575954abfded7c11d6b368d0f09f7c14af898cf93f62739444d2781bfa23d3dd

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
25/07/2024, 20:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

713184e197f15dc870a14c0249927eef_JaffaCakes118.exe
Size

287KB
MD5

713184e197f15dc870a14c0249927eef
SHA1

4404b5c7c874aee4edf63974181c3da8cfbce49e
SHA256

575954abfded7c11d6b368d0f09f7c14af898cf93f62739444d2781bfa23d3dd
SHA512

7be56402974eb95979f50c9ae4a804c3a3d409397b0743de0fb986d05df594d895be80d7cd3435424751c017e659c95db00cecb4e76b46d008efe02655bdf0ec
SSDEEP

6144:df6Vwhu/2bKoFKG++a2iKm+am7MGJSrzwws3VDuyzq56lp8mC7J6y:sVCu/2++VXmgLw5wqklamry

Score

8^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2684	netsh.exe

Deletes itself 1 IoCs

pid	Process
2896	api-ms-win-crt-private-l1-1-0.exe

Executes dropped EXE 64 IoCs

pid	Process
2548	api-ms-win-core-localization-l1-1-0.exe
2896	api-ms-win-crt-private-l1-1-0.exe
3068	acledit.exe
2076	AltTab.exe
1912	api-ms-win-crt-filesystem-l1-1-0.exe
1048	AdmTmpl.exe
1828	adprovider.exe
2844	aecache.exe
3024	api-ms-win-core-synch-l1-1-0.exe
988	api-ms-win-downlevel-ole32-l1-1-0.exe
2004	api-ms-win-core-file-l1-2-0.exe
1620	api-ms-win-crt-runtime-l1-1-0.exe
2484	ACCTRES.exe
2284	ActionCenterCPL.exe
2352	appmgmts.exe
2268	ActionCenterCPL.exe
2720	ActionCenter.exe
2240	api-ms-win-core-string-l1-1-0.exe
1072	api-ms-win-core-datetime-l1-1-0.exe
2028	activeds.exe
1232	acledit.exe
1264	accessibilitycpl.exe
1148	amxread.exe
2852	aclui.exe
1956	atl110.exe
1764	AltTab.exe
2272	api-ms-win-core-memory-l1-1-0.exe
2448	adtschema.exe
1692	ACCTRES.exe
1628	adsldpc.exe
2236	adsldp.exe
2776	aclui.exe
2432	acppage.exe
2724	api-ms-win-core-heap-l1-1-0.exe
2220	api-ms-win-core-namedpipe-l1-1-0.exe
2088	acledit.exe
1972	adsldp.exe
2596	advpack.exe
2856	ActionCenter.exe
2952	ACCTRES.exe
3000	aaclient.exe
840	api-ms-win-core-processenvironment-l1-1-0.exe
2476	aclui.exe
1816	AltTab.exe
1372	api-ms-win-core-fibers-l1-1-0.exe
888	api-ms-win-core-errorhandling-l1-1-0.exe
2416	ActionCenter.exe
2772	ACCTRES.exe
2816	adsnt.exe
2728	api-ms-win-core-errorhandling-l1-1-0.exe
2032	advpack.exe
1712	aaclient.exe
2624	AuthFWGP.exe
1812	ActionCenter.exe
2012	AdmTmpl.exe
1640	aeevts.exe
2312	apircl.exe
2492	acledit.exe
1792	amstream.exe
1524	api-ms-win-core-delayload-l1-1-0.exe
812	adsldpc.exe
1860	acledit.exe
2424	advpack.exe
2060	actxprxy.exe

Loads dropped DLL 64 IoCs

pid	Process
2016	713184e197f15dc870a14c0249927eef_JaffaCakes118.exe
2016	713184e197f15dc870a14c0249927eef_JaffaCakes118.exe
2548	api-ms-win-core-localization-l1-1-0.exe
2548	api-ms-win-core-localization-l1-1-0.exe
2896	api-ms-win-crt-private-l1-1-0.exe
2896	api-ms-win-crt-private-l1-1-0.exe
3068	acledit.exe
3068	acledit.exe
2076	AltTab.exe
2076	AltTab.exe
1912	api-ms-win-crt-filesystem-l1-1-0.exe
1912	api-ms-win-crt-filesystem-l1-1-0.exe
1048	AdmTmpl.exe
1048	AdmTmpl.exe
1828	adprovider.exe
1828	adprovider.exe
2844	aecache.exe
2844	aecache.exe
3024	api-ms-win-core-synch-l1-1-0.exe
3024	api-ms-win-core-synch-l1-1-0.exe
988	api-ms-win-downlevel-ole32-l1-1-0.exe
988	api-ms-win-downlevel-ole32-l1-1-0.exe
2004	api-ms-win-core-file-l1-2-0.exe
2004	api-ms-win-core-file-l1-2-0.exe
1620	api-ms-win-crt-runtime-l1-1-0.exe
1620	api-ms-win-crt-runtime-l1-1-0.exe
2484	ACCTRES.exe
2484	ACCTRES.exe
2284	ActionCenterCPL.exe
2284	ActionCenterCPL.exe
2352	appmgmts.exe
2352	appmgmts.exe
2268	ActionCenterCPL.exe
2268	ActionCenterCPL.exe
2720	ActionCenter.exe
2720	ActionCenter.exe
2240	api-ms-win-core-string-l1-1-0.exe
2240	api-ms-win-core-string-l1-1-0.exe
1072	api-ms-win-core-datetime-l1-1-0.exe
1072	api-ms-win-core-datetime-l1-1-0.exe
2028	activeds.exe
2028	activeds.exe
1232	acledit.exe
1232	acledit.exe
1264	accessibilitycpl.exe
1264	accessibilitycpl.exe
1148	amxread.exe
1148	amxread.exe
2852	aclui.exe
2852	aclui.exe
1956	atl110.exe
1956	atl110.exe
1764	AltTab.exe
1764	AltTab.exe
2272	api-ms-win-core-memory-l1-1-0.exe
2272	api-ms-win-core-memory-l1-1-0.exe
2448	adtschema.exe
2448	adtschema.exe
1692	ACCTRES.exe
1692	ACCTRES.exe
1628	adsldpc.exe
1628	adsldpc.exe
2236	adsldp.exe
2236	adsldp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\smwcore = "C:\\Windows\\system32\\accessibilitycpl.exe"	accessibilitycpl.exe

