be8ac31975e3b017c7c56d33f1253c3da551d69fb0fa86042a205fbf01e85cf7

Analysis

max time kernel
149s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2024 18:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Size

464KB
MD5

3b94b5a943b54ca74aab0c302bc53e49
SHA1

5f87dc1001a44600a76b239087cdf3c65fc561a0
SHA256

be8ac31975e3b017c7c56d33f1253c3da551d69fb0fa86042a205fbf01e85cf7
SHA512

0339b28aeb3a608f819b33cb10504232c41005f276e52302c3dcc1d7fc9eb8162050f1955e491cb37cc45abd0204d530f6042af76b08099ae0ec33698bc17618
SSDEEP

6144:C8rQnOi/xtDmhroXun1wbuO8rQnOi/xNwZmMFxMalpbOJQv+IciENmS3JJb:VrQOiJ4NniChrQOiJNlMn7MQvgiHSj

Score

6^/10

discovery

Malware Config

Signatures

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\H:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\Y:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\K:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\X:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\V:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\E:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\N:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\X:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\S:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\H:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\R:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\B:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\O:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\Y:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\J:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\N:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\A:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\N:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\S:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\B:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\K:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\O:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\Q:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\Z:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\H:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\O:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\P:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\G:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\H:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\L:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\P:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\U:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\X:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\R:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\S:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\Z:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\O:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\U:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\Q:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\J:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\U:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\B:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\T:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\T:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\O:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\J:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\P:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\Q:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\V:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\U:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\X:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\U:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\Z:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\L:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\K:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\O:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\R:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\K:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\Z:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\A:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\P:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\M:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
File opened (read-only)	\??\P:	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 1764 set thread context of 3256	1764	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	86
PID 3256 set thread context of 3700	3256	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	87
PID 3700 set thread context of 3908	3700	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	88
PID 3908 set thread context of 2904	3908	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	89
PID 2904 set thread context of 1492	2904	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	90
PID 1492 set thread context of 576	1492	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	91
PID 576 set thread context of 8	576	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	92
PID 8 set thread context of 1400	8	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	93
PID 1400 set thread context of 4116	1400	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	94
PID 4116 set thread context of 4712	4116	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	95
PID 4712 set thread context of 4992	4712	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	96
PID 4992 set thread context of 3816	4992	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	97
PID 3816 set thread context of 908	3816	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	98
PID 908 set thread context of 3248	908	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	99
PID 3248 set thread context of 1952	3248	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	100
PID 1952 set thread context of 400	1952	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	101
PID 400 set thread context of 4964	400	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	102
PID 4964 set thread context of 4140	4964	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	103
PID 4140 set thread context of 4280	4140	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	104
PID 4280 set thread context of 4744	4280	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	105
PID 4744 set thread context of 2332	4744	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	106
PID 2332 set thread context of 4496	2332	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	107
PID 4496 set thread context of 1956	4496	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	108
PID 1956 set thread context of 368	1956	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	109
PID 368 set thread context of 3740	368	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	110
PID 3740 set thread context of 2252	3740	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	111
PID 2252 set thread context of 3648	2252	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	112
PID 3648 set thread context of 3156	3648	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	113
PID 3156 set thread context of 3284	3156	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	114
PID 3284 set thread context of 2128	3284	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	115
PID 2128 set thread context of 3584	2128	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	116
PID 3584 set thread context of 4636	3584	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	119
PID 4636 set thread context of 60	4636	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	120
PID 60 set thread context of 4244	60	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	121
PID 4244 set thread context of 4632	4244	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	122
PID 4632 set thread context of 1592	4632	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	123
PID 1592 set thread context of 2368	1592	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	124
PID 2368 set thread context of 1680	2368	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	125
PID 1680 set thread context of 5140	1680	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	126
PID 5140 set thread context of 5212	5140	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	127
PID 5212 set thread context of 5284	5212	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	128
PID 5284 set thread context of 5360	5284	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	129
PID 5360 set thread context of 5432	5360	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	130
PID 5432 set thread context of 5496	5432	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	131
PID 5496 set thread context of 5764	5496	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	133
PID 5764 set thread context of 5848	5764	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	134
PID 5848 set thread context of 5916	5848	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	135
PID 5916 set thread context of 5988	5916	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	136
PID 5988 set thread context of 6060	5988	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	137
PID 6060 set thread context of 6136	6060	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	138
PID 6136 set thread context of 5236	6136	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	139
PID 5236 set thread context of 5388	5236	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	140
PID 5388 set thread context of 2944	5388	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	141
PID 2944 set thread context of 5636	2944	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	142
PID 5636 set thread context of 216	5636	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	143
PID 216 set thread context of 6048	216	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	144
PID 6048 set thread context of 5220	6048	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	145
PID 5220 set thread context of 5536	5220	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	146
PID 5536 set thread context of 4812	5536	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	147
PID 4812 set thread context of 5292	4812	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	148
PID 5292 set thread context of 5196	5292	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	149
PID 5196 set thread context of 6152	5196	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	150
PID 6152 set thread context of 6224	6152	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	151
PID 6224 set thread context of 6316	6224	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	152

