warzonerat | 88dce7d2fe1bcc1307d49fa502b692a5e29ff4a7c82f8d396ac0b69e48ef6eb3

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-12-2024 19:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
Size

445KB
MD5

e2ce08fc69c8daf0eb448c477df9ce14
SHA1

6eb973c75a1e53ce96d092c3c8a0c3f88aed8bd6
SHA256

88dce7d2fe1bcc1307d49fa502b692a5e29ff4a7c82f8d396ac0b69e48ef6eb3
SHA512

cec7aa715639d61a95905f87200b643e57d0efc10390bfe2a40b3465f348951ebff477684c8da20026bfbee9b73a765a26a5b8e9a36d99b22b1e80053512e5ac
SSDEEP

12288:6MYwtTvBHnKXhqO3vAgdk9K1yl73lWDCpXrmOdjJg7:PptT5qXAIPGUsDWDgrVd1g7

Score

10^/10

warzonerat discovery execution infostealer persistence rat upx

Malware Config

Extracted

Family

warzonerat

111.90.146.200:5200

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

Warzone RAT payload 17 IoCs

rat

resource	yara_rule
behavioral1/memory/2004-7-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat
behavioral1/memory/2004-10-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat
behavioral1/memory/2004-13-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat
behavioral1/memory/2880-44-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat
behavioral1/memory/2004-33-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat
behavioral1/memory/2840-63-0x0000000003120000-0x00000000031F5000-memory.dmp	warzonerat
behavioral1/memory/2896-68-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat
behavioral1/memory/2644-78-0x00000000030E0000-0x00000000031B5000-memory.dmp	warzonerat
behavioral1/memory/2644-81-0x00000000030E0000-0x00000000031B5000-memory.dmp	warzonerat
behavioral1/memory/2408-89-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat
behavioral1/memory/1908-112-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat
behavioral1/memory/1920-227-0x0000000003090000-0x0000000003165000-memory.dmp	warzonerat
behavioral1/memory/2500-237-0x00000000031C0000-0x0000000003295000-memory.dmp	warzonerat
behavioral1/memory/2588-277-0x00000000031D0000-0x00000000032A5000-memory.dmp	warzonerat
behavioral1/memory/2644-285-0x0000000003230000-0x0000000003305000-memory.dmp	warzonerat
behavioral1/memory/2316-372-0x00000000031E0000-0x00000000032B5000-memory.dmp	warzonerat
behavioral1/memory/1308-383-0x0000000002000000-0x00000000020D5000-memory.dmp	warzonerat

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2292	powershell.exe
860	powershell.exe

Drops startup file 64 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs	notepad.exe

