Analysis
max time kernel: 51s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-08-2024 20:56
Static task: static1
Behavioral task: behavioral1
Sample: c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
Resource: win7-20240708-en
General
Target: c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
Size: 281KB
MD5: c7a30945ff76cf5e44be926589ad132a
SHA1: 370fe0640a5ad3fbd6d43a191a54c5b216e26f85
SHA256: 9061caadfa15767ca0cd66ce193a074f003948acc0502400ce75c73086c2f49a
SHA512: 0103b151860ac485da1d07439afefe3062fc9b8ca58111817fe584340adbe73bcfae648125719bc729586c19b9df0390738e600594b389f5971b9625913befb8
SSDEEP: 6144:93oZd7FqsBHxguKD/EczgmtRNuB2kZhYOvx7Lcr8+hE:93oZLqMHxw/1gmtnucaYcdwh
Malware Config
Extracted
formbook
3.9
kg50
Signatures
Formbook payload 4 IoCs
resource | yara_rule
behavioral2/memory/868-7-0x0000000000400000-0x000000000042A000-memory.dmp | formbook
behavioral2/memory/868-11-0x0000000000400000-0x000000000042A000-memory.dmp | formbook
behavioral2/memory/3512-72-0x0000000000400000-0x000000000042A000-memory.dmp | formbook
behavioral2/memory/868-79-0x0000000000400000-0x000000000042A000-memory.dmp | formbook
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
Suspicious use of SetThreadContext 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
pid | pid_target | Process | procid_target
4620 | 6448 | WerFault.exe | 821
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cscript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wscript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmmon32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | control.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msdt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | raserver.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mstsc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Enumerates system info in registry 2 TTPs 4 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | chkdsk.exe
Gathers network information 2 TTPs 25 IoCs
Uses commandline utility to view network configuration.
pid | Process
7520 | Process not Found
5592 | ipconfig.exe
1756 | ipconfig.exe
6820 | NETSTAT.EXE
5964 | NETSTAT.EXE
7732 | Process not Found
6824 | Process not Found
2584 | Process not Found
2596 | Process not Found
856 | ipconfig.exe
5344 | NETSTAT.EXE
388 | ipconfig.exe
5500 | ipconfig.exe
8068 | NETSTAT.EXE
8060 | NETSTAT.EXE
5424 | ipconfig.exe
1264 | NETSTAT.EXE
5508 | ipconfig.exe
2472 | ipconfig.exe
3976 | NETSTAT.EXE
6692 | ipconfig.exe
8184 | Process not Found
3356 | NETSTAT.EXE
3504 | ipconfig.exe
3748 | ipconfig.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1860 | c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe
Suspicious behavior: MapViewOfSection 64 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3476 -
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"2⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵PID:2384
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵PID:4588
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵PID:3284
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:868 -
C:\Windows\SysWOW64\svchost.exe"C:\Windows\SysWOW64\svchost.exe"4⤵PID:2104
-
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"3⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4380 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:812
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"4⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4560 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵PID:1608
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3512
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4420 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3456
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"6⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1476 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"7⤵PID:3320
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"7⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1168
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"7⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"8⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:936
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"8⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4260 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"9⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3188
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"9⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:912 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"10⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2616
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"10⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3164 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"11⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4608
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"11⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1812 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"12⤵PID:5100
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"12⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1832
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"12⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:816 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"13⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2444
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"13⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4796 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"14⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4336
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"14⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2040 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"15⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2300
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"15⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3668 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"16⤵PID:3728
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"16⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3020
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"16⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2744 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"17⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4040
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"17⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2452 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"18⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2796 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\SysWOW64\cmd.exe"19⤵PID:1436
-
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"18⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1272 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"19⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:3792
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"19⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:368 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"20⤵PID:676
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"20⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1948
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"20⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2436 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"21⤵
- Suspicious use of SetThreadContext
PID:4504
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"21⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3380 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"22⤵PID:1648
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"22⤵PID:4528
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"22⤵PID:5008
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"22⤵
- Suspicious use of SetThreadContext
PID:3140
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"22⤵
- Suspicious use of SetThreadContext
PID:3164 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"23⤵PID:3464
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"23⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4352
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"23⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:3632 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"24⤵PID:4828
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"24⤵PID:4908
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"24⤵PID:5072
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"24⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2488
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"24⤵
- Suspicious use of SetThreadContext
PID:224 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"25⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4008 -
C:\Windows\SysWOW64\control.exe"C:\Windows\SysWOW64\control.exe"26⤵PID:3912
-
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"25⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:4700 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"26⤵
- Suspicious use of SetThreadContext
PID:4708
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"26⤵
- Suspicious use of SetThreadContext
PID:1552 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"27⤵
- Suspicious use of SetThreadContext
PID:3320
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"27⤵
- Suspicious use of SetThreadContext
PID:860 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"28⤵
- Suspicious use of SetThreadContext
PID:4612
