xtremerat | aa44cd3db152fa38c70321433628cb306f956e8b15d808c9622c1abd843e9453

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2024 01:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
Size

21KB
MD5

984857a166b08c993fd30d7cc3bc1b6a
SHA1

40929c549ba105263f6699a912fa9c469cf22b27
SHA256

aa44cd3db152fa38c70321433628cb306f956e8b15d808c9622c1abd843e9453
SHA512

87788794fb00cdfd40709b25b6f8c9769524534c9889853946b718de9beb9c840539e478b62f5a3408b5676ee59447d634d183f5bd36d2ccba5c9d1a1d678969
SSDEEP

384:cIdmF+Ti213fEF9QZd/cBr5M/gOjkaS4s/1k5YiZNl2KQhb/ulaqjpLR:cIsF81fG9QveLOYTe5YikKEGljr

Score

10^/10

xtremerat discovery persistence rat spyware upx

Malware Config

Signatures

Detect XtremeRAT payload 31 IoCs

resource	yara_rule
behavioral2/memory/1872-3-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/1872-4-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/1872-5-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4916-10-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/5012-15-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/1748-19-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/3628-23-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/2104-28-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/704-33-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/2940-38-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/1292-43-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4508-48-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/2540-52-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/5096-57-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/2792-62-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/3084-67-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/428-72-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/440-77-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4528-82-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/1624-87-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4488-91-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/1060-96-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4360-101-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4688-106-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4348-111-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4244-116-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/2188-121-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4748-125-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/3356-130-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/3488-135-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4536-140-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Xtremerat family
xtremerat

Checks computer location settings 2 TTPs 29 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe

UPX packed file 32 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1872-0-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/1872-3-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/1872-4-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/1872-5-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/4916-10-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/5012-15-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/1748-19-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/3628-23-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/2104-28-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/704-33-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/2940-38-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/1292-43-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/4508-48-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/2540-52-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/5096-57-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/2792-62-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/3084-67-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/428-72-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/440-77-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/4528-82-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/1624-87-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/4488-91-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/1060-96-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/4360-101-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/4688-106-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/4348-111-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/4244-116-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/2188-121-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/4748-125-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/3356-130-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/3488-135-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/4536-140-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 2380	1872	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	91
PID 1872 wrote to memory of 2380	1872	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	91
PID 1872 wrote to memory of 2380	1872	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	91
PID 1872 wrote to memory of 1876	1872	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	94
PID 1872 wrote to memory of 1876	1872	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	94
PID 1872 wrote to memory of 1876	1872	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	94
PID 1872 wrote to memory of 3504	1872	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	95
PID 1872 wrote to memory of 3504	1872	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	95
PID 1872 wrote to memory of 3504	1872	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	95
PID 1872 wrote to memory of 3344	1872	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	96
PID 1872 wrote to memory of 3344	1872	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	96
PID 1872 wrote to memory of 3344	1872	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	96
PID 1872 wrote to memory of 1264	1872	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	97
PID 1872 wrote to memory of 1264	1872	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	97
PID 1872 wrote to memory of 1264	1872	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	97
PID 1872 wrote to memory of 3052	1872	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	98
PID 1872 wrote to memory of 3052	1872	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	98
PID 1872 wrote to memory of 3052	1872	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	98
PID 1872 wrote to memory of 4208	1872	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	103
PID 1872 wrote to memory of 4208	1872	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	103
PID 1872 wrote to memory of 4208	1872	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	103
PID 1872 wrote to memory of 4896	1872	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	104
PID 1872 wrote to memory of 4896	1872	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	104
PID 1872 wrote to memory of 4916	1872	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	105
PID 1872 wrote to memory of 4916	1872	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	105
PID 1872 wrote to memory of 4916	1872	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	105
PID 4916 wrote to memory of 1516	4916	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	106
PID 4916 wrote to memory of 1516	4916	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	106
PID 4916 wrote to memory of 1516	4916	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	106
PID 4916 wrote to memory of 1776	4916	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	107
PID 4916 wrote to memory of 1776	4916	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	107
PID 4916 wrote to memory of 1776	4916	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	107
PID 4916 wrote to memory of 4856	4916	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	108
PID 4916 wrote to memory of 4856	4916	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	108
PID 4916 wrote to memory of 4856	4916	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	108
PID 4916 wrote to memory of 3496	4916	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	109
PID 4916 wrote to memory of 3496	4916	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	109
PID 4916 wrote to memory of 3496	4916	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	109
PID 4916 wrote to memory of 752	4916	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	110
PID 4916 wrote to memory of 752	4916	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	110
PID 4916 wrote to memory of 752	4916	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	110
PID 4916 wrote to memory of 4900	4916	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	111
PID 4916 wrote to memory of 4900	4916	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	111
PID 4916 wrote to memory of 4900	4916	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	111
PID 4916 wrote to memory of 952	4916	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	112
PID 4916 wrote to memory of 952	4916	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	112
PID 4916 wrote to memory of 952	4916	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	112
PID 4916 wrote to memory of 5000	4916	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	113
PID 4916 wrote to memory of 5000	4916	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	113
PID 4916 wrote to memory of 5012	4916	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	114
PID 4916 wrote to memory of 5012	4916	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	114
PID 4916 wrote to memory of 5012	4916	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	114
PID 5012 wrote to memory of 4504	5012	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	115
PID 5012 wrote to memory of 4504	5012	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	115
PID 5012 wrote to memory of 4504	5012	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	115
PID 5012 wrote to memory of 2668	5012	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	116
PID 5012 wrote to memory of 2668	5012	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	116
PID 5012 wrote to memory of 2668	5012	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	116
PID 5012 wrote to memory of 3144	5012	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	117
PID 5012 wrote to memory of 3144	5012	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	117
PID 5012 wrote to memory of 3144	5012	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	117
PID 5012 wrote to memory of 4824	5012	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	118
PID 5012 wrote to memory of 4824	5012	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	118
PID 5012 wrote to memory of 4824	5012	984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe	118

