e4559ad65f56f830afd339da818d991c2487352b9d0b3c3970293e4bdbaee7c2

Analysis

max time kernel
10s
max time network
62s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/10/2024, 11:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
Size

1.7MB
MD5

571809383c6304b0a2e258ecfa8fc0a7
SHA1

5fb87754d33011dc270b9f965eaa96f89daf711d
SHA256

e4559ad65f56f830afd339da818d991c2487352b9d0b3c3970293e4bdbaee7c2
SHA512

4e6e7d6ab48469245c37b33b38c645f0bf15777a09a57fe2c58b8f21ca0c78194ce94141082aac2294ddf55fe80067a44471e68708e5f6e3245cb042b5eda6ea
SSDEEP

49152:zzErDjgfNQvcJILNUIk2nU4u2LjbhAzrE06eXcP1Sf:s0NQvl9nU4XGhZ41Sf

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File opened (read-only)	\??\T:	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File opened (read-only)	\??\W:	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File opened (read-only)	\??\X:	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File opened (read-only)	\??\A:	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File opened (read-only)	\??\I:	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File opened (read-only)	\??\J:	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File opened (read-only)	\??\R:	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File opened (read-only)	\??\Z:	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File opened (read-only)	\??\B:	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File opened (read-only)	\??\E:	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File opened (read-only)	\??\O:	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File opened (read-only)	\??\H:	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File opened (read-only)	\??\P:	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File opened (read-only)	\??\Q:	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File opened (read-only)	\??\N:	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File opened (read-only)	\??\S:	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File opened (read-only)	\??\U:	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File opened (read-only)	\??\V:	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File opened (read-only)	\??\Y:	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File opened (read-only)	\??\G:	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File opened (read-only)	\??\K:	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File opened (read-only)	\??\M:	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\indian fetish action licking girly .rar.exe	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\bukkake voyeur .mpeg.exe	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\config\systemprofile\tyrkish sperm bukkake [bangbus] gorgeoushorny .avi.exe	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\Temp\tyrkish blowjob [milf] nipples boots .zip.exe	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\FxsTmp\chinese gay action full movie .mpg.exe	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\IME\SHARED\nude voyeur (Sonja,Sylvia).zip.exe	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\cum kicking big wifey .mpeg.exe	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\african cum beastiality catfight .mpeg.exe	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\spanish sperm licking cock balls .mpeg.exe	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\xxx licking pregnant .mpeg.exe	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\gang bang voyeur nipples .rar.exe	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\norwegian gang bang gay hot (!) .avi.exe	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File created	C:\Program Files\dotnet\shared\russian cum [bangbus] young .mpeg.exe	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\bukkake big feet shoes .mpeg.exe	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File created	C:\Program Files (x86)\Google\Temp\beast xxx public titts young (Anniston).mpg.exe	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\horse [free] castration (Anniston,Curtney).avi.exe	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\black hardcore [free] legs traffic .mpeg.exe	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File created	C:\Program Files (x86)\Google\Update\Download\nude fucking [milf] hairy .mpeg.exe	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Templates\nude [milf] (Sarah).mpeg.exe	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\canadian nude hardcore [milf] (Christine,Samantha).rar.exe	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\lingerie cumshot girls .rar.exe	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\brasilian gay action hot (!) cock blondie (Ashley).rar.exe	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\gay uncut (Curtney,Samantha).zip.exe	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\japanese horse sperm lesbian black hairunshaved .avi.exe	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe

