-0x00000000085C3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-54-0x0000000008560000-0x00000000085C3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-56-0x0000000008560000-0x00000000085C3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-58-0x0000000008560000-0x00000000085C3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-60-0x0000000008560000-0x00000000085C3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-62-0x0000000008560000-0x00000000085C3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-64-0x0000000008560000-0x00000000085C3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-66-0x0000000008560000-0x00000000085C3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-68-0x0000000008560000-0x00000000085C3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-70-0x0000000008560000-0x00000000085C3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-72-0x0000000008560000-0x00000000085C3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-74-0x0000000008560000-0x00000000085C3000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Normal = "\"C:\\Users\\Admin\\AppData\\Roaming\\Normal.exe\""	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exepowershell.exe

pid	process
2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
1292	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2240 ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
Token: SeDebugPrivilege 1292 powershell.exe

description	pid	process
Token: SeDebugPrivilege	2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
Token: SeDebugPrivilege	1292	powershell.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exeWScript.exe

C:\Users\Admin\AppData\Local\Temp\ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Pniglvimulgugfac.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Normal.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1292
- C:\Users\Admin\AppData\Local\Temp\ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
  2⤵
  PID:2956
- C:\Users\Admin\AppData\Local\Temp\ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
  2⤵
  PID:2364
- C:\Users\Admin\AppData\Local\Temp\ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
  2⤵
  PID:1312
- C:\Users\Admin\AppData\Local\Temp\ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
  2⤵
  PID:1476
- C:\Users\Admin\AppData\Local\Temp\ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
  2⤵
  PID:1420
- C:\Users\Admin\AppData\Local\Temp\ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
  2⤵
  PID:1228
- C:\Users\Admin\AppData\Local\Temp\ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
  2⤵
  PID:1300
- C:\Users\Admin\AppData\Local\Temp\ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
  2⤵
  PID:1904
- C:\Users\Admin\AppData\Local\Temp\ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
  2⤵
  PID:756
- C:\Users\Admin\AppData\Local\Temp\ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
  2⤵
  PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_Pniglvimulgugfac.vbs

Filesize
136B

MD5
311c68a158dfff6bf4be0ca469e8e365

SHA1
45ba4bb07de99dd65b0a7606db053623b8661281

SHA256
be6f0c382365cb583292150b9ca236a7ca40651a0cbdbc8672dd51bdd532ddbf

SHA512
4956d0c12303a49baf2c93ea2e03b3863fdad1bbb0e081e9a6d1976a2e6fc97671057b0c6c229ac70856c8d23f94f773f2e4abbf78b7c69a2d4e0195659bd851

Download Submit
memory/1292-1831-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/1292-1832-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/1292-1834-0x0000000002DA0000-0x0000000002DE0000-memory.dmp

Filesize
256KB

Download
memory/1292-1833-0x0000000002DA0000-0x0000000002DE0000-memory.dmp

Filesize
256KB

Download
memory/1292-1835-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/2240-26-0x0000000008560000-0x00000000085C3000-memory.dmp