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"28⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5056 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"29⤵
- Suspicious use of SetThreadContext
PID:3932
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"29⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:2816 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"30⤵
- Suspicious use of SetThreadContext
PID:1088
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"30⤵
- Suspicious use of SetThreadContext
PID:1648 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"31⤵PID:3108
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"31⤵
- Suspicious use of SetThreadContext
PID:1616
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"31⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:3328 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"32⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3752
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"32⤵
- Checks computer location settings
PID:4908 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"33⤵PID:1728
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"33⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4712 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"34⤵PID:2012
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"34⤵PID:4808
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"35⤵PID:2476
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"35⤵PID:3716
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"35⤵
- Checks computer location settings
PID:1924 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"36⤵PID:2496
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"36⤵
- System Location Discovery: System Language Discovery
PID:4584
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"36⤵PID:2652
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"37⤵PID:1868
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"37⤵
- System Location Discovery: System Language Discovery
PID:1492
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"37⤵
- System Location Discovery: System Language Discovery
PID:4124 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"38⤵PID:4016
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"38⤵PID:3968
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\SysWOW64\svchost.exe"39⤵PID:3556
-
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"38⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1756 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"39⤵PID:3228
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"39⤵PID:3772
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"40⤵PID:4812
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"40⤵PID:3524
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"40⤵PID:2384
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"41⤵PID:408
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"41⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4380 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"42⤵PID:5072
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"42⤵
- Checks computer location settings
PID:2264 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"43⤵PID:1772
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"44⤵PID:5416
-
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"43⤵
- Checks computer location settings
PID:4004 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"44⤵PID:3548
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"44⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2572 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"45⤵PID:3628
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"45⤵
- Checks computer location settings
PID:4124 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"46⤵PID:4488
-
C:\Windows\SysWOW64\systray.exe"C:\Windows\SysWOW64\systray.exe"47⤵PID:5864
-
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"46⤵PID:2960
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"47⤵PID:4848
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"47⤵
- System Location Discovery: System Language Discovery
PID:3672
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"47⤵
- Checks computer location settings
PID:8 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"48⤵
- System Location Discovery: System Language Discovery
PID:3460
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"48⤵
- Checks computer location settings
PID:4988 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"49⤵PID:2356
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"49⤵
- Checks computer location settings
PID:4416 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"50⤵PID:4796
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"50⤵PID:1684
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"50⤵
- Checks computer location settings
PID:3848 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"51⤵PID:4772
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"51⤵
- Checks computer location settings
PID:4812 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"52⤵PID:1048
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"52⤵
- Checks computer location settings
PID:816 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"53⤵PID:4876
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"53⤵PID:3204
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"53⤵PID:3948
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"53⤵
- Checks computer location settings
PID:4816 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"54⤵PID:4984
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"54⤵
- Checks computer location settings
PID:4260 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"55⤵
- System Location Discovery: System Language Discovery
PID:4408
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"55⤵
- Checks computer location settings
PID:3564 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"56⤵PID:1272
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"56⤵PID:1068
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"57⤵PID:3744
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"57⤵PID:4724
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"57⤵PID:2724
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"58⤵
- System Location Discovery: System Language Discovery
PID:2816
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"58⤵
- Checks computer location settings
PID:3696 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"59⤵PID:2040
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"59⤵PID:1052
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"60⤵
- System Location Discovery: System Language Discovery
PID:2976
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"60⤵PID:3088
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"61⤵PID:220
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"61⤵PID:4492
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"62⤵PID:5076
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"62⤵PID:2724
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"63⤵PID:3104
-
C:\Windows\SysWOW64\help.exe"C:\Windows\SysWOW64\help.exe"64⤵PID:5744
-
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"63⤵
- Checks computer location settings
PID:4588 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"64⤵PID:4260
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"64⤵
- Checks computer location settings
PID:3464 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"65⤵PID:4124
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"65⤵PID:1680
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"65⤵
- Checks computer location settings
PID:1184 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"66⤵PID:4964
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"66⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4992 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"67⤵PID:3632
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"67⤵PID:5112
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"67⤵
- System Location Discovery: System Language Discovery
PID:2688 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"68⤵PID:2724
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"68⤵
- Checks computer location settings
PID:5088 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"69⤵PID:1184
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"69⤵
- Checks computer location settings
PID:3980 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"70⤵PID:4124
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"70⤵
- Checks computer location settings
PID:5184 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"71⤵PID:5220
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"71⤵PID:5300
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"72⤵PID:5376
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"72⤵PID:5612
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"73⤵PID:5672
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"73⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5736 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"74⤵PID:5804
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"74⤵
- Checks computer location settings
PID:5904 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"75⤵PID:5952
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"75⤵PID:6028
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"76⤵
- System Location Discovery: System Language Discovery