Enumerates connected drives 3 TTPs 26 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	adsldp.exe
File opened (read-only)	\??\F:	acledit.exe
File opened (read-only)	\??\F:	ACCTRES.exe
File opened (read-only)	\??\F:	actxprxy.exe
File opened (read-only)	\??\F:	ActionCenterCPL.exe
File opened (read-only)	\??\F:	api-ms-win-core-string-l1-1-0.exe
File opened (read-only)	\??\F:	api-ms-win-core-datetime-l1-1-0.exe
File opened (read-only)	\??\F:	acppage.exe
File opened (read-only)	\??\F:	api-ms-win-core-errorhandling-l1-1-0.exe
File opened (read-only)	\??\F:	api-ms-win-core-synch-l1-1-0.exe
File opened (read-only)	\??\F:	appmgmts.exe
File opened (read-only)	\??\F:	amstream.exe
File opened (read-only)	\??\F:	api-ms-win-core-namedpipe-l1-1-0.exe
File opened (read-only)	\??\F:	AltTab.exe
File opened (read-only)	\??\F:	api-ms-win-core-file-l1-2-0.exe
File opened (read-only)	\??\F:	advpack.exe
File opened (read-only)	\??\F:	AdmTmpl.exe
File opened (read-only)	\??\F:	api-ms-win-core-memory-l1-1-0.exe
File opened (read-only)	\??\F:	api-ms-win-core-heap-l1-1-0.exe
File opened (read-only)	\??\F:	AltTab.exe
File opened (read-only)	\??\F:	api-ms-win-core-fibers-l1-1-0.exe
File opened (read-only)	\??\F:	apircl.exe
File opened (read-only)	\??\F:	ACCTRES.exe
File opened (read-only)	\??\F:	api-ms-win-core-delayload-l1-1-0.exe
File opened (read-only)	\??\F:	AltTab.exe
File opened (read-only)	\??\F:	api-ms-win-crt-private-l1-1-0.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\amxread.exe	accessibilitycpl.exe
File opened for modification	C:\Windows\SysWOW64\acledit.exe	api-ms-win-core-namedpipe-l1-1-0.exe
File created	C:\Windows\SysWOW64\aaclient.exe	ACCTRES.exe
File created	C:\Windows\SysWOW64\actxprxy.exe	advpack.exe
File created	C:\Windows\SysWOW64\AltTab.exe	aclui.exe
File opened for modification	C:\Windows\SysWOW64\advpack.exe	api-ms-win-core-errorhandling-l1-1-0.exe
File opened for modification	C:\Windows\SysWOW64\acledit.exe	adsldpc.exe
File created	C:\Windows\SysWOW64\advpack.exe	acledit.exe
File opened for modification	C:\Windows\SysWOW64\adsldpc.exe	ACCTRES.exe
File opened for modification	C:\Windows\SysWOW64\amstream.exe	acledit.exe
File opened for modification	C:\Windows\SysWOW64\actxprxy.exe	advpack.exe
File opened for modification	C:\Windows\SysWOW64\AltTab.exe	aclui.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.exe	actxprxy.exe
File created	C:\Windows\SysWOW64\advpack.exe	apds.exe
File created	C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe	api-ms-win-core-file-l1-2-0.exe
File opened for modification	C:\Windows\SysWOW64\aclui.exe	amxread.exe
File created	C:\Windows\SysWOW64\aclui.exe	api-ms-win-core-processenvironment-l1-1-0.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe	api-ms-win-core-fibers-l1-1-0.exe
File created	C:\Windows\SysWOW64\ActionCenter.exe	AuthFWGP.exe
File opened for modification	C:\Windows\SysWOW64\advpack.exe	acledit.exe
File created	C:\Windows\SysWOW64\bitsprx2.exe	api-ms-win-core-libraryloader-l1-1-0.exe
File opened for modification	C:\Windows\SysWOW64\ActionCenter.exe	adtschema.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe	aecache.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe	api-ms-win-downlevel-ole32-l1-1-0.exe
File opened for modification	C:\Windows\SysWOW64\AltTab.exe	atl110.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe	AltTab.exe
File created	C:\Windows\SysWOW64\aaclient.exe	advpack.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.exe	amstream.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe	api-ms-win-core-synch-l1-1-0.exe
File opened for modification	C:\Windows\SysWOW64\acledit.exe	activeds.exe
File opened for modification	C:\Windows\SysWOW64\adsnt.exe	ACCTRES.exe
File opened for modification	C:\Windows\SysWOW64\adprovider.exe	aclui.exe
File opened for modification	C:\Windows\SysWOW64\acledit.exe	api-ms-win-crt-private-l1-1-0.exe
File created	C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe	AltTab.exe
File created	C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe	api-ms-win-core-synch-l1-1-0.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe	api-ms-win-core-file-l1-2-0.exe
File created	C:\Windows\SysWOW64\adsldpc.exe	ACCTRES.exe
File created	C:\Windows\SysWOW64\advpack.exe	api-ms-win-core-errorhandling-l1-1-0.exe
File created	C:\Windows\SysWOW64\ActionCenterCPL.exe	appmgmts.exe
File opened for modification	C:\Windows\SysWOW64\ACCTRES.exe	ActionCenter.exe
File created	C:\Windows\SysWOW64\accessibilitycpl.exe	acledit.exe
File opened for modification	C:\Windows\SysWOW64\AdmTmpl.exe	ActionCenter.exe
File created	C:\Windows\SysWOW64\aaclient.exe	adprovider.exe
File opened for modification	C:\Windows\SysWOW64\aclui.exe	aaclient.exe
File opened for modification	C:\Windows\SysWOW64\apds.exe	AltTab.exe
File opened for modification	C:\Windows\SysWOW64\ACCTRES.exe	api-ms-win-core-memory-l1-1-0.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe	api-ms-win-downlevel-ole32-l1-1-0.exe
File created	C:\Windows\SysWOW64\AltTab.exe	aclui.exe
File created	C:\Windows\SysWOW64\AuthFWGP.exe	aaclient.exe
File created	C:\Windows\SysWOW64\amstream.exe	acledit.exe
File opened for modification	C:\Windows\SysWOW64\adprovider.exe	ActionCenter.exe
File created	C:\Windows\SysWOW64\AltTab.exe	acledit.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe	ActionCenter.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe	ActionCenter.exe
File opened for modification	C:\Windows\SysWOW64\accessibilitycpl.exe	acledit.exe
File opened for modification	C:\Windows\SysWOW64\advpack.exe	adsldp.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe	api-ms-win-core-fibers-l1-1-0.exe
File opened for modification	C:\Windows\SysWOW64\AdmTmpl.exe	api-ms-win-crt-filesystem-l1-1-0.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe	api-ms-win-core-string-l1-1-0.exe
File created	C:\Windows\SysWOW64\ACCTRES.exe	adtschema.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe	api-ms-win-core-heap-l1-1-0.exe
File created	C:\Windows\SysWOW64\adprovider.exe	ActionCenter.exe
File opened for modification	C:\Windows\SysWOW64\AltTab.exe	acledit.exe
File opened for modification	C:\Windows\SysWOW64\atl110.exe	aclui.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdmTmpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	api-ms-win-core-delayload-l1-1-0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	advpack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ACCTRES.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	acledit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aclui.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	acledit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitsprx2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adprovider.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	accessibilitycpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aaclient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aclui.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdmTmpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aclui.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adsnt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	api-ms-win-core-libraryloader-l1-1-0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ACCTRES.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adsldp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	advpack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adsldpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	appmgmts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ActionCenterCPL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atl110.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aclui.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AltTab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	api-ms-win-crt-runtime-l1-1-0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	acledit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	acppage.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AltTab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ACCTRES.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	actxprxy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	api-ms-win-core-localregistry-l1-1-0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	advpack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	api-ms-win-core-string-l1-1-0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	accessibilitycpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adsldp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apircl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	api-ms-win-core-file-l1-2-0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aclui.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	api-ms-win-core-fibers-l1-1-0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ActionCenter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	advpack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adtschema.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ACCTRES.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ActionCenter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adprovider.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ActionCenterCPL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	activeds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AltTab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	api-ms-win-core-localization-l1-1-0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AltTab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aecache.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ACCTRES.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	amstream.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	api-ms-win-core-localization-l1-2-0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdmTmpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adprovider.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	api-ms-win-downlevel-ole32-l1-1-0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	api-ms-win-core-namedpipe-l1-1-0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	api-ms-win-core-errorhandling-l1-1-0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	acledit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ActionCenter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	api-ms-win-core-memory-l1-1-0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe
2336	accessibilitycpl.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2016	713184e197f15dc870a14c0249927eef_JaffaCakes118.exe
Token: SeDebugPrivilege	2548	api-ms-win-core-localization-l1-1-0.exe
Token: SeDebugPrivilege	2896	api-ms-win-crt-private-l1-1-0.exe
Token: SeDebugPrivilege	3068	acledit.exe
Token: SeDebugPrivilege	2076	AltTab.exe
Token: SeDebugPrivilege	1912	api-ms-win-crt-filesystem-l1-1-0.exe
Token: SeDebugPrivilege	1048	AdmTmpl.exe
Token: SeDebugPrivilege	1828	adprovider.exe
Token: SeDebugPrivilege	2844	aecache.exe
Token: SeDebugPrivilege	3024	api-ms-win-core-synch-l1-1-0.exe
Token: SeDebugPrivilege	988	api-ms-win-downlevel-ole32-l1-1-0.exe
Token: SeDebugPrivilege	2004	api-ms-win-core-file-l1-2-0.exe
Token: SeDebugPrivilege	1620	api-ms-win-crt-runtime-l1-1-0.exe
Token: SeDebugPrivilege	2484	ACCTRES.exe
Token: SeDebugPrivilege	2284	ActionCenterCPL.exe
Token: SeDebugPrivilege	2352	appmgmts.exe
Token: SeDebugPrivilege	2268	ActionCenterCPL.exe
Token: SeDebugPrivilege	2720	ActionCenter.exe
Token: SeDebugPrivilege	2240	api-ms-win-core-string-l1-1-0.exe
Token: SeDebugPrivilege	1072	api-ms-win-core-datetime-l1-1-0.exe
Token: SeDebugPrivilege	2028	activeds.exe
Token: SeDebugPrivilege	1232	acledit.exe
Token: SeDebugPrivilege	1264	accessibilitycpl.exe
Token: SeDebugPrivilege	1148	amxread.exe
Token: SeDebugPrivilege	2852	aclui.exe
Token: SeDebugPrivilege	1956	atl110.exe
Token: SeDebugPrivilege	1764	AltTab.exe
Token: SeDebugPrivilege	2272	api-ms-win-core-memory-l1-1-0.exe
Token: SeDebugPrivilege	2448	adtschema.exe
Token: SeDebugPrivilege	1692	ACCTRES.exe
Token: SeDebugPrivilege	1628	adsldpc.exe
Token: SeDebugPrivilege	2236	adsldp.exe
Token: SeDebugPrivilege	2776	aclui.exe
Token: SeDebugPrivilege	2432	acppage.exe
Token: SeDebugPrivilege	2724	api-ms-win-core-heap-l1-1-0.exe
Token: SeDebugPrivilege	2220	api-ms-win-core-namedpipe-l1-1-0.exe
Token: SeDebugPrivilege	2088	acledit.exe
Token: SeDebugPrivilege	1972	adsldp.exe
Token: SeDebugPrivilege	2596	advpack.exe
Token: SeDebugPrivilege	2856	ActionCenter.exe
Token: SeDebugPrivilege	2952	ACCTRES.exe
Token: SeDebugPrivilege	3000	aaclient.exe
Token: SeDebugPrivilege	840	api-ms-win-core-processenvironment-l1-1-0.exe
Token: SeDebugPrivilege	2476	aclui.exe
Token: SeDebugPrivilege	1816	AltTab.exe
Token: SeDebugPrivilege	1372	api-ms-win-core-fibers-l1-1-0.exe
Token: SeDebugPrivilege	888	api-ms-win-core-errorhandling-l1-1-0.exe
Token: SeDebugPrivilege	2416	ActionCenter.exe
Token: SeDebugPrivilege	2772	ACCTRES.exe
Token: SeDebugPrivilege	2816	adsnt.exe
Token: SeDebugPrivilege	2728	api-ms-win-core-errorhandling-l1-1-0.exe
Token: SeDebugPrivilege	2032	advpack.exe
Token: SeDebugPrivilege	1712	aaclient.exe
Token: SeDebugPrivilege	2624	AuthFWGP.exe
Token: SeDebugPrivilege	1812	ActionCenter.exe
Token: SeDebugPrivilege	2012	AdmTmpl.exe
Token: SeDebugPrivilege	1640	aeevts.exe
Token: SeDebugPrivilege	2312	apircl.exe
Token: SeDebugPrivilege	2492	acledit.exe
Token: SeDebugPrivilege	1792	amstream.exe
Token: SeDebugPrivilege	1524	api-ms-win-core-delayload-l1-1-0.exe
Token: SeDebugPrivilege	812	adsldpc.exe
Token: SeDebugPrivilege	1860	acledit.exe
Token: SeDebugPrivilege	2424	advpack.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 2548	2016	713184e197f15dc870a14c0249927eef_JaffaCakes118.exe	31
PID 2016 wrote to memory of 2548	2016	713184e197f15dc870a14c0249927eef_JaffaCakes118.exe	31
PID 2016 wrote to memory of 2548	2016	713184e197f15dc870a14c0249927eef_JaffaCakes118.exe	31
PID 2016 wrote to memory of 2548	2016	713184e197f15dc870a14c0249927eef_JaffaCakes118.exe	31
PID 2548 wrote to memory of 2896	2548	api-ms-win-core-localization-l1-1-0.exe	32
PID 2548 wrote to memory of 2896	2548	api-ms-win-core-localization-l1-1-0.exe	32
PID 2548 wrote to memory of 2896	2548	api-ms-win-core-localization-l1-1-0.exe	32
PID 2548 wrote to memory of 2896	2548	api-ms-win-core-localization-l1-1-0.exe	32
PID 2896 wrote to memory of 3068	2896	api-ms-win-crt-private-l1-1-0.exe	33
PID 2896 wrote to memory of 3068	2896	api-ms-win-crt-private-l1-1-0.exe	33
PID 2896 wrote to memory of 3068	2896	api-ms-win-crt-private-l1-1-0.exe	33
PID 2896 wrote to memory of 3068	2896	api-ms-win-crt-private-l1-1-0.exe	33
PID 3068 wrote to memory of 2076	3068	acledit.exe	34
PID 3068 wrote to memory of 2076	3068	acledit.exe	34
PID 3068 wrote to memory of 2076	3068	acledit.exe	34
PID 3068 wrote to memory of 2076	3068	acledit.exe	34
PID 2076 wrote to memory of 1912	2076	AltTab.exe	35
PID 2076 wrote to memory of 1912	2076	AltTab.exe	35
PID 2076 wrote to memory of 1912	2076	AltTab.exe	35
PID 2076 wrote to memory of 1912	2076	AltTab.exe	35
PID 1912 wrote to memory of 1048	1912	api-ms-win-crt-filesystem-l1-1-0.exe	36
PID 1912 wrote to memory of 1048	1912	api-ms-win-crt-filesystem-l1-1-0.exe	36
PID 1912 wrote to memory of 1048	1912	api-ms-win-crt-filesystem-l1-1-0.exe	36
PID 1912 wrote to memory of 1048	1912	api-ms-win-crt-filesystem-l1-1-0.exe	36
PID 1048 wrote to memory of 1828	1048	AdmTmpl.exe	37
PID 1048 wrote to memory of 1828	1048	AdmTmpl.exe	37
PID 1048 wrote to memory of 1828	1048	AdmTmpl.exe	37
PID 1048 wrote to memory of 1828	1048	AdmTmpl.exe	37
PID 1828 wrote to memory of 2844	1828	adprovider.exe	38
PID 1828 wrote to memory of 2844	1828	adprovider.exe	38
PID 1828 wrote to memory of 2844	1828	adprovider.exe	38
PID 1828 wrote to memory of 2844	1828	adprovider.exe	38
PID 2844 wrote to memory of 3024	2844	aecache.exe	39
PID 2844 wrote to memory of 3024	2844	aecache.exe	39
PID 2844 wrote to memory of 3024	2844	aecache.exe	39
PID 2844 wrote to memory of 3024	2844	aecache.exe	39
PID 3024 wrote to memory of 988	3024	api-ms-win-core-synch-l1-1-0.exe	40
PID 3024 wrote to memory of 988	3024	api-ms-win-core-synch-l1-1-0.exe	40
PID 3024 wrote to memory of 988	3024	api-ms-win-core-synch-l1-1-0.exe	40
PID 3024 wrote to memory of 988	3024	api-ms-win-core-synch-l1-1-0.exe	40
PID 988 wrote to memory of 2004	988	api-ms-win-downlevel-ole32-l1-1-0.exe	41
PID 988 wrote to memory of 2004	988	api-ms-win-downlevel-ole32-l1-1-0.exe	41
PID 988 wrote to memory of 2004	988	api-ms-win-downlevel-ole32-l1-1-0.exe	41
PID 988 wrote to memory of 2004	988	api-ms-win-downlevel-ole32-l1-1-0.exe	41
PID 2004 wrote to memory of 1620	2004	api-ms-win-core-file-l1-2-0.exe	42
PID 2004 wrote to memory of 1620	2004	api-ms-win-core-file-l1-2-0.exe	42
PID 2004 wrote to memory of 1620	2004	api-ms-win-core-file-l1-2-0.exe	42
PID 2004 wrote to memory of 1620	2004	api-ms-win-core-file-l1-2-0.exe	42
PID 1620 wrote to memory of 2484	1620	api-ms-win-crt-runtime-l1-1-0.exe	43
PID 1620 wrote to memory of 2484	1620	api-ms-win-crt-runtime-l1-1-0.exe	43
PID 1620 wrote to memory of 2484	1620	api-ms-win-crt-runtime-l1-1-0.exe	43
PID 1620 wrote to memory of 2484	1620	api-ms-win-crt-runtime-l1-1-0.exe	43
PID 2484 wrote to memory of 2284	2484	ACCTRES.exe	44
PID 2484 wrote to memory of 2284	2484	ACCTRES.exe	44
PID 2484 wrote to memory of 2284	2484	ACCTRES.exe	44
PID 2484 wrote to memory of 2284	2484	ACCTRES.exe	44
PID 2284 wrote to memory of 2352	2284	ActionCenterCPL.exe	45
PID 2284 wrote to memory of 2352	2284	ActionCenterCPL.exe	45
PID 2284 wrote to memory of 2352	2284	ActionCenterCPL.exe	45
PID 2284 wrote to memory of 2352	2284	ActionCenterCPL.exe	45
PID 2352 wrote to memory of 2268	2352	appmgmts.exe	46
PID 2352 wrote to memory of 2268	2352	appmgmts.exe	46
PID 2352 wrote to memory of 2268	2352	appmgmts.exe	46
PID 2352 wrote to memory of 2268	2352	appmgmts.exe	46

