isrstealer | 62b98bcdf890bff37ce85ce18d8b4ac046c6a248979ef068c3298e75a48dc5ad

Analysis

max time kernel
125s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 06:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Size

173KB
MD5

d1233b402c1f2eb42d9114cabc620af3
SHA1

981ed9468d9ebca4ba046194822f87be88819bac
SHA256

62b98bcdf890bff37ce85ce18d8b4ac046c6a248979ef068c3298e75a48dc5ad
SHA512

be1586ddf658184832198e66fb2453dd3b18faa2ace6e0b82887a5bf384c632aaf7c85f53c436b1661bb86c3fa93f42226ed6512bf62a5d6d6e9277418173d25
SSDEEP

3072:ogO8Ng8VvnvhcZcqfVwuS1glK8CjB0jmUJXRnLuJuq77i28W:ogng8VCZ59/rKtjTUPuJPJT

Score

10^/10

isrstealer xtremerat discovery persistence rat spyware stealer trojan upx

Malware Config

Signatures

Detect XtremeRAT payload 4 IoCs

resource	yara_rule
behavioral2/memory/3184-5-0x0000000000C80000-0x0000000000CAA000-memory.dmp	family_xtremerat
behavioral2/memory/2360-9-0x0000000000C80000-0x0000000000CAA000-memory.dmp	family_xtremerat
behavioral2/memory/3184-25-0x0000000000C80000-0x0000000000CAA000-memory.dmp	family_xtremerat
behavioral2/memory/1952-61-0x0000000000C80000-0x0000000000CAA000-memory.dmp	family_xtremerat

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023b8e-15.dat	family_isrstealer

Isrstealer family
isrstealer
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Xtremerat family
xtremerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 64 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe restart"	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe restart"	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe restart"	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe restart"	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe restart"	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe restart"	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe restart"	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe restart"	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe restart"	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe restart"	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe restart"	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe restart"	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe restart"	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe restart"	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe restart"	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe restart"	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe restart"	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe restart"	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe restart"	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe restart"	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe restart"	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe restart"	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe restart"	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe restart"	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe restart"	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe restart"	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe restart"	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe restart"	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe restart"	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe restart"	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe restart"	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe restart"	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe restart"	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe

Executes dropped EXE 64 IoCs

pid	Process
1652	491Servidor xD.exe
4748	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
1188	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
1596	491Servidor xD.exe
4916	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
3104	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
1952	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2716	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
5044	491Servidor xD.exe
4240	491Servidor xD.exe
1616	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2992	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
1460	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
4044	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
1088	491Servidor xD.exe
5036	491Servidor xD.exe
3536	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
4512	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
1652	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
3212	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
4444	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2720	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
1188	491Servidor xD.exe
3148	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
3944	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
5088	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2932	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
4408	491Servidor xD.exe
1600	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
628	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
4748	491Servidor xD.exe
2240	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
4236	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
3352	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
3552	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
3144	491Servidor xD.exe
1648	491Servidor xD.exe
4444	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
4404	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
4800	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
544	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
1128	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2136	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
3520	491Servidor xD.exe
936	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2756	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
4176	491Servidor xD.exe
3148	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
4900	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2760	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
1020	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2240	491Servidor xD.exe
4060	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
4468	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
4236	491Servidor xD.exe
1892	491Servidor xD.exe
1728	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
4832	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
3952	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2380	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
4976	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2020	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
4404	491Servidor xD.exe
3940	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 3872 set thread context of 3184	3872	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	82
PID 4748 set thread context of 1188	4748	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	94
PID 3104 set thread context of 2716	3104	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	111
PID 4916 set thread context of 1952	4916	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	110
PID 1616 set thread context of 1460	1616	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	128
PID 2992 set thread context of 4044	2992	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	129
PID 4512 set thread context of 4444	4512	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	152
PID 1652 set thread context of 3212	1652	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	151
PID 3536 set thread context of 2720	3536	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	153
PID 3148 set thread context of 3944	3148	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	164
PID 5088 set thread context of 2932	5088	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	166
PID 1600 set thread context of 628	1600	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	182
PID 2240 set thread context of 4236	2240	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	187
PID 3352 set thread context of 3552	3352	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	203
PID 4444 set thread context of 4404	4444	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	209
PID 4800 set thread context of 544	4800	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	212
PID 1128 set thread context of 2136	1128	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	225
PID 936 set thread context of 2756	936	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	232
PID 3148 set thread context of 4900	3148	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	239
PID 2760 set thread context of 1020	2760	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	255
PID 4060 set thread context of 4468	4060	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	263
PID 1728 set thread context of 4832	1728	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	269
PID 3952 set thread context of 2380	3952	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	272
PID 4976 set thread context of 2020	4976	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	288
PID 3940 set thread context of 1176	3940	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	296
PID 4176 set thread context of 4696	4176	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	304
PID 1576 set thread context of 972	1576	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	315
PID 5184 set thread context of 5216	5184	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	329
PID 5392 set thread context of 5416	5392	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	336
PID 5616 set thread context of 5648	5616	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	346
PID 5896 set thread context of 5940	5896	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	353
PID 6000 set thread context of 6032	6000	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	357
PID 4976 set thread context of 3400	4976	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	371
PID 2372 set thread context of 5436	2372	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	381
PID 5668 set thread context of 5680	5668	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	390
PID 5016 set thread context of 5968	5016	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	401
PID 4680 set thread context of 5292	4680	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	415
PID 2592 set thread context of 5396	2592	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	420
PID 5744 set thread context of 5924	5744	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	432
PID 6136 set thread context of 5584	6136	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	441
PID 5624 set thread context of 5320	5624	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	454
PID 3732 set thread context of 5580	3732	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	458
PID 6040 set thread context of 5276	6040	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	463
PID 5772 set thread context of 5736	5772	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	472
PID 3732 set thread context of 3216	3732	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	491
PID 6200 set thread context of 6232	6200	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	504
PID 6444 set thread context of 6476	6444	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	514
PID 6608 set thread context of 6640	6608	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	525
PID 6908 set thread context of 6948	6908	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	535
PID 7012 set thread context of 7044	7012	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	540
PID 2756 set thread context of 4388	2756	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	553
PID 6328 set thread context of 6372	6328	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	564
PID 6804 set thread context of 6836	6804	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	575
PID 6700 set thread context of 6912	6700	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	580
PID 2052 set thread context of 6848	2052	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	584
PID 7068 set thread context of 7128	7068	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	588
PID 5712 set thread context of 1864	5712	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	597
PID 5372 set thread context of 6832	5372	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	619
PID 7088 set thread context of 5704	7088	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	636
PID 4852 set thread context of 6588	4852	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	644
PID 2216 set thread context of 1428	2216	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	648
PID 6924 set thread context of 2140	6924	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	663
PID 6476 set thread context of 6164	6476	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	672
PID 2320 set thread context of 4860	2320	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	677