Executes dropped EXE 3 IoCs

pid	Process
2936	images.exe
2880	images.exe
2780	images.exe

Loads dropped DLL 2 IoCs

pid	Process
2004	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
2004	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images1 = "C:\\ProgramData\\images.exe"	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 2536 set thread context of 2004	2536	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	31
PID 2936 set thread context of 2880	2936	images.exe	38
PID 2840 set thread context of 2896	2840	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	41
PID 2644 set thread context of 2408	2644	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	45
PID 2012 set thread context of 1908	2012	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	53
PID 2952 set thread context of 2200	2952	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	58
PID 2372 set thread context of 2448	2372	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	62
PID 636 set thread context of 616	636	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	66
PID 1308 set thread context of 1464	1308	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	70
PID 1544 set thread context of 2024	1544	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	74
PID 2176 set thread context of 1424	2176	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	78
PID 3064 set thread context of 1732	3064	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	82
PID 2500 set thread context of 2720	2500	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	86
PID 2888 set thread context of 2616	2888	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	90
PID 2636 set thread context of 2900	2636	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	94
PID 2644 set thread context of 2884	2644	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	98
PID 376 set thread context of 1260	376	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	102
PID 800 set thread context of 1588	800	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	106
PID 2808 set thread context of 2996	2808	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	110
PID 2632 set thread context of 2784	2632	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	114
PID 636 set thread context of 1656	636	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	118
PID 1308 set thread context of 320	1308	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	122
PID 1960 set thread context of 1052	1960	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	126
PID 2176 set thread context of 2108	2176	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	130
PID 3064 set thread context of 2556	3064	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	134
PID 2304 set thread context of 2696	2304	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	138
PID 1916 set thread context of 2876	1916	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	142
PID 2908 set thread context of 2180	2908	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	146
PID 2712 set thread context of 1644	2712	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	150
PID 2292 set thread context of 1728	2292	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	154
PID 524 set thread context of 2816	524	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	158
PID 1948 set thread context of 2796	1948	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	162
PID 2992 set thread context of 2980	2992	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	166
PID 1884 set thread context of 1392	1884	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	170
PID 1412 set thread context of 1252	1412	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	174
PID 1532 set thread context of 1200	1532	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	178
PID 1308 set thread context of 1544	1308	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	182
PID 1960 set thread context of 344	1960	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	186
PID 2028 set thread context of 2536	2028	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	190
PID 3064 set thread context of 1920	3064	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	194
PID 2700 set thread context of 1000	2700	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	198
PID 1916 set thread context of 2932	1916	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	202
PID 2636 set thread context of 2648	2636	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	206
PID 2712 set thread context of 676	2712	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	210
PID 2668 set thread context of 2148	2668	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	214
PID 288 set thread context of 2828	288	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	218
PID 1744 set thread context of 1144	1744	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	222
PID 2076 set thread context of 644	2076	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	226
PID 796 set thread context of 1824	796	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	230
PID 1120 set thread context of 1316	1120	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	234
PID 2064 set thread context of 1680	2064	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	238
PID 1936 set thread context of 1812	1936	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	242
PID 2000 set thread context of 1704	2000	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	246
PID 2212 set thread context of 1900	2212	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	250
PID 2172 set thread context of 748	2172	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	254
PID 3016 set thread context of 2528	3016	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	258
PID 2748 set thread context of 2636	2748	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	262
PID 1484 set thread context of 2712	1484	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	266
PID 1928 set thread context of 1540	1928	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	270
PID 1880 set thread context of 2960	1880	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	274
PID 284 set thread context of 2216	284	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	278
PID 2972 set thread context of 2208	2972	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	282
PID 832 set thread context of 2432	832	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	286
PID 1640 set thread context of 900	1640	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	290