Drops file in Windows directory 26 IoCs

description	ioc	Process
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\lingerie [free] .zip.exe	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File created	C:\Windows\assembly\temp\gang bang fetish licking bedroom .zip.exe	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File created	C:\Windows\assembly\tmp\tyrkish lingerie [free] .avi.exe	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\german hardcore cumshot uncut mistress .zip.exe	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File created	C:\Windows\security\templates\swedish handjob lesbian castration .zip.exe	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File created	C:\Windows\mssrv.exe	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\chinese nude gay girls .avi.exe	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\canadian lingerie porn catfight castration (Sandy,Sonja).zip.exe	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\italian lesbian horse hidden hairy .avi.exe	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\kicking animal licking beautyfull (Liz).zip.exe	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\tyrkish beast licking nipples (Jenna).avi.exe	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\brasilian gang bang nude uncut .avi.exe	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File created	C:\Windows\Downloaded Program Files\cumshot cumshot sleeping blondie .mpeg.exe	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File created	C:\Windows\PLA\Templates\malaysia lesbian horse girls (Kathrin).mpeg.exe	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\beastiality big upskirt (Jade,Sylvia).mpg.exe	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\american horse [bangbus] gorgeoushorny .rar.exe	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\brasilian gay animal licking glans mistress .mpg.exe	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\norwegian gang bang sperm sleeping .rar.exe	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File created	C:\Windows\SoftwareDistribution\Download\japanese nude [free] hole high heels (Sonja).mpg.exe	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File created	C:\Windows\CbsTemp\lesbian nude public boobs .mpeg.exe	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File created	C:\Windows\InputMethod\SHARED\american kicking beastiality licking (Samantha,Janette).zip.exe	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\russian action uncut nipples upskirt .rar.exe	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\indian gay trambling hidden (Liz).rar.exe	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\african hardcore xxx several models sm (Britney).avi.exe	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\indian nude xxx several models titts .zip.exe	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\trambling sperm sleeping lady .zip.exe	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
3656	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
3656	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
764	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
764	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
3656	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
3656	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
4208	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
4208	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
1416	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
1416	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
3656	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
3656	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
764	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
764	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
4544	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
4544	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
1816	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
1816	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
4208	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
4208	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
4412	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
4412	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
764	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
764	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
3656	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
3656	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
3856	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
3856	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
1416	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
1416	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 3656 wrote to memory of 764	3656	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe	87
PID 3656 wrote to memory of 764	3656	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe	87
PID 3656 wrote to memory of 764	3656	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe	87
PID 3656 wrote to memory of 4208	3656	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe	88
PID 3656 wrote to memory of 4208	3656	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe	88
PID 3656 wrote to memory of 4208	3656	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe	88
PID 764 wrote to memory of 1416	764	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe	89
PID 764 wrote to memory of 1416	764	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe	89
PID 764 wrote to memory of 1416	764	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe	89
PID 4208 wrote to memory of 4544	4208	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe	94
PID 4208 wrote to memory of 4544	4208	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe	94
PID 4208 wrote to memory of 4544	4208	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe	94
PID 764 wrote to memory of 1816	764	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe	95
PID 764 wrote to memory of 1816	764	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe	95
PID 764 wrote to memory of 1816	764	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe	95
PID 3656 wrote to memory of 4412	3656	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe	96
PID 3656 wrote to memory of 4412	3656	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe	96
PID 3656 wrote to memory of 4412	3656	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe	96
PID 1416 wrote to memory of 3856	1416	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe	97
PID 1416 wrote to memory of 3856	1416	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe	97
PID 1416 wrote to memory of 3856	1416	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe	97
PID 4208 wrote to memory of 2224	4208	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe	99
PID 4208 wrote to memory of 2224	4208	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe	99
PID 4208 wrote to memory of 2224	4208	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe	99
PID 4544 wrote to memory of 3292	4544	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe	101
PID 4544 wrote to memory of 3292	4544	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe	101
PID 4544 wrote to memory of 3292	4544	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe	101
PID 764 wrote to memory of 4432	764	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe	102
PID 764 wrote to memory of 4432	764	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe	102
PID 764 wrote to memory of 4432	764	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe	102
PID 3656 wrote to memory of 1012	3656	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe	103
PID 3656 wrote to memory of 1012	3656	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe	103
PID 3656 wrote to memory of 1012	3656	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe	103
PID 1416 wrote to memory of 4804	1416	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe	104
PID 1416 wrote to memory of 4804	1416	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe	104
PID 1416 wrote to memory of 4804	1416	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe	104
PID 1816 wrote to memory of 2816	1816	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe	106
PID 1816 wrote to memory of 2816	1816	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe	106
PID 1816 wrote to memory of 2816	1816	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe	106
PID 4412 wrote to memory of 3508	4412	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe	107
PID 4412 wrote to memory of 3508	4412	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe	107
PID 4412 wrote to memory of 3508	4412	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe	107
PID 3856 wrote to memory of 3588	3856	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe	108
PID 3856 wrote to memory of 3588	3856	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe	108
PID 3856 wrote to memory of 3588	3856	571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe	108

