7a2f7898f910e72521527d72427811121636b39489460b804ba98482285616c6

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
26/07/2024, 10:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Size

296KB
MD5

73a4d636f46c641953400900d87f4202
SHA1

861c5d24fb226e47a8deda06c88efffa4e0f1d5c
SHA256

7a2f7898f910e72521527d72427811121636b39489460b804ba98482285616c6
SHA512

ece1fbbb447eccf15c047745ff219f44690bd5aede606553d13e4f5a61c352da91bdb60ca3c4c0df968519666f3b05bafefca264f15776b6cd11ef87bf468685
SSDEEP

1536:Aai15jKVEpITjFKj/xRJGthFbW5Mssb4yehPy5/XGa:Aai1ZKVEW8j/DohJWEb4yeBSvG

Score

5^/10

discovery

Malware Config

Signatures

Suspicious use of SetThreadContext 27 IoCs

description	pid	Process	procid_target
PID 1716 set thread context of 2680	1716	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	31
PID 2680 set thread context of 2908	2680	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	32
PID 2908 set thread context of 3060	2908	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	33
PID 3060 set thread context of 1960	3060	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	34
PID 1960 set thread context of 1544	1960	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	35
PID 1544 set thread context of 2896	1544	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	36
PID 2896 set thread context of 876	2896	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	37
PID 876 set thread context of 2964	876	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	38
PID 2964 set thread context of 1280	2964	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	39
PID 1280 set thread context of 2460	1280	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	40
PID 2460 set thread context of 2656	2460	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	41
PID 2656 set thread context of 1572	2656	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	42
PID 1572 set thread context of 2392	1572	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	43
PID 2392 set thread context of 2824	2392	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	44
PID 2824 set thread context of 2448	2824	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	45
PID 2448 set thread context of 1896	2448	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	46
PID 1896 set thread context of 3028	1896	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	47
PID 3028 set thread context of 1616	3028	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	48
PID 1616 set thread context of 2688	1616	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	49
PID 2688 set thread context of 996	2688	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	50
PID 996 set thread context of 2768	996	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	51
PID 2768 set thread context of 1752	2768	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	52
PID 1752 set thread context of 964	1752	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	53
PID 964 set thread context of 2984	964	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	54
PID 2984 set thread context of 1636	2984	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	55
PID 1636 set thread context of 2528	1636	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	56
PID 2528 set thread context of 2372	2528	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	57

