hawkeye_reborn | 088065e6c2fc3b413563bc44b0626a13ad9e32a330ae958dd24141862c3c90de

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28-08-2024 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Size

798KB
MD5

c7848797c3eb098eb5e6430baf4a26e1
SHA1

0c954e2e62839957e9746dae3438eb4aed1fe5b8
SHA256

088065e6c2fc3b413563bc44b0626a13ad9e32a330ae958dd24141862c3c90de
SHA512

7bc7071d52dd3ec1cfc9f5b4642110c8605f6eddbc22a669cc69ba33be86cf3ea991db231617f5fb3e23fd3cc3020cc01a1bb9becef49bc79dc028df7f9371de
SSDEEP

12288:t0fHs2Sdapyyfx+pO0XD8kx13h0eg6+4iXBj0cPjZgcaOJknl2:ZXapZJ+nXDN6er3MBj0cjk

Score

10^/10

hawkeye_reborn m00nd3v_logger collection credential_access discovery infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

10.1.2.2

Credentials

Protocol: smtp
Host:
mail.bigmanstan.com
Port:
587
Username:
[email protected]
Password:
khalifa@2020

Mutex

c4ceaee6-98e6-414f-92f0-272fe7bd057c

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:khalifa@2020 _EmailPort:587 _EmailSSL:false _EmailServer:mail.bigmanstan.com _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:false _LogInterval:10 _MeltFile:false _Mutex:c4ceaee6-98e6-414f-92f0-272fe7bd057c _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.2.2 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye Keylogger - RebornX, Version=10.1.2.2, Culture=neutral, PublicKeyToken=null

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

M00nD3v Logger payload 1 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

resource	yara_rule
behavioral2/memory/1928-4-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 64 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

Looks up external IP address via web service 25 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
81	bot.whatismyipaddress.com
25	bot.whatismyipaddress.com
60	bot.whatismyipaddress.com
68	bot.whatismyipaddress.com
69	bot.whatismyipaddress.com
73	bot.whatismyipaddress.com
77	bot.whatismyipaddress.com
65	bot.whatismyipaddress.com
75	bot.whatismyipaddress.com
46	bot.whatismyipaddress.com
61	bot.whatismyipaddress.com
84	bot.whatismyipaddress.com
74	bot.whatismyipaddress.com
79	bot.whatismyipaddress.com
80	bot.whatismyipaddress.com
82	bot.whatismyipaddress.com
62	bot.whatismyipaddress.com
83	bot.whatismyipaddress.com
85	bot.whatismyipaddress.com
30	bot.whatismyipaddress.com
31	bot.whatismyipaddress.com
32	bot.whatismyipaddress.com
37	bot.whatismyipaddress.com
78	bot.whatismyipaddress.com
76	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 2316 set thread context of 1928	2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	89
PID 2252 set thread context of 2768	2252	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	95
PID 3828 set thread context of 4744	3828	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	102
PID 2780 set thread context of 212	2780	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	110
PID 3644 set thread context of 1288	3644	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	115
PID 1344 set thread context of 4068	1344	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	122
PID 4880 set thread context of 4516	4880	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	127
PID 4816 set thread context of 1224	4816	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	132
PID 3772 set thread context of 3264	3772	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	139
PID 1136 set thread context of 3080	1136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	144
PID 2196 set thread context of 972	2196	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	151
PID 1036 set thread context of 4956	1036	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	156
PID 3216 set thread context of 4344	3216	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	161
PID 5112 set thread context of 1944	5112	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	166
PID 936 set thread context of 4292	936	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	171
PID 668 set thread context of 3216	668	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	176
PID 4528 set thread context of 4664	4528	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	181
PID 5236 set thread context of 5336	5236	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	188
PID 5472 set thread context of 5544	5472	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	193
PID 5680 set thread context of 5760	5680	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	199
PID 5896 set thread context of 5984	5896	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	206
PID 6120 set thread context of 1756	6120	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	212
PID 2316 set thread context of 1964	2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	217
PID 5244 set thread context of 5424	5244	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	222
PID 5616 set thread context of 1072	5616	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	228
PID 5848 set thread context of 6036	5848	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	233
PID 6140 set thread context of 5556	6140	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	240
PID 5492 set thread context of 384	5492	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	245
PID 6024 set thread context of 6052	6024	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	250
PID 6224 set thread context of 6300	6224	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	255
PID 6436 set thread context of 6508	6436	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	260
PID 6652 set thread context of 6972	6652	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	267
PID 7116 set thread context of 5476	7116	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	273
PID 5688 set thread context of 6100	5688	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	278
PID 6768 set thread context of 5460	6768	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	284
PID 7056 set thread context of 6388	7056	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	289
PID 6452 set thread context of 6572	6452	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	294
PID 6656 set thread context of 7072	6656	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	299
PID 6432 set thread context of 1016	6432	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	305
PID 2428 set thread context of 6192	2428	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	316
PID 6924 set thread context of 6228	6924	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	322
PID 1116 set thread context of 668	1116	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	327
PID 6368 set thread context of 5404	6368	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	332
PID 5096 set thread context of 2428	5096	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	337
PID 3840 set thread context of 6072	3840	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	342
PID 6336 set thread context of 6640	6336	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	347
PID 1596 set thread context of 3900	1596	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	353
PID 7208 set thread context of 7280	7208	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	358
PID 7444 set thread context of 7488	7444	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	363
PID 7628 set thread context of 7700	7628	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	368
PID 7856 set thread context of 7920	7856	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	374
PID 8060 set thread context of 8132	8060	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	379
PID 1116 set thread context of 7360	1116	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	385
PID 7468 set thread context of 7116	7468	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	390
PID 7212 set thread context of 7380	7212	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	395
PID 7588 set thread context of 8144	7588	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	401
PID 7076 set thread context of 3500	7076	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	406
PID 7288 set thread context of 1776	7288	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	412
PID 6632 set thread context of 5204	6632	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	417
PID 7396 set thread context of 8056	7396	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	423
PID 7568 set thread context of 6160	7568	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	428
PID 7076 set thread context of 1864	7076	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	433
PID 6368 set thread context of 3440	6368	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	439
PID 8008 set thread context of 7540	8008	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	445

