d216eb5f22e4977d3fc4ae2af75ecace8b65e24a021b42ecfd59a3c7060eb3be

Analysis

max time kernel
17s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2024, 15:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
Size

1.4MB
MD5

0b707e8392d4ddf290d2d1ccce151d9e
SHA1

2df96a5b4634d323d9b89d8c873c144be3cdb3f0
SHA256

d216eb5f22e4977d3fc4ae2af75ecace8b65e24a021b42ecfd59a3c7060eb3be
SHA512

e187f7e6aadd7d74f4eec9a4a03d351479d0425aa40d3097b085ea6693894e32cc6e2ee215b67d9378247816888d92730a385213c3ddcba72d7c2788e0f37cbb
SSDEEP

24576:2Wdj/ehoxK9DyZvVBnqAo4awiNaJrTEtCxS3nwf/MgUqAh5bjmZ:zECcDyZvV4gaNQEnw3M8AvaZ

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File opened (read-only)	\??\J:	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File opened (read-only)	\??\L:	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File opened (read-only)	\??\R:	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File opened (read-only)	\??\S:	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File opened (read-only)	\??\X:	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File opened (read-only)	\??\K:	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File opened (read-only)	\??\O:	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File opened (read-only)	\??\T:	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File opened (read-only)	\??\V:	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File opened (read-only)	\??\Y:	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File opened (read-only)	\??\H:	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File opened (read-only)	\??\I:	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File opened (read-only)	\??\N:	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File opened (read-only)	\??\U:	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File opened (read-only)	\??\Z:	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File opened (read-only)	\??\A:	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File opened (read-only)	\??\B:	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File opened (read-only)	\??\G:	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File opened (read-only)	\??\M:	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File opened (read-only)	\??\P:	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File opened (read-only)	\??\Q:	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File opened (read-only)	\??\W:	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\IME\SHARED\fucking voyeur (Samantha).avi.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\tyrkish handjob fucking big leather .mpeg.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\Temp\horse licking penetration .rar.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\gay several models (Sylvia).avi.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\config\systemprofile\lingerie several models cock gorgeoushorny (Curtney).rar.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\lesbian big (Jade).mpeg.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\blowjob catfight bedroom .mpg.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\FxsTmp\american beastiality lingerie several models (Sarah).zip.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\sperm big (Tatjana).zip.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\config\systemprofile\danish action horse hidden .avi.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\FxsTmp\xxx [milf] glans wifey .avi.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\IME\SHARED\bukkake uncut fishy .mpeg.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\lesbian several models hole .zip.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\tyrkish animal trambling hot (!) ¼ë (Sandy,Liz).rar.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\trambling licking .mpeg.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\italian cumshot xxx sleeping (Melissa).avi.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\american fetish gay public (Jade).mpg.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\russian cumshot gay masturbation hole (Jenna,Sarah).rar.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\trambling lesbian titts granny .zip.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\Temp\porn blowjob girls feet castration (Janette).zip.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\bukkake hidden cock .avi.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Program Files\dotnet\shared\xxx hidden mature .mpeg.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\black beastiality lingerie full movie glans sweet .rar.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\hardcore lesbian (Curtney).mpeg.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\danish porn trambling public cock gorgeoushorny .mpg.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\asian bukkake licking feet .mpeg.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Google\Update\Download\black horse fucking big mistress .rar.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\sperm [milf] titts .mpeg.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Templates\gay hot (!) .rar.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\horse licking cock sm .avi.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\tmp\trambling several models femdom .avi.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\PLA\Templates\indian fetish trambling full movie (Samantha).zip.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_2fe79eae2833b9b1\kicking hardcore several models feet hairy (Curtney).rar.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_it-it_4c5922428a6f2d08\german fucking public hotel .zip.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_ef0e010d1381269b\british xxx big glans Ôï .rar.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_89c0bf1761110f07\action bukkake [milf] gorgeoushorny .mpeg.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\mssrv.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-composable-sharepicker_31bf3856ad364e35_10.0.19041.1_none_c87e96327faffd0e\beastiality horse public sm .rar.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_5d54c0aac5c3c12c\gang bang sperm masturbation traffic .avi.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.1_none_a7ad1894592cfa12\trambling big stockings .rar.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\swedish gang bang bukkake licking cock .mpg.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\indian cumshot hardcore masturbation (Samantha).zip.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\chinese blowjob [free] .rar.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_it-it_bdb6c49fcea35732\black nude lingerie [bangbus] (Tatjana).avi.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.1266_none_7916f7558927ae23\gang bang lesbian [free] .mpg.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_215194e2327a46ac\fucking catfight hole (Sonja,Samantha).mpeg.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.844_none_67b5915b5651dd8a\nude horse uncut titts .mpg.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_4c786ae2f508e6d5\african fucking hidden bedroom .zip.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.1_none_9aa486d790131d4e\norwegian gay lesbian titts ejaculation .zip.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\trambling hidden .rar.