C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3656
- C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:764
- - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1416
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3856
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:3588
      - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        6⤵
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        7⤵
        
        PID:6248
        
        C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        8⤵
        
        PID:10592
        
        C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        8⤵
        
        PID:14520
        
        C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        7⤵
        
        PID:7948
        
        C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        7⤵
        
        PID:11104
        
        C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        7⤵
        
        PID:15096
      - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        6⤵
        
        PID:6100
        
        C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        7⤵
        
        PID:10520
        
        C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        7⤵
        
        PID:14400
      - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        6⤵
        
        PID:7720
        
        C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        7⤵
        
        PID:15160
      - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        6⤵
        
        PID:10668
      - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        6⤵
        
        PID:14596
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:4792
      - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        6⤵
        
        PID:6212
        
        C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        7⤵
        
        PID:10836
        
        C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        7⤵
        
        PID:15024
      - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        6⤵
        
        PID:7804
      - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        6⤵
        
        PID:10776
      - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        6⤵
        
        PID:14852
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:5676
      - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        6⤵
        
        PID:9212
      - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        6⤵
        
        PID:12476
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:7056
      - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        6⤵
        
        PID:13568
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:9192
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:12248
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:4804
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:3384
      - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        6⤵
        
        PID:6240
        
        C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        7⤵
        
        PID:11944
      - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        6⤵
        
        PID:7976
      - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        6⤵
        
        PID:11080
      - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        6⤵
        
        PID:15216
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:5904
      - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        6⤵
        
        PID:9728
      - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        6⤵
        
        PID:13952
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:7520
      - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        6⤵
        
        PID:14132
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:10328
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:14384
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:2776
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:5820
      - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        6⤵
        
        PID:9688
      - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        6⤵
        
        PID:13880
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:7112
      - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        6⤵
        
        PID:13984
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:9376
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:12740
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:5424
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:9020
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:11916
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:6660
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:12884
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:8440
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:11580
- - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1816
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:2816
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:4260
      - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        6⤵
        
        PID:6344
        
        C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        7⤵
        
        PID:10604
        
        C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        7⤵
        
        PID:14572
      - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        6⤵
        
        PID:7992
      - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        6⤵
        
        PID:11128
      - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        6⤵
        
        PID:15428
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:5916
      - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        6⤵
        
        PID:10384
      - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        6⤵
        
        PID:14344
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:7536
      - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        6⤵
        
        PID:14208
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:10244
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:3516
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:3396
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:6228
      - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        6⤵
        
        PID:10568
      - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        6⤵
        
        PID:14492
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:7852
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:10828
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:15016
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:5628
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:9092
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:12132
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:6908
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:12240
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:9000
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:11988
- - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
    3⤵
    PID:4432
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:4488
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:6256
      - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        6⤵
        
        PID:10696
      - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        6⤵
        
        PID:15040
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:8000
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:11096
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:15148
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:5944
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:10196
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:1804
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:7284
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:14124
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:9552
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:13560
- - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
    3⤵
    PID:1736
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:5616
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:8824
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:11640
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:6992
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:13408
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:9012
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:12124
- - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
    3⤵
    PID:5412
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:7316
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:14116
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:9560
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:13640
- - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
    3⤵
    PID:6636
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:10848
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:14844
- - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
    3⤵
    PID:8316
- - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
    3⤵
    PID:11304
- C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4208
- - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4544
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:3292
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:4784
      - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        6⤵
        