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2252	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2252	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
3828	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2780	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2780	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
3644	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
1344	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
1344	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
4880	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
4816	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
3772	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
1136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2196	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2196	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2196	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
1036	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
3216	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
5112	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
936	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
668	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
4528	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
5236	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
5236	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
5236	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
5472	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
5680	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
5680	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
5896	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
5896	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
5896	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
6120	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
5244	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
5616	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
5616	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
5848	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
6140	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
6140	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
5492	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
6024	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
6224	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
6436	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
6652	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
7116	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
5688	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
6768	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
6768	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
7056	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
6452	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
6656	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
6432	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
6432	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2428	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2428	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
2428	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
6924	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
6924	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
1116	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
6368	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
5096	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
3840	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
6336	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
1596	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe

Suspicious behavior: SetClipboardViewer 64 IoCs

pid	Process
2768	RegAsm.exe
4744	RegAsm.exe
212	RegAsm.exe
1288	RegAsm.exe
4068	RegAsm.exe
4516	RegAsm.exe
1224	RegAsm.exe
3264	RegAsm.exe
3080	RegAsm.exe
972	RegAsm.exe
4956	RegAsm.exe
4344	RegAsm.exe
1944	RegAsm.exe
4292	RegAsm.exe
3216	RegAsm.exe
4664	RegAsm.exe
5336	RegAsm.exe
5544	RegAsm.exe
5760	RegAsm.exe
5984	RegAsm.exe
1756	RegAsm.exe
1964	RegAsm.exe
5424	RegAsm.exe
1072	RegAsm.exe
6036	RegAsm.exe
5556	RegAsm.exe
384	RegAsm.exe
6052	RegAsm.exe
6300	RegAsm.exe
6508	RegAsm.exe
6972	RegAsm.exe
5476	RegAsm.exe
6100	RegAsm.exe
5460	RegAsm.exe
6388	RegAsm.exe
6572	RegAsm.exe
7072	RegAsm.exe
1016	RegAsm.exe
6192	RegAsm.exe
6228	RegAsm.exe
668	RegAsm.exe
5404	RegAsm.exe
2428	RegAsm.exe
6072	RegAsm.exe
6640	RegAsm.exe
3900	RegAsm.exe
7280	RegAsm.exe
7488	RegAsm.exe
7700	RegAsm.exe
7920	RegAsm.exe
8132	RegAsm.exe
7360	RegAsm.exe
7116	RegAsm.exe
7380	RegAsm.exe
8144	RegAsm.exe
3500	RegAsm.exe
1776	RegAsm.exe
5204	RegAsm.exe
8056	RegAsm.exe
6160	RegAsm.exe
3440	RegAsm.exe
1864	RegAsm.exe
7540	RegAsm.exe
7224	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	2252	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	3828	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	2780	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	3644	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	1344	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	4880	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	4816	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	1928	RegAsm.exe
Token: SeDebugPrivilege	3772	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	2768	RegAsm.exe
Token: SeDebugPrivilege	1136	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	4744	RegAsm.exe
Token: SeDebugPrivilege	2196	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	212	RegAsm.exe
Token: SeDebugPrivilege	1036	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	1288	RegAsm.exe
Token: SeDebugPrivilege	3216	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	4068	RegAsm.exe
Token: SeDebugPrivilege	5112	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	4516	RegAsm.exe
Token: SeDebugPrivilege	936	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	1224	RegAsm.exe
Token: SeDebugPrivilege	668	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	3264	RegAsm.exe
Token: SeDebugPrivilege	4528	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	3080	RegAsm.exe
Token: SeDebugPrivilege	5236	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	972	RegAsm.exe
Token: SeDebugPrivilege	5472	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	4956	RegAsm.exe
Token: SeDebugPrivilege	5680	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	4344	RegAsm.exe
Token: SeDebugPrivilege	5896	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	1944	RegAsm.exe
Token: SeDebugPrivilege	6120	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	4292	RegAsm.exe
Token: SeDebugPrivilege	2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	3216	RegAsm.exe