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_cb389cf57d74d691\indian fetish gay voyeur titts .zip.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.746_none_d01527cffa9c25bc\canadian beast hot (!) ash .mpeg.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.867_none_c29826784f9429f8\british trambling several models titts upskirt .avi.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_62312bfbb33d478a\danish nude horse masturbation titts leather .zip.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_b1ffa0e7b4ed03e2\italian beastiality gay [free] hole bondage (Curtney).mpeg.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_5abbd3c4a3f2014c\russian action xxx catfight high heels (Ashley,Tatjana).rar.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\gang bang sperm [free] cock (Jenna,Jade).mpg.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_es-es_30d7585a049f5b52\trambling [free] traffic .zip.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.789_en-us_58ebf9ecc407e3c0\asian beast uncut bondage .avi.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_621728fcd3c9d5f6\tyrkish fetish lesbian [free] feet .mpeg.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_3d0229d17c310f10\japanese porn xxx catfight hole shoes (Samantha).mpeg.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..se-shared-datafiles_31bf3856ad364e35_10.0.19041.1_none_2f5f00d280dce9f6\xxx uncut (Sarah).mpg.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\japanese action sperm girls cock gorgeoushorny .rar.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\assembly\temp\hardcore masturbation .avi.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\lingerie hot (!) ejaculation .mpeg.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..s-ime-eashared-ihds_31bf3856ad364e35_10.0.19041.1_none_e8996b7d3512363f\sperm masturbation latex .avi.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1288_none_ca3007304990b2ea\malaysia horse [free] titts .zip.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_c6da8048542fddc7\british blowjob catfight .zip.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..ineshared.resources_31bf3856ad364e35_10.0.19041.1_en-us_99ddc8ce8d3d6dac\porn blowjob catfight circumcision .mpeg.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\InputMethod\SHARED\swedish action bukkake uncut hole beautyfull .mpeg.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\SoftwareDistribution\Download\blowjob lesbian .avi.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_ab42fb092bda9182\fetish hardcore hot (!) feet blondie .rar.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.746_none_2212358fc33cc10f\malaysia trambling masturbation cock .zip.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_16bd831fd16633be\norwegian hardcore voyeur .rar.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\CbsTemp\beast [milf] shoes .mpg.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\Downloaded Program Files\horse hot (!) wifey .zip.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\bukkake several models titts .mpg.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\blowjob hidden YEâPSè& .zip.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_10.0.19041.1_none_de1581e9a275faf8\brasilian handjob beast uncut cock blondie .zip.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_833abdc06c68d338\danish cumshot gay voyeur glans castration .mpeg.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_bfae5918c0443f83\porn bukkake voyeur sm .avi.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.964_none_1c1a193f5bfcf136\fucking masturbation .mpg.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.746_none_d404daff82e97769\malaysia trambling lesbian 40+ .mpg.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..al-securitytemplate_31bf3856ad364e35_10.0.19041.1_none_a3d9a07cf2290837\african horse [milf] .zip.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\american animal gay big YEâPSè& .mpeg.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_855aff45853749ef\brasilian porn beast uncut glans .rar.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1_none_0b596e2a33be7d4c\american animal bukkake public upskirt (Kathrin,Samantha).mpeg.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\russian cumshot bukkake voyeur feet .rar.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\trambling uncut glans .avi.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_5af076e0a3cb0fa7\french fucking uncut glans .zip.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\blowjob [free] femdom .zip.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\brasilian animal bukkake catfight (Tatjana).zip.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\tyrkish handjob sperm several models (Janette).mpg.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1202_none_d8a1416ab7cccdcf\lesbian licking femdom .mpeg.exe	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4500	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
4500	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
3340	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
3340	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
4500	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
4500	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
1480	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
1480	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
3424	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
3424	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
3340	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
3340	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
4500	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
4500	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
3676	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
3676	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
3296	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
3296	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
3612	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
3612	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
1044	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
1044	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
1480	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
1480	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
3424	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
3424	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
4500	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
4500	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
3340	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
3340	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
3300	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
3300	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
2740	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
2740	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
2424	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
2424	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
3424	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
3424	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
3340	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
3340	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
1480	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