C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe
  C:\Windows\system32\api-ms-win-core-localization-l1-1-0.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe
    C:\Windows\system32\api-ms-win-crt-private-l1-1-0.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\SysWOW64\acledit.exe
      C:\Windows\system32\acledit.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3068
    - - C:\Windows\SysWOW64\AltTab.exe
        
        C:\Windows\system32\AltTab.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2076
      - C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-crt-filesystem-l1-1-0.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\AdmTmpl.exe
        
        C:\Windows\system32\AdmTmpl.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\SysWOW64\adprovider.exe
        
        C:\Windows\system32\adprovider.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        C:\Windows\SysWOW64\aecache.exe
        
        C:\Windows\system32\aecache.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-synch-l1-1-0.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-downlevel-ole32-l1-1-0.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:988
        
        C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe
        
        C:\Windows\system32\api-ms-win-core-file-l1-2-0.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-crt-runtime-l1-1-0.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\ACCTRES.exe
        
        C:\Windows\system32\ACCTRES.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\SysWOW64\ActionCenterCPL.exe
        
        C:\Windows\system32\ActionCenterCPL.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\SysWOW64\appmgmts.exe
        
        C:\Windows\system32\appmgmts.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\SysWOW64\ActionCenterCPL.exe
        
        C:\Windows\system32\ActionCenterCPL.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
        
        C:\Windows\SysWOW64\ActionCenter.exe
        
        C:\Windows\system32\ActionCenter.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
        
        C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-string-l1-1-0.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240
        
        C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-datetime-l1-1-0.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        
        PID:1072
        
        C:\Windows\SysWOW64\activeds.exe
        
        C:\Windows\system32\activeds.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
        
        C:\Windows\SysWOW64\acledit.exe
        
        C:\Windows\system32\acledit.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1232
        
        C:\Windows\SysWOW64\accessibilitycpl.exe
        
        C:\Windows\system32\accessibilitycpl.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1264
        
        C:\Windows\SysWOW64\amxread.exe
        
        C:\Windows\system32\amxread.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1148
        
        C:\Windows\SysWOW64\aclui.exe
        
        C:\Windows\system32\aclui.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
        
        C:\Windows\SysWOW64\atl110.exe
        
        C:\Windows\system32\atl110.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
        
        C:\Windows\SysWOW64\AltTab.exe
        
        C:\Windows\system32\AltTab.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1956:C:\Windows\SysWOW64\atl110.exe -sC:\Windows\system32
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
        
        C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-memory-l1-1-0.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1956:C:\Windows\SysWOW64\atl110.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
        
        C:\Windows\SysWOW64\adtschema.exe
        
        C:\Windows\system32\adtschema.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1956:C:\Windows\SysWOW64\atl110.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2272:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
        
        C:\Windows\SysWOW64\ACCTRES.exe
        
        C:\Windows\system32\ACCTRES.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1956:C:\Windows\SysWOW64\atl110.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2272:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32 -m2448:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
        
        C:\Windows\SysWOW64\adsldpc.exe
        
        C:\Windows\system32\adsldpc.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1956:C:\Windows\SysWOW64\atl110.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2272:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32 -m2448:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1692:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
        
        C:\Windows\SysWOW64\adsldp.exe
        
        C:\Windows\system32\adsldp.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1956:C:\Windows\SysWOW64\atl110.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2272:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32 -m2448:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1692:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m1628:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
        
        C:\Windows\SysWOW64\aclui.exe
        
        C:\Windows\system32\aclui.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1956:C:\Windows\SysWOW64\atl110.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2272:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32 -m2448:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1692:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m1628:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m2236:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
        
        C:\Windows\SysWOW64\acppage.exe
        
        C:\Windows\system32\acppage.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1956:C:\Windows\SysWOW64\atl110.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2272:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32 -m2448:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1692:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m1628:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m2236:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2776:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32
        34⤵
        Executes dropped EXE
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
        
        C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-heap-l1-1-0.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1956:C:\Windows\SysWOW64\atl110.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2272:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32 -m2448:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1692:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m1628:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m2236:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2776:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m2432:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32
        35⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
        
        C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-namedpipe-l1-1-0.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1956:C:\Windows\SysWOW64\atl110.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2272:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32 -m2448:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1692:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m1628:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m2236:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2776:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m2432:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m2724:C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.exe -sC:\Windows\system32
        36⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
        
        C:\Windows\SysWOW64\acledit.exe
        
        C:\Windows\system32\acledit.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1956:C:\Windows\SysWOW64\atl110.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2272:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32 -m2448:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1692:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m1628:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m2236:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2776:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m2432:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m2724:C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.exe -sC:\Windows\system32 -m2220:C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe -sC:\Windows\system32
        37⤵
        Executes dropped EXE
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
        
        C:\Windows\SysWOW64\adsldp.exe
        
        C:\Windows\system32\adsldp.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1956:C:\Windows\SysWOW64\atl110.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2272:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32 -m2448:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1692:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m1628:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m2236:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2776:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m2432:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m2724:C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.exe -sC:\Windows\system32 -m2220:C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe -sC:\Windows\system32 -m2088:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972
        