Token: SeDebugPrivilege	5244	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	4664	RegAsm.exe
Token: SeDebugPrivilege	5616	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	5336	RegAsm.exe
Token: SeDebugPrivilege	5848	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	5544	RegAsm.exe
Token: SeDebugPrivilege	6140	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	5760	RegAsm.exe
Token: SeDebugPrivilege	5492	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	5984	RegAsm.exe
Token: SeDebugPrivilege	6024	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	1756	RegAsm.exe
Token: SeDebugPrivilege	6224	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	1964	RegAsm.exe
Token: SeDebugPrivilege	6436	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	5424	RegAsm.exe
Token: SeDebugPrivilege	6652	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	1072	RegAsm.exe
Token: SeDebugPrivilege	7116	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	6036	RegAsm.exe
Token: SeDebugPrivilege	5688	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	5556	RegAsm.exe
Token: SeDebugPrivilege	6768	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
Token: SeDebugPrivilege	384	RegAsm.exe
Token: SeDebugPrivilege	7056	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 1928	2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	89
PID 2316 wrote to memory of 1928	2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	89
PID 2316 wrote to memory of 1928	2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	89
PID 2316 wrote to memory of 1928	2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	89
PID 2316 wrote to memory of 3756	2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	90
PID 2316 wrote to memory of 3756	2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	90
PID 2316 wrote to memory of 3756	2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	90
PID 3756 wrote to memory of 972	3756	cmd.exe	92
PID 3756 wrote to memory of 972	3756	cmd.exe	92
PID 3756 wrote to memory of 972	3756	cmd.exe	92
PID 2316 wrote to memory of 2252	2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	93
PID 2316 wrote to memory of 2252	2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	93
PID 2316 wrote to memory of 2252	2316	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	93
PID 2252 wrote to memory of 4784	2252	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	94
PID 2252 wrote to memory of 4784	2252	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	94
PID 2252 wrote to memory of 4784	2252	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	94
PID 2252 wrote to memory of 2768	2252	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	95
PID 2252 wrote to memory of 2768	2252	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	95
PID 2252 wrote to memory of 2768	2252	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	95
PID 2252 wrote to memory of 2768	2252	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	95
PID 2252 wrote to memory of 1908	2252	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	96
PID 2252 wrote to memory of 1908	2252	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	96
PID 2252 wrote to memory of 1908	2252	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	96
PID 1908 wrote to memory of 3608	1908	cmd.exe	98
PID 1908 wrote to memory of 3608	1908	cmd.exe	98
PID 1908 wrote to memory of 3608	1908	cmd.exe	98
PID 2252 wrote to memory of 3828	2252	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	99
PID 2252 wrote to memory of 3828	2252	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	99
PID 2252 wrote to memory of 3828	2252	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	99
PID 3828 wrote to memory of 4744	3828	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	102
PID 3828 wrote to memory of 4744	3828	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	102
PID 3828 wrote to memory of 4744	3828	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	102
PID 3828 wrote to memory of 4744	3828	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	102
PID 3828 wrote to memory of 2364	3828	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	103
PID 3828 wrote to memory of 2364	3828	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	103
PID 3828 wrote to memory of 2364	3828	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	103
PID 3828 wrote to memory of 2780	3828	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	105
PID 3828 wrote to memory of 2780	3828	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	105
PID 3828 wrote to memory of 2780	3828	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	105
PID 2364 wrote to memory of 4904	2364	cmd.exe	106
PID 2364 wrote to memory of 4904	2364	cmd.exe	106
PID 2364 wrote to memory of 4904	2364	cmd.exe	106
PID 2780 wrote to memory of 5000	2780	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	109
PID 2780 wrote to memory of 5000	2780	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	109
PID 2780 wrote to memory of 5000	2780	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	109
PID 2780 wrote to memory of 212	2780	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	110
PID 2780 wrote to memory of 212	2780	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	110
PID 2780 wrote to memory of 212	2780	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	110
PID 2780 wrote to memory of 212	2780	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	110
PID 2780 wrote to memory of 3080	2780	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	111
PID 2780 wrote to memory of 3080	2780	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	111
PID 2780 wrote to memory of 3080	2780	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	111
PID 3080 wrote to memory of 1800	3080	cmd.exe	113
PID 3080 wrote to memory of 1800	3080	cmd.exe	113
PID 3080 wrote to memory of 1800	3080	cmd.exe	113
PID 2780 wrote to memory of 3644	2780	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	114
PID 2780 wrote to memory of 3644	2780	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	114
PID 2780 wrote to memory of 3644	2780	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	114
PID 3644 wrote to memory of 1288	3644	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	115
PID 3644 wrote to memory of 1288	3644	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	115
PID 3644 wrote to memory of 1288	3644	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	115
PID 3644 wrote to memory of 1288	3644	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	115
PID 3644 wrote to memory of 2196	3644	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	116
PID 3644 wrote to memory of 2196	3644	c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe	116