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3184-2-0x0000000000C80000-0x0000000000CAA000-memory.dmp	upx
behavioral2/memory/3184-4-0x0000000000C80000-0x0000000000CAA000-memory.dmp	upx
behavioral2/memory/3184-6-0x0000000000C80000-0x0000000000CAA000-memory.dmp	upx
behavioral2/memory/3184-5-0x0000000000C80000-0x0000000000CAA000-memory.dmp	upx
behavioral2/memory/2360-9-0x0000000000C80000-0x0000000000CAA000-memory.dmp	upx
behavioral2/memory/3184-25-0x0000000000C80000-0x0000000000CAA000-memory.dmp	upx
behavioral2/memory/1952-61-0x0000000000C80000-0x0000000000CAA000-memory.dmp	upx
behavioral2/memory/1952-59-0x0000000000C80000-0x0000000000CAA000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	491Servidor xD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	491Servidor xD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	491Servidor xD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	491Servidor xD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	491Servidor xD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	491Servidor xD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	491Servidor xD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	491Servidor xD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	491Servidor xD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	491Servidor xD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	491Servidor xD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	491Servidor xD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	491Servidor xD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	491Servidor xD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1652	491Servidor xD.exe
1652	491Servidor xD.exe
1652	491Servidor xD.exe
1652	491Servidor xD.exe
1652	491Servidor xD.exe
1652	491Servidor xD.exe
1652	491Servidor xD.exe
1652	491Servidor xD.exe
1596	491Servidor xD.exe
1596	491Servidor xD.exe
1596	491Servidor xD.exe
1596	491Servidor xD.exe
1596	491Servidor xD.exe
1596	491Servidor xD.exe
1596	491Servidor xD.exe
1596	491Servidor xD.exe
5044	491Servidor xD.exe
5044	491Servidor xD.exe
5044	491Servidor xD.exe
5044	491Servidor xD.exe
5044	491Servidor xD.exe
5044	491Servidor xD.exe
5044	491Servidor xD.exe
5044	491Servidor xD.exe
4240	491Servidor xD.exe
4240	491Servidor xD.exe
4240	491Servidor xD.exe
4240	491Servidor xD.exe
4240	491Servidor xD.exe
4240	491Servidor xD.exe
4240	491Servidor xD.exe
4240	491Servidor xD.exe
1088	491Servidor xD.exe
1088	491Servidor xD.exe
1088	491Servidor xD.exe
1088	491Servidor xD.exe
1088	491Servidor xD.exe
1088	491Servidor xD.exe
1088	491Servidor xD.exe
1088	491Servidor xD.exe
5036	491Servidor xD.exe
5036	491Servidor xD.exe
5036	491Servidor xD.exe
5036	491Servidor xD.exe
5036	491Servidor xD.exe
5036	491Servidor xD.exe
5036	491Servidor xD.exe
5036	491Servidor xD.exe
1188	491Servidor xD.exe
1188	491Servidor xD.exe
1188	491Servidor xD.exe
1188	491Servidor xD.exe
1188	491Servidor xD.exe
1188	491Servidor xD.exe
1188	491Servidor xD.exe
1188	491Servidor xD.exe
4408	491Servidor xD.exe
4408	491Servidor xD.exe
4408	491Servidor xD.exe
4408	491Servidor xD.exe
4408	491Servidor xD.exe
4408	491Servidor xD.exe
4408	491Servidor xD.exe
4408	491Servidor xD.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3872	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
1652	491Servidor xD.exe
4748	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
1596	491Servidor xD.exe
4916	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
3104	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
5044	491Servidor xD.exe
4240	491Servidor xD.exe
1616	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2992	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
1088	491Servidor xD.exe
5036	491Servidor xD.exe
3536	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
1652	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
4512	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
1188	491Servidor xD.exe
3148	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
5088	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
4408	491Servidor xD.exe
1600	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
4748	491Servidor xD.exe
2240	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
3352	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
3144	491Servidor xD.exe
1648	491Servidor xD.exe
4444	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
4800	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
1128	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
3520	491Servidor xD.exe
936	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
4176	491Servidor xD.exe
3148	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2760	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2240	491Servidor xD.exe
4060	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
4236	491Servidor xD.exe
1892	491Servidor xD.exe
1728	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
3952	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
4976	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
4404	491Servidor xD.exe
3940	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
2604	491Servidor xD.exe
4176	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
4044	491Servidor xD.exe
1576	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
5184	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
5312	491Servidor xD.exe
5392	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
5544	491Servidor xD.exe
5616	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
5740	491Servidor xD.exe
5896	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
5884	491Servidor xD.exe
6000	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
4976	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
5308	491Servidor xD.exe
2372	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
5572	491Servidor xD.exe
5668	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
5792	491Servidor xD.exe
5016	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
5852	491Servidor xD.exe
4680	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3872 wrote to memory of 3184	3872	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	82
PID 3872 wrote to memory of 3184	3872	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	82
PID 3872 wrote to memory of 3184	3872	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	82
PID 3872 wrote to memory of 3184	3872	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	82
PID 3872 wrote to memory of 3184	3872	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	82
PID 3872 wrote to memory of 3184	3872	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	82
PID 3872 wrote to memory of 3184	3872	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	82
PID 3872 wrote to memory of 3184	3872	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	82
PID 3184 wrote to memory of 2360	3184	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	83
PID 3184 wrote to memory of 2360	3184	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	83
PID 3184 wrote to memory of 2360	3184	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	83
PID 3184 wrote to memory of 2360	3184	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	83
PID 3184 wrote to memory of 2080	3184	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	84
PID 3184 wrote to memory of 2080	3184	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	84
PID 3184 wrote to memory of 2080	3184	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	84
PID 3184 wrote to memory of 1208	3184	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	85
PID 3184 wrote to memory of 1208	3184	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	85
PID 3184 wrote to memory of 1208	3184	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	85
PID 3184 wrote to memory of 3740	3184	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	86
PID 3184 wrote to memory of 3740	3184	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	86
PID 3184 wrote to memory of 3740	3184	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	86
PID 3184 wrote to memory of 4820	3184	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	87
PID 3184 wrote to memory of 4820	3184	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	87
PID 3184 wrote to memory of 4820	3184	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	87
PID 3184 wrote to memory of 3908	3184	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	88
PID 3184 wrote to memory of 3908	3184	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	88
PID 3184 wrote to memory of 3908	3184	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	88
PID 3184 wrote to memory of 4340	3184	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	89
PID 3184 wrote to memory of 4340	3184	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	89
PID 3184 wrote to memory of 4340	3184	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	89
PID 3184 wrote to memory of 5024	3184	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	90
PID 3184 wrote to memory of 5024	3184	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	90
PID 3184 wrote to memory of 5024	3184	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	90
PID 3184 wrote to memory of 2680	3184	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	91
PID 3184 wrote to memory of 2680	3184	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	91
PID 3184 wrote to memory of 1652	3184	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	92
PID 3184 wrote to memory of 1652	3184	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	92
PID 3184 wrote to memory of 1652	3184	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	92
PID 3184 wrote to memory of 4748	3184	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	93
PID 3184 wrote to memory of 4748	3184	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	93
PID 3184 wrote to memory of 4748	3184	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	93
PID 4748 wrote to memory of 1188	4748	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	94
PID 4748 wrote to memory of 1188	4748	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	94
PID 4748 wrote to memory of 1188	4748	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	94
PID 4748 wrote to memory of 1188	4748	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	94
PID 4748 wrote to memory of 1188	4748	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	94
PID 4748 wrote to memory of 1188	4748	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	94
PID 4748 wrote to memory of 1188	4748	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	94
PID 4748 wrote to memory of 1188	4748	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	94
PID 1188 wrote to memory of 5076	1188	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	95
PID 1188 wrote to memory of 5076	1188	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	95
PID 1188 wrote to memory of 5076	1188	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	95
PID 1188 wrote to memory of 3472	1188	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	96
PID 1188 wrote to memory of 3472	1188	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	96
PID 1188 wrote to memory of 3472	1188	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	96
PID 1188 wrote to memory of 4872	1188	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	97
PID 1188 wrote to memory of 4872	1188	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	97
PID 1188 wrote to memory of 4872	1188	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	97
PID 1188 wrote to memory of 892	1188	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	98
PID 1188 wrote to memory of 892	1188	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	98
PID 1188 wrote to memory of 892	1188	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	98
PID 1188 wrote to memory of 4588	1188	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	101
PID 1188 wrote to memory of 4588	1188	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	101
PID 1188 wrote to memory of 4588	1188	d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe	101