        C:\Windows\SysWOW64\advpack.exe
        
        C:\Windows\system32\advpack.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1956:C:\Windows\SysWOW64\atl110.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2272:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32 -m2448:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1692:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m1628:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m2236:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2776:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m2432:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m2724:C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.exe -sC:\Windows\system32 -m2220:C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe -sC:\Windows\system32 -m2088:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1972:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32
        39⤵
        Executes dropped EXE
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
        
        C:\Windows\SysWOW64\ActionCenter.exe
        
        C:\Windows\system32\ActionCenter.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1956:C:\Windows\SysWOW64\atl110.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2272:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32 -m2448:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1692:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m1628:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m2236:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2776:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m2432:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m2724:C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.exe -sC:\Windows\system32 -m2220:C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe -sC:\Windows\system32 -m2088:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1972:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2596:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
        
        C:\Windows\SysWOW64\ACCTRES.exe
        
        C:\Windows\system32\ACCTRES.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1956:C:\Windows\SysWOW64\atl110.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2272:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32 -m2448:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1692:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m1628:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m2236:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2776:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m2432:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m2724:C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.exe -sC:\Windows\system32 -m2220:C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe -sC:\Windows\system32 -m2088:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1972:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2596:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2856:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32
        41⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
        
        C:\Windows\SysWOW64\aaclient.exe
        
        C:\Windows\system32\aaclient.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1956:C:\Windows\SysWOW64\atl110.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2272:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32 -m2448:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1692:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m1628:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m2236:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2776:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m2432:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m2724:C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.exe -sC:\Windows\system32 -m2220:C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe -sC:\Windows\system32 -m2088:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1972:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2596:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2856:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2952:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32
        42⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
        
        C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-processenvironment-l1-1-0.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1956:C:\Windows\SysWOW64\atl110.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2272:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32 -m2448:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1692:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m1628:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m2236:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2776:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m2432:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m2724:C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.exe -sC:\Windows\system32 -m2220:C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe -sC:\Windows\system32 -m2088:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1972:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2596:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2856:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2952:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m3000:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:840
        
        C:\Windows\SysWOW64\aclui.exe
        
        C:\Windows\system32\aclui.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1956:C:\Windows\SysWOW64\atl110.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2272:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32 -m2448:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1692:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m1628:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m2236:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2776:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m2432:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m2724:C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.exe -sC:\Windows\system32 -m2220:C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe -sC:\Windows\system32 -m2088:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1972:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2596:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2856:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2952:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m3000:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m840:C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.exe -sC:\Windows\system32
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2476
        
        C:\Windows\SysWOW64\AltTab.exe
        
        C:\Windows\system32\AltTab.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1956:C:\Windows\SysWOW64\atl110.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2272:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32 -m2448:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1692:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m1628:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m2236:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2776:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m2432:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m2724:C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.exe -sC:\Windows\system32 -m2220:C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe -sC:\Windows\system32 -m2088:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1972:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2596:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2856:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2952:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m3000:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m840:C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.exe -sC:\Windows\system32 -m2476:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32
        45⤵
        Executes dropped EXE
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1816
        
        C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-fibers-l1-1-0.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1956:C:\Windows\SysWOW64\atl110.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2272:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32 -m2448:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1692:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m1628:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m2236:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2776:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m2432:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m2724:C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.exe -sC:\Windows\system32 -m2220:C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe -sC:\Windows\system32 -m2088:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1972:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2596:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2856:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2952:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m3000:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m840:C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.exe -sC:\Windows\system32 -m2476:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1816:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32
        46⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1372
        
        C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-errorhandling-l1-1-0.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1956:C:\Windows\SysWOW64\atl110.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2272:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32 -m2448:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1692:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m1628:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m2236:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2776:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m2432:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m2724:C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.exe -sC:\Windows\system32 -m2220:C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe -sC:\Windows\system32 -m2088:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1972:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2596:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2856:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2952:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m3000:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m840:C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.exe -sC:\Windows\system32 -m2476:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1816:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1372:C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.exe -sC:\Windows\system32
        47⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:888
        
        C:\Windows\SysWOW64\ActionCenter.exe
        
        C:\Windows\system32\ActionCenter.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1956:C:\Windows\SysWOW64\atl110.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2272:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32 -m2448:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1692:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m1628:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m2236:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2776:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m2432:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m2724:C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.exe -sC:\Windows\system32 -m2220:C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe -sC:\Windows\system32 -m2088:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1972:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2596:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2856:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2952:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m3000:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m840:C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.exe -sC:\Windows\system32 -m2476:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1816:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1372:C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.exe -sC:\Windows\system32 -m888:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32
        48⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2416
        
        C:\Windows\SysWOW64\ACCTRES.exe
        
        C:\Windows\system32\ACCTRES.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1956:C:\Windows\SysWOW64\atl110.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2272:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32 -m2448:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1692:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m1628:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m2236:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2776:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m2432:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m2724:C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.exe -sC:\Windows\system32 -m2220:C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe -sC:\Windows\system32 -m2088:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1972:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2596:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2856:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2952:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m3000:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m840:C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.exe -sC:\Windows\system32 -m2476:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1816:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1372:C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.exe -sC:\Windows\system32 -m888:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2416:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32
        49⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
        
        C:\Windows\SysWOW64\adsnt.exe
        
        C:\Windows\system32\adsnt.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1956:C:\Windows\SysWOW64\atl110.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2272:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32 -m2448:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1692:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m1628:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m2236:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2776:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m2432:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m2724:C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.exe -sC:\Windows\system32 -m2220:C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe -sC:\Windows\system32 -m2088:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1972:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2596:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2856:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2952:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m3000:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m840:C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.exe -sC:\Windows\system32 -m2476:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1816:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1372:C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.exe -sC:\Windows\system32 -m888:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2416:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2772:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816
        
        C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-errorhandling-l1-1-0.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1956:C:\Windows\SysWOW64\atl110.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2272:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32 -m2448:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1692:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m1628:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m2236:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2776:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m2432:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m2724:C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.exe -sC:\Windows\system32 -m2220:C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe -sC:\Windows\system32 -m2088:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1972:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2596:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2856:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2952:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m3000:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m840:C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.exe -sC:\Windows\system32 -m2476:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1816:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1372:C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.exe -sC:\Windows\system32 -m888:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2416:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2772:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2816:C:\Windows\SysWOW64\adsnt.exe -sC:\Windows\system32
        51⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
        
        C:\Windows\SysWOW64\advpack.exe
        
        C:\Windows\system32\advpack.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1956:C:\Windows\SysWOW64\atl110.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2272:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32 -m2448:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1692:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m1628:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m2236:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2776:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m2432:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m2724:C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.exe -sC:\Windows\system32 -m2220:C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe -sC:\Windows\system32 -m2088:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1972:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2596:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2856:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2952:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m3000:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m840:C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.exe -sC:\Windows\system32 -m2476:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1816:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1372:C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.exe -sC:\Windows\system32 -m888:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2416:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2772:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2816:C:\Windows\SysWOW64\adsnt.exe -sC:\Windows\system32 -m2728:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
        
        C:\Windows\SysWOW64\aaclient.exe
        
        C:\Windows\system32\aaclient.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1956:C:\Windows\SysWOW64\atl110.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2272:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32 -m2448:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1692:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m1628:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m2236:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2776:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m2432:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m2724:C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.exe -sC:\Windows\system32 -m2220:C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe -sC:\Windows\system32 -m2088:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1972:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2596:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2856:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2952:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m3000:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m840:C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.exe -sC:\Windows\system32 -m2476:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1816:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1372:C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.exe -sC:\Windows\system32 -m888:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2416:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2772:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2816:C:\Windows\SysWOW64\adsnt.exe -sC:\Windows\system32 -m2728:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2032:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
        
        C:\Windows\SysWOW64\AuthFWGP.exe
        
        C:\Windows\system32\AuthFWGP.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1956:C:\Windows\SysWOW64\atl110.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2272:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32 -m2448:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1692:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m1628:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m2236:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2776:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m2432:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m2724:C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.exe -sC:\Windows\system32 -m2220:C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe -sC:\Windows\system32 -m2088:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1972:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2596:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2856:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2952:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m3000:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m840:C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.exe -sC:\Windows\system32 -m2476:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1816:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1372:C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.exe -sC:\Windows\system32 -m888:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2416:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2772:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2816:C:\Windows\SysWOW64\adsnt.exe -sC:\Windows\system32 -m2728:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2032:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m1712:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
        
        C:\Windows\SysWOW64\ActionCenter.exe
        
        C:\Windows\system32\ActionCenter.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1956:C:\Windows\SysWOW64\atl110.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2272:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32 -m2448:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1692:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m1628:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m2236:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2776:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m2432:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m2724:C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.exe -sC:\Windows\system32 -m2220:C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe -sC:\Windows\system32 -m2088:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1972:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2596:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2856:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2952:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m3000:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m840:C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.exe -sC:\Windows\system32 -m2476:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1816:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1372:C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.exe -sC:\Windows\system32 -m888:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2416:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2772:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2816:C:\Windows\SysWOW64\adsnt.exe -sC:\Windows\system32 -m2728:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2032:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m1712:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m2624:C:\Windows\SysWOW64\AuthFWGP.exe -sC:\Windows\system32
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1812
        
        C:\Windows\SysWOW64\AdmTmpl.exe
        
        C:\Windows\system32\AdmTmpl.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1956:C:\Windows\SysWOW64\atl110.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2272:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32 -m2448:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1692:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m1628:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m2236:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2776:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m2432:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m2724:C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.exe -sC:\Windows\system32 -m2220:C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe -sC:\Windows\system32 -m2088:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1972:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2596:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2856:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2952:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m3000:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m840:C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.exe -sC:\Windows\system32 -m2476:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1816:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1372:C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.exe -sC:\Windows\system32 -m888:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2416:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2772:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2816:C:\Windows\SysWOW64\adsnt.exe -sC:\Windows\system32 -m2728:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2032:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m1712:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m2624:C:\Windows\SysWOW64\AuthFWGP.exe -sC:\Windows\system32 -m1812:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32
        56⤵
        Executes dropped EXE
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
        