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2536-0-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2536-2-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2536-6-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/1436-12-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/1436-14-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2936-35-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/files/0x0008000000016d31-47.dat	upx
behavioral1/memory/2780-50-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2936-37-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/1436-48-0x0000000003050000-0x0000000003125000-memory.dmp	upx
behavioral1/memory/2936-46-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2840-56-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2588-65-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2840-62-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2840-55-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2780-54-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2588-66-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2588-71-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2644-80-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2644-77-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/768-82-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2644-72-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2012-93-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/768-92-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2012-99-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2012-108-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/540-110-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/540-109-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2780-107-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/540-114-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2952-115-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2268-123-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2952-122-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2268-129-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2372-130-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/1092-139-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2372-138-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2944-154-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/636-152-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2944-160-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/1584-170-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/1308-169-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/1092-166-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/1584-176-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/1544-183-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/784-185-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2176-192-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/784-191-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2176-201-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2384-203-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2384-209-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/3064-210-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/1920-217-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/3064-219-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2500-229-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/1920-228-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2500-238-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/1436-246-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2888-254-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2708-255-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2636-262-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2708-261-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2636-270-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2588-271-0x0000000000400000-0x00000000004D5000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\ProgramData:ApplicationData	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2536	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
1436	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
1436	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
1436	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
1436	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
1436	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
1436	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
1436	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
1436	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
1436	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
1436	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
1436	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
1436	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
1436	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
1436	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
2936	images.exe
2780	images.exe
2780	images.exe
2780	images.exe
2780	images.exe
2780	images.exe
2780	images.exe
2840	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
2780	images.exe
2780	images.exe
2780	images.exe
2588	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
2588	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
2780	images.exe
2588	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
2780	images.exe
2588	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
2292	powershell.exe
2780	images.exe
2588	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
2780	images.exe
2588	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
2780	images.exe
2588	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
2780	images.exe
2588	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
2780	images.exe
2588	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
2644	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
2780	images.exe
768	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
768	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
2780	images.exe
768	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
860	powershell.exe
2780	images.exe
768	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
2780	images.exe
768	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
2780	images.exe
768	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
2780	images.exe
768	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
2780	images.exe
768	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
2780	images.exe
768	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
2780	images.exe
768	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
2536	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
2936	images.exe
2840	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
2644	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
2012	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
2952	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
2372	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
636	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
1308	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
1544	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
2176	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
3064	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
2500	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
2888	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
2636	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
2644	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
376	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
800	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
2808	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
2632	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
636	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
1308	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
1960	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
2176	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
3064	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
2304	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
1916	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
2908	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
2712	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
2292	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
524	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
1948	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
2992	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
1884	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
1412	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
1532	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
1308	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
1960	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
2028	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
3064	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
2700	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
1916	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
2636	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
2712	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
2668	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
288	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
1744	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
2076	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
796	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
1120	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
2064	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
1936	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
2000	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
2212	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
2172	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
3016	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
2748	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
1484	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
1928	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
1880	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
284	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
2972	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
832	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
1640	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	860	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 2172	2536	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	30
PID 2536 wrote to memory of 2172	2536	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	30
PID 2536 wrote to memory of 2172	2536	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	30
PID 2536 wrote to memory of 2172	2536	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	30
PID 2536 wrote to memory of 2172	2536	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	30
PID 2536 wrote to memory of 2172	2536	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	30
PID 2536 wrote to memory of 2004	2536	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	31
PID 2536 wrote to memory of 2004	2536	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	31
PID 2536 wrote to memory of 2004	2536	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	31
PID 2536 wrote to memory of 2004	2536	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	31
PID 2536 wrote to memory of 1436	2536	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	32
PID 2536 wrote to memory of 1436	2536	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	32
PID 2536 wrote to memory of 1436	2536	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	32
PID 2536 wrote to memory of 1436	2536	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	32
PID 2004 wrote to memory of 2292	2004	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	33
PID 2004 wrote to memory of 2292	2004	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	33
PID 2004 wrote to memory of 2292	2004	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	33
PID 2004 wrote to memory of 2292	2004	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	33
PID 2004 wrote to memory of 2936	2004	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	35
PID 2004 wrote to memory of 2936	2004	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	35
PID 2004 wrote to memory of 2936	2004	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	35
PID 2004 wrote to memory of 2936	2004	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	35
PID 1436 wrote to memory of 2840	1436	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	36
PID 1436 wrote to memory of 2840	1436	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	36
PID 1436 wrote to memory of 2840	1436	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	36
PID 1436 wrote to memory of 2840	1436	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	36
PID 2936 wrote to memory of 2532	2936	images.exe	37
PID 2936 wrote to memory of 2532	2936	images.exe	37
PID 2936 wrote to memory of 2532	2936	images.exe	37
PID 2936 wrote to memory of 2532	2936	images.exe	37
PID 2936 wrote to memory of 2532	2936	images.exe	37
PID 2936 wrote to memory of 2532	2936	images.exe	37
PID 2936 wrote to memory of 2880	2936	images.exe	38
PID 2936 wrote to memory of 2880	2936	images.exe	38
PID 2936 wrote to memory of 2880	2936	images.exe	38
PID 2936 wrote to memory of 2880	2936	images.exe	38
PID 2936 wrote to memory of 2780	2936	images.exe	39
PID 2936 wrote to memory of 2780	2936	images.exe	39
PID 2936 wrote to memory of 2780	2936	images.exe	39
PID 2936 wrote to memory of 2780	2936	images.exe	39
PID 2840 wrote to memory of 2760	2840	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	40
PID 2840 wrote to memory of 2760	2840	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	40
PID 2840 wrote to memory of 2760	2840	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	40
PID 2840 wrote to memory of 2760	2840	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	40
PID 2840 wrote to memory of 2760	2840	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	40
PID 2840 wrote to memory of 2760	2840	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	40
PID 2840 wrote to memory of 2896	2840	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	41
PID 2840 wrote to memory of 2896	2840	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	41
PID 2840 wrote to memory of 2896	2840	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	41
PID 2840 wrote to memory of 2896	2840	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	41
PID 2840 wrote to memory of 2588	2840	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	42
PID 2840 wrote to memory of 2588	2840	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	42
PID 2840 wrote to memory of 2588	2840	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	42
PID 2840 wrote to memory of 2588	2840	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	42
PID 2588 wrote to memory of 2644	2588	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	43
PID 2588 wrote to memory of 2644	2588	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	43
PID 2588 wrote to memory of 2644	2588	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	43
PID 2588 wrote to memory of 2644	2588	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	43
PID 2644 wrote to memory of 2296	2644	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	44
PID 2644 wrote to memory of 2296	2644	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	44
PID 2644 wrote to memory of 2296	2644	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	44
PID 2644 wrote to memory of 2296	2644	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	44
PID 2644 wrote to memory of 2296	2644	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	44
PID 2644 wrote to memory of 2296	2644	e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe	44