C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3872
- C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3184
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - Modifies registry class
    PID:2360
  - - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:3104
    - - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2716
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:336
      - C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:5044
  - - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1616
    - - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1460
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4488
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1956
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:928
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4336
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2432
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4496
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:872
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1612
      - C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1088
      - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2720
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2904
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2452
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2228
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2764
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:1900
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2420
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4300
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:4236
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:3212
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:1872
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:1984
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:3172
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:2788
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:3176
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:3428
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:4900
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:528
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:1884
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:552
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:1992
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:4576
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:4780
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:2164
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        12⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        13⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:972
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:2032
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:1672
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:5184
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:5404
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:2960
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:5748
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:5692
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        14⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5852
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        14⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        15⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5292
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:116
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:5240
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:5900
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:2896
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:6192
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:6340
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:6524
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:6628
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        16⤵
        
        PID:6748
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        16⤵
        Suspicious use of SetThreadContext
        
        PID:6908
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        17⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:6948
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:4528
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:5576
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:6768
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:5536
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:6208
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:1796
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:5320
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:6988
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        18⤵
        
        PID:6776
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        18⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:6476
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        19⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:6164
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:8056
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:8128
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:7392
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:6844
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:7696
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:7848
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:6348
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        20⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        20⤵
        
        PID:7268
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        21⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Adds Run key to start application
        
        PID:7296
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:4012
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:8048
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:8232
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:8388
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:8656
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:8908
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:9192
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:7556
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        22⤵
        
        PID:7172
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        22⤵
        
        PID:7720
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        23⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:8956
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        24⤵
        
        PID:8472
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        24⤵
        
        PID:9308
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        24⤵
        
        PID:9488
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        24⤵
        
        PID:9644
  - - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:4512
    - - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:4444
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:896
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:876
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4228
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:792
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4612
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2888
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4420
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1236
      - C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1188
      - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2932
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4008
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:1652
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:1552
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:828
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4656
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2388
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:1200
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:544
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:3412
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:4100
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:1880
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:1492
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:2940
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:3632
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:980
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:2380
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:8
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:3480
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5128
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5164
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5260
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5452
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5600
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5816
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5884
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        12⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:6000
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        13⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:6032
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:6012
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:5188
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:5412
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:3332
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:2220
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:5572
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:5684
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        14⤵
        Suspicious use of SetThreadContext
        
        PID:6040
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        15⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Adds Run key to start application
        
        PID:5276
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:6596
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:6820
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:7080
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:5436
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:4032
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:6320
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:6304
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:6880
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        16⤵
        
        PID:6704
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        16⤵
        Suspicious use of SetThreadContext
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        17⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Adds Run key to start application
        
        PID:6848
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:7040
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:6492
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:6616
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:6660
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:6920
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:5648
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:6372
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        18⤵
        