Filesize
396KB

Download
memory/2240-36-0x0000000008560000-0x00000000085C3000-memory.dmp

Filesize
396KB

Download
memory/2240-3-0x0000000001EC0000-0x0000000001F00000-memory.dmp

Filesize
256KB

Download
memory/2240-4-0x0000000001EC0000-0x0000000001F00000-memory.dmp

Filesize
256KB

Download
memory/2240-5-0x0000000074130000-0x000000007481E000-memory.dmp

Filesize
6.9MB

Download
memory/2240-6-0x0000000001EC0000-0x0000000001F00000-memory.dmp

Filesize
256KB

Download
memory/2240-7-0x0000000001EC0000-0x0000000001F00000-memory.dmp

Filesize
256KB

Download
memory/2240-8-0x0000000001EC0000-0x0000000001F00000-memory.dmp

Filesize
256KB

Download
memory/2240-9-0x0000000004F40000-0x0000000004FC6000-memory.dmp

Filesize
536KB

Download
memory/2240-10-0x0000000008560000-0x00000000085C8000-memory.dmp

Filesize
416KB

Download
memory/2240-11-0x0000000008560000-0x00000000085C3000-memory.dmp

Filesize
396KB

Download
memory/2240-12-0x0000000008560000-0x00000000085C3000-memory.dmp

Filesize
396KB

Download
memory/2240-14-0x0000000008560000-0x00000000085C3000-memory.dmp

Filesize
396KB

Download
memory/2240-16-0x0000000008560000-0x00000000085C3000-memory.dmp

Filesize
396KB

Download
memory/2240-18-0x0000000008560000-0x00000000085C3000-memory.dmp

Filesize
396KB

Download
memory/2240-20-0x0000000008560000-0x00000000085C3000-memory.dmp

Filesize
396KB

Download
memory/2240-22-0x0000000008560000-0x00000000085C3000-memory.dmp

Filesize
396KB

Download
memory/2240-24-0x0000000008560000-0x00000000085C3000-memory.dmp

Filesize
396KB

Download
memory/2240-1-0x0000000074130000-0x000000007481E000-memory.dmp

Filesize
6.9MB

Download
memory/2240-28-0x0000000008560000-0x00000000085C3000-memory.dmp

Filesize
396KB

Download
memory/2240-30-0x0000000008560000-0x00000000085C3000-memory.dmp

Filesize
396KB

Download
memory/2240-32-0x0000000008560000-0x00000000085C3000-memory.dmp

Filesize
396KB

Download
memory/2240-34-0x0000000008560000-0x00000000085C3000-memory.dmp

Filesize
396KB

Download
memory/2240-2-0x0000000001EC0000-0x0000000001F00000-memory.dmp

Filesize
256KB

Download
memory/2240-38-0x0000000008560000-0x00000000085C3000-memory.dmp

Filesize
396KB

Download
memory/2240-40-0x0000000008560000-0x00000000085C3000-memory.dmp

Filesize
396KB

Download
memory/2240-42-0x0000000008560000-0x00000000085C3000-memory.dmp

Filesize
396KB

Download
memory/2240-44-0x0000000008560000-0x00000000085C3000-memory.dmp

Filesize
396KB

Download
memory/2240-46-0x0000000008560000-0x00000000085C3000-memory.dmp

Filesize
396KB

Download
memory/2240-48-0x0000000008560000-0x00000000085C3000-memory.dmp

Filesize
396KB

Download
memory/2240-50-0x0000000008560000-0x00000000085C3000-memory.dmp

Filesize
396KB

Download
memory/2240-52-0x0000000008560000-0x00000000085C3000-memory.dmp

Filesize
396KB

Download
memory/2240-54-0x0000000008560000-0x00000000085C3000-memory.dmp

Filesize
396KB

Download
memory/2240-56-0x0000000008560000-0x00000000085C3000-memory.dmp

Filesize
396KB

Download
memory/2240-58-0x0000000008560000-0x00000000085C3000-memory.dmp

Filesize
396KB

Download
memory/2240-60-0x0000000008560000-0x00000000085C3000-memory.dmp

Filesize
396KB

Download
memory/2240-62-0x0000000008560000-0x00000000085C3000-memory.dmp

Filesize
396KB

Download
memory/2240-64-0x0000000008560000-0x00000000085C3000-memory.dmp

Filesize
396KB

Download
memory/2240-66-0x0000000008560000-0x00000000085C3000-memory.dmp

Filesize
396KB

Download
memory/2240-68-0x0000000008560000-0x00000000085C3000-memory.dmp

Filesize
396KB

Download
memory/2240-0-0x0000000000310000-0x0000000000424000-memory.dmp

Filesize
1.1MB

Download
memory/2240-70-0x0000000008560000-0x00000000085C3000-memory.dmp

Filesize
396KB

Download
memory/2240-72-0x0000000008560000-0x00000000085C3000-memory.dmp

Filesize
396KB

Download
memory/2240-74-0x0000000008560000-0x00000000085C3000-memory.dmp

Filesize
396KB

Download
memory/2240-1828-0x0000000074130000-0x000000007481E000-memory.dmp

Filesize
6.9MB

Download

description	pid	process	target process
PID 2240 wrote to memory of 2344	2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe	WScript.exe
PID 2240 wrote to memory of 2344	2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe	WScript.exe
PID 2240 wrote to memory of 2344	2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe	WScript.exe
PID 2240 wrote to memory of 2344	2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe	WScript.exe
PID 2240 wrote to memory of 2956	2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
PID 2240 wrote to memory of 2956	2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
PID 2240 wrote to memory of 2956	2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
PID 2240 wrote to memory of 2956	2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
PID 2240 wrote to memory of 2364	2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
PID 2240 wrote to memory of 2364	2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
PID 2240 wrote to memory of 2364	2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
PID 2240 wrote to memory of 2364	2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
PID 2240 wrote to memory of 1312	2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
PID 2240 wrote to memory of 1312	2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
PID 2240 wrote to memory of 1312	2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
PID 2240 wrote to memory of 1312	2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
PID 2240 wrote to memory of 1476	2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
PID 2240 wrote to memory of 1476	2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
PID 2240 wrote to memory of 1476	2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
PID 2240 wrote to memory of 1476	2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
PID 2240 wrote to memory of 1420	2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
PID 2240 wrote to memory of 1420	2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
PID 2240 wrote to memory of 1420	2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
PID 2240 wrote to memory of 1420	2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
PID 2240 wrote to memory of 1228	2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
PID 2240 wrote to memory of 1228	2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
PID 2240 wrote to memory of 1228	2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
PID 2240 wrote to memory of 1228	2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
PID 2344 wrote to memory of 1292	2344	WScript.exe	powershell.exe
PID 2344 wrote to memory of 1292	2344	WScript.exe	powershell.exe
PID 2344 wrote to memory of 1292	2344	WScript.exe	powershell.exe
PID 2344 wrote to memory of 1292	2344	WScript.exe	powershell.exe
PID 2240 wrote to memory of 1300	2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
PID 2240 wrote to memory of 1300	2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
PID 2240 wrote to memory of 1300	2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
PID 2240 wrote to memory of 1300	2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
PID 2240 wrote to memory of 1904	2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
PID 2240 wrote to memory of 1904	2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
PID 2240 wrote to memory of 1904	2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
PID 2240 wrote to memory of 1904	2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
PID 2240 wrote to memory of 756	2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
PID 2240 wrote to memory of 756	2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
PID 2240 wrote to memory of 756	2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
PID 2240 wrote to memory of 756	2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
PID 2240 wrote to memory of 2148	2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
PID 2240 wrote to memory of 2148	2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
PID 2240 wrote to memory of 2148	2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe
PID 2240 wrote to memory of 2148	2240	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe	ef3767ef13fb990913bd5c1a6b3e096f_JaffaCakes118.exe