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  PID:1928
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3756
- - C:\Windows\SysWOW64\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:972
- C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4784
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious behavior: SetClipboardViewer
    - Suspicious use of AdjustPrivilegeToken
    PID:2768
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1908
  - - C:\Windows\SysWOW64\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      System Location Discovery: System Language Discovery
      PID:3608
- - C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3828
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Suspicious behavior: SetClipboardViewer
      Suspicious use of AdjustPrivilegeToken
      PID:4744
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2364
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:4904
  - - C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2780
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:5000
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:212
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3080
      - C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:1800
    - - C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        5⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3644
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:1288
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        6⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        7⤵
        
        PID:3612
      - C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        6⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1344
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:1172
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        Accesses Microsoft Outlook profiles
        System Location Discovery: System Language Discovery
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        7⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        8⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        7⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4880
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        8⤵
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        8⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        9⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        8⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4816
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        9⤵
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:1224
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4164
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        10⤵
        
        PID:3900
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        9⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:3772
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        10⤵
        Accesses Microsoft Outlook profiles
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:3264
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        10⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        11⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        10⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1136
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        11⤵
        Accesses Microsoft Outlook profiles
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:3080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        11⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        12⤵
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        11⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        12⤵
        
        PID:1344
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        12⤵
        
        PID:3504
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        12⤵
        Accesses Microsoft Outlook profiles
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        12⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        13⤵
        
        PID:384
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        12⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1036
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        13⤵
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        13⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        13⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:3216
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        14⤵
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        14⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        15⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        14⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:5112
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        15⤵
        Accesses Microsoft Outlook profiles
        System Location Discovery: System Language Discovery
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        15⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        15⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:936
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        16⤵
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:1036
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        17⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        16⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:668
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        17⤵
        Accesses Microsoft Outlook profiles
        System Location Discovery: System Language Discovery
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:3216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        17⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        18⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        17⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4528
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        18⤵
        Accesses Microsoft Outlook profiles
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        18⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        19⤵
        
