be8ac31975e3b017c7c56d33f1253c3da551d69fb0fa86042a205fbf01e85cf7

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/10/2024, 18:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Size

464KB
MD5

3b94b5a943b54ca74aab0c302bc53e49
SHA1

5f87dc1001a44600a76b239087cdf3c65fc561a0
SHA256

be8ac31975e3b017c7c56d33f1253c3da551d69fb0fa86042a205fbf01e85cf7
SHA512

0339b28aeb3a608f819b33cb10504232c41005f276e52302c3dcc1d7fc9eb8162050f1955e491cb37cc45abd0204d530f6042af76b08099ae0ec33698bc17618
SSDEEP

6144:C8rQnOi/xtDmhroXun1wbuO8rQnOi/xNwZmMFxMalpbOJQv+IciENmS3JJb:VrQOiJ4NniChrQOiJNlMn7MQvgiHSj

Score

6^/10

discovery

Malware Config

Signatures

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\W:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\O:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\G:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\X:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\U:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\E:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\L:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\L:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\Q:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\O:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\J:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\Z:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\Q:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\K:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\A:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\X:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\G:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\L:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\P:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\E:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\X:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\V:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\P:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\K:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\N:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\N:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\H:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\J:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\Y:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\H:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\E:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\G:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\B:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\H:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\I:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\R:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\V:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\L:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\H:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\V:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\X:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\B:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\R:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\H:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\W:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\N:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\J:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\H:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\L:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\E:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\J:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\T:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\S:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\M:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\M:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\W:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\Z:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\I:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\M:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\X:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\G:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\R:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\L:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 2056 set thread context of 1988	2056	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	31
PID 1988 set thread context of 2764	1988	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	32
PID 2764 set thread context of 2776	2764	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	33
PID 2776 set thread context of 2728	2776	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	34
PID 2728 set thread context of 584	2728	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	35
PID 584 set thread context of 904	584	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	36
PID 904 set thread context of 1784	904	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	37
PID 1784 set thread context of 1984	1784	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	38
PID 1984 set thread context of 1012	1984	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	39
PID 1012 set thread context of 2488	1012	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	40
PID 2488 set thread context of 668	2488	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	41
PID 668 set thread context of 2008	668	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	42
PID 2008 set thread context of 1392	2008	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	43
PID 1392 set thread context of 2964	1392	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	44
PID 2964 set thread context of 764	2964	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	45
PID 764 set thread context of 2088	764	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	46
PID 2088 set thread context of 2892	2088	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	47
PID 2892 set thread context of 2636	2892	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	48
PID 2636 set thread context of 1624	2636	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	49
PID 1624 set thread context of 1976	1624	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	50
PID 1976 set thread context of 2792	1976	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	51
PID 2792 set thread context of 1820	2792	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	52
PID 1820 set thread context of 1488	1820	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	53
PID 1488 set thread context of 2108	1488	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	54
PID 2108 set thread context of 2080	2108	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	55
PID 2080 set thread context of 2232	2080	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	56
PID 2232 set thread context of 2520	2232	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	57
PID 2520 set thread context of 1672	2520	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	58
PID 1672 set thread context of 1560	1672	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	59
PID 1560 set thread context of 2160	1560	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	60
PID 2160 set thread context of 2668	2160	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	61
PID 2668 set thread context of 2920	2668	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	62
PID 2920 set thread context of 1068	2920	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	63
PID 1068 set thread context of 2836	1068	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	64
PID 2836 set thread context of 816	2836	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	65
PID 816 set thread context of 2736	816	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	66
PID 2736 set thread context of 852	2736	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	67
PID 852 set thread context of 3080	852	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	68
PID 3080 set thread context of 3188	3080	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	69
PID 3188 set thread context of 3300	3188	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	70
PID 3300 set thread context of 3396	3300	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	71
PID 3396 set thread context of 3504	3396	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	72
PID 3504 set thread context of 3612	3504	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	73
PID 3612 set thread context of 3720	3612	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	74
PID 3720 set thread context of 3828	3720	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	75
PID 3828 set thread context of 3928	3828	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	76
PID 3928 set thread context of 4024	3928	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	77
PID 4024 set thread context of 3108	4024	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	78
PID 3108 set thread context of 3288	3108	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	79
PID 3288 set thread context of 3448	3288	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	80
PID 3448 set thread context of 3624	3448	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	81
PID 3624 set thread context of 3816	3624	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	82
PID 3816 set thread context of 3964	3816	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	83
PID 3964 set thread context of 3132	3964	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	84
PID 3132 set thread context of 3352	3132	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	85
PID 3352 set thread context of 3660	3352	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	86
PID 3660 set thread context of 4036	3660	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	87
PID 4036 set thread context of 3284	4036	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	88
PID 3284 set thread context of 3728	3284	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	89
PID 3728 set thread context of 4068	3728	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	90
PID 4068 set thread context of 3812	4068	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	91
PID 3812 set thread context of 3864	3812	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	92
PID 3864 set thread context of 3512	3864	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	93
PID 3512 set thread context of 4184	3512	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	94