        PID:7460
  - - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:3148
    - - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:3944
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3904
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4564
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3700
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1596
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3884
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3372
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1828
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4916
      - C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3144
      - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:4404
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:1424
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:3832
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:3612
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5028
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:3168
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4572
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2832
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Modifies registry class
        
        PID:4832
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:2872
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:2964
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:1576
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5144
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5200
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5360
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5484
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5640
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        10⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5740
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        10⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:5896
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5940
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5884
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5052
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5280
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5596
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:2860
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5348
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5860
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5616
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:6068
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        12⤵
        Suspicious use of SetThreadContext
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        13⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:5580
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:6540
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:6668
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:6996
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:7112
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:4180
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:4876
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:6412
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        14⤵
        
        PID:6728
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        14⤵
        Suspicious use of SetThreadContext
        
        PID:6700
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        15⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:6912
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:6432
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:6256
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:4692
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:6496
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:6700
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:5500
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:1452
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:5960
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        16⤵
        
        PID:7264
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        16⤵
        
        PID:7508
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        17⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:7536
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:5380
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:7808
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:7680
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:7768
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:224
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:8088
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:6860
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:6716
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        18⤵
        
        PID:7100
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:6964
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        19⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:7912
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:9112
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:7488
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:8748
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:7824
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:8508
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:8496
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:8336
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:9040
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        20⤵
        
        PID:7660
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        20⤵
        
        PID:8968
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:7036
  - - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1600
    - - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:628
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4172
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1960
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1400
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4184
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3976
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2460
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2816
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:232
      - C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3520
      - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2756
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4736
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:1932
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4944
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:1368
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4580
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4748
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:1892
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        8⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        9⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4696
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6076
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6104
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:4016
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:2604
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5152
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5516
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:3972
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5756
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        10⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5792
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        10⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        11⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5968
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5228
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5560
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5668
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:2224
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5624
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5724
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:6176
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:6280
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        12⤵
        
        PID:6348
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        12⤵
        Suspicious use of SetThreadContext
        
        PID:6444
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        13⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6476
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:5512
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:7148
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:1676
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:4888
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:1916
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:6688
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:6840
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:5736
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        14⤵
        
        PID:5376
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        14⤵
        Suspicious use of SetThreadContext
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        15⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:1428
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:7812
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:7972
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:8032
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:8120
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:7372
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:5728
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:7580
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:7884
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        16⤵
        
        PID:7664
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        16⤵
        
        PID:8156
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        17⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:6136
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:7652
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:8096
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:7736
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:7540
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:8224
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:8364
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:8648
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:8900
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        18⤵
        
        PID:9040
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        18⤵
        
        PID:9152
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        19⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Adds Run key to start application
        
        PID:9176
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:7844
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:9084
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:9052
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:9316
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:9496
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:9696
  - - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:3352
    - - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:3552
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4452
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1328
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1388
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2532
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4744
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:756
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1136
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:760
      - C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2240
      - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:4468
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2124
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:1856
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5044
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4176
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5136
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5176
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5340
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5476
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5544
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        8⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:5616
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:5648
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:4220
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5912
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5088
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5196
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5528
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:668
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:3144
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5868
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        10⤵
        
        PID:5768
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        10⤵
        Suspicious use of SetThreadContext
        
        PID:5624
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        11⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5320
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:6436
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:6556
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:6740
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:7028
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:7156
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5300
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:6312
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5908
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        12⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        12⤵
        Suspicious use of SetThreadContext
        
        PID:6804
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        13⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:6836
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:972
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:5768
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:6220
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:5304
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:3112
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:6156
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:6904
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:5916
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:6964
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        14⤵
        
        PID:7328
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        15⤵
        Checks computer location settings
        Modifies registry class
        
        PID:7376
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:7188
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:6972
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:4784
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:7220
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:6784
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:7620
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:7056
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:7344
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        16⤵
        
        PID:8044
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        16⤵
        
        PID:7304
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        17⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Modifies registry class
        
        PID:7876
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:9000
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:8256
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:8564
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:9160
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:8560
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:8700
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:7364
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:8500
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        18⤵
        
        PID:7280
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:8684
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        19⤵
        
        PID:7468
  - - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:1128
    - - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2136
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1196
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1140
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3316
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2456
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3352
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2024
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3148
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3192
      - C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4404
      - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        7⤵
        Modifies registry class
        
        PID:1176
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5760
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5992
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6088
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6112
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:3436
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4044
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5268
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5572
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        8⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:5668
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Modifies registry class
        