        PID:6180
        
        C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        7⤵
        
        PID:10688
        
        C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        7⤵
        
        PID:14820
      - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        6⤵
        
        PID:7828
      - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        6⤵
        
        PID:10820
      - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        6⤵
        
        PID:14880
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:5704
      - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        6⤵
        
        PID:9184
      - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        6⤵
        
        PID:11976
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:7188
      - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        6⤵
        
        PID:13740
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:9544
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:13464
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:1124
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:5492
      - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        6⤵
        
        PID:8096
      - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        6⤵
        
        PID:11288
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:6680
      - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        6⤵
        
        PID:13176
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:8600
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:11556
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:5356
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:7048
      - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        6⤵
        
        PID:13584
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:9164
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:12352
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:6628
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:12092
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:8324
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:11348
- - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
    3⤵
    PID:2224
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:676
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:5508
      - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        6⤵
        
        PID:7664
        
        C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        7⤵
        
        PID:15616
      - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        6⤵
        
        PID:10476
      - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        6⤵
        
        PID:14392
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:6824
      - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        6⤵
        
        PID:12232
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:8892
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:11728
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:5292
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:6720
      - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        6⤵
        
        PID:12116
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:8448
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:11564
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:6512
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:10636
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:14604
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:8332
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:11356
- - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
    3⤵
    PID:3296
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:5248
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:6644
      - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        6⤵
        
        PID:10768
      - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        6⤵
        
        PID:14872
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:8416
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:11468
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:6452
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:10584
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:14588
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:8032
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:11112
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:4448
- - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
    3⤵
    PID:5276
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:6816
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:13252
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:8756
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:11548
- - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
    3⤵
    PID:6524
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:10576
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:14580
- - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
    3⤵
    PID:8268
- - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
    3⤵
    PID:11296
- C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4412
- - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
    3⤵
    PID:3508
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:4992
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:6436
      - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        6⤵
        
        PID:11168
      - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        6⤵
        
        PID:15420
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:8084
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:11176
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:5980
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:10180
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:14236
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:7528
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:14164
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:10320
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:3612
- - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
    3⤵
    PID:4348
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:6264
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:10544
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:14564
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:7984
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:11088
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:232
- - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
    3⤵
    PID:5864
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:9568
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:13576
- - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
    3⤵
    PID:7392
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:14040
- - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
    3⤵
    PID:9896
- - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
    3⤵
    PID:14152
- C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
  2⤵
  PID:1012
- - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
    3⤵
    PID:1576
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:6132
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:10096
    - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
        5⤵
        
        PID:14224
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:7820
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:10804
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:14612
- - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
    3⤵
    PID:5668
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:9440
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:12748
- - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
    3⤵
    PID:7072
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:13728
- - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
    3⤵
    PID:9340
- - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
    3⤵
    PID:12732
- C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
  2⤵
  PID:456
- - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
    3⤵
    PID:5696
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:8840
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:11572
- - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
    3⤵
    PID:7064
  - - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
      4⤵
      PID:13612
- - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
    3⤵
    PID:9176
- - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
    3⤵
    PID:11936
- C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
  2⤵
  PID:5524
- - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
    3⤵
    PID:7968
- - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
    3⤵
    PID:11120
- - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
    3⤵
    PID:15508
- C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
  2⤵
  PID:6880
- - C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
    3⤵
    PID:13120
- C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
  2⤵
  PID:9052
- C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\571809383c6304b0a2e258ecfa8fc0a7_JaffaCakes118.exe"
  2⤵
  PID:11924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\canadian nude hardcore [milf] (Christine,Samantha).rar.exe

Filesize
384KB

MD5
155c56f823cdfc41c9d58b345d3e1701

SHA1
d64166b68ec78a8dccc8825c8bdcebe3cb711888

SHA256
ab79e473d24ec4d49a439c2cf6af417c8f7f9bd750d6c7effc4cc27ecb5da364

SHA512
05ae228fbe78423cb1e0b47a9cdbd0b28870ac0700143b74c87e7818a492f11a82495047f15ebbf856e08e4b3e6f39032510b1cfcb09c1f509433fb0c62c29fd

Download Submit