        PID:5212
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        18⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:5236
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        19⤵
        
        PID:5320
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        19⤵
        
        PID:5328
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        19⤵
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:5336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        19⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        20⤵
        
        PID:5448
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        19⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:5472
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        20⤵
        Accesses Microsoft Outlook profiles
        System Location Discovery: System Language Discovery
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:5544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        20⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:5656
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        20⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:5680
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        21⤵
        
        PID:5752
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        21⤵
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:5760
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        21⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        22⤵
        
        PID:5880
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        21⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:5896
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        22⤵
        
        PID:5968
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        22⤵
        
        PID:5976
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        22⤵
        Accesses Microsoft Outlook profiles
        System Location Discovery: System Language Discovery
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:5984
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        22⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        23⤵
        
        PID:6096
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        22⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:6120
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        23⤵
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        23⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        24⤵
        
        PID:5460
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        23⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        24⤵
        Accesses Microsoft Outlook profiles
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        24⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        25⤵
        
        PID:5720
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        24⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:5244
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        25⤵
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:5424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        25⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        26⤵
        
        PID:5668
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        25⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:5616
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        26⤵
        
        PID:3052
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        26⤵
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        26⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        27⤵
        
        PID:5892
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        26⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:5848
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        27⤵
        Accesses Microsoft Outlook profiles
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:6036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        27⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        28⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        27⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:6140
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        28⤵
        
        PID:3120
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        28⤵
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:5556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        28⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        29⤵
        
        PID:5940
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        28⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:5492
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        29⤵
        Accesses Microsoft Outlook profiles
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:4092
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        30⤵
        
        PID:5776
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        29⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:6024
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        30⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:6052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        30⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        31⤵
        
        PID:6200
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        30⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:6224
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        31⤵
        Accesses Microsoft Outlook profiles
        System Location Discovery: System Language Discovery
        Suspicious behavior: SetClipboardViewer
        
        PID:6300
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        31⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:6412
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        31⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:6436
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        32⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:6508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        32⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        33⤵
        
        PID:6624
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        32⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:6652
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        33⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:6972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        33⤵
        
        PID:7040
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        34⤵
        
        PID:7088
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        33⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:7116
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        34⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: SetClipboardViewer
        
        PID:5476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        34⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        35⤵
        
        PID:5680
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        34⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:5688
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        35⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:6100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        35⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        36⤵
        
        PID:5156
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        35⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:6768
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        36⤵
        
        PID:1016
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        36⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: SetClipboardViewer
        
        PID:5460
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        36⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        37⤵
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        36⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:7056
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        37⤵
        Accesses Microsoft Outlook profiles
        Suspicious behavior: SetClipboardViewer
        
        PID:6388
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:3744
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        38⤵
        
        PID:5660
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        37⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:6452
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        38⤵
        Accesses Microsoft Outlook profiles
        Suspicious behavior: SetClipboardViewer
        
        PID:6572
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:1724
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        39⤵
        
        PID:7016
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        38⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:6656
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        39⤵
        Accesses Microsoft Outlook profiles
        System Location Discovery: System Language Discovery
        Suspicious behavior: SetClipboardViewer
        
        PID:7072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:7140
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        40⤵
        
        PID:7116
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        39⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:6432
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        40⤵
        
        PID:764
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        40⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        40⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        41⤵
        
        PID:6188
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        40⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:2428
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        41⤵
        
        PID:7016
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        41⤵
        
        PID:4916
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        41⤵
        Accesses Microsoft Outlook profiles
        Suspicious behavior: SetClipboardViewer
        
        PID:6192
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        41⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        42⤵
        
        PID:6968
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        41⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:6924
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        42⤵
        
        PID:6236
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        42⤵
        Accesses Microsoft Outlook profiles
        Suspicious behavior: SetClipboardViewer
        
        PID:6228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        42⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        43⤵
        
        PID:6756
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        42⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1116
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        43⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:6984
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        44⤵
        
        PID:7120
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        43⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:6368
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        44⤵
        Accesses Microsoft Outlook profiles
        Suspicious behavior: SetClipboardViewer
        
        PID:5404
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        44⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        45⤵
        
        PID:6180
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        44⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:5096
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        45⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        45⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        46⤵
        