C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:2172
- C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Add-MpPreference -ExclusionPath C:\
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2292
- - C:\ProgramData\images.exe
    "C:\ProgramData\images.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\system32\notepad.exe"
      4⤵
      PID:2532
  - - C:\ProgramData\images.exe
      "C:\ProgramData\images.exe"
      4⤵
      Executes dropped EXE
      PID:2880
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath C:\
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:860
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        
        PID:1220
  - - C:\ProgramData\images.exe
      "C:\ProgramData\images.exe" 2 2880 259440567
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2780
- C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2004 259439069
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1436
- - C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\system32\notepad.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2760
  - - C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
      4⤵
      PID:2896
  - - C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2896 259441144
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2588
    - - C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2644
      - C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        6⤵
        
        PID:2296
      - C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2408
      - C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2408 259442236
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        7⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2012
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1908 259443421
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        9⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2952
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        10⤵
        Drops startup file
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2200 259444607
        10⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        11⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2372
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        12⤵
        Drops startup file
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2448 259445824
        12⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        13⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:636
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        14⤵
        Drops startup file
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        14⤵
        
        PID:616
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 616 259446994
        14⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        15⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1308
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        16⤵
        Drops startup file
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        16⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1464 259448133
        16⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        17⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1544
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        18⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        18⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2024 259449318
        18⤵
        
        PID:784
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        19⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:2176
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        20⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1424 259450566
        20⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        21⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:3064
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        22⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        22⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1732 259451814
        22⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        23⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2500
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        24⤵
        