1480	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
736	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
736	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
4500	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
4500	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
4376	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
4376	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
3660	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
3660	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
1824	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
1824	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
3676	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
3676	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
3612	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
3612	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
4772	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
4772	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
3296	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
3296	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
1044	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
1044	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
4588	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
4588	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4500 wrote to memory of 3340	4500	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	82
PID 4500 wrote to memory of 3340	4500	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	82
PID 4500 wrote to memory of 3340	4500	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	82
PID 3340 wrote to memory of 1480	3340	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	83
PID 3340 wrote to memory of 1480	3340	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	83
PID 3340 wrote to memory of 1480	3340	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	83
PID 4500 wrote to memory of 3424	4500	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	84
PID 4500 wrote to memory of 3424	4500	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	84
PID 4500 wrote to memory of 3424	4500	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	84
PID 1480 wrote to memory of 3676	1480	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	85
PID 1480 wrote to memory of 3676	1480	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	85
PID 1480 wrote to memory of 3676	1480	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	85
PID 3424 wrote to memory of 3296	3424	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	86
PID 3424 wrote to memory of 3296	3424	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	86
PID 3424 wrote to memory of 3296	3424	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	86
PID 4500 wrote to memory of 3612	4500	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	87
PID 4500 wrote to memory of 3612	4500	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	87
PID 4500 wrote to memory of 3612	4500	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	87
PID 3340 wrote to memory of 1044	3340	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	88
PID 3340 wrote to memory of 1044	3340	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	88
PID 3340 wrote to memory of 1044	3340	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	88
PID 3424 wrote to memory of 3300	3424	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	93
PID 3424 wrote to memory of 3300	3424	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	93
PID 3424 wrote to memory of 3300	3424	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	93
PID 3340 wrote to memory of 2740	3340	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	94
PID 3340 wrote to memory of 2740	3340	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	94
PID 3340 wrote to memory of 2740	3340	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	94
PID 4500 wrote to memory of 736	4500	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	95
PID 4500 wrote to memory of 736	4500	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	95
PID 4500 wrote to memory of 736	4500	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	95
PID 1480 wrote to memory of 2424	1480	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	96
PID 1480 wrote to memory of 2424	1480	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	96
PID 1480 wrote to memory of 2424	1480	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	96
PID 3296 wrote to memory of 3660	3296	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	98
PID 3296 wrote to memory of 3660	3296	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	98
PID 3296 wrote to memory of 3660	3296	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	98
PID 3676 wrote to memory of 1824	3676	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	97
PID 3676 wrote to memory of 1824	3676	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	97
PID 3676 wrote to memory of 1824	3676	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	97
PID 3612 wrote to memory of 4376	3612	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	99
PID 3612 wrote to memory of 4376	3612	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	99
PID 3612 wrote to memory of 4376	3612	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	99
PID 1044 wrote to memory of 4772	1044	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	100
PID 1044 wrote to memory of 4772	1044	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	100
PID 1044 wrote to memory of 4772	1044	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	100
PID 3424 wrote to memory of 4588	3424	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	103
PID 3424 wrote to memory of 4588	3424	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	103
PID 3424 wrote to memory of 4588	3424	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	103
PID 4500 wrote to memory of 3940	4500	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	104
PID 4500 wrote to memory of 3940	4500	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	104
PID 4500 wrote to memory of 3940	4500	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	104
PID 1480 wrote to memory of 1048	1480	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	102
PID 1480 wrote to memory of 1048	1480	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	102
PID 1480 wrote to memory of 1048	1480	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	102
PID 3340 wrote to memory of 4416	3340	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	105
PID 3340 wrote to memory of 4416	3340	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	105
PID 3340 wrote to memory of 4416	3340	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	105
PID 3300 wrote to memory of 4936	3300	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	106
PID 3300 wrote to memory of 4936	3300	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	106
PID 3300 wrote to memory of 4936	3300	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	106
PID 3676 wrote to memory of 836	3676	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	107
PID 3676 wrote to memory of 836	3676	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	107
PID 3676 wrote to memory of 836	3676	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	107
PID 3612 wrote to memory of 2700	3612	0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe	108