        PID:5252
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        45⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:3840
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        46⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:6072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        46⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        47⤵
        
        PID:6932
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        46⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:6336
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        47⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:6640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        47⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        48⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        47⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:1596
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        48⤵
        
        PID:7016
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        48⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:3900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:6904
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        49⤵
        
        PID:7184
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        48⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        
        PID:7208
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        49⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:7280
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        49⤵
        
        PID:7348
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        50⤵
        
        PID:7392
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        49⤵
        Suspicious use of SetThreadContext
        
        PID:7444
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        50⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:7488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        50⤵
        
        PID:7560
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        51⤵
        
        PID:7604
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        50⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:7628
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        51⤵
        Accesses Microsoft Outlook profiles
        Suspicious behavior: SetClipboardViewer
        
        PID:7700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        51⤵
        
        PID:7768
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        52⤵
        
        PID:7812
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        51⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        
        PID:7856
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        52⤵
        
        PID:7912
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        52⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:7920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        52⤵
        
        PID:7988
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        53⤵
        
        PID:8036
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        52⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        
        PID:8060
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        53⤵
        Accesses Microsoft Outlook profiles
        Suspicious behavior: SetClipboardViewer
        
        PID:8132
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        53⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        54⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        53⤵
        Suspicious use of SetThreadContext
        
        PID:1116
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        54⤵
        
        PID:7232
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        54⤵
        Accesses Microsoft Outlook profiles
        Suspicious behavior: SetClipboardViewer
        
        PID:7360
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        54⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        55⤵
        
        PID:6700
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        54⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        
        PID:7468
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        55⤵
        Accesses Microsoft Outlook profiles
        Suspicious behavior: SetClipboardViewer
        
        PID:7116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        55⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        56⤵
        
        PID:7708
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        55⤵
        Suspicious use of SetThreadContext
        
        PID:7212
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        56⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:7380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        56⤵
        
        PID:7932
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        57⤵
        
        PID:8056
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        56⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        
        PID:7588
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        57⤵
        
        PID:8140
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        57⤵
        Accesses Microsoft Outlook profiles
        System Location Discovery: System Language Discovery
        Suspicious behavior: SetClipboardViewer
        
        PID:8144
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        57⤵
        
        PID:7824
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        58⤵
        
        PID:7776
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        57⤵
        Suspicious use of SetThreadContext
        
        PID:7076
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        58⤵
        Accesses Microsoft Outlook profiles
        Suspicious behavior: SetClipboardViewer
        
        PID:3500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        58⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        59⤵
        
        PID:5252
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        58⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        
        PID:7288
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        59⤵
        Accesses Microsoft Outlook profiles
        Suspicious behavior: SetClipboardViewer
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        59⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:6544
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        59⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:6632
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        60⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:5204
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        60⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        61⤵
        
        PID:7200
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        60⤵
        Suspicious use of SetThreadContext
        
        PID:7396
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        61⤵
        
        PID:2524
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        61⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:8056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:6880
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        62⤵
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        61⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:7568
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        62⤵
        Accesses Microsoft Outlook profiles
        Suspicious behavior: SetClipboardViewer
        
        PID:6160
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:7768
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        63⤵
        
        PID:7196
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        62⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        
        PID:7076
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        63⤵
        Accesses Microsoft Outlook profiles
        Suspicious behavior: SetClipboardViewer
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        63⤵
        
        PID:7536
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        64⤵
        System Location Discovery: System Language Discovery
        
        PID:8080
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        63⤵
        Suspicious use of SetThreadContext
        
        PID:6368
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        64⤵
        
        PID:8052
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        64⤵
        Accesses Microsoft Outlook profiles
        Suspicious behavior: SetClipboardViewer
        
        PID:3440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        64⤵
        
        PID:7592
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        65⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        64⤵
        Suspicious use of SetThreadContext
        
        PID:8008
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        65⤵
        
        PID:7404
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        65⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:7540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        65⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        66⤵
        
        PID:7712
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:7784
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        66⤵
        Accesses Microsoft Outlook profiles
        Suspicious behavior: SetClipboardViewer
        
        PID:7224
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        67⤵
        
        PID:7744
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        66⤵
        
        PID:7536
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        67⤵
        Accesses Microsoft Outlook profiles
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:3952
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        68⤵
        