        PID:484
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2720 259453125
        24⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        25⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2888
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        26⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        26⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2616 259454435
        26⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        27⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2636
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        28⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        28⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2900 259455683
        28⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        29⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2644
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        30⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        30⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2884 259456947
        30⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        31⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:376
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        32⤵
        Drops startup file
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        32⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1260 259458195
        32⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        33⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:800
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        34⤵
        Drops startup file
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        34⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1588 259459287
        34⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        35⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2808
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        36⤵
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        36⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2996 259460597
        36⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        37⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2632
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        38⤵
        Drops startup file
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        38⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2784 259461798
        38⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        39⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:636
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        40⤵
        Drops startup file
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        40⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1656 259462922
        40⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        41⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:1308
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        42⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        42⤵
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 320 259464185
        42⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        43⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:1960
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        44⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        44⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1052 259465324
        44⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        45⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2176
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        46⤵
        Drops startup file
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        46⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2108 259466400
        46⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        47⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:3064
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        48⤵
        Drops startup file
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        48⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2556 259467570
        48⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        49⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2304
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        50⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2696 259468647
        50⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        51⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1916
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        52⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        52⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2876 259469708
        52⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        53⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2908
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        54⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        54⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2180 259470784
        54⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        55⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2712
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        56⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        56⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1644 259471845
        56⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        57⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2292
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        58⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        58⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1728 259472890
        58⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        59⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:524
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        60⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2816 259473951
        60⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        61⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1948
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        62⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        62⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2796 259475136
        62⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        63⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2992
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        64⤵
        Drops startup file
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        64⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2980 259476228
        64⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        65⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1884
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        66⤵
        Drops startup file
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        66⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1392 259477289
        66⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        67⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:1412
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        68⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        68⤵
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1252 259478350
        68⤵
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        69⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1532
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        70⤵
        Drops startup file
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        70⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1200 259479411
        70⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        71⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1308
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        72⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        72⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1544 259480472
        72⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        73⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1960
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        74⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        74⤵
        
        PID:344
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 344 259481533
        74⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        75⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2028
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        76⤵
        Drops startup file
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        76⤵
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2536 259482593
        76⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        77⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:3064
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        78⤵
        Drops startup file
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1920 259483779
        78⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        79⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2700
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        80⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        80⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1000 259484918
        80⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        81⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:1916
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        82⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        82⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2932 259486010
        82⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        83⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:2636
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        84⤵
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2648 259487180
        84⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        85⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2712
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        86⤵
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 676 259488256
        86⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        87⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2668
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        88⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        88⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2148 259489348
        88⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        89⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:288
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        90⤵
        Drops startup file
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        90⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2828 259490440
        90⤵
        
        PID:284
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        91⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1744
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        92⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1144 259491501
        92⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        93⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2076
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        94⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 644 259492577
        94⤵
        
        PID:348
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        95⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:796
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        96⤵
        Drops startup file
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        96⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1824 259493638
        96⤵
        
        PID:108
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        97⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1120
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        98⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        98⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1316 259494715
        98⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        99⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2064
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        100⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1680 259495775
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        101⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1936
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        102⤵
        Drops startup file
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        102⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1812 259496836
        102⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        103⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2000
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        104⤵
        Drops startup file
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        104⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1704 259497897
        104⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        105⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2212
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        106⤵
        Drops startup file
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        106⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1900 259498927
        106⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        107⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2172
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        108⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        108⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 748 259500003
        108⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        109⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:3016
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        110⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        110⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2528 259501173
        110⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        111⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2748
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        112⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        112⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2636 259502327
        112⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        113⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1484
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        114⤵
        Drops startup file
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2712 259503388
        114⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        115⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1928
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        116⤵
        Drops startup file
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        116⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1540 259504465
        116⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        117⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1880
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        118⤵
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        118⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2960 259505510
        118⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        119⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:284
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        120⤵
        Drops startup file
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2216 259506571
        120⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        121⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2972
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        122⤵
        Drops startup file
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        122⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2208 259507616
        122⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        123⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:832
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        124⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        124⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2432 259508677
        124⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        125⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1640
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        126⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        126⤵
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 900 259509737
        126⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        127⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        128⤵
        Drops startup file
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        128⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 960 259510798
        128⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        129⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        130⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        130⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2052 259511875
        130⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        131⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        132⤵
        Drops startup file
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        132⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1496 259512920
        132⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        133⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        134⤵
        Drops startup file
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        134⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2304 259513996
        134⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        135⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        136⤵
        Drops startup file
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        136⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2732 259515057
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        137⤵
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        138⤵
        Drops startup file
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        138⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2752 259516134
        138⤵
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        139⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        140⤵
        Drops startup file
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        140⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1556 259517194
        140⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        141⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        142⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        142⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2668 259518240
        142⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        143⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        144⤵
        