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2056	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
1988	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
2764	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
2776	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
2728	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
584	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
904	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
1784	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
1984	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
1012	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
2488	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
668	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
2008	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
1392	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
2964	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
764	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
2088	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
2892	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
2636	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
1624	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
1976	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
2792	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
1820	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
1488	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
2108	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
2080	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
2232	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
2520	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
1672	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
1560	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
2160	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
2668	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
2920	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
1068	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
2836	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
816	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
2736	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
852	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
3080	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
3188	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
3300	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
3396	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
3504	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
3612	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
3720	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
3828	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
3928	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
4024	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
3108	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
3288	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
3448	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
3624	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
3816	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
3964	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
3132	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
3352	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
3660	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
4036	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
3284	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
3728	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
4068	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
3812	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
3864	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
3512	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 1988	2056	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	31
PID 2056 wrote to memory of 1988	2056	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	31
PID 2056 wrote to memory of 1988	2056	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	31
PID 2056 wrote to memory of 1988	2056	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	31
PID 2056 wrote to memory of 1988	2056	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	31
PID 2056 wrote to memory of 1988	2056	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	31
PID 2056 wrote to memory of 1988	2056	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	31
PID 2056 wrote to memory of 1988	2056	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	31
PID 2056 wrote to memory of 1988	2056	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	31
PID 1988 wrote to memory of 2764	1988	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	32
PID 1988 wrote to memory of 2764	1988	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	32
PID 1988 wrote to memory of 2764	1988	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	32
PID 1988 wrote to memory of 2764	1988	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	32
PID 1988 wrote to memory of 2764	1988	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	32
PID 1988 wrote to memory of 2764	1988	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	32
PID 1988 wrote to memory of 2764	1988	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	32
PID 1988 wrote to memory of 2764	1988	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	32
PID 1988 wrote to memory of 2764	1988	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	32
PID 2764 wrote to memory of 2776	2764	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	33
PID 2764 wrote to memory of 2776	2764	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	33
PID 2764 wrote to memory of 2776	2764	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	33
PID 2764 wrote to memory of 2776	2764	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	33
PID 2764 wrote to memory of 2776	2764	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	33
PID 2764 wrote to memory of 2776	2764	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	33
PID 2764 wrote to memory of 2776	2764	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	33
PID 2764 wrote to memory of 2776	2764	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	33
PID 2764 wrote to memory of 2776	2764	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	33
PID 2776 wrote to memory of 2728	2776	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	34
PID 2776 wrote to memory of 2728	2776	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	34
PID 2776 wrote to memory of 2728	2776	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	34
PID 2776 wrote to memory of 2728	2776	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	34
PID 2776 wrote to memory of 2728	2776	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	34
PID 2776 wrote to memory of 2728	2776	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	34
PID 2776 wrote to memory of 2728	2776	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	34
PID 2776 wrote to memory of 2728	2776	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	34
PID 2776 wrote to memory of 2728	2776	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	34
PID 2728 wrote to memory of 584	2728	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	35
PID 2728 wrote to memory of 584	2728	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	35
PID 2728 wrote to memory of 584	2728	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	35
PID 2728 wrote to memory of 584	2728	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	35
PID 2728 wrote to memory of 584	2728	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	35
PID 2728 wrote to memory of 584	2728	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	35
PID 2728 wrote to memory of 584	2728	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	35
PID 2728 wrote to memory of 584	2728	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	35
PID 2728 wrote to memory of 584	2728	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	35
PID 584 wrote to memory of 904	584	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	36
PID 584 wrote to memory of 904	584	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	36
PID 584 wrote to memory of 904	584	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	36
PID 584 wrote to memory of 904	584	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	36
PID 584 wrote to memory of 904	584	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	36
PID 584 wrote to memory of 904	584	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	36
PID 584 wrote to memory of 904	584	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	36
PID 584 wrote to memory of 904	584	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	36
PID 584 wrote to memory of 904	584	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	36
PID 904 wrote to memory of 1784	904	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	37
PID 904 wrote to memory of 1784	904	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	37
PID 904 wrote to memory of 1784	904	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	37
PID 904 wrote to memory of 1784	904	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	37
PID 904 wrote to memory of 1784	904	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	37
PID 904 wrote to memory of 1784	904	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	37
PID 904 wrote to memory of 1784	904	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	37
PID 904 wrote to memory of 1784	904	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	37
PID 904 wrote to memory of 1784	904	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	37
PID 1784 wrote to memory of 1984	1784	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	38