C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  PID:2380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  PID:1876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  PID:3504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  PID:3344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  PID:1264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  PID:3052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  PID:4208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  PID:4896
- C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4916
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:1516
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:1776
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:4856
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:3496
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:752
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:4900
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:952
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:5000
- - C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5012
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4504
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:2668
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:3144
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4824
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4884
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:2228
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:3748
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4844
  - - C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      PID:1748
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:884
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4312
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:1012
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:2460
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:1064
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3592
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:2480
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:756
    - - C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe"
        5⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3628
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4036
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5088
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1640
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3536
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3456
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1284
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1592
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2452
      - C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe"
        6⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2104
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:5060
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:64
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:1096
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:3700
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:4524
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:2992
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:1348
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe"
        7⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:704
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:3532
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4788
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2580
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:3276
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:1124
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:528
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:3304
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe"
        8⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:4772
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:3608
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:3412
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:2000
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:3688
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:4764
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:2644
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe"
        9⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1292
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:4380
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:2736
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:3516
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:4492
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:4076
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:4540
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:4224
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe"
        10⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4508
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:1488
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:1556
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:2208
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:1760
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:1696
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:3948
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:1324
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe"
        11⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2540
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:4136
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:3712
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:1432
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:2412
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:2136
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:916
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:4916
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe"
        12⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:5096
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:3924
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:220
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:4168
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:1028
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:1236
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:4948
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:2200
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe"
        13⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:1320
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:1444
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:1824
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:3168
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:1116
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:2040
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:2572
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe"
        14⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3084
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        15⤵
        
        PID:5044
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        15⤵
        
        PID:4388
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        15⤵
        
        PID:1092
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        15⤵
        
        PID:1340
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        15⤵
        
        PID:3544
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        15⤵
        
        PID:432
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        15⤵
        
        PID:4720
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        15⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe"
        15⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:428
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:1504
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:4660
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:3424
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:4756
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:4996
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:4108
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:5040
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe"
        16⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:440
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:4212
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:3116
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:4128
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:1328
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:3364
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:4888
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:2628
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe"
        17⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4528
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:1920
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:3908
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:4584
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:3972
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:3320
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:4500
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:2168
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe"
        18⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1624
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        19⤵
        
        PID:2212
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        19⤵
        
        PID:2740
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        19⤵
        
        PID:3480
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        19⤵
        
        PID:812
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        19⤵
        
        PID:4236
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        19⤵
        
        PID:1436
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        19⤵
        
        PID:4928
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        19⤵
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe"
        19⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4488
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:1484
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:3408
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:4704
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:1524
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:2284
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:4872
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:3024
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe"
        20⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1060
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        21⤵
        