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1764	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	1764	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeShutdownPrivilege	3256	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	3256	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeShutdownPrivilege	3700	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	3700	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeShutdownPrivilege	3908	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	3908	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeShutdownPrivilege	2904	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2904	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeShutdownPrivilege	1492	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	1492	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeShutdownPrivilege	576	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	576	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeShutdownPrivilege	8	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	8	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeShutdownPrivilege	1400	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	1400	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeShutdownPrivilege	4116	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	4116	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeShutdownPrivilege	4712	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	4712	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeShutdownPrivilege	4992	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	4992	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeShutdownPrivilege	3816	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	3816	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeShutdownPrivilege	908	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	908	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeShutdownPrivilege	3248	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	3248	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeShutdownPrivilege	1952	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	1952	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeShutdownPrivilege	400	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	400	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeShutdownPrivilege	4964	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	4964	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeShutdownPrivilege	4140	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	4140	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeShutdownPrivilege	4280	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	4280	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeShutdownPrivilege	4744	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	4744	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeShutdownPrivilege	2332	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2332	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeShutdownPrivilege	4496	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	4496	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeShutdownPrivilege	1956	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	1956	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeShutdownPrivilege	368	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	368	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeShutdownPrivilege	3740	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	3740	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeShutdownPrivilege	2252	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2252	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeShutdownPrivilege	3648	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	3648	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeShutdownPrivilege	3156	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	3156	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeShutdownPrivilege	3284	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	3284	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeShutdownPrivilege	2128	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2128	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeShutdownPrivilege	3584	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	3584	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1764	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
3256	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
3700	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
3908	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
2904	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
1492	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
576	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
8	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
1400	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
4116	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
4712	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
4992	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
3816	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
908	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
3248	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
1952	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
400	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
4964	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
4140	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
4280	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
4744	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
2332	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
4496	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
1956	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
368	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
3740	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
2252	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
3648	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
3156	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
3284	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
2128	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
3584	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
4636	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
60	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
4244	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
4632	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
1592	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
2368	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
1680	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
5140	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
5212	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
5284	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
5360	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
5432	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
5496	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
5764	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
5848	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
5916	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
5988	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
6060	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
6136	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
5236	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
5388	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
2944	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
5636	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
216	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
6048	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
5220	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
5536	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
4812	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
5292	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
5196	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
6152	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
6224	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 3256	1764	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	86
PID 1764 wrote to memory of 3256	1764	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	86
PID 1764 wrote to memory of 3256	1764	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	86
PID 1764 wrote to memory of 3256	1764	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	86
PID 1764 wrote to memory of 3256	1764	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	86
PID 1764 wrote to memory of 3256	1764	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	86
PID 1764 wrote to memory of 3256	1764	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	86
PID 1764 wrote to memory of 3256	1764	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	86
PID 3256 wrote to memory of 3700	3256	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	87
PID 3256 wrote to memory of 3700	3256	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	87
PID 3256 wrote to memory of 3700	3256	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	87
PID 3256 wrote to memory of 3700	3256	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	87
PID 3256 wrote to memory of 3700	3256	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	87
PID 3256 wrote to memory of 3700	3256	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	87
PID 3256 wrote to memory of 3700	3256	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	87
PID 3256 wrote to memory of 3700	3256	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	87
PID 3700 wrote to memory of 3908	3700	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	88
PID 3700 wrote to memory of 3908	3700	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	88
PID 3700 wrote to memory of 3908	3700	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	88
PID 3700 wrote to memory of 3908	3700	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	88
PID 3700 wrote to memory of 3908	3700	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	88
PID 3700 wrote to memory of 3908	3700	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	88
PID 3700 wrote to memory of 3908	3700	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	88
PID 3700 wrote to memory of 3908	3700	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	88
PID 3908 wrote to memory of 2904	3908	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	89
PID 3908 wrote to memory of 2904	3908	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	89
PID 3908 wrote to memory of 2904	3908	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	89
PID 3908 wrote to memory of 2904	3908	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	89
PID 3908 wrote to memory of 2904	3908	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	89
PID 3908 wrote to memory of 2904	3908	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	89
PID 3908 wrote to memory of 2904	3908	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	89
PID 3908 wrote to memory of 2904	3908	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	89
PID 2904 wrote to memory of 1492	2904	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	90
PID 2904 wrote to memory of 1492	2904	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	90
PID 2904 wrote to memory of 1492	2904	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	90
PID 2904 wrote to memory of 1492	2904	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	90
PID 2904 wrote to memory of 1492	2904	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	90
PID 2904 wrote to memory of 1492	2904	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	90
PID 2904 wrote to memory of 1492	2904	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	90
PID 2904 wrote to memory of 1492	2904	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	90
PID 1492 wrote to memory of 576	1492	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	91
PID 1492 wrote to memory of 576	1492	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	91
PID 1492 wrote to memory of 576	1492	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	91
PID 1492 wrote to memory of 576	1492	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	91
PID 1492 wrote to memory of 576	1492	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	91
PID 1492 wrote to memory of 576	1492	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	91
PID 1492 wrote to memory of 576	1492	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	91
PID 1492 wrote to memory of 576	1492	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	91
PID 576 wrote to memory of 8	576	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	92
PID 576 wrote to memory of 8	576	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	92
PID 576 wrote to memory of 8	576	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	92
PID 576 wrote to memory of 8	576	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	92
PID 576 wrote to memory of 8	576	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	92
PID 576 wrote to memory of 8	576	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	92
PID 576 wrote to memory of 8	576	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	92
PID 576 wrote to memory of 8	576	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	92
PID 8 wrote to memory of 1400	8	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	93
PID 8 wrote to memory of 1400	8	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	93
PID 8 wrote to memory of 1400	8	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	93
PID 8 wrote to memory of 1400	8	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	93
PID 8 wrote to memory of 1400	8	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	93
PID 8 wrote to memory of 1400	8	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	93
PID 8 wrote to memory of 1400	8	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	93
PID 8 wrote to memory of 1400	8	3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe	93

