7a2f7898f910e72521527d72427811121636b39489460b804ba98482285616c6

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26/07/2024, 10:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Size

296KB
MD5

73a4d636f46c641953400900d87f4202
SHA1

861c5d24fb226e47a8deda06c88efffa4e0f1d5c
SHA256

7a2f7898f910e72521527d72427811121636b39489460b804ba98482285616c6
SHA512

ece1fbbb447eccf15c047745ff219f44690bd5aede606553d13e4f5a61c352da91bdb60ca3c4c0df968519666f3b05bafefca264f15776b6cd11ef87bf468685
SSDEEP

1536:Aai15jKVEpITjFKj/xRJGthFbW5Mssb4yehPy5/XGa:Aai1ZKVEW8j/DohJWEb4yeBSvG

Score

5^/10

discovery

Malware Config

Signatures

Suspicious use of SetThreadContext 40 IoCs

description	pid	Process	procid_target
PID 2184 set thread context of 1060	2184	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	92
PID 1060 set thread context of 3280	1060	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	94
PID 3280 set thread context of 1768	3280	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	95
PID 1768 set thread context of 2352	1768	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	98
PID 2352 set thread context of 988	2352	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	99
PID 988 set thread context of 2500	988	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	100
PID 2500 set thread context of 2172	2500	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	101
PID 2172 set thread context of 3452	2172	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	103
PID 3452 set thread context of 1188	3452	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	104
PID 1188 set thread context of 1064	1188	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	105
PID 1064 set thread context of 4320	1064	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	108
PID 4320 set thread context of 2780	4320	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	109
PID 2780 set thread context of 5000	2780	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	110
PID 5000 set thread context of 4292	5000	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	111
PID 4292 set thread context of 4472	4292	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	112
PID 4472 set thread context of 5092	4472	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	113
PID 5092 set thread context of 4168	5092	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	114
PID 4168 set thread context of 5108	4168	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	115
PID 5108 set thread context of 3904	5108	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	116
PID 3904 set thread context of 4924	3904	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	118
PID 4924 set thread context of 4448	4924	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	119
PID 4448 set thread context of 2092	4448	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	120
PID 2092 set thread context of 892	2092	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	121
PID 892 set thread context of 3520	892	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	122
PID 3520 set thread context of 3988	3520	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	125
PID 3988 set thread context of 2280	3988	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	130
PID 2280 set thread context of 3164	2280	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	133
PID 3164 set thread context of 4424	3164	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	134
PID 4424 set thread context of 4716	4424	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	135
PID 4716 set thread context of 4800	4716	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	136
PID 4800 set thread context of 1836	4800	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	137
PID 1836 set thread context of 4496	1836	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	138
PID 4496 set thread context of 2964	4496	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	139
PID 2964 set thread context of 4364	2964	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	140
PID 4364 set thread context of 4692	4364	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	144
PID 4692 set thread context of 2132	4692	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	145
PID 2132 set thread context of 3640	2132	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	146
PID 3640 set thread context of 1360	3640	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	147
PID 1360 set thread context of 4856	1360	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	148
PID 4856 set thread context of 3472	4856	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	149