        PID:2608
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        21⤵
        
        PID:3904
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        21⤵
        
        PID:4744
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        21⤵
        
        PID:1128
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        21⤵
        
        PID:4100
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        21⤵
        
        PID:704
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        21⤵
        
        PID:4400
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        21⤵
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe"
        21⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:2704
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:4328
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:4216
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:2956
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:4728
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:1292
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:372
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe"
        22⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4688
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        23⤵
        
        PID:2360
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        23⤵
        
        PID:1620
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        23⤵
        
        PID:5084
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        23⤵
        
        PID:4508
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        23⤵
        
        PID:1460
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        23⤵
        
        PID:244
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        23⤵
        
        PID:2176
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        23⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe"
        23⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4348
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        24⤵
        
        PID:1624
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        24⤵
        
        PID:1924
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        24⤵
        
        PID:964
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        24⤵
        
        PID:868
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        24⤵
        
        PID:4912
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        24⤵
        
        PID:2616
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        24⤵
        
        PID:1020
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        24⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe"
        24⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4244
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        25⤵
        
        PID:4340
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        25⤵
        
        PID:2536
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        25⤵
        
        PID:3084
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        25⤵
        
        PID:3520
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        25⤵
        
        PID:5016
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        25⤵
        
        PID:1060
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        25⤵
        
        PID:1212
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        25⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe"
        25⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        26⤵
        
        PID:1756
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        26⤵
        
        PID:3440
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        26⤵
        
        PID:3644
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        26⤵
        
        PID:2124
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        26⤵
        
        PID:440
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        26⤵
        
        PID:5096
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        26⤵
        
        PID:1892
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        26⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe"
        26⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4748
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        27⤵
        
        PID:3660
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        27⤵
        
        PID:2504
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        27⤵
        
        PID:2768
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        27⤵
        
        PID:400
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        27⤵
        
        PID:2564
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        27⤵
        
        PID:516
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        27⤵
        
        PID:3704
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        27⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe"
        27⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3356
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        28⤵
        
        PID:5104
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        28⤵
        
        PID:1680
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        28⤵
        
        PID:2260
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        28⤵
        
        PID:1144
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        28⤵
        
        PID:4968
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        28⤵
        
        PID:4348
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        28⤵
        
        PID:2312
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        28⤵
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe"
        28⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3488
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        29⤵
        
        PID:2416
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        29⤵
        
        PID:1148
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        29⤵
        
        PID:3648
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        29⤵
        
        PID:2784
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        29⤵
        
        PID:4716
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        29⤵
        
        PID:2860
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        29⤵
        
        PID:3164
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        29⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe"
        29⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4536
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        30⤵
        
        PID:4012
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        30⤵
        
        PID:4184
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        30⤵
        
        PID:3176
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        30⤵
        
        PID:3616
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        30⤵
        
        PID:888
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        30⤵
        
        PID:4072
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        30⤵
        
        PID:4768
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        30⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\984857a166b08c993fd30d7cc3bc1b6a_JaffaCakes118.exe"
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:744
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        31⤵
        
        PID:2556
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        31⤵
        
        PID:4940
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        31⤵
        
        PID:636
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        31⤵
        
        PID:212
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        31⤵
        
        PID:3288
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        31⤵
        
        PID:5128
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        31⤵
        
        PID:5140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((Mutex)).cfg

Filesize
1KB

MD5
a105d3b0b6cd099fadbff4889722192e

SHA1
6a2786424fbb1b91c776dfd2963557d5da8536db

SHA256
f6f09616d6efbe383a37c13dd37ac67bb3f460dbe1f01c60f9e745d1c8ff429b

SHA512
b50c32b602297ff203c22238dd1303046d65eb5d945312f95ea0935ca228d28db7cbeed74a7e9293b86a7544908482ee803740e86ed713d2ebd8680662e1e0a9

Download Submit
memory/428-72-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/440-77-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/704-33-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1060-96-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1292-43-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1624-87-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1748-19-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1872-3-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1872-0-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1872-5-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1872-4-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2104-28-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2188-121-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2540-52-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2792-62-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2940-38-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3084-67-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3356-130-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3488-135-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3628-23-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4244-116-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4348-111-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4360-101-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4488-91-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4508-48-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4528-82-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4536-140-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4688-106-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4748-125-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4916-10-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/5012-15-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/5096-57-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download