        PID:336
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        144⤵
        
        PID:288
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 288 259519410
        144⤵
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        145⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        146⤵
        Drops startup file
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        146⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1528 259520470
        146⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        147⤵
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        148⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        148⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1672 259521516
        148⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        149⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        150⤵
        Drops startup file
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        150⤵
        
        PID:348
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 348 259522701
        150⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        151⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        152⤵
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        152⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2924 259523746
        152⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        153⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        154⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        154⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2316 259524792
        154⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        155⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        156⤵
        Drops startup file
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        156⤵
        
        PID:784
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 784 259525868
        156⤵
        System Location Discovery: System Language Discovery
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        157⤵
        
        PID:608
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        158⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        158⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2336 259526929
        158⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        159⤵
        System Location Discovery: System Language Discovery
        
        PID:1352
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        160⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        160⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1732 259527990
        160⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        161⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        162⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        162⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2300 259529035
        162⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        163⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        164⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        164⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2964 259530080
        164⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        165⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        166⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        166⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2760 259531141
        166⤵
        
        PID:588
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        167⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        168⤵
        Drops startup file
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        168⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1484 259532217
        168⤵
        System Location Discovery: System Language Discovery
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        169⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        170⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        170⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1184 259533262
        170⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        171⤵
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        172⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        172⤵
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 932 259534339
        172⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        173⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        174⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        174⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1888 259535509
        174⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        175⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        176⤵
        Drops startup file
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        176⤵
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 408 259536570
        176⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        177⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        178⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        178⤵
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1256 259537630
        178⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        179⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        180⤵
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        180⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2944 259538676
        180⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        181⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        182⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        182⤵
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2768 259539736
        182⤵
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        183⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        184⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        184⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2352 259540797
        184⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        185⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        186⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        186⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1216 259541858
        186⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        187⤵
        System Location Discovery: System Language Discovery
        
        PID:1912
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        188⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        188⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2700 259542888
        188⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        189⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        190⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        190⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2764 259543964
        190⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        191⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        192⤵
        
        PID:352
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        192⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2124 259545134
        192⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        193⤵
        
        PID:840
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        194⤵
        Drops startup file
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        194⤵
        System Location Discovery: System Language Discovery
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1896 259546179
        194⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        195⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        196⤵
        Drops startup file
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        196⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2504 259547256
        196⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        197⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        198⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        198⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2560 259548317
        198⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        199⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        200⤵
        Drops startup file
        
        PID:284
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        200⤵
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2196 259549377
        200⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        201⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        202⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        202⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 948 259550438
        202⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        203⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        204⤵
        Drops startup file
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        204⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2632 259551468
        204⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        205⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        206⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        206⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1212 259552638
        206⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        207⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        208⤵
        Drops startup file
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        208⤵
        System Location Discovery: System Language Discovery
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2468 259553699
        208⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        209⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        210⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        210⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1828 259554759
        210⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        211⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        212⤵
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        212⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2520 259555805
        212⤵
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        213⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        214⤵
        Drops startup file
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        214⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1436 259556881
        214⤵
        System Location Discovery: System Language Discovery
        
        PID:484
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        215⤵
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        216⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        216⤵
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 992 259557926
        216⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        217⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        218⤵
        Drops startup file
        
        PID:588
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        218⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2152 259559096
        218⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        219⤵
        System Location Discovery: System Language Discovery
        
        PID:1668
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        220⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        220⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2040 259560157
        220⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        221⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        222⤵
        Drops startup file
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        222⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1612 259561218
        222⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        223⤵
        