        PID:6344
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        67⤵
        Checks computer location settings
        
        PID:5140
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        68⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:5288
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        69⤵
        
        PID:8196
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        68⤵
        Checks computer location settings
        
        PID:8236
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        69⤵
        
        PID:8280
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        69⤵
        Accesses Microsoft Outlook profiles
        System Location Discovery: System Language Discovery
        
        PID:8288
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        69⤵
        
        PID:8356
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:8420
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        69⤵
        
        PID:8452
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        70⤵
        Accesses Microsoft Outlook profiles
        
        PID:8496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        70⤵
        
        PID:8564
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:8644
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        70⤵
        Checks computer location settings
        
        PID:8680
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        71⤵
        Accesses Microsoft Outlook profiles
        
        PID:8708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:8808
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        72⤵
        
        PID:8856
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:8888
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        72⤵
        
        PID:8936
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        72⤵
        
        PID:8944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        72⤵
        
        PID:9032
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:9088
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        72⤵
        Checks computer location settings
        
        PID:9120
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        73⤵
        
        PID:9180
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        73⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        74⤵
        
        PID:7332
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        73⤵
        Checks computer location settings
        
        PID:8228
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        74⤵
        
        PID:6700
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        74⤵
        
        PID:1140
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:6948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        74⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        75⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        74⤵
        
        PID:5136
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        75⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        75⤵
        
        PID:8428
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        76⤵
        
        PID:8304
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        75⤵
        Checks computer location settings
        
        PID:8392
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        76⤵
        Accesses Microsoft Outlook profiles
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        76⤵
        
        PID:8540
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        77⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        76⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:8564
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        77⤵
        Accesses Microsoft Outlook profiles
        
        PID:8760
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        77⤵
        
        PID:8828
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        78⤵
        
        PID:9152
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        77⤵
        
        PID:7064
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        78⤵
        Accesses Microsoft Outlook profiles
        
        PID:8964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        78⤵
        
        PID:9048
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        79⤵
        
        PID:8664
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        78⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2988
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        79⤵
        
        PID:8552
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        79⤵
        Accesses Microsoft Outlook profiles
        
        PID:7712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        79⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        80⤵
        
        PID:5668
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        79⤵
        Checks computer location settings
        
        PID:9188
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        80⤵
        
        PID:5140
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        80⤵
        
        PID:8720
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        80⤵
        
        PID:8200
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        80⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:9020
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        80⤵
        
        PID:8372
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        81⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        81⤵
        
        PID:8836
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:8572
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        81⤵
        
        PID:3772
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        82⤵
        
        PID:6580
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        82⤵
        
        PID:8716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        82⤵
        
        PID:9064
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        83⤵
        
        PID:7448
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        82⤵
        Checks computer location settings
        
        PID:6196
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        83⤵
        
        PID:8628
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        83⤵
        Accesses Microsoft Outlook profiles
        System Location Discovery: System Language Discovery
        
        PID:8228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        83⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        84⤵
        
        PID:6852
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        83⤵
        Checks computer location settings
        
        PID:5560
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        84⤵
        Accesses Microsoft Outlook profiles
        
        PID:3140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:1240
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        85⤵
        
        PID:8688
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        84⤵
        Checks computer location settings
        
        PID:8904
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        85⤵
        Accesses Microsoft Outlook profiles
        
        PID:5372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        85⤵
        
        PID:8356
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        86⤵
        
        PID:8780
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        85⤵
        Checks computer location settings
        
        PID:2640
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        86⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        86⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        87⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        86⤵
        Checks computer location settings
        
        PID:8848
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        87⤵
        Accesses Microsoft Outlook profiles
        
        PID:8720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        87⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        88⤵
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        87⤵
        
        PID:6872
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        88⤵
        
        PID:8636
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        88⤵
        Accesses Microsoft Outlook profiles
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:7332
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        89⤵
        
        PID:9112
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        88⤵
        Checks computer location settings
        
        PID:8840
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        89⤵
        Accesses Microsoft Outlook profiles
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        89⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        90⤵
        
        PID:9032
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        89⤵
        Checks computer location settings
        
        PID:1268
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        90⤵
        Accesses Microsoft Outlook profiles
        