C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4500
- C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3340
- - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1480
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3676
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1824
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        7⤵
        
        PID:5844
        
        C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        8⤵
        
        PID:11016
        
        C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        8⤵
        
        PID:14428
        
        C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        7⤵
        
        PID:7572
        
        C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        7⤵
        
        PID:10280
        
        C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        7⤵
        
        PID:14560
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        7⤵
        
        PID:8348
        
        C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        7⤵
        
        PID:11128
        
        C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        7⤵
        
        PID:14420
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:6148
        
        C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        7⤵
        
        PID:10932
        
        C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        7⤵
        
        PID:14364
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:8024
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:10956
        
        C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        7⤵
        
        PID:15244
        
        C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        7⤵
        
        PID:9192
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:14664
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:836
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:5804
        
        C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        7⤵
        
        PID:10036
        
        C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        7⤵
        
        PID:14496
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:7648
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:10580
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:14696
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:1452
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:7792
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:10448
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:14608
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:6292
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:10996
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:1108
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:8392
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:11784
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:4632
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2424
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:2848
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:5904
        
        C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        7⤵
        
        PID:11004
        
        C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        7⤵
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        7⤵
        
        PID:8640
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:7612
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:10436
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:14616
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:3752
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:7404
        
        C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        7⤵
        
        PID:15112
        
        C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        7⤵
        
        PID:9048
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:10288
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:14632
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:6284
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:12504
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:2288
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:8236
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:11316
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:14356
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1048
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:5820
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:9748
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:14468
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:7656
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:10336
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:14640
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:860
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:8680
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:11948
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:1384
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:6604
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:10988
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:14680
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:8688
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:11800
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:2172
- - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1044
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4772
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2780
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:5648
        
        C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        7⤵
        
        PID:9232
        
        C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        7⤵
        
        PID:12680
        
        C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        7⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        7⤵
        
        PID:8720
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:7036
        
        C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        7⤵
        
        PID:14784
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:9324
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:12672
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:4092
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:3276
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:6776
        
        C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        7⤵
        
        PID:13228
        
        C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        7⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        7⤵
        
        PID:7280
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:8892
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:11956
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:856
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:6156
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:11048
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:1316
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:8088
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:10940
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:14372
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3944
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:5756
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:9716
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:14736
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:7336
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:15252
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:10132
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:14528
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:3560
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:7312
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:1232
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:9160
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:964
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:14568
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:6448
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:10880
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:14440
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:8752
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:11808
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:2140
- - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2740
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4820
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:5812
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:10972
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:14776
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:7672
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:10360
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:14592
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:1804
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:8340
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:11036
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:14688
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:6276
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:10864
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:14656
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:8296
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:11692
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:4920
- - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
    3⤵
    PID:4416
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:5796
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:10012
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:14520
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:7628
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:10328
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:14404
- - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
    3⤵
    PID:1116
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:2164
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:12620
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:4932
- - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
    3⤵
    PID:6884
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:14804
- - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
    3⤵
    PID:9024
- - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
    3⤵
    PID:12604
- - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
    3⤵
    PID:13560
- C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3424
- - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3296
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3660
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1112
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:5852
        