C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
1⤵
- Enumerates connected drives
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3256
- - C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
    3⤵
    - Enumerates connected drives
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3700
  - - C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3908
    - - C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        5⤵
        Enumerates connected drives
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2904
      - C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        6⤵
        Enumerates connected drives
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        7⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        8⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        9⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        10⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        11⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        12⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        13⤵
        Enumerates connected drives
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        14⤵
        Enumerates connected drives
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        15⤵
        Enumerates connected drives
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        16⤵
        Enumerates connected drives
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        17⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        18⤵
        Enumerates connected drives
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        19⤵
        Enumerates connected drives
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        20⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        21⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        22⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        23⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        24⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        25⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        26⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        27⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        28⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        29⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        30⤵
        Enumerates connected drives
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        31⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        32⤵
        Enumerates connected drives
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        33⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        34⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:60
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        35⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        36⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        37⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        38⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        39⤵
        Enumerates connected drives
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        40⤵
        Enumerates connected drives
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:5140
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        41⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5212
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        42⤵
        Enumerates connected drives
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:5284
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        43⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:5360
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        44⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5432
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        45⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5496
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        46⤵
        Enumerates connected drives
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5764
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        47⤵
        Enumerates connected drives
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5848
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        48⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:5916
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        49⤵
        Enumerates connected drives
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:5988
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        50⤵
        Enumerates connected drives
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:6060
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        51⤵
        Enumerates connected drives
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:6136
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        52⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5236
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        53⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5388
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        54⤵
        Enumerates connected drives
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        55⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5636
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        56⤵
        Enumerates connected drives
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        57⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:6048
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        58⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:5220
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        59⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:5536
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        60⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        61⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:5292
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        62⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:5196
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        63⤵
        Enumerates connected drives
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:6152
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        64⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:6224
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:6316
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        66⤵
        