        C:\Windows\SysWOW64\aeevts.exe
        
        C:\Windows\system32\aeevts.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1956:C:\Windows\SysWOW64\atl110.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2272:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32 -m2448:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1692:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m1628:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m2236:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2776:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m2432:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m2724:C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.exe -sC:\Windows\system32 -m2220:C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe -sC:\Windows\system32 -m2088:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1972:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2596:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2856:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2952:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m3000:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m840:C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.exe -sC:\Windows\system32 -m2476:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1816:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1372:C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.exe -sC:\Windows\system32 -m888:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2416:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2772:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2816:C:\Windows\SysWOW64\adsnt.exe -sC:\Windows\system32 -m2728:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2032:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m1712:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m2624:C:\Windows\SysWOW64\AuthFWGP.exe -sC:\Windows\system32 -m1812:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2012:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32
        57⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
        
        C:\Windows\SysWOW64\apircl.exe
        
        C:\Windows\system32\apircl.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1956:C:\Windows\SysWOW64\atl110.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2272:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32 -m2448:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1692:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m1628:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m2236:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2776:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m2432:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m2724:C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.exe -sC:\Windows\system32 -m2220:C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe -sC:\Windows\system32 -m2088:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1972:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2596:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2856:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2952:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m3000:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m840:C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.exe -sC:\Windows\system32 -m2476:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1816:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1372:C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.exe -sC:\Windows\system32 -m888:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2416:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2772:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2816:C:\Windows\SysWOW64\adsnt.exe -sC:\Windows\system32 -m2728:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2032:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m1712:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m2624:C:\Windows\SysWOW64\AuthFWGP.exe -sC:\Windows\system32 -m1812:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2012:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1640:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32
        58⤵
        Executes dropped EXE
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
        
        C:\Windows\SysWOW64\acledit.exe
        
        C:\Windows\system32\acledit.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1956:C:\Windows\SysWOW64\atl110.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2272:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32 -m2448:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1692:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m1628:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m2236:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2776:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m2432:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m2724:C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.exe -sC:\Windows\system32 -m2220:C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe -sC:\Windows\system32 -m2088:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1972:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2596:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2856:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2952:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m3000:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m840:C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.exe -sC:\Windows\system32 -m2476:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1816:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1372:C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.exe -sC:\Windows\system32 -m888:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2416:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2772:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2816:C:\Windows\SysWOW64\adsnt.exe -sC:\Windows\system32 -m2728:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2032:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m1712:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m2624:C:\Windows\SysWOW64\AuthFWGP.exe -sC:\Windows\system32 -m1812:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2012:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1640:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m2312:C:\Windows\SysWOW64\apircl.exe -sC:\Windows\system32
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
        
        C:\Windows\SysWOW64\amstream.exe
        
        C:\Windows\system32\amstream.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1956:C:\Windows\SysWOW64\atl110.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2272:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32 -m2448:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1692:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m1628:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m2236:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2776:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m2432:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m2724:C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.exe -sC:\Windows\system32 -m2220:C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe -sC:\Windows\system32 -m2088:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1972:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2596:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2856:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2952:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m3000:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m840:C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.exe -sC:\Windows\system32 -m2476:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1816:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1372:C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.exe -sC:\Windows\system32 -m888:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2416:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2772:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2816:C:\Windows\SysWOW64\adsnt.exe -sC:\Windows\system32 -m2728:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2032:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m1712:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m2624:C:\Windows\SysWOW64\AuthFWGP.exe -sC:\Windows\system32 -m1812:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2012:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1640:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m2312:C:\Windows\SysWOW64\apircl.exe -sC:\Windows\system32 -m2492:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32
        60⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1792
        
        C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-delayload-l1-1-0.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1956:C:\Windows\SysWOW64\atl110.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2272:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32 -m2448:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1692:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m1628:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m2236:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2776:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m2432:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m2724:C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.exe -sC:\Windows\system32 -m2220:C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe -sC:\Windows\system32 -m2088:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1972:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2596:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2856:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2952:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m3000:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m840:C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.exe -sC:\Windows\system32 -m2476:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1816:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1372:C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.exe -sC:\Windows\system32 -m888:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2416:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2772:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2816:C:\Windows\SysWOW64\adsnt.exe -sC:\Windows\system32 -m2728:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2032:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m1712:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m2624:C:\Windows\SysWOW64\AuthFWGP.exe -sC:\Windows\system32 -m1812:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2012:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1640:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m2312:C:\Windows\SysWOW64\apircl.exe -sC:\Windows\system32 -m2492:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1792:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32
        61⤵
        Executes dropped EXE
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
        
        C:\Windows\SysWOW64\adsldpc.exe
        
        C:\Windows\system32\adsldpc.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1956:C:\Windows\SysWOW64\atl110.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2272:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32 -m2448:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1692:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m1628:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m2236:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2776:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m2432:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m2724:C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.exe -sC:\Windows\system32 -m2220:C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe -sC:\Windows\system32 -m2088:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1972:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2596:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2856:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2952:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m3000:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m840:C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.exe -sC:\Windows\system32 -m2476:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1816:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1372:C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.exe -sC:\Windows\system32 -m888:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2416:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2772:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2816:C:\Windows\SysWOW64\adsnt.exe -sC:\Windows\system32 -m2728:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2032:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m1712:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m2624:C:\Windows\SysWOW64\AuthFWGP.exe -sC:\Windows\system32 -m1812:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2012:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1640:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m2312:C:\Windows\SysWOW64\apircl.exe -sC:\Windows\system32 -m2492:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1792:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1524:C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.exe -sC:\Windows\system32
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:812
        
        C:\Windows\SysWOW64\acledit.exe
        
        C:\Windows\system32\acledit.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1956:C:\Windows\SysWOW64\atl110.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2272:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32 -m2448:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1692:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m1628:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m2236:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2776:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m2432:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m2724:C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.exe -sC:\Windows\system32 -m2220:C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe -sC:\Windows\system32 -m2088:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1972:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2596:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2856:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2952:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m3000:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m840:C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.exe -sC:\Windows\system32 -m2476:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1816:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1372:C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.exe -sC:\Windows\system32 -m888:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2416:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2772:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2816:C:\Windows\SysWOW64\adsnt.exe -sC:\Windows\system32 -m2728:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2032:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m1712:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m2624:C:\Windows\SysWOW64\AuthFWGP.exe -sC:\Windows\system32 -m1812:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2012:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1640:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m2312:C:\Windows\SysWOW64\apircl.exe -sC:\Windows\system32 -m2492:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1792:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1524:C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.exe -sC:\Windows\system32 -m812:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1860
        
        C:\Windows\SysWOW64\advpack.exe
        
        C:\Windows\system32\advpack.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1956:C:\Windows\SysWOW64\atl110.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2272:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32 -m2448:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1692:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m1628:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m2236:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2776:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m2432:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m2724:C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.exe -sC:\Windows\system32 -m2220:C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe -sC:\Windows\system32 -m2088:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1972:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2596:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2856:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2952:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m3000:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m840:C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.exe -sC:\Windows\system32 -m2476:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1816:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1372:C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.exe -sC:\Windows\system32 -m888:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2416:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2772:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2816:C:\Windows\SysWOW64\adsnt.exe -sC:\Windows\system32 -m2728:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2032:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m1712:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m2624:C:\Windows\SysWOW64\AuthFWGP.exe -sC:\Windows\system32 -m1812:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2012:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1640:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m2312:C:\Windows\SysWOW64\apircl.exe -sC:\Windows\system32 -m2492:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1792:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1524:C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.exe -sC:\Windows\system32 -m812:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m1860:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
        
        C:\Windows\SysWOW64\actxprxy.exe
        
        C:\Windows\system32\actxprxy.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1956:C:\Windows\SysWOW64\atl110.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2272:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32 -m2448:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1692:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m1628:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m2236:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2776:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m2432:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m2724:C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.exe -sC:\Windows\system32 -m2220:C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe -sC:\Windows\system32 -m2088:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1972:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2596:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2856:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2952:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m3000:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m840:C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.exe -sC:\Windows\system32 -m2476:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1816:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1372:C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.exe -sC:\Windows\system32 -m888:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2416:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2772:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2816:C:\Windows\SysWOW64\adsnt.exe -sC:\Windows\system32 -m2728:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2032:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m1712:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m2624:C:\Windows\SysWOW64\AuthFWGP.exe -sC:\Windows\system32 -m1812:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2012:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1640:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m2312:C:\Windows\SysWOW64\apircl.exe -sC:\Windows\system32 -m2492:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1792:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1524:C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.exe -sC:\Windows\system32 -m812:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m1860:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2424:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32
        65⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-libraryloader-l1-1-0.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1956:C:\Windows\SysWOW64\atl110.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2272:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32 -m2448:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1692:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m1628:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m2236:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2776:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m2432:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m2724:C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.exe -sC:\Windows\system32 -m2220:C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe -sC:\Windows\system32 -m2088:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1972:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2596:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2856:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2952:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m3000:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m840:C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.exe -sC:\Windows\system32 -m2476:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1816:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1372:C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.exe -sC:\Windows\system32 -m888:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2416:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2772:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2816:C:\Windows\SysWOW64\adsnt.exe -sC:\Windows\system32 -m2728:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2032:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m1712:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m2624:C:\Windows\SysWOW64\AuthFWGP.exe -sC:\Windows\system32 -m1812:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2012:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1640:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m2312:C:\Windows\SysWOW64\apircl.exe -sC:\Windows\system32 -m2492:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1792:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1524:C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.exe -sC:\Windows\system32 -m812:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m1860:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2424:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2060:C:\Windows\SysWOW64\actxprxy.exe -sC:\Windows\system32
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2888
        
        C:\Windows\SysWOW64\bitsprx2.exe
        
        C:\Windows\system32\bitsprx2.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1956:C:\Windows\SysWOW64\atl110.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2272:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32 -m2448:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1692:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m1628:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m2236:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2776:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m2432:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m2724:C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.exe -sC:\Windows\system32 -m2220:C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe -sC:\Windows\system32 -m2088:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1972:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2596:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2856:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2952:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m3000:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m840:C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.exe -sC:\Windows\system32 -m2476:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1816:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1372:C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.exe -sC:\Windows\system32 -m888:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2416:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2772:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2816:C:\Windows\SysWOW64\adsnt.exe -sC:\Windows\system32 -m2728:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2032:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m1712:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m2624:C:\Windows\SysWOW64\AuthFWGP.exe -sC:\Windows\system32 -m1812:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2012:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1640:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m2312:C:\Windows\SysWOW64\apircl.exe -sC:\Windows\system32 -m2492:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1792:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1524:C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.exe -sC:\Windows\system32 -m812:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m1860:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2424:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2060:C:\Windows\SysWOW64\actxprxy.exe -sC:\Windows\system32 -m2888:C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.exe -sC:\Windows\system32
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:592
        