        PID:5680
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5432
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:3104
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5956
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5784
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5740
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5936
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:3400
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5864
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        10⤵
        
        PID:5792
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        10⤵
        Suspicious use of SetThreadContext
        
        PID:6200
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Adds Run key to start application
        
        PID:6232
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:3844
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:7020
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:7144
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:2364
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:2828
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:6396
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:6452
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:6980
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        12⤵
        
        PID:5296
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        12⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:7088
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        13⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:5704
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:7636
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:7788
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:7920
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:8024
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:8112
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:6836
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:7444
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:7512
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        14⤵
        
        PID:7712
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        14⤵
        
        PID:6720
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:7504
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:6852
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:7748
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:7728
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:8044
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:1248
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:8196
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:8308
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:8580
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        16⤵
        
        PID:8664
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:8752
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        17⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Adds Run key to start application
        
        PID:8800
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:8848
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:8092
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:8704
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:4280
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:9292
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:9412
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:9604
  - - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:2760
    - - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Modifies registry class
        
        PID:1020
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2120
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3552
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2544
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4584
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4964
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2044
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5156
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5244
      - C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5312
      - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        6⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5392
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        7⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:5416
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5656
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5788
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5928
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5848
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5040
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5496
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5776
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5696
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        8⤵
        
        PID:5324
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        8⤵
        Suspicious use of SetThreadContext
        
        PID:6136
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        9⤵
        Modifies registry class
        
        PID:5584
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6168
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6272
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6500
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6580
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6816
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:7072
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:4468
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        10⤵
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        10⤵
        Suspicious use of SetThreadContext
        
        PID:6328
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        11⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:6372
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:7068
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5712
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5672
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:6236
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:2052
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5376
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:6204
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:6636
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        12⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:6604
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        13⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6804
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:7596
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:7900
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:8168
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:6932
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:8184
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:8052
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:7684
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:7428
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        14⤵
        
        PID:7744
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        14⤵
        
        PID:6244
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        15⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Modifies registry class
        
        PID:4464
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:8572
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:8860
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:9120
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:8340
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:8744
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:8296
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:7316
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:8468
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        16⤵
        
        PID:8704
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        16⤵
        
        PID:9060
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        17⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Modifies registry class
        
        PID:8292
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:9776
  - - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4976
    - - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        
        PID:2020
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5468
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5604
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5824
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6024
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6096
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6120
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4236
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5208
      - C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5308
      - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Modifies registry class
        
        PID:5436
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:3608
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4800
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2240
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5224
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2380
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5892
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6016
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6064
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        8⤵
        
        PID:5284
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        8⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        9⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:3216
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5972
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6664
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:3980
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5440
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5544
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:512
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:4472
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6392
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        10⤵
        
        PID:6508
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        10⤵
        Suspicious use of SetThreadContext
        
        PID:5372
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        11⤵
        
        PID:6832
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:7096
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:7224
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:7564
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:7700
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:7892
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:7988
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:8064
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        12⤵
        
        PID:7284
  - - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:5184
    - - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Modifies registry class
        
        PID:5216
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1664
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5564
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5720
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2932
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5988
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6128
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5356
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5492
      - C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        6⤵
        
        PID:5616
      - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        6⤵
        Suspicious use of SetThreadContext
        
        PID:5744
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Modifies registry class
        
        PID:5924
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2596
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5216
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6224
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6356
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6548
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6676
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:7004
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:7120
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        8⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        8⤵
        Suspicious use of SetThreadContext
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Modifies registry class
        
        PID:4388
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6516
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6900
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5016
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5968
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6760
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6612
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6684
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6704
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:6536
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        10⤵
        
        PID:6804
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Adds Run key to start application
        
        PID:7048
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:7328
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:7252
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:7492
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:4412
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:7600
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:7644
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:7136
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:7632
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        12⤵
        
        PID:7588
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        12⤵
        
        PID:7288
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        13⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8092
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:8348
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:8620
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:8884
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:9144
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:8460
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:8996
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:8636
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:8924
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        14⤵
        
        PID:9108
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        14⤵
        
        PID:8472
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        15⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8396
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:9636
  - - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4976
    - - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:3400
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5904
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1728
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3380
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5232
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5896
      - C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3520
  - - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
      4⤵
      Suspicious use of SetThreadContext
      PID:2592
    - - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Modifies registry class
        
        PID:5396
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6044
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5328
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2668
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5732
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6264
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6464
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6564
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6788
      - C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        6⤵
        
        PID:6884
      - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        6⤵
        Suspicious use of SetThreadContext
        