C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
    3⤵
    - Enumerates connected drives
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2776
    - - C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        5⤵
        Enumerates connected drives
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2728
      - C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:584
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        7⤵
        Enumerates connected drives
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        8⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        9⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        10⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        11⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        12⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        13⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        14⤵
        Enumerates connected drives
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        15⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        16⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        17⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        18⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        19⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        20⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        21⤵
        Enumerates connected drives
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        22⤵
        Enumerates connected drives
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        23⤵
        Enumerates connected drives
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        24⤵
        Enumerates connected drives
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        25⤵
        Enumerates connected drives
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        26⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        27⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        28⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        29⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        30⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        31⤵
        Enumerates connected drives
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        32⤵
        Enumerates connected drives
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        33⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        34⤵
        Enumerates connected drives
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        35⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        36⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:816
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        37⤵
        Enumerates connected drives
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        38⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        39⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        40⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        41⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3300
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        42⤵
        Enumerates connected drives
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3396
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        43⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        44⤵
        Enumerates connected drives
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        45⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        46⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        47⤵
        Enumerates connected drives
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        48⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        49⤵
        Enumerates connected drives
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        50⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        51⤵
        Enumerates connected drives
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3448
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        52⤵
        Enumerates connected drives
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        53⤵
        Enumerates connected drives
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        54⤵
        Enumerates connected drives
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        55⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        56⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        57⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        58⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        59⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        60⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        61⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        62⤵
        Enumerates connected drives
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3812
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        63⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3864
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        64⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        65⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        68⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        70⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        72⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        73⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        74⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        75⤵
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        76⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        77⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        78⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        80⤵
        Enumerates connected drives
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        81⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        82⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        84⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        85⤵
        Enumerates connected drives
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        90⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        91⤵
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        92⤵
        Enumerates connected drives
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        93⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:5212
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        94⤵
        
        PID:5316
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:5420
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:5532
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        97⤵
        
        PID:5644
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        98⤵
        Enumerates connected drives
        
        PID:5748
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        99⤵
        
        PID:5860
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:5968
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        101⤵
        Enumerates connected drives
        
        PID:6060
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        102⤵
        
        PID:5172
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        103⤵
        
        PID:5336
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        104⤵
        Enumerates connected drives
        
        PID:5520
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:5676
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        106⤵
        
        PID:5844
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:5996
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:5128
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:5416
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:5672
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        111⤵
        Enumerates connected drives
        
        PID:5856
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        112⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:6096
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:5460
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        114⤵
        Enumerates connected drives
        
        PID:5640
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        115⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        116⤵
        Enumerates connected drives
        
        PID:5540
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:5872
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        118⤵
        Enumerates connected drives
        
        PID:5240
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        119⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:5572
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        121⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:352
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        123⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        124⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        125⤵
        Enumerates connected drives
        
        PID:6236
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        126⤵
        
        PID:6340
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        127⤵
        System Location Discovery: System Language Discovery
        
        PID:6444
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        128⤵
        System Location Discovery: System Language Discovery
        
        PID:6540
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        129⤵
        
        PID:6648
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        130⤵
        
        PID:6752
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        131⤵
        Enumerates connected drives
        
        PID:6868
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        132⤵
        Enumerates connected drives
        
        PID:6976
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:7084
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        134⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:6156
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        135⤵
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:6440
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        137⤵
        Enumerates connected drives
        
        PID:6580
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        138⤵
        
        PID:6744
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        139⤵
        
        PID:6900
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        140⤵
        Enumerates connected drives
        
        PID:7024
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        141⤵
        
        PID:6148
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        142⤵
        
        PID:6368
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        143⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        144⤵
        
        PID:6776
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        145⤵
        
        PID:6924
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        146⤵
        System Location Discovery: System Language Discovery
        
        PID:7140
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        147⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:6332
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        148⤵
        
        PID:6536
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:6876
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        150⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        151⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        152⤵
        Enumerates connected drives
        
        PID:6764
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        153⤵
        System Location Discovery: System Language Discovery
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        154⤵
        
        PID:6592
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        155⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        156⤵
        Enumerates connected drives
        
        PID:6288
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        157⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        158⤵
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        159⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        160⤵
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:7240
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        162⤵
        Enumerates connected drives
        
        PID:7348
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        163⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:7456
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        164⤵
        
        PID:7552
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        165⤵
        Enumerates connected drives
        
        PID:7664
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        166⤵
        
        PID:7776
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        167⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:7880
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        168⤵
        
        PID:7992
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        169⤵
        System Location Discovery: System Language Discovery
        
        PID:8100
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        170⤵
        
        PID:3600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1988-14-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1988-12-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1988-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1988-6-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1988-4-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1988-2-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1988-162-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2764-178-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download