        C:\Windows\SysWOW64\adtschema.exe
        
        C:\Windows\system32\adtschema.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1956:C:\Windows\SysWOW64\atl110.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2272:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32 -m2448:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1692:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m1628:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m2236:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2776:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m2432:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m2724:C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.exe -sC:\Windows\system32 -m2220:C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe -sC:\Windows\system32 -m2088:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1972:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2596:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2856:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2952:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m3000:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m840:C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.exe -sC:\Windows\system32 -m2476:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1816:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1372:C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.exe -sC:\Windows\system32 -m888:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2416:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2772:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2816:C:\Windows\SysWOW64\adsnt.exe -sC:\Windows\system32 -m2728:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2032:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m1712:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m2624:C:\Windows\SysWOW64\AuthFWGP.exe -sC:\Windows\system32 -m1812:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2012:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1640:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m2312:C:\Windows\SysWOW64\apircl.exe -sC:\Windows\system32 -m2492:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1792:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1524:C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.exe -sC:\Windows\system32 -m812:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m1860:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2424:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2060:C:\Windows\SysWOW64\actxprxy.exe -sC:\Windows\system32 -m2888:C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.exe -sC:\Windows\system32 -m592:C:\Windows\SysWOW64\bitsprx2.exe -sC:\Windows\system32
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Windows\SysWOW64\ActionCenter.exe
        
        C:\Windows\system32\ActionCenter.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1956:C:\Windows\SysWOW64\atl110.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2272:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32 -m2448:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1692:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m1628:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m2236:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2776:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m2432:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m2724:C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.exe -sC:\Windows\system32 -m2220:C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe -sC:\Windows\system32 -m2088:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1972:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2596:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2856:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2952:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m3000:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m840:C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.exe -sC:\Windows\system32 -m2476:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1816:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1372:C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.exe -sC:\Windows\system32 -m888:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2416:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2772:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2816:C:\Windows\SysWOW64\adsnt.exe -sC:\Windows\system32 -m2728:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2032:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m1712:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m2624:C:\Windows\SysWOW64\AuthFWGP.exe -sC:\Windows\system32 -m1812:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2012:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1640:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m2312:C:\Windows\SysWOW64\apircl.exe -sC:\Windows\system32 -m2492:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1792:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1524:C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.exe -sC:\Windows\system32 -m812:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m1860:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2424:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2060:C:\Windows\SysWOW64\actxprxy.exe -sC:\Windows\system32 -m2888:C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.exe -sC:\Windows\system32 -m592:C:\Windows\SysWOW64\bitsprx2.exe -sC:\Windows\system32 -m2628:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1492
        
        C:\Windows\SysWOW64\adprovider.exe
        
        C:\Windows\system32\adprovider.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1956:C:\Windows\SysWOW64\atl110.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2272:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32 -m2448:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1692:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m1628:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m2236:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2776:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m2432:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m2724:C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.exe -sC:\Windows\system32 -m2220:C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe -sC:\Windows\system32 -m2088:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1972:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2596:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2856:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2952:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m3000:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m840:C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.exe -sC:\Windows\system32 -m2476:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1816:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1372:C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.exe -sC:\Windows\system32 -m888:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2416:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2772:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2816:C:\Windows\SysWOW64\adsnt.exe -sC:\Windows\system32 -m2728:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2032:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m1712:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m2624:C:\Windows\SysWOW64\AuthFWGP.exe -sC:\Windows\system32 -m1812:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2012:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1640:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m2312:C:\Windows\SysWOW64\apircl.exe -sC:\Windows\system32 -m2492:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1792:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1524:C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.exe -sC:\Windows\system32 -m812:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m1860:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2424:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2060:C:\Windows\SysWOW64\actxprxy.exe -sC:\Windows\system32 -m2888:C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.exe -sC:\Windows\system32 -m592:C:\Windows\SysWOW64\bitsprx2.exe -sC:\Windows\system32 -m2628:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1492:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Windows\SysWOW64\aaclient.exe
        
        C:\Windows\system32\aaclient.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1956:C:\Windows\SysWOW64\atl110.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2272:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32 -m2448:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1692:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m1628:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m2236:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2776:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m2432:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m2724:C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.exe -sC:\Windows\system32 -m2220:C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe -sC:\Windows\system32 -m2088:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1972:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2596:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2856:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2952:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m3000:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m840:C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.exe -sC:\Windows\system32 -m2476:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1816:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1372:C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.exe -sC:\Windows\system32 -m888:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2416:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2772:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2816:C:\Windows\SysWOW64\adsnt.exe -sC:\Windows\system32 -m2728:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2032:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m1712:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m2624:C:\Windows\SysWOW64\AuthFWGP.exe -sC:\Windows\system32 -m1812:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2012:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1640:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m2312:C:\Windows\SysWOW64\apircl.exe -sC:\Windows\system32 -m2492:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1792:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1524:C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.exe -sC:\Windows\system32 -m812:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m1860:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2424:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2060:C:\Windows\SysWOW64\actxprxy.exe -sC:\Windows\system32 -m2888:C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.exe -sC:\Windows\system32 -m592:C:\Windows\SysWOW64\bitsprx2.exe -sC:\Windows\system32 -m2628:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1492:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m3056:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1788
        
        C:\Windows\SysWOW64\aclui.exe
        
        C:\Windows\system32\aclui.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1956:C:\Windows\SysWOW64\atl110.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2272:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32 -m2448:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1692:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m1628:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m2236:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2776:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m2432:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m2724:C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.exe -sC:\Windows\system32 -m2220:C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe -sC:\Windows\system32 -m2088:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1972:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2596:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2856:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2952:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m3000:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m840:C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.exe -sC:\Windows\system32 -m2476:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1816:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1372:C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.exe -sC:\Windows\system32 -m888:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2416:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2772:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2816:C:\Windows\SysWOW64\adsnt.exe -sC:\Windows\system32 -m2728:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2032:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m1712:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m2624:C:\Windows\SysWOW64\AuthFWGP.exe -sC:\Windows\system32 -m1812:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2012:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1640:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m2312:C:\Windows\SysWOW64\apircl.exe -sC:\Windows\system32 -m2492:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1792:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1524:C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.exe -sC:\Windows\system32 -m812:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m1860:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2424:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2060:C:\Windows\SysWOW64\actxprxy.exe -sC:\Windows\system32 -m2888:C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.exe -sC:\Windows\system32 -m592:C:\Windows\SysWOW64\bitsprx2.exe -sC:\Windows\system32 -m2628:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1492:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m3056:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1788:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2620
        
        C:\Windows\SysWOW64\adprovider.exe
        
        C:\Windows\system32\adprovider.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1956:C:\Windows\SysWOW64\atl110.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2272:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32 -m2448:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1692:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m1628:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m2236:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2776:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m2432:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m2724:C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.exe -sC:\Windows\system32 -m2220:C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe -sC:\Windows\system32 -m2088:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1972:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2596:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2856:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2952:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m3000:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m840:C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.exe -sC:\Windows\system32 -m2476:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1816:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1372:C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.exe -sC:\Windows\system32 -m888:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2416:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2772:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2816:C:\Windows\SysWOW64\adsnt.exe -sC:\Windows\system32 -m2728:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2032:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m1712:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m2624:C:\Windows\SysWOW64\AuthFWGP.exe -sC:\Windows\system32 -m1812:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2012:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1640:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m2312:C:\Windows\SysWOW64\apircl.exe -sC:\Windows\system32 -m2492:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1792:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1524:C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.exe -sC:\Windows\system32 -m812:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m1860:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2424:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2060:C:\Windows\SysWOW64\actxprxy.exe -sC:\Windows\system32 -m2888:C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.exe -sC:\Windows\system32 -m592:C:\Windows\SysWOW64\bitsprx2.exe -sC:\Windows\system32 -m2628:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1492:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m3056:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1788:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m2620:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:1092
        
        C:\Windows\SysWOW64\api-ms-win-core-localization-l1-2-0.exe
        
        C:\Windows\system32\api-ms-win-core-localization-l1-2-0.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1956:C:\Windows\SysWOW64\atl110.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2272:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32 -m2448:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1692:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m1628:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m2236:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2776:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m2432:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m2724:C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.exe -sC:\Windows\system32 -m2220:C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe -sC:\Windows\system32 -m2088:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1972:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2596:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2856:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2952:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m3000:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m840:C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.exe -sC:\Windows\system32 -m2476:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1816:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1372:C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.exe -sC:\Windows\system32 -m888:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2416:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2772:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2816:C:\Windows\SysWOW64\adsnt.exe -sC:\Windows\system32 -m2728:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2032:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m1712:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m2624:C:\Windows\SysWOW64\AuthFWGP.exe -sC:\Windows\system32 -m1812:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2012:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1640:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m2312:C:\Windows\SysWOW64\apircl.exe -sC:\Windows\system32 -m2492:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1792:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1524:C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.exe -sC:\Windows\system32 -m812:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m1860:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2424:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2060:C:\Windows\SysWOW64\actxprxy.exe -sC:\Windows\system32 -m2888:C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.exe -sC:\Windows\system32 -m592:C:\Windows\SysWOW64\bitsprx2.exe -sC:\Windows\system32 -m2628:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1492:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m3056:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1788:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m2620:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1092:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:1268
        