PID:6080
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"76⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2472 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"77⤵PID:2132
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"77⤵
- System Location Discovery: System Language Discovery
PID:5056 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"78⤵PID:5244
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"78⤵PID:5456
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"79⤵PID:5168
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"79⤵PID:5176
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"79⤵PID:3980
-
C:\Windows\SysWOW64\WWAHost.exe"C:\Windows\SysWOW64\WWAHost.exe"80⤵PID:5984
-
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"79⤵
- Checks computer location settings
PID:2508 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"80⤵
- System Location Discovery: System Language Discovery
PID:5560
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"80⤵PID:5520
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"81⤵PID:5780
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"81⤵PID:5788
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"81⤵PID:5836
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"82⤵PID:5712
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"82⤵
- Checks computer location settings
PID:6104 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"83⤵
- System Location Discovery: System Language Discovery
PID:5872
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"83⤵
- Checks computer location settings
PID:5920 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"84⤵PID:6128
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"85⤵PID:5100
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe"85⤵
- System Location Discovery: System Language Discovery
PID:5128
-
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"84⤵
- System Location Discovery: System Language Discovery
PID:2052 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"85⤵
- System Location Discovery: System Language Discovery
PID:6032
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"85⤵
- System Location Discovery: System Language Discovery
PID:2192 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"86⤵PID:5152
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"86⤵
- System Location Discovery: System Language Discovery
PID:5536 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"87⤵PID:5180
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"87⤵PID:2536
-
C:\Windows\SysWOW64\wscript.exe"C:\Windows\SysWOW64\wscript.exe"88⤵
- System Location Discovery: System Language Discovery
PID:5568
-
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"87⤵PID:1808
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"88⤵PID:5204
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"88⤵PID:5812
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"88⤵PID:5824
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"88⤵PID:3420
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"88⤵
- System Location Discovery: System Language Discovery
PID:5356 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"89⤵PID:5612
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"89⤵PID:6084
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"90⤵PID:5764
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"90⤵
- Checks computer location settings
PID:5900 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"91⤵PID:6068
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"91⤵
- Checks computer location settings
PID:3544 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"92⤵PID:5528
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"92⤵
- Checks computer location settings
PID:2384 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"93⤵PID:1652
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"93⤵PID:5948
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"93⤵PID:5380
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"94⤵PID:5200
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"94⤵
- System Location Discovery: System Language Discovery
PID:5444 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"95⤵PID:5332
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"95⤵
- System Location Discovery: System Language Discovery
PID:5316 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"96⤵PID:5676
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"96⤵PID:5532
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"97⤵
- System Location Discovery: System Language Discovery
PID:5420
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"97⤵PID:6112
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"98⤵PID:5324
-
C:\Windows\SysWOW64\colorcpl.exe"C:\Windows\SysWOW64\colorcpl.exe"99⤵PID:1868
-
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"98⤵PID:6040
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"99⤵
- System Location Discovery: System Language Discovery
PID:3348
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"99⤵
- System Location Discovery: System Language Discovery
PID:412 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"100⤵PID:5892
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"100⤵
- System Location Discovery: System Language Discovery
PID:4320 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"101⤵PID:5944
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"101⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1868 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"102⤵PID:5428
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"102⤵PID:5056
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"103⤵PID:2192
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"103⤵
- Checks computer location settings
PID:3696 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"104⤵PID:5524
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"104⤵
- System Location Discovery: System Language Discovery
PID:5976 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"105⤵PID:5832
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"105⤵PID:6108
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"105⤵PID:3284
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"105⤵
- Checks computer location settings
PID:5356 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"106⤵
- System Location Discovery: System Language Discovery
PID:5960
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"106⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4588 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"107⤵PID:2128
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"107⤵PID:6084
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"108⤵PID:5472
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"108⤵
- System Location Discovery: System Language Discovery
PID:1620
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"108⤵
- Checks computer location settings
PID:6072 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"109⤵PID:1000
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"109⤵PID:5316
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"110⤵PID:5168
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"110⤵PID:6108
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"111⤵PID:5824
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"111⤵PID:2384
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"112⤵PID:6116
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"112⤵PID:3600
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"112⤵PID:5248
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"112⤵
- Checks computer location settings
PID:5144 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"113⤵PID:1460
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"113⤵
- Checks computer location settings
PID:1652 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"114⤵PID:6084
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"114⤵
- Checks computer location settings
PID:6060 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"115⤵PID:5732
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"115⤵
- System Location Discovery: System Language Discovery
PID:5792
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"115⤵
- Checks computer location settings
PID:5620 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"116⤵PID:5276
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"116⤵PID:5888
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"117⤵PID:3600
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"117⤵
- System Location Discovery: System Language Discovery
PID:5228 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"118⤵PID:5340
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"118⤵
- Checks computer location settings
PID:5784 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"119⤵PID:412
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"119⤵PID:5732
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"119⤵
- Checks computer location settings
PID:5552 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"120⤵PID:4104
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"120⤵PID:5920
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"121⤵PID:5916
-
-
C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c7a30945ff76cf5e44be926589ad132a_JaffaCakes118.exe"121⤵
- Checks computer location settings
PID:5596 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"122⤵PID:5668
-
-