        PID:872
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        224⤵
        Drops startup file
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        224⤵
        System Location Discovery: System Language Discovery
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1548 259562279
        224⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        225⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        226⤵
        Drops startup file
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        226⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1716 259563339
        226⤵
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        227⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        228⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        228⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2572 259564400
        228⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        229⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        230⤵
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        230⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1640 259565461
        230⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        231⤵
        
        PID:916
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        232⤵
        Drops startup file
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        232⤵
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 880 259566631
        232⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        233⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        234⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        234⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2176 259567707
        234⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        235⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        236⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        236⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2236 259568768
        236⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        237⤵
        
        PID:592
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        238⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        238⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2736 259569813
        238⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        239⤵
        
        PID:484
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        240⤵
        Drops startup file
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        240⤵
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2532 259570859
        240⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        241⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        242⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        242⤵
        
        PID:588
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 588 259571919
        242⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        243⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        244⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        244⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2332 259572965
        244⤵
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        245⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        246⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        246⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1904 259574026
        246⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        247⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        248⤵
        Drops startup file
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        248⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1744 259575102
        248⤵
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        249⤵
        
        PID:284
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        250⤵
        Drops startup file
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        250⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2344 259576163
        250⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        251⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        252⤵
        Drops startup file
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        252⤵
        
        PID:780
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 780 259577208
        252⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        253⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        254⤵
        Drops startup file
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        254⤵
        System Location Discovery: System Language Discovery
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1308 259578409
        254⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        255⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        256⤵
        Drops startup file
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        256⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1020 259579486
        256⤵
        System Location Discovery: System Language Discovery
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        257⤵
        
        PID:596
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        258⤵
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        258⤵
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1420 259580546
        258⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        259⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        260⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        260⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2324 259581701
        260⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        261⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        262⤵
        Drops startup file
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        262⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2704 259582777
        262⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        263⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        264⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        264⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2596 259583838
        264⤵
        System Location Discovery: System Language Discovery
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        265⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        266⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        266⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2588 259584899
        266⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        267⤵
        System Location Discovery: System Language Discovery
        
        PID:2800
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        268⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        268⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2436 259585960
        268⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        269⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        270⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        270⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2244 259587036
        270⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        271⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        272⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        272⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1128 259588112
        272⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        273⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        274⤵
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
        274⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2036 259589189
        274⤵
        
        PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\images.exe

Filesize
445KB

MD5
e2ce08fc69c8daf0eb448c477df9ce14

SHA1
6eb973c75a1e53ce96d092c3c8a0c3f88aed8bd6

SHA256
88dce7d2fe1bcc1307d49fa502b692a5e29ff4a7c82f8d396ac0b69e48ef6eb3

SHA512
cec7aa715639d61a95905f87200b643e57d0efc10390bfe2a40b3465f348951ebff477684c8da20026bfbee9b73a765a26a5b8e9a36d99b22b1e80053512e5ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EHC6G9KR52P30SH74SXP.temp

Filesize
7KB

MD5
5aa2f1fef8f3ae6136935d45c62f368d

SHA1
69bcefd54331636df64bca3212841dfee380dc04

SHA256
668de0e9e4332a36e3e7fa5b24c862b378e2fb10f5142109c5ebae12fbceb4c6

SHA512
0baf26c6753f998430f4b3f0daaff8b916ec4075f0d840ad595895b6ea8e52e801029f546bad758898c403ffe7eddfb0b9c28042fc3347aa5df1ce1f9af4827f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs

Filesize
158B

MD5
dcb64d6eaa393cd864bb1ec2883207bb

SHA1
9c0bee003bfa9ec5fcde0532c822084367401673

SHA256
aac44c60c337e06e8c1866348951949dca3384bc5f0f377678b1344d76ab769a

SHA512
524f0146ba6323f6443595661fa1d285f199a27c2151704a4ab37e1f2ee71192c5e360c7c6a16996163f07f8a3390a8a47cdd63b81d274596bc912b07152d38a