        C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        7⤵
        
        PID:10004
        
        C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        7⤵
        
        PID:14504
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:7784
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:4984
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:14536
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:3004
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:8940
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:11940
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:4240
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:8664
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:6164
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:10888
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:14752
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:8080
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:11344
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:14348
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:3376
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:5912
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:10816
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:14648
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:7596
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:10236
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:14624
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:1928
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:6808
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:12696
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:6208
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:8488
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:8780
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:12084
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:4824
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:6344
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:11328
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:14388
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:8420
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:11308
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:14396
- - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3300
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:4936
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:5888
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:9880
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:14460
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:7620
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:10308
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:14584
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:3688
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:7296
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:15120
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:8556
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:10140
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:14744
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:6260
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:10896
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:14412
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:8288
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:10948
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:14728
- - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4588
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:5896
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:10840
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:14704
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:7604
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:7636
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:14544
- - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
    3⤵
    PID:4364
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:8948
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:12172
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:4004
- - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
    3⤵
    PID:6908
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:14812
- - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
    3⤵
    PID:9036
- - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
    3⤵
    PID:12612
- - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
    3⤵
    PID:2116
- C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3612
- - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4376
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3644
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:5656
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:9272
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:12636
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:2992
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:7112
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:14452
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:9976
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:14488
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:640
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:7356
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:15292
      - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        6⤵
        
        PID:8900
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:10300
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:14552
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:4740
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:10872
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:14436
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:8304
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:11744
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:14340
- - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2700
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:5860
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:10848
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:14720
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:7640
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:10424
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:14600
- - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
    3⤵
    PID:2472
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:6992
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:14792
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:9328
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:12688
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:1308
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:8704
- - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
    3⤵
    PID:6268
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:10980
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:14768
- - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
    3⤵
    PID:8384
- - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
    3⤵
    PID:11028
- - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
    3⤵
    PID:14380
- C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:736
- - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1764
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:5700
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:9728
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:14480
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:7284
    - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
        5⤵
        
        PID:5580
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:10124
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:14512
- - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
    3⤵
    PID:2620
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:9016
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:12192
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:4000
- - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
    3⤵
    PID:6220
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:10608
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:14712
- - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
    3⤵
    PID:8224
- - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
    3⤵
    PID:10964
- - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
    3⤵
    PID:14672
- C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
  2⤵
  PID:3940
- - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
    3⤵
    PID:5868
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:10220
  - - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
      4⤵
      PID:14760
- - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
    3⤵
    PID:7664
- - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
    3⤵
    PID:10376
- - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
    3⤵
    PID:14576
- C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
  2⤵
  PID:2072
- - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
    3⤵
    PID:9004
- - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
    3⤵
    PID:12524
- - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
    3⤵
    PID:3140
- C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
  2⤵
  PID:6800
- - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
    3⤵
    PID:12628
- - C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
    3⤵
    PID:1992
- C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
  2⤵
  PID:8612
- C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
  2⤵
  PID:11792
- C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\0b707e8392d4ddf290d2d1ccce151d9e_JaffaCakes118.exe"
  2⤵
  PID:4892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\horse licking cock sm .avi.exe

Filesize
813KB

MD5
e1a83eefb20c35baedb223f7646f5ae9

SHA1
2749ef6917576d012b56461016114770d3daf6db

SHA256
55ca75e4ee8c4dc8b914bc324b9068989903d3ebe618f10ec72501d3778a8d90

SHA512
9a23555f96c8d5c2f5c02b94800f294c00a3b2f90b73c84d29cb9fe007a0ed6173dd214ff6bc181d32b1932fde05149427840192eb4908457a66c0ffa72f0663

Download Submit