        C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-localregistry-l1-1-0.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1956:C:\Windows\SysWOW64\atl110.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2272:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32 -m2448:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1692:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m1628:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m2236:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2776:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m2432:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m2724:C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.exe -sC:\Windows\system32 -m2220:C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe -sC:\Windows\system32 -m2088:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1972:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2596:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2856:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2952:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m3000:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m840:C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.exe -sC:\Windows\system32 -m2476:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1816:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1372:C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.exe -sC:\Windows\system32 -m888:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2416:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2772:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2816:C:\Windows\SysWOW64\adsnt.exe -sC:\Windows\system32 -m2728:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2032:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m1712:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m2624:C:\Windows\SysWOW64\AuthFWGP.exe -sC:\Windows\system32 -m1812:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2012:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1640:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m2312:C:\Windows\SysWOW64\apircl.exe -sC:\Windows\system32 -m2492:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1792:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1524:C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.exe -sC:\Windows\system32 -m812:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m1860:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2424:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2060:C:\Windows\SysWOW64\actxprxy.exe -sC:\Windows\system32 -m2888:C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.exe -sC:\Windows\system32 -m592:C:\Windows\SysWOW64\bitsprx2.exe -sC:\Windows\system32 -m2628:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1492:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m3056:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1788:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m2620:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1092:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1268:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-2-0.exe -sC:\Windows\system32
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:1040
        
        C:\Windows\SysWOW64\aclui.exe
        
        C:\Windows\system32\aclui.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1956:C:\Windows\SysWOW64\atl110.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2272:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32 -m2448:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1692:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m1628:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m2236:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2776:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m2432:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m2724:C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.exe -sC:\Windows\system32 -m2220:C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe -sC:\Windows\system32 -m2088:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1972:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2596:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2856:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2952:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m3000:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m840:C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.exe -sC:\Windows\system32 -m2476:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1816:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1372:C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.exe -sC:\Windows\system32 -m888:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2416:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2772:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2816:C:\Windows\SysWOW64\adsnt.exe -sC:\Windows\system32 -m2728:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2032:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m1712:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m2624:C:\Windows\SysWOW64\AuthFWGP.exe -sC:\Windows\system32 -m1812:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2012:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1640:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m2312:C:\Windows\SysWOW64\apircl.exe -sC:\Windows\system32 -m2492:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1792:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1524:C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.exe -sC:\Windows\system32 -m812:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m1860:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2424:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2060:C:\Windows\SysWOW64\actxprxy.exe -sC:\Windows\system32 -m2888:C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.exe -sC:\Windows\system32 -m592:C:\Windows\SysWOW64\bitsprx2.exe -sC:\Windows\system32 -m2628:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1492:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m3056:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1788:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m2620:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1092:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1268:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-2-0.exe -sC:\Windows\system32 -m1040:C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.exe -sC:\Windows\system32
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2708
        
        C:\Windows\SysWOW64\AltTab.exe
        
        C:\Windows\system32\AltTab.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1956:C:\Windows\SysWOW64\atl110.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2272:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32 -m2448:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1692:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m1628:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m2236:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2776:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m2432:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m2724:C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.exe -sC:\Windows\system32 -m2220:C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe -sC:\Windows\system32 -m2088:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1972:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2596:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2856:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2952:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m3000:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m840:C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.exe -sC:\Windows\system32 -m2476:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1816:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1372:C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.exe -sC:\Windows\system32 -m888:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2416:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2772:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2816:C:\Windows\SysWOW64\adsnt.exe -sC:\Windows\system32 -m2728:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2032:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m1712:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m2624:C:\Windows\SysWOW64\AuthFWGP.exe -sC:\Windows\system32 -m1812:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2012:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1640:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m2312:C:\Windows\SysWOW64\apircl.exe -sC:\Windows\system32 -m2492:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1792:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1524:C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.exe -sC:\Windows\system32 -m812:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m1860:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2424:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2060:C:\Windows\SysWOW64\actxprxy.exe -sC:\Windows\system32 -m2888:C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.exe -sC:\Windows\system32 -m592:C:\Windows\SysWOW64\bitsprx2.exe -sC:\Windows\system32 -m2628:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1492:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m3056:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1788:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m2620:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1092:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1268:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-2-0.exe -sC:\Windows\system32 -m1040:C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.exe -sC:\Windows\system32 -m2708:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32
        77⤵
        Enumerates connected drives
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:808
        
        C:\Windows\SysWOW64\apds.exe
        
        C:\Windows\system32\apds.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1956:C:\Windows\SysWOW64\atl110.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2272:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32 -m2448:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1692:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m1628:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m2236:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2776:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m2432:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m2724:C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.exe -sC:\Windows\system32 -m2220:C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe -sC:\Windows\system32 -m2088:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1972:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2596:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2856:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2952:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m3000:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m840:C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.exe -sC:\Windows\system32 -m2476:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1816:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1372:C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.exe -sC:\Windows\system32 -m888:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2416:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2772:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2816:C:\Windows\SysWOW64\adsnt.exe -sC:\Windows\system32 -m2728:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2032:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m1712:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m2624:C:\Windows\SysWOW64\AuthFWGP.exe -sC:\Windows\system32 -m1812:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2012:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1640:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m2312:C:\Windows\SysWOW64\apircl.exe -sC:\Windows\system32 -m2492:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1792:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1524:C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.exe -sC:\Windows\system32 -m812:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m1860:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2424:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2060:C:\Windows\SysWOW64\actxprxy.exe -sC:\Windows\system32 -m2888:C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.exe -sC:\Windows\system32 -m592:C:\Windows\SysWOW64\bitsprx2.exe -sC:\Windows\system32 -m2628:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1492:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m3056:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1788:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m2620:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1092:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1268:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-2-0.exe -sC:\Windows\system32 -m1040:C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.exe -sC:\Windows\system32 -m2708:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m808:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32
        78⤵
        Drops file in System32 directory
        
        PID:2092
        
        C:\Windows\SysWOW64\advpack.exe
        
        C:\Windows\system32\advpack.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1956:C:\Windows\SysWOW64\atl110.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2272:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32 -m2448:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1692:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m1628:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m2236:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2776:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m2432:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m2724:C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.exe -sC:\Windows\system32 -m2220:C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe -sC:\Windows\system32 -m2088:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1972:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2596:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2856:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2952:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m3000:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m840:C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.exe -sC:\Windows\system32 -m2476:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1816:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1372:C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.exe -sC:\Windows\system32 -m888:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2416:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2772:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2816:C:\Windows\SysWOW64\adsnt.exe -sC:\Windows\system32 -m2728:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2032:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m1712:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m2624:C:\Windows\SysWOW64\AuthFWGP.exe -sC:\Windows\system32 -m1812:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2012:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1640:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m2312:C:\Windows\SysWOW64\apircl.exe -sC:\Windows\system32 -m2492:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1792:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1524:C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.exe -sC:\Windows\system32 -m812:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m1860:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2424:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2060:C:\Windows\SysWOW64\actxprxy.exe -sC:\Windows\system32 -m2888:C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.exe -sC:\Windows\system32 -m592:C:\Windows\SysWOW64\bitsprx2.exe -sC:\Windows\system32 -m2628:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1492:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m3056:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1788:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m2620:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1092:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1268:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-2-0.exe -sC:\Windows\system32 -m1040:C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.exe -sC:\Windows\system32 -m2708:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m808:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2092:C:\Windows\SysWOW64\apds.exe -sC:\Windows\system32
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:1924
        
        C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe
        
        C:\Windows\system32\api-ms-win-core-memory-l1-1-0.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1956:C:\Windows\SysWOW64\atl110.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2272:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32 -m2448:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1692:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m1628:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m2236:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2776:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m2432:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m2724:C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.exe -sC:\Windows\system32 -m2220:C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe -sC:\Windows\system32 -m2088:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1972:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2596:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2856:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2952:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m3000:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m840:C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.exe -sC:\Windows\system32 -m2476:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1816:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1372:C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.exe -sC:\Windows\system32 -m888:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2416:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2772:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2816:C:\Windows\SysWOW64\adsnt.exe -sC:\Windows\system32 -m2728:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2032:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m1712:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m2624:C:\Windows\SysWOW64\AuthFWGP.exe -sC:\Windows\system32 -m1812:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2012:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1640:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m2312:C:\Windows\SysWOW64\apircl.exe -sC:\Windows\system32 -m2492:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1792:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1524:C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.exe -sC:\Windows\system32 -m812:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m1860:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2424:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2060:C:\Windows\SysWOW64\actxprxy.exe -sC:\Windows\system32 -m2888:C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.exe -sC:\Windows\system32 -m592:C:\Windows\SysWOW64\bitsprx2.exe -sC:\Windows\system32 -m2628:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1492:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m3056:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1788:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m2620:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1092:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1268:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-2-0.exe -sC:\Windows\system32 -m1040:C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.exe -sC:\Windows\system32 -m2708:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m808:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2092:C:\Windows\SysWOW64\apds.exe -sC:\Windows\system32 -m1924:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32
        80⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:688
        
        C:\Windows\SysWOW64\ACCTRES.exe
        
        C:\Windows\system32\ACCTRES.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1956:C:\Windows\SysWOW64\atl110.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2272:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32 -m2448:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1692:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m1628:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m2236:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2776:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m2432:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m2724:C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.exe -sC:\Windows\system32 -m2220:C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe -sC:\Windows\system32 -m2088:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1972:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2596:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2856:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2952:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m3000:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m840:C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.exe -sC:\Windows\system32 -m2476:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1816:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1372:C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.exe -sC:\Windows\system32 -m888:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2416:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2772:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2816:C:\Windows\SysWOW64\adsnt.exe -sC:\Windows\system32 -m2728:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2032:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m1712:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m2624:C:\Windows\SysWOW64\AuthFWGP.exe -sC:\Windows\system32 -m1812:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2012:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1640:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m2312:C:\Windows\SysWOW64\apircl.exe -sC:\Windows\system32 -m2492:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1792:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1524:C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.exe -sC:\Windows\system32 -m812:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m1860:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2424:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2060:C:\Windows\SysWOW64\actxprxy.exe -sC:\Windows\system32 -m2888:C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.exe -sC:\Windows\system32 -m592:C:\Windows\SysWOW64\bitsprx2.exe -sC:\Windows\system32 -m2628:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1492:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m3056:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1788:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m2620:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1092:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1268:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-2-0.exe -sC:\Windows\system32 -m1040:C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.exe -sC:\Windows\system32 -m2708:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m808:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2092:C:\Windows\SysWOW64\apds.exe -sC:\Windows\system32 -m1924:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m688:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:1748
        