Download Submit
memory/376-302-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/540-114-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/540-109-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/540-110-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/636-358-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/636-366-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/636-152-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/768-82-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/768-92-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/784-191-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/784-185-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/800-315-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1092-166-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1092-139-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1220-96-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1308-169-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1308-382-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1308-374-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1308-383-0x0000000002000000-0x00000000020D5000-memory.dmp

Filesize
852KB

Download
memory/1436-246-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1436-14-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1436-245-0x0000000003050000-0x0000000003125000-memory.dmp

Filesize
852KB

Download
memory/1436-48-0x0000000003050000-0x0000000003125000-memory.dmp

Filesize
852KB

Download
memory/1436-12-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1504-308-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1544-183-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1584-170-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1584-176-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1728-286-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1728-294-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1808-323-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1808-317-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1908-112-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/1920-217-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1920-227-0x0000000003090000-0x0000000003165000-memory.dmp

Filesize
852KB

Download
memory/1920-228-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1960-396-0x00000000030F0000-0x00000000031C5000-memory.dmp

Filesize
852KB

Download
memory/2004-32-0x0000000002C50000-0x0000000002D25000-memory.dmp

Filesize
852KB

Download
memory/2004-10-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2004-7-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2004-33-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2004-13-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2012-93-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2012-99-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2012-108-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2012-106-0x00000000032E0000-0x00000000033B5000-memory.dmp

Filesize
852KB

Download
memory/2164-341-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2172-15-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2172-4-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2176-192-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2176-201-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2268-123-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2268-129-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2316-372-0x00000000031E0000-0x00000000032B5000-memory.dmp

Filesize
852KB

Download
memory/2316-373-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2372-130-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2372-138-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2384-203-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2384-209-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2408-89-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2500-237-0x00000000031C0000-0x0000000003295000-memory.dmp

Filesize
852KB

Download
memory/2500-238-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2500-239-0x0000000003320000-0x00000000033F5000-memory.dmp

Filesize
852KB

Download
memory/2500-229-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2536-8-0x00000000020A0000-0x0000000002175000-memory.dmp

Filesize
852KB

Download
memory/2536-1-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2536-2-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2536-3-0x0000000000483000-0x000000000048B000-memory.dmp

Filesize
32KB

Download
memory/2536-0-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2536-6-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2588-66-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2588-71-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2588-65-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2588-277-0x00000000031D0000-0x00000000032A5000-memory.dmp

Filesize
852KB

Download
memory/2588-271-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2588-278-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2632-349-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2632-342-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2636-262-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2636-270-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2644-81-0x00000000030E0000-0x00000000031B5000-memory.dmp

Filesize
852KB

Download
memory/2644-285-0x0000000003230000-0x0000000003305000-memory.dmp

Filesize
852KB

Download
memory/2644-289-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2644-80-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2644-78-0x00000000030E0000-0x00000000031B5000-memory.dmp

Filesize
852KB

Download
memory/2644-77-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2644-72-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2708-255-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2708-261-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2780-54-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2780-50-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2780-107-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2808-324-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2808-334-0x0000000003290000-0x0000000003365000-memory.dmp

Filesize
852KB

Download
memory/2808-335-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2840-63-0x0000000003120000-0x00000000031F5000-memory.dmp

Filesize
852KB

Download
memory/2840-56-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2840-62-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2840-55-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2880-44-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2888-254-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2896-68-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2924-351-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2924-357-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2936-46-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2936-37-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2936-35-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2944-160-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2944-154-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2952-153-0x00000000030E0000-0x00000000031B5000-memory.dmp

Filesize
852KB

Download
memory/2952-115-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2952-122-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/3040-384-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/3040-390-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/3064-216-0x00000000030F0000-0x00000000031C5000-memory.dmp

Filesize
852KB

Download
memory/3064-210-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/3064-219-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download