        PID:6404
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:6480
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        68⤵
        
        PID:6556
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        69⤵
        
        PID:6628
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        70⤵
        
        PID:6704
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:6780
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        72⤵
        
        PID:6860
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        73⤵
        
        PID:6932
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        74⤵
        Enumerates connected drives
        
        PID:7000
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:7072
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:7144
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        77⤵
        
        PID:6240
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        78⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        79⤵
        Enumerates connected drives
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        80⤵
        
        PID:6464
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:6616
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        82⤵
        Enumerates connected drives
        
        PID:6712
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:6852
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:6956
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        85⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:7088
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        86⤵
        Enumerates connected drives
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        87⤵
        Enumerates connected drives
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        88⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        89⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        90⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        91⤵
        
        PID:6888
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        92⤵
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        93⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        94⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:3448
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        95⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        96⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        97⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        98⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        99⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        100⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        102⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:5152
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:7180
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        104⤵
        
        PID:7248
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:7320
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        106⤵
        Enumerates connected drives
        
        PID:7388
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        107⤵
        
        PID:7460
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:7532
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        109⤵
        
        PID:7620
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        110⤵
        Enumerates connected drives
        
        PID:7692
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        111⤵
        
        PID:7764
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        112⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:7836
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        113⤵
        
        PID:7928
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        114⤵
        
        PID:7996
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:8064
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        116⤵
        
        PID:8136
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        117⤵
        
        PID:5296
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        118⤵
        
        PID:5448
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        119⤵
        
        PID:5776
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:7604
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        121⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:7748
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        122⤵
        Enumerates connected drives
        
        PID:7876
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:7988
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        124⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:7272
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:5428
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        127⤵
        Enumerates connected drives
        
        PID:5280
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        128⤵
        Enumerates connected drives
        
        PID:8060
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        129⤵
        Enumerates connected drives
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        130⤵
        
        PID:7652
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        131⤵
        
        PID:6644
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        132⤵
        
        PID:7636
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        133⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        135⤵
        
        PID:6444
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        136⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:6568
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        137⤵
        
        PID:5748
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        138⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        139⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        141⤵
        Enumerates connected drives
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        143⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        144⤵
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        145⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:6732
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        146⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        147⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        148⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b94b5a943b54ca74aab0c302bc53e49_JaffaCakes118.exe"
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
memory/8-94-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/576-89-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/908-122-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1400-99-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1492-84-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2904-79-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3256-12-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3256-14-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3256-58-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3700-69-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3816-115-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3908-74-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4116-104-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4712-109-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4992-114-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download