        PID:3856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        90⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        91⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:2748
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        91⤵
        Accesses Microsoft Outlook profiles
        
        PID:7772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        91⤵
        
        PID:7508
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        92⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        91⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:6524
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        92⤵
        Accesses Microsoft Outlook profiles
        System Location Discovery: System Language Discovery
        
        PID:7720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        92⤵
        
        PID:9248
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        93⤵
        
        PID:9300
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        92⤵
        Checks computer location settings
        
        PID:9324
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        93⤵
        
        PID:9400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        93⤵
        
        PID:9468
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        94⤵
        
        PID:9512
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        93⤵
        Checks computer location settings
        
        PID:9540
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        94⤵
        
        PID:9608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        94⤵
        
        PID:9680
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        95⤵
        
        PID:9724
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        94⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:9752
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        95⤵
        Accesses Microsoft Outlook profiles
        
        PID:9824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        95⤵
        
        PID:9892
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        96⤵
        
        PID:9936
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        95⤵
        Checks computer location settings
        
        PID:9960
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        96⤵
        
        PID:10036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        96⤵
        
        PID:10096
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        97⤵
        
        PID:10148
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        96⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:10172
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        97⤵
        
        PID:7256
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        97⤵
        
        PID:7784
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:7884
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        97⤵
        Checks computer location settings
        
        PID:4964
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        98⤵
        outlook_office_path
        outlook_win_path
        
        PID:7296
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        98⤵
        
        PID:9580
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        99⤵
        
        PID:9272
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        98⤵
        Checks computer location settings
        
        PID:9268
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        99⤵
        
        PID:9228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:9520
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        100⤵
        
        PID:9492
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        99⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:9440
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        100⤵
        
        PID:7888
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        100⤵
        
        PID:7364
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        100⤵
        
        PID:9552
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        101⤵
        
        PID:9708
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        100⤵
        Checks computer location settings
        
        PID:10224
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        101⤵
        
        PID:9896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        101⤵
        
        PID:9756
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        101⤵
        Checks computer location settings
        
        PID:5260
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        102⤵
        
        PID:10052
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        102⤵
        
        PID:10076
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        102⤵
        
        PID:10144
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        102⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:8636
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        102⤵
        Checks computer location settings
        
        PID:7788
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        103⤵
        
        PID:9420
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        103⤵
        
        PID:9236
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        103⤵
        
        PID:9292
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        104⤵
        
        PID:9308
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        103⤵
        Checks computer location settings
        
        PID:5560
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        104⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        104⤵
        
        PID:9904
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7848797c3eb098eb5e6430baf4a26e1_JaffaCakes118.exe"
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:8572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1928-7-0x0000000074D70000-0x0000000075520000-memory.dmp

Filesize
7.7MB

Download
memory/1928-17-0x0000000074D70000-0x0000000075520000-memory.dmp

Filesize
7.7MB

Download
memory/1928-23-0x00000000067B0000-0x00000000067BA000-memory.dmp

Filesize
40KB

Download
memory/1928-4-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1928-22-0x0000000005EE0000-0x0000000005F72000-memory.dmp

Filesize
584KB

Download
memory/1928-6-0x0000000002F60000-0x0000000002F66000-memory.dmp

Filesize
24KB

Download
memory/1928-21-0x0000000006900000-0x0000000006EA4000-memory.dmp

Filesize
5.6MB

Download
memory/1928-9-0x0000000074D70000-0x0000000075520000-memory.dmp

Filesize
7.7MB

Download
memory/1928-19-0x0000000005640000-0x00000000056A6000-memory.dmp

Filesize
408KB

Download
memory/1928-8-0x0000000009D50000-0x0000000009DEC000-memory.dmp

Filesize
624KB

Download
memory/2316-11-0x0000000074D70000-0x0000000075520000-memory.dmp

Filesize
7.7MB

Download
memory/2316-0-0x0000000074D7E000-0x0000000074D7F000-memory.dmp

Filesize
4KB

Download
memory/2316-1-0x0000000000100000-0x00000000001CE000-memory.dmp

Filesize
824KB

Download
memory/2316-5-0x0000000074D70000-0x0000000075520000-memory.dmp

Filesize
7.7MB

Download
memory/2316-2-0x0000000004AE0000-0x0000000004B78000-memory.dmp

Filesize
608KB

Download