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 2680	1716	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	31
PID 1716 wrote to memory of 2680	1716	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	31
PID 1716 wrote to memory of 2680	1716	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	31
PID 1716 wrote to memory of 2680	1716	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	31
PID 1716 wrote to memory of 2680	1716	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	31
PID 1716 wrote to memory of 2680	1716	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	31
PID 1716 wrote to memory of 2680	1716	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	31
PID 1716 wrote to memory of 2680	1716	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	31
PID 1716 wrote to memory of 2680	1716	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	31
PID 1716 wrote to memory of 2680	1716	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	31
PID 1716 wrote to memory of 2680	1716	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	31
PID 1716 wrote to memory of 2680	1716	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	31
PID 2680 wrote to memory of 2908	2680	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	32
PID 2680 wrote to memory of 2908	2680	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	32
PID 2680 wrote to memory of 2908	2680	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	32
PID 2680 wrote to memory of 2908	2680	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	32
PID 2680 wrote to memory of 2908	2680	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	32
PID 2680 wrote to memory of 2908	2680	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	32
PID 2680 wrote to memory of 2908	2680	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	32
PID 2680 wrote to memory of 2908	2680	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	32
PID 2680 wrote to memory of 2908	2680	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	32
PID 2680 wrote to memory of 2908	2680	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	32
PID 2680 wrote to memory of 2908	2680	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	32
PID 2680 wrote to memory of 2908	2680	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	32
PID 2908 wrote to memory of 3060	2908	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	33
PID 2908 wrote to memory of 3060	2908	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	33
PID 2908 wrote to memory of 3060	2908	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	33
PID 2908 wrote to memory of 3060	2908	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	33
PID 2908 wrote to memory of 3060	2908	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	33
PID 2908 wrote to memory of 3060	2908	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	33
PID 2908 wrote to memory of 3060	2908	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	33
PID 2908 wrote to memory of 3060	2908	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	33
PID 2908 wrote to memory of 3060	2908	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	33
PID 2908 wrote to memory of 3060	2908	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	33
PID 2908 wrote to memory of 3060	2908	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	33
PID 2908 wrote to memory of 3060	2908	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	33
PID 3060 wrote to memory of 1960	3060	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	34
PID 3060 wrote to memory of 1960	3060	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	34
PID 3060 wrote to memory of 1960	3060	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	34
PID 3060 wrote to memory of 1960	3060	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	34
PID 3060 wrote to memory of 1960	3060	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	34
PID 3060 wrote to memory of 1960	3060	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	34
PID 3060 wrote to memory of 1960	3060	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	34
PID 3060 wrote to memory of 1960	3060	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	34
PID 3060 wrote to memory of 1960	3060	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	34
PID 3060 wrote to memory of 1960	3060	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	34
PID 3060 wrote to memory of 1960	3060	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	34
PID 3060 wrote to memory of 1960	3060	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	34
PID 1960 wrote to memory of 1544	1960	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	35
PID 1960 wrote to memory of 1544	1960	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	35
PID 1960 wrote to memory of 1544	1960	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	35
PID 1960 wrote to memory of 1544	1960	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	35
PID 1960 wrote to memory of 1544	1960	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	35
PID 1960 wrote to memory of 1544	1960	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	35
PID 1960 wrote to memory of 1544	1960	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	35
PID 1960 wrote to memory of 1544	1960	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	35
PID 1960 wrote to memory of 1544	1960	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	35
PID 1960 wrote to memory of 1544	1960	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	35
PID 1960 wrote to memory of 1544	1960	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	35
PID 1960 wrote to memory of 1544	1960	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	35
PID 1544 wrote to memory of 2896	1544	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	36
PID 1544 wrote to memory of 2896	1544	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	36
PID 1544 wrote to memory of 2896	1544	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	36
PID 1544 wrote to memory of 2896	1544	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	36

C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3060
    - - C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1960
      - C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        6⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        7⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        8⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        9⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        10⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        11⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        12⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        13⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        14⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        15⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        16⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        17⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        18⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        19⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        20⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        21⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        22⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        23⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        24⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        25⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        26⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        27⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        28⤵
        
        PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1716-25-0x0000000012300000-0x000000001232C000-memory.dmp

Filesize
176KB

Download
memory/1716-1-0x0000000012300000-0x000000001232C000-memory.dmp

Filesize
176KB

Download
memory/1716-0-0x0000000012300000-0x000000001232C000-memory.dmp

Filesize
176KB

Download
memory/2680-18-0x0000000012300000-0x000000001232C000-memory.dmp

Filesize
176KB

Download
memory/2680-27-0x0000000012300000-0x000000001232C000-memory.dmp

Filesize
176KB

Download
memory/2680-26-0x0000000012300000-0x000000001232C000-memory.dmp

Filesize
176KB

Download
memory/2680-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2680-21-0x0000000012300000-0x000000001232C000-memory.dmp

Filesize
176KB

Download
memory/2680-9-0x0000000012300000-0x000000001232C000-memory.dmp

Filesize
176KB

Download
memory/2680-15-0x0000000012300000-0x000000001232C000-memory.dmp

Filesize
176KB

Download
memory/2680-12-0x0000000012300000-0x000000001232C000-memory.dmp

Filesize
176KB

Download
memory/2680-6-0x0000000012300000-0x000000001232C000-memory.dmp

Filesize
176KB

Download
memory/2680-4-0x0000000012300000-0x000000001232C000-memory.dmp

Filesize
176KB

Download
memory/2680-2-0x0000000012300000-0x000000001232C000-memory.dmp

Filesize
176KB

Download
memory/2680-28-0x0000000012300000-0x000000001232C000-memory.dmp

Filesize
176KB

Download
memory/2680-52-0x0000000012300000-0x000000001232C000-memory.dmp

Filesize
176KB

Download