        C:\Windows\SysWOW64\accessibilitycpl.exe
        
        C:\Windows\system32\accessibilitycpl.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1956:C:\Windows\SysWOW64\atl110.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2272:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32 -m2448:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1692:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m1628:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m2236:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2776:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m2432:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m2724:C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.exe -sC:\Windows\system32 -m2220:C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe -sC:\Windows\system32 -m2088:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1972:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2596:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2856:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2952:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m3000:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m840:C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.exe -sC:\Windows\system32 -m2476:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1816:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1372:C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.exe -sC:\Windows\system32 -m888:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2416:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2772:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2816:C:\Windows\SysWOW64\adsnt.exe -sC:\Windows\system32 -m2728:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2032:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m1712:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m2624:C:\Windows\SysWOW64\AuthFWGP.exe -sC:\Windows\system32 -m1812:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2012:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1640:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m2312:C:\Windows\SysWOW64\apircl.exe -sC:\Windows\system32 -m2492:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1792:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1524:C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.exe -sC:\Windows\system32 -m812:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m1860:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2424:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2060:C:\Windows\SysWOW64\actxprxy.exe -sC:\Windows\system32 -m2888:C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.exe -sC:\Windows\system32 -m592:C:\Windows\SysWOW64\bitsprx2.exe -sC:\Windows\system32 -m2628:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1492:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m3056:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1788:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m2620:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1092:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1268:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-2-0.exe -sC:\Windows\system32 -m1040:C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.exe -sC:\Windows\system32 -m2708:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m808:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2092:C:\Windows\SysWOW64\apds.exe -sC:\Windows\system32 -m1924:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m688:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32 -m1748:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32
        82⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2336
        
        C:\Windows\SysWOW64\AdmTmpl.exe
        
        C:\Windows\system32\AdmTmpl.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1956:C:\Windows\SysWOW64\atl110.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2272:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32 -m2448:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1692:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m1628:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m2236:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2776:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m2432:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m2724:C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.exe -sC:\Windows\system32 -m2220:C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe -sC:\Windows\system32 -m2088:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1972:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2596:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2856:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2952:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m3000:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m840:C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.exe -sC:\Windows\system32 -m2476:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1816:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1372:C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.exe -sC:\Windows\system32 -m888:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2416:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2772:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2816:C:\Windows\SysWOW64\adsnt.exe -sC:\Windows\system32 -m2728:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2032:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m1712:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m2624:C:\Windows\SysWOW64\AuthFWGP.exe -sC:\Windows\system32 -m1812:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2012:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1640:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m2312:C:\Windows\SysWOW64\apircl.exe -sC:\Windows\system32 -m2492:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1792:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1524:C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.exe -sC:\Windows\system32 -m812:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m1860:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2424:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2060:C:\Windows\SysWOW64\actxprxy.exe -sC:\Windows\system32 -m2888:C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.exe -sC:\Windows\system32 -m592:C:\Windows\SysWOW64\bitsprx2.exe -sC:\Windows\system32 -m2628:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1492:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m3056:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1788:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m2620:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1092:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1268:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-2-0.exe -sC:\Windows\system32 -m1040:C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.exe -sC:\Windows\system32 -m2708:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m808:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2092:C:\Windows\SysWOW64\apds.exe -sC:\Windows\system32 -m1924:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m688:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32 -m1748:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2336:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:2484
        
        C:\Windows\SysWOW64\netsh.exe
        
        C:\Windows\system32\netsh.exe firewall add allowedprogram "C:\Windows\SysWOW64\accessibilitycpl.exe" enable
        83⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Windows\SysWOW64\accessibilitycpl.exe
        
        C:\Windows\SysWOW64\accessibilitycpl.exe -m2016:C:\Users\Admin\AppData\Local\Temp\713184e197f15dc870a14c0249927eef_JaffaCakes118.exe -sC:\Windows\system32 -m2548:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe -sC:\Windows\system32 -m2896:C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.exe -sC:\Windows\system32 -m3068:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2076:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1912:C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.exe -sC:\Windows\system32 -m1048:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1828:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m2844:C:\Windows\SysWOW64\aecache.exe -sC:\Windows\system32 -m3024:C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe -sC:\Windows\system32 -m988:C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.exe -sC:\Windows\system32 -m2004:C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.exe -sC:\Windows\system32 -m1620:C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.exe -sC:\Windows\system32 -m2484:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2284:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\appmgmts.exe -sC:\Windows\system32 -m2268:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2720:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2240:C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.exe -sC:\Windows\system32 -m1072:C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.exe -sC:\Windows\system32 -m2028:C:\Windows\SysWOW64\activeds.exe -sC:\Windows\system32 -m1232:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1264:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m1148:C:\Windows\SysWOW64\amxread.exe -sC:\Windows\system32 -m2852:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1956:C:\Windows\SysWOW64\atl110.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2272:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32 -m2448:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1692:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m1628:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m2236:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2776:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m2432:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m2724:C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.exe -sC:\Windows\system32 -m2220:C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.exe -sC:\Windows\system32 -m2088:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1972:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m2596:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2856:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2952:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m3000:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m840:C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.exe -sC:\Windows\system32 -m2476:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1816:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m1372:C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.exe -sC:\Windows\system32 -m888:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2416:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2772:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -m2816:C:\Windows\SysWOW64\adsnt.exe -sC:\Windows\system32 -m2728:C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe -sC:\Windows\system32 -m2032:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m1712:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m2624:C:\Windows\SysWOW64\AuthFWGP.exe -sC:\Windows\system32 -m1812:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m2012:C:\Windows\SysWOW64\AdmTmpl.exe -sC:\Windows\system32 -m1640:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m2312:C:\Windows\SysWOW64\apircl.exe -sC:\Windows\system32 -m2492:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m1792:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1524:C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.exe -sC:\Windows\system32 -m812:C:\Windows\SysWOW64\adsldpc.exe -sC:\Windows\system32 -m1860:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m2424:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m2060:C:\Windows\SysWOW64\actxprxy.exe -sC:\Windows\system32 -m2888:C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.exe -sC:\Windows\system32 -m592:C:\Windows\SysWOW64\bitsprx2.exe -sC:\Windows\system32 -m2628:C:\Windows\SysWOW64\adtschema.exe -sC:\Windows\system32 -m1492:C:\Windows\SysWOW64\ActionCenter.exe -sC:\Windows\system32 -m3056:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1788:C:\Windows\SysWOW64\aaclient.exe -sC:\Windows\system32 -m2620:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m1092:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1268:C:\Windows\SysWOW64\api-ms-win-core-localization-l1-2-0.exe -sC:\Windows\system32 -m1040:C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.exe -sC:\Windows\system32 -m2708:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m808:C:\Windows\SysWOW64\AltTab.exe -sC:\Windows\system32 -m2092:C:\Windows\SysWOW64\apds.exe -sC:\Windows\system32 -m1924:C:\Windows\SysWOW64\advpack.exe -sC:\Windows\system32 -m688:C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.exe -sC:\Windows\system32 -m1748:C:\Windows\SysWOW64\ACCTRES.exe -sC:\Windows\system32 -w2336
        83⤵
        
        PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.exe

Filesize
287KB

MD5
713184e197f15dc870a14c0249927eef

SHA1
4404b5c7c874aee4edf63974181c3da8cfbce49e

SHA256
575954abfded7c11d6b368d0f09f7c14af898cf93f62739444d2781bfa23d3dd

SHA512
7be56402974eb95979f50c9ae4a804c3a3d409397b0743de0fb986d05df594d895be80d7cd3435424751c017e659c95db00cecb4e76b46d008efe02655bdf0ec

Download Submit
memory/988-130-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/988-116-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1048-84-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1072-214-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1072-223-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1072-222-0x0000000003560000-0x0000000003648000-memory.dmp

Filesize
928KB

Download
memory/1148-247-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1148-256-0x0000000003590000-0x0000000003678000-memory.dmp

Filesize
928KB

Download
memory/1148-258-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1232-241-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1232-239-0x0000000003540000-0x0000000003628000-memory.dmp

Filesize
928KB

Download
memory/1232-231-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1264-250-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1264-240-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1620-152-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1628-317-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1628-306-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1692-309-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1692-305-0x00000000033F0000-0x00000000034D8000-memory.dmp

Filesize
928KB

Download
memory/1764-282-0x0000000003410000-0x00000000034F8000-memory.dmp

Filesize
928KB

Download
memory/1764-285-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1764-275-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1828-95-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1828-82-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1912-72-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1956-265-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1956-276-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1956-274-0x0000000003510000-0x00000000035F8000-memory.dmp

Filesize
928KB

Download
memory/2004-128-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2004-141-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2016-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2016-16-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2016-11-0x00000000033B0000-0x0000000003498000-memory.dmp

Filesize
928KB

Download
memory/2016-5-0x00000000033B0000-0x0000000003498000-memory.dmp

Filesize
928KB

Download
memory/2016-1-0x000000000049A000-0x00000000004E1000-memory.dmp

Filesize
284KB

Download
memory/2028-230-0x0000000003550000-0x0000000003638000-memory.dmp

Filesize
928KB

Download
memory/2028-232-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2076-61-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2088-356-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2088-366-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2220-358-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2236-324-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2240-213-0x00000000033E0000-0x00000000034C8000-memory.dmp

Filesize
928KB

Download
memory/2240-215-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2268-198-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2268-195-0x0000000003440000-0x0000000003528000-memory.dmp

Filesize
928KB

Download
memory/2268-197-0x0000000003440000-0x0000000003528000-memory.dmp

Filesize
928KB

Download
memory/2272-293-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2272-283-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2284-175-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2352-185-0x0000000003460000-0x0000000003548000-memory.dmp

Filesize
928KB

Download
memory/2352-189-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2432-331-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2432-342-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2448-291-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2448-308-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2484-164-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2484-161-0x0000000003570000-0x0000000003658000-memory.dmp

Filesize
928KB

Download
memory/2548-12-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2548-26-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2720-206-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2720-204-0x0000000003420000-0x0000000003508000-memory.dmp

Filesize
928KB

Download
memory/2724-349-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2776-333-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2844-106-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2852-264-0x0000000003570000-0x0000000003658000-memory.dmp

Filesize
928KB

Download
memory/2852-267-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2852-257-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2896-35-0x0000000003400000-0x00000000034E8000-memory.dmp

Filesize
928KB

Download
memory/2896-38-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2896-24-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/3024-118-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/3068-50-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download