        PID:7012
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        7⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:7044
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5592
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6404
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5632
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5336
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6200
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5540
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:7024
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:6804
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        8⤵
        Suspicious use of SetThreadContext
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        9⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4860
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:8104
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6868
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:7348
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:7480
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5416
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:8152
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:7132
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:7460
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        10⤵
        
        PID:7208
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        10⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2216
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:7128
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:8204
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:8316
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:8596
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:8868
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:9128
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:8404
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:8940
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        12⤵
        
        PID:9012
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        12⤵
        
        PID:9208
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        13⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        
        PID:8248
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:9256
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:9376
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:9596
  - - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
      4⤵
      Suspicious use of SetThreadContext
      PID:5772
    - - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Adds Run key to start application
        
        PID:5736
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:7104
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6240
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1192
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6332
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6460
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6916
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:7052
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5680
      - C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        6⤵
        
        PID:1180
      - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        6⤵
        Suspicious use of SetThreadContext
        
        PID:5712
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1864
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:636
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6532
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4360
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:3396
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2820
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:7432
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:7604
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:7780
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:7840
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        8⤵
        
        PID:7912
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        
        PID:7944
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:2660
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:2000
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:7676
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:7820
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:7176
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:7048
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:7272
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:7380
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        10⤵
        
        PID:7804
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        10⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Modifies registry class
        
        PID:7376
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:8784
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:8916
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:8776
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:7216
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:7672
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:8400
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:8668
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:6752
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        12⤵
        
        PID:8592
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        12⤵
        
        PID:9104
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        13⤵
        Adds Run key to start application
        
        PID:8588
  - - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
      4⤵
      Suspicious use of SetThreadContext
      PID:6608
    - - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        5⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:6640
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5388
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5108
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6384
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6424
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6940
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5352
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6152
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6780
      - C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        6⤵
        
        PID:6572
      - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        6⤵
        Suspicious use of SetThreadContext
        
        PID:6924
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Modifies registry class
        
        PID:2140
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:8004
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:8072
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:8136
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:7340
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:7448
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:7856
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:7952
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6912
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:7128
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        8⤵
        
        PID:7588
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        9⤵
        Checks computer location settings
        
        PID:7824
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:7536
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:7744
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:7724
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:8300
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:8476
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:8724
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:9032
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:8280
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        10⤵
        
        PID:8360
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        10⤵
        
        PID:8512
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        11⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:8732
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:8628
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:7208
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:9340
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:9588
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:9748
  - - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
      4⤵
      Suspicious use of SetThreadContext
      PID:7068
    - - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:7128
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3924
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6656
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6020
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5664
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2320
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6388
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:7236
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:7572
      - C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        6⤵
        
        PID:7620
      - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        6⤵
        
        PID:7692
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        7⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:7724
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:7616
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6308
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:7656
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:3180
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:460
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:7308
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4948
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:8188
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:7360
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        8⤵
        
        PID:7540
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        9⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:7424
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:8768
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:8456
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:7968
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:8444
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:2216
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:7284
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6136
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        10⤵
        
        PID:9104
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:9068
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:8968
  - - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
      4⤵
      Suspicious use of SetThreadContext
      PID:4852
    - - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Modifies registry class
        
        PID:6588
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:7772
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:7904
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:8016
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:8080
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:7192
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:7408
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6848
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6992
      - C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        6⤵
        
        PID:7500
      - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        6⤵
        
        PID:7676
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        7⤵
        Adds Run key to start application
        
        PID:7264
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:8160
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:7852
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:7304
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:7960
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:8180
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:8260
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:8432
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:8716
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        8⤵
        
        PID:8760
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        8⤵
        
        PID:8892
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:8932
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:9096
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:9100
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:8664
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:9104
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:9324
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:9504
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:9708
  - - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
      4⤵
      PID:7336
    - - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        5⤵
        Checks computer location settings
        Modifies registry class
        
        PID:7384
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:8176
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6976
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6260
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:7212
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:7984
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5652
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1696
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:7288
      - C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        6⤵
        
        PID:6964
      - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        6⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7844
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:8976
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:9212
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:8524
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:9016
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:8796
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:9028
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:9184
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:8772
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:9044
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        8⤵
        
        PID:9104
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4508
  - - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
      4⤵
      PID:3220
    - - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        5⤵
        Checks computer location settings
        Modifies registry class
        
        PID:7528
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:8000
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:7356
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6964
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:7204
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:7732
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:7500
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:8212
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:8328
      - C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:8424
      - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        6⤵
        
        PID:8504
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Adds Run key to start application
        
        PID:8528
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:9012
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:9108
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:7876
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:7944
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:8548
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:9300
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:9448
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:9612
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        8⤵
        