System Location Discovery: System Language Discovery 1 TTPs 40 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 1060	2184	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	92
PID 2184 wrote to memory of 1060	2184	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	92
PID 2184 wrote to memory of 1060	2184	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	92
PID 2184 wrote to memory of 1060	2184	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	92
PID 2184 wrote to memory of 1060	2184	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	92
PID 2184 wrote to memory of 1060	2184	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	92
PID 2184 wrote to memory of 1060	2184	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	92
PID 2184 wrote to memory of 1060	2184	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	92
PID 2184 wrote to memory of 1060	2184	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	92
PID 2184 wrote to memory of 1060	2184	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	92
PID 2184 wrote to memory of 1060	2184	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	92
PID 2184 wrote to memory of 1060	2184	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	92
PID 2184 wrote to memory of 1060	2184	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	92
PID 1060 wrote to memory of 3280	1060	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	94
PID 1060 wrote to memory of 3280	1060	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	94
PID 1060 wrote to memory of 3280	1060	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	94
PID 1060 wrote to memory of 3280	1060	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	94
PID 1060 wrote to memory of 3280	1060	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	94
PID 1060 wrote to memory of 3280	1060	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	94
PID 1060 wrote to memory of 3280	1060	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	94
PID 1060 wrote to memory of 3280	1060	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	94
PID 1060 wrote to memory of 3280	1060	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	94
PID 1060 wrote to memory of 3280	1060	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	94
PID 1060 wrote to memory of 3280	1060	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	94
PID 1060 wrote to memory of 3280	1060	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	94
PID 1060 wrote to memory of 3280	1060	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	94
PID 3280 wrote to memory of 1768	3280	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	95
PID 3280 wrote to memory of 1768	3280	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	95
PID 3280 wrote to memory of 1768	3280	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	95
PID 3280 wrote to memory of 1768	3280	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	95
PID 3280 wrote to memory of 1768	3280	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	95
PID 3280 wrote to memory of 1768	3280	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	95
PID 3280 wrote to memory of 1768	3280	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	95
PID 3280 wrote to memory of 1768	3280	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	95
PID 3280 wrote to memory of 1768	3280	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	95
PID 3280 wrote to memory of 1768	3280	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	95
PID 3280 wrote to memory of 1768	3280	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	95
PID 3280 wrote to memory of 1768	3280	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	95
PID 3280 wrote to memory of 1768	3280	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	95
PID 1768 wrote to memory of 2352	1768	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	98
PID 1768 wrote to memory of 2352	1768	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	98
PID 1768 wrote to memory of 2352	1768	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	98
PID 1768 wrote to memory of 2352	1768	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	98
PID 1768 wrote to memory of 2352	1768	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	98
PID 1768 wrote to memory of 2352	1768	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	98
PID 1768 wrote to memory of 2352	1768	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	98
PID 1768 wrote to memory of 2352	1768	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	98
PID 1768 wrote to memory of 2352	1768	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	98
PID 1768 wrote to memory of 2352	1768	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	98
PID 1768 wrote to memory of 2352	1768	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	98
PID 1768 wrote to memory of 2352	1768	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	98
PID 1768 wrote to memory of 2352	1768	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	98
PID 2352 wrote to memory of 988	2352	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	99
PID 2352 wrote to memory of 988	2352	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	99
PID 2352 wrote to memory of 988	2352	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	99
PID 2352 wrote to memory of 988	2352	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	99
PID 2352 wrote to memory of 988	2352	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	99
PID 2352 wrote to memory of 988	2352	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	99
PID 2352 wrote to memory of 988	2352	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	99
PID 2352 wrote to memory of 988	2352	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	99
PID 2352 wrote to memory of 988	2352	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	99
PID 2352 wrote to memory of 988	2352	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	99
PID 2352 wrote to memory of 988	2352	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	99
PID 2352 wrote to memory of 988	2352	73a4d636f46c641953400900d87f4202_JaffaCakes118.exe	99

C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1060
- - C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3280
  - - C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1768
    - - C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2352
      - C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        6⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        7⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        8⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        9⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        10⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        11⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        12⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        13⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        14⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        15⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        16⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        17⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        18⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        19⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        20⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        21⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        22⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        23⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        24⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        25⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        26⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        27⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        28⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        29⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        30⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        31⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        32⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        33⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        34⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        35⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        36⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        37⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        38⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        39⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        40⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\73a4d636f46c641953400900d87f4202_JaffaCakes118.exe"
        41⤵
        
        PID:3472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1060-5-0x0000000012300000-0x000000001232C000-memory.dmp

Filesize
176KB

Download
memory/1060-7-0x0000000012300000-0x000000001232C000-memory.dmp

Filesize
176KB

Download
memory/1060-11-0x0000000012300000-0x000000001232C000-memory.dmp

Filesize
176KB

Download
memory/1060-10-0x0000000012300000-0x000000001232C000-memory.dmp

Filesize
176KB

Download
memory/1060-6-0x0000000012300000-0x000000001232C000-memory.dmp

Filesize
176KB

Download
memory/1060-0-0x0000000012300000-0x000000001232C000-memory.dmp

Filesize
176KB

Download
memory/1060-3-0x0000000012300000-0x000000001232C000-memory.dmp

Filesize
176KB

Download
memory/1060-1-0x0000000012300000-0x000000001232C000-memory.dmp

Filesize
176KB

Download
memory/1060-21-0x0000000012300000-0x000000001232C000-memory.dmp

Filesize
176KB

Download
memory/1768-47-0x0000000012300000-0x000000001232C000-memory.dmp

Filesize
176KB

Download
memory/2184-9-0x0000000012300000-0x000000001232C000-memory.dmp

Filesize
176KB

Download
memory/2352-60-0x0000000012300000-0x000000001232C000-memory.dmp

Filesize
176KB

Download
memory/3280-34-0x0000000012300000-0x000000001232C000-memory.dmp

Filesize
176KB

Download