        PID:9672
  - - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
      4⤵
      PID:7668
    - - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Adds Run key to start application
        
        PID:6752
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:8612
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:8876
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:9136
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:8416
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:8920
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:8680
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:8144
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:7532
      - C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        6⤵
        
        PID:8668
      - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:8252
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Modifies registry class
        
        PID:8448
  - - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
      4⤵
      PID:8240
    - - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        5⤵
        Checks computer location settings
        Modifies registry class
        
        PID:8272
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:9076
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:8712
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:8852
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:7912
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:9208
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:8708
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:9168
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:9332
      - C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:9420
      - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        6⤵
        
        PID:9512
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:9548
  - - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
      4⤵
      PID:4508
    - - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:8604
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:9556
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:9740
  - - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
      4⤵
      PID:7376
    - - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:9264
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:2080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:1208
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:3740
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:4820
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:3908
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:4340
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:5024
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:2680
- - C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
    "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1652
- - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4748
  - - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1188
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:5076
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3472
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4872
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:892
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4588
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:1476
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3228
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3544
    - - C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1596
    - - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4916
      - C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Modifies registry class
        
        PID:1952
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:4704
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:1104
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:2500
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:4160
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:3588
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:4592
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:3596
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4240
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4044
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:1876
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:3052
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:620
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:4380
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:3164
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:4660
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:4884
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3212
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:4880
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:1952
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:5072
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:3116
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe

Filesize
76KB

MD5
f0ee8359740566432e38a3484cadca79

SHA1
a8ca527f525df95622f9184b29fffa7c9fbb2a5e

SHA256
56a7b8839eb72accb03d8509147f0278fb9739b72317b5d01a28457536f3a6dc

SHA512
d19bd78f86e7c79e4517790d778101e7b9b517f5028182f703ac0ca2a3bd9ec97d9185ea3aa902330046eb8c289d153a4cd5e0816e8065ddbf20f7c0c630e60e

Download Submit
C:\Users\Admin\AppData\Local\Temp\491Servidor xD.exe.exe

Filesize
4B

MD5
a2ce4c7b743725199da04033b5b57469

SHA1
1ae348eafa097ab898941eafe912d711a407da10

SHA256
0fff86057dcfb3975c8bc44459740ba5ffb43551931163538df3f39a6bb991bc

SHA512
23bd59f57b16cd496b550c1bba09eb3f9a9dfe764ea03470e3cc43e4d0b4ca415d239772e4a9b930749e88cead9a7ec4b0a77d0dd310e61d8c6521ae6ff278b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118.exe

Filesize
173KB

MD5
d1233b402c1f2eb42d9114cabc620af3

SHA1
981ed9468d9ebca4ba046194822f87be88819bac

SHA256
62b98bcdf890bff37ce85ce18d8b4ac046c6a248979ef068c3298e75a48dc5ad

SHA512
be1586ddf658184832198e66fb2453dd3b18faa2ace6e0b82887a5bf384c632aaf7c85f53c436b1661bb86c3fa93f42226ed6512bf62a5d6d6e9277418173d25

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((Mutex)).cfg

Filesize
1KB

MD5
9484ce26d422922d74d5276a555fca5a

SHA1
1cc474a11be32d8957f45a845e36d3a07ad3d167

SHA256
bfcade57b3a8e37d02cb6176c10dd7a6cd57c6b75d4fe2b485758d3bb9576b75

SHA512
592114e4bf48ad94f20605bf099b8261b3058d7e381593a043deaa045f2430327b9cd2c8f23c5bc22e73ea46e52e4e87cef60deb7e8ae168331342d2138db5f8

Download Submit
memory/1952-61-0x0000000000C80000-0x0000000000CAA000-memory.dmp

Filesize
168KB

Download
memory/1952-59-0x0000000000C80000-0x0000000000CAA000-memory.dmp

Filesize
168KB

Download
memory/2360-9-0x0000000000C80000-0x0000000000CAA000-memory.dmp

Filesize
168KB

Download
memory/3184-2-0x0000000000C80000-0x0000000000CAA000-memory.dmp

Filesize
168KB

Download
memory/3184-4-0x0000000000C80000-0x0000000000CAA000-memory.dmp

Filesize
168KB

Download
memory/3184-6-0x0000000000C80000-0x0000000000CAA000-memory.dmp

Filesize
168KB

Download
memory/3184-5-0x0000000000C80000-0x0000000000CAA000-memory.dmp

Filesize
168KB

Download
memory/3184-25-0x0000000000C80000-0x0000000000CAA000-memory.dmp

Filesize
168KB

Download