Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-12-2024 19:02
Behavioral task behavioral1
- Sample: e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task behavioral2
- Sample: e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
- Target: e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
- Size: 445KB
- MD5: e2ce08fc69c8daf0eb448c477df9ce14
- SHA1: 6eb973c75a1e53ce96d092c3c8a0c3f88aed8bd6
- SHA256: 88dce7d2fe1bcc1307d49fa502b692a5e29ff4a7c82f8d396ac0b69e48ef6eb3
- SHA512: cec7aa715639d61a95905f87200b643e57d0efc10390bfe2a40b3465f348951ebff477684c8da20026bfbee9b73a765a26a5b8e9a36d99b22b1e80053512e5ac
- SSDEEP: 12288:6MYwtTvBHnKXhqO3vAgdk9K1yl73lWDCpXrmOdjJg7:PptT5qXAIPGUsDWDgrVd1g7
Malware Config
Extracted
- Family: warzonerat
- C2: 111.90.146.200:5200
Signatures
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Warzonerat family
- Warzone RAT payload (11 IoCs)
  resource | yara_rule
  behavioral2/memory/1540-5-0x0000000000400000-0x0000000000553000-memory.dmp | warzonerat
  behavioral2/memory/1540-11-0x0000000000400000-0x0000000000553000-memory.dmp | warzonerat
  behavioral2/memory/1540-7-0x0000000000400000-0x0000000000553000-memory.dmp | warzonerat
  behavioral2/memory/1540-26-0x0000000000400000-0x0000000000553000-memory.dmp | warzonerat
  behavioral2/memory/4252-31-0x0000000000400000-0x0000000000553000-memory.dmp | warzonerat
  behavioral2/memory/2640-65-0x0000000000400000-0x0000000000553000-memory.dmp | warzonerat
  behavioral2/memory/4056-107-0x0000000000400000-0x0000000000553000-memory.dmp | warzonerat
  behavioral2/memory/4020-141-0x0000000000400000-0x0000000000553000-memory.dmp | warzonerat
  behavioral2/memory/208-155-0x0000000000400000-0x0000000000553000-memory.dmp | warzonerat
  behavioral2/memory/1672-169-0x0000000000400000-0x0000000000553000-memory.dmp | warzonerat
  behavioral2/memory/2220-181-0x0000000000400000-0x0000000000553000-memory.dmp | warzonerat
- Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid | Process
  4284 | powershell.exe
  2284 | powershell.exe
- Drops startup file (64 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\confirm.vbs | notepad.exe (this identical row accounts for every entry in the list except the one below)
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
- Executes dropped EXE (3 IoCs)
  pid | Process
  1892 | images.exe
  4252 | images.exe
  3728 | images.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images1 = "C:\\ProgramData\\images.exe" | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
- Suspicious use of SetThreadContext (64 IoCs)
  description | pid | Process | procid_target
  PID 2808 set thread context of 1540 | 2808 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 84
  PID 1892 set thread context of 4252 | 1892 | images.exe | 91
  PID 4604 set thread context of 2640 | 4604 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 94
  PID 3168 set thread context of 4056 | 3168 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 98
  PID 4768 set thread context of 4020 | 4768 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 107
  PID 3180 set thread context of 208 | 3180 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 113
  PID 1388 set thread context of 1672 | 1388 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 121
  PID 5040 set thread context of 2220 | 5040 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 125
  PID 372 set thread context of 1392 | 372 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 131
  PID 4668 set thread context of 452 | 4668 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 135
  PID 3984 set thread context of 2508 | 3984 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 139
  PID 1924 set thread context of 3640 | 1924 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 147
  PID 4996 set thread context of 1344 | 4996 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 151
  PID 4476 set thread context of 1324 | 4476 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 155
  PID 4268 set thread context of 3792 | 4268 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 159
  PID 4680 set thread context of 636 | 4680 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 163
  PID 1468 set thread context of 2820 | 1468 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 167
  PID 2060 set thread context of 2184 | 2060 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 171
  PID 4356 set thread context of 2568 | 4356 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 175
  PID 3852 set thread context of 3672 | 3852 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 179
  PID 748 set thread context of 2444 | 748 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 183
  PID 3316 set thread context of 4956 | 3316 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 187
  PID 1488 set thread context of 1600 | 1488 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 191
  PID 4520 set thread context of 1260 | 4520 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 195
  PID 4564 set thread context of 3212 | 4564 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 201
  PID 4532 set thread context of 1352 | 4532 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 205
  PID 4608 set thread context of 2200 | 4608 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 209
  PID 2060 set thread context of 1004 | 2060 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 214
  PID 3168 set thread context of 3784 | 3168 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 218
  PID 4856 set thread context of 2312 | 4856 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 222
  PID 1544 set thread context of 4088 | 1544 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 226
  PID 4376 set thread context of 3232 | 4376 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 230
  PID 1644 set thread context of 3516 | 1644 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 234
  PID 3664 set thread context of 2368 | 3664 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 238
  PID 4700 set thread context of 2160 | 4700 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 242
  PID 3428 set thread context of 4836 | 3428 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 246
  PID 3540 set thread context of 4388 | 3540 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 250
  PID 904 set thread context of 2732 | 904 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 254
  PID 3320 set thread context of 2280 | 3320 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 258
  PID 3236 set thread context of 2388 | 3236 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 262
  PID 3408 set thread context of 2312 | 3408 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 266
  PID 5024 set thread context of 3628 | 5024 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 270
  PID 4908 set thread context of 4996 | 4908 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 274
  PID 4548 set thread context of 4772 | 4548 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 278
  PID 4464 set thread context of 4316 | 4464 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 282
  PID 1608 set thread context of 3688 | 1608 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 286
  PID 3676 set thread context of 508 | 3676 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 290
  PID 3788 set thread context of 2972 | 3788 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 294
  PID 996 set thread context of 3124 | 996 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 298
  PID 2248 set thread context of 2768 | 2248 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 302
  PID 1908 set thread context of 1532 | 1908 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 306
  PID 5096 set thread context of 1544 | 5096 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 310
  PID 1428 set thread context of 1552 | 1428 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 314
  PID 4988 set thread context of 640 | 4988 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 318
  PID 2096 set thread context of 4420 | 2096 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 322
  PID 1892 set thread context of 2088 | 1892 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 330
  PID 2452 set thread context of 4752 | 2452 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 334
  PID 5060 set thread context of 3820 | 5060 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 338
  PID 3284 set thread context of 2380 | 3284 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 342
  PID 2072 set thread context of 2720 | 2072 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 346
  PID 3068 set thread context of 4640 | 3068 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 350
  PID 2884 set thread context of 4008 | 2884 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 354
  PID 4528 set thread context of 2660 | 4528 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 358
  PID 2284 set thread context of 2920 | 2284 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 362
- resource | yara_rule
  behavioral2/memory/2808-0-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/2808-2-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/2808-4-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/2404-8-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/2404-12-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/2404-14-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/2404-15-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/files/0x000a000000023b7d-23.dat | upx
  behavioral2/memory/1892-24-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/4604-33-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/3728-34-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/3728-39-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/4604-41-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/3856-44-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/1892-36-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/1892-28-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/3168-67-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/3856-68-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/2444-72-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/3168-69-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/3168-74-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/2444-77-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/2444-120-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/4768-121-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/4768-127-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/3832-129-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/4768-123-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/3832-132-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/3832-144-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/3180-145-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/3180-149-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/1312-151-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/3728-150-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/1312-152-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/1312-158-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/1388-159-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/1388-160-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/1388-164-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/4920-165-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/5040-171-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/4920-170-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/5040-172-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/2344-175-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/5040-177-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/2344-180-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/2344-183-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/3504-189-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/372-188-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/4668-197-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/3504-199-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/4668-204-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/3896-205-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/3896-212-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/2884-217-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/3984-218-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/1924-225-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/2884-226-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/3472-230-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/1924-232-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/3472-239-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/4996-244-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/3264-245-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/3264-252-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
  behavioral2/memory/4476-257-0x0000000000400000-0x00000000004D5000-memory.dmp | upx
- System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe (47 entries)
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | notepad.exe (15 entries)
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | images.exe (1 entry)
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe (1 entry)
- NTFS ADS (1 IoCs)
  description | ioc | Process
  File created | C:\ProgramData:ApplicationData | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process (consecutive identical rows collapsed, count in parentheses)
  2808 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe (2)
  2404 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe (34)
  1892 | images.exe (2)
  4604 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe (2)
  3728 | images.exe (4)
  3856 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe (4)
  3728 | images.exe (2)
  4284 | powershell.exe (1)
  3856 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe (2)
  3728 | images.exe (4)
  3856 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe (4)
  3728 | images.exe (2)
  4284 | powershell.exe (1)
- Suspicious behavior: MapViewOfSection (64 IoCs)
  pid | Process
  All entries are e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe except pid 1892 (first occurrence), which is images.exe; pids in the listed order:
  2808, 1892 (images.exe), 4604, 3168, 4768, 3180, 1388, 5040, 372, 4668, 3984, 1924, 4996, 4476, 4268, 4680,
  1468, 2060, 4356, 3852, 748, 3316, 1488, 4520, 4564, 4532, 4608, 2060, 3168, 4856, 1544, 4376,
  1644, 3664, 4700, 3428, 3540, 904, 3320, 3236, 3408, 5024, 4908, 4548, 4464, 1608, 3676, 3788,
  996, 2248, 1908, 5096, 1428, 4988, 2096, 1892, 2452, 5060, 3284, 2072, 3068, 2884, 4528, 2284
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process
Token: SeDebugPrivilege 4284 powershell.exe
Token: SeDebugPrivilege 2284 powershell.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target (identical rows collapsed; the last column is how many times the row appears, 64 in total)
writer pid | Process | wrote to memory of pid | procid_target | rows
2808 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 3556 | 83 | 5
2808 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 1540 | 84 | 3
2808 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 2404 | 85 | 3
1540 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 4284 | 86 | 3
1540 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 1892 | 88 | 3
2404 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 4604 | 89 | 3
1892 | images.exe | 1808 | 90 | 5
1892 | images.exe | 4252 | 91 | 3
1892 | images.exe | 3728 | 92 | 3
4604 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 3592 | 93 | 5
4604 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 2640 | 94 | 3
4604 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 3856 | 95 | 3
3856 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 3168 | 96 | 3
3168 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 4072 | 97 | 5
3168 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 4056 | 98 | 3
3168 | e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe | 2444 | 99 | 3
4252 | images.exe | 2284 | 100 | 3
4252 | images.exe | 1444 | 101 | 5
The five-row targets are the notepad.exe hosts (3556, 1808, 3592, 4072) and cmd.exe (1444); every other target, the sample's own copies, images.exe and the two powershell.exe instances, receives three rows.
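The table is easier to reason about once parsed. The Python below is an added example, not part of the sandbox report: it re-embeds the 64 rows in the run-on form the page renders (the repeat counts reproduce the duplicated rows as the table lists them), parses them, collapses repeats, and walks each target back to the root writer. The helper names are this example's own, and the five-write versus three-write split is an observation about this run, not a general threshold.

```python
import re
from collections import Counter

# The 64 WriteProcessMemory rows of this report, re-embedded in the run-on form the page
# renders ("PID <src> wrote to memory of <dst> <src> <image> <procid_target>"). The
# repeat counts reproduce the duplicated rows exactly as the table lists them.
EXE = "e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
RAW = (
    f"PID 2808 wrote to memory of 3556 2808 {EXE} 83 " * 5
    + f"PID 2808 wrote to memory of 1540 2808 {EXE} 84 " * 3
    + f"PID 2808 wrote to memory of 2404 2808 {EXE} 85 " * 3
    + f"PID 1540 wrote to memory of 4284 1540 {EXE} 86 " * 3
    + f"PID 1540 wrote to memory of 1892 1540 {EXE} 88 " * 3
    + f"PID 2404 wrote to memory of 4604 2404 {EXE} 89 " * 3
    + "PID 1892 wrote to memory of 1808 1892 images.exe 90 " * 5
    + "PID 1892 wrote to memory of 4252 1892 images.exe 91 " * 3
    + "PID 1892 wrote to memory of 3728 1892 images.exe 92 " * 3
    + f"PID 4604 wrote to memory of 3592 4604 {EXE} 93 " * 5
    + f"PID 4604 wrote to memory of 2640 4604 {EXE} 94 " * 3
    + f"PID 4604 wrote to memory of 3856 4604 {EXE} 95 " * 3
    + f"PID 3856 wrote to memory of 3168 3856 {EXE} 96 " * 3
    + f"PID 3168 wrote to memory of 4072 3168 {EXE} 97 " * 5
    + f"PID 3168 wrote to memory of 4056 3168 {EXE} 98 " * 3
    + f"PID 3168 wrote to memory of 2444 3168 {EXE} 99 " * 3
    + "PID 4252 wrote to memory of 2284 4252 images.exe 100 " * 3
    + "PID 4252 wrote to memory of 1444 4252 images.exe 101 " * 5
)

ROW = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target>\d+)"
)


def parse_write_rows(raw):
    """One (src_pid, dst_pid, src_image, procid_target) tuple per row, in report order."""
    return [(int(m["src"]), int(m["dst"]), m["image"], int(m["target"]))
            for m in ROW.finditer(raw)]


def collapse_writes(rows):
    """Number of WriteProcessMemory rows per (writer pid, target pid) pair."""
    return Counter((src, dst) for src, dst, _, _ in rows)


def children_of(rows, writer):
    """Targets a writer touched, in first-seen order."""
    seen = []
    for src, dst, _, _ in rows:
        if src == writer and dst not in seen:
            seen.append(dst)
    return seen


def targets_with_writes(rows, n):
    """Target PIDs that received exactly n writes. In this report n=5 picks out the
    notepad.exe and cmd.exe hosts and n=3 the sample's own copies, images.exe and
    powershell.exe; that is what this run shows, not a general threshold."""
    return sorted(dst for (_, dst), count in collapse_writes(rows).items() if count == n)


def writer_chain(rows, leaf):
    """Follow target -> writer back to the root. PIDs are reused later in this run, so
    the map is built from this table only, where each target has a single writer; the
    guard stops on a cycle instead of looping."""
    writer = {dst: src for src, dst, _, _ in rows}
    chain = [leaf]
    while chain[-1] in writer and writer[chain[-1]] not in chain:
        chain.append(writer[chain[-1]])
    return chain[::-1]


if __name__ == "__main__":
    rows = parse_write_rows(RAW)
    for (src, dst), count in sorted(collapse_writes(rows).items()):
        print(f"{src:>5} -> {dst:<5} {count} writes   chain: {writer_chain(rows, dst)}")
```

Running it prints one line per writer/target pair with the chain back to PID 2808; the two branches it exposes are the persistence path 2808 → 1540 → 1892 (images.exe) → 4252 and the relaunch path 2808 → 2404 → 4604 → 3856 → 3168.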
Processes
(one line per process: depth in the tree, PID, command line; signatures indented beneath it. The image path is the executable named on the command line except for the system tools, which the 32-bit sample reaches through WOW64 file system redirection: "C:\Windows\system32\notepad.exe" runs as C:\Windows\SysWOW64\notepad.exe, "C:\Windows\System32\cmd.exe" as C:\Windows\SysWOW64\cmd.exe, and the two powershell commands as C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe)
 1  PID 2808  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
      Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
 2  PID 3556  "C:\Windows\system32\notepad.exe"
 2  PID 1540  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
      Drops startup file; Adds Run key to start application; NTFS ADS; Suspicious use of WriteProcessMemory
 3  PID 4284  powershell Add-MpPreference -ExclusionPath C:\
      Command and Scripting Interpreter: PowerShell; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
 3  PID 1892  "C:\ProgramData\images.exe"
      Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
 4  PID 1808  "C:\Windows\system32\notepad.exe"
      Drops startup file
 4  PID 4252  "C:\ProgramData\images.exe"
      Executes dropped EXE; Suspicious use of WriteProcessMemory
 5  PID 2284  powershell Add-MpPreference -ExclusionPath C:\
      Command and Scripting Interpreter: PowerShell; Suspicious use of AdjustPrivilegeToken
 5  PID 1444  "C:\Windows\System32\cmd.exe"
 4  PID 3728  "C:\ProgramData\images.exe" 2 4252 240614671
      Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
 2  PID 2404  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1540 240612484
      Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
 3  PID 4604  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
      Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
 4  PID 3592  "C:\Windows\system32\notepad.exe"
 4  PID 2640  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
 4  PID 3856  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2640 240614750
      Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
 5  PID 3168  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
      Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
 6  PID 4072  "C:\Windows\system32\notepad.exe"
 6  PID 4056  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
 6  PID 2444  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 4056 240616515
 7  PID 4768  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
      Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection
 8  PID 2600  "C:\Windows\system32\notepad.exe"
 8  PID 4020  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
 8  PID 3832  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 4020 240618343
 9  PID 3180  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
      Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection
10  PID 2128  "C:\Windows\system32\notepad.exe"
10  PID 208  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
      System Location Discovery: System Language Discovery
10  PID 1312  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 208 240619703
      System Location Discovery: System Language Discovery
11  PID 1388  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
      Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: MapViewOfSection
12  PID 4424  "C:\Windows\system32\notepad.exe"
      Drops startup file
12  PID 1672  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
12  PID 4920  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1672 240621078
13  PID 5040  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
      Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection
14  PID 4752  "C:\Windows\system32\notepad.exe"
      Drops startup file
14  PID 2220  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
14  PID 2344  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2220 240622453
      System Location Discovery: System Language Discovery
15  PID 372  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
      Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection
16  PID 2532  "C:\Windows\system32\notepad.exe"
      System Location Discovery: System Language Discovery
16  PID 1392  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
16  PID 3504  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1392 240623640
17  PID 4668  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
      Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection
18  PID 4580  "C:\Windows\system32\notepad.exe"
      System Location Discovery: System Language Discovery
18  PID 452  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
18  PID 3896  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 452 240624890
      System Location Discovery: System Language Discovery
19  PID 3984  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
      Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection
20  PID 4868  "C:\Windows\system32\notepad.exe"
20  PID 2508  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
      System Location Discovery: System Language Discovery
20  PID 2884  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2508 240626203
21  PID 1924  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
      Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection
22  PID 4120  "C:\Windows\system32\notepad.exe"
22  PID 3640  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
22  PID 3472  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 3640 240627484
23  PID 4996  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
      Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection
24  PID 2252  "C:\Windows\system32\notepad.exe"
24  PID 1344  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
24  PID 3264  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1344 240628734
25  PID 4476  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
      Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection
26  PID 5088  "C:\Windows\system32\notepad.exe"
      Drops startup file
26  PID 1324  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
26  PID 1088  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1324 240629906
27  PID 4268  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
      Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection
28  PID 4372  "C:\Windows\system32\notepad.exe"
28  PID 3792  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
28  PID 832  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 3792 240631109
29  PID 4680  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
      Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection
30  PID 1252  "C:\Windows\system32\notepad.exe"
      Drops startup file
30  PID 636  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
      System Location Discovery: System Language Discovery
30  PID 4388  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 636 240632265
31  PID 1468  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
      Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection
32  PID 4920  "C:\Windows\system32\notepad.exe"
32  PID 2820  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
32  PID 3744  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2820 240633375
33  PID 2060  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
      Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection
34  PID 3284  "C:\Windows\system32\notepad.exe"
34  PID 2184  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
34  PID 1220  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2184 240634468
      System Location Discovery: System Language Discovery
35  PID 4356  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
      Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection
36  PID 3856  "C:\Windows\system32\notepad.exe"
36  PID 2568  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
36  PID 2408  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2568 240635765
37  PID 3852  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
      Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection
38  PID 2312  "C:\Windows\system32\notepad.exe"
      Drops startup file
38  PID 3672  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
38  PID 5092  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 3672 240636984
39  PID 748  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
      Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection
40  PID 1864  "C:\Windows\system32\notepad.exe"
40  PID 2444  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
40  PID 2456  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2444 240638187
41  PID 3316  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
      Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection
42  PID 3344  "C:\Windows\system32\notepad.exe"
42  PID 4956  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
42  PID 4208  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 4956 240639359
43  PID 1488  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
      Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection
44  PID 2076  "C:\Windows\system32\notepad.exe"
44  PID 1600  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
      System Location Discovery: System Language Discovery
44  PID 4572  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1600 240640500
45  PID 4520  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
      Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection
46  PID 4772  "C:\Windows\system32\notepad.exe"
      Drops startup file; System Location Discovery: System Language Discovery
46  PID 1260  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
46  PID 4704  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1260 240641625
47  PID 4564  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
      Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection
48  PID 1772  "C:\Windows\system32\notepad.exe"
48  PID 3212  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
48  PID 3428  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 3212 240642750
      System Location Discovery: System Language Discovery
49  PID 4532  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
      Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection
50  PID 4536  "C:\Windows\system32\notepad.exe"
50  PID 1352  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
      System Location Discovery: System Language Discovery
50  PID 4424  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1352 240643843
51  PID 4608  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
      Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection
52  PID 5040  "C:\Windows\system32\notepad.exe"
      Drops startup file
52  PID 2200  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
52  PID 3124  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2200 240644937
53  PID 2060  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
      Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection
54  PID 3284  "C:\Windows\system32\notepad.exe"
54  PID 1004  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
54  PID 3152  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1004 240646062
55  PID 3168  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
      Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection
56  PID 3100  "C:\Windows\system32\notepad.exe"
      Drops startup file
56  PID 3784  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
56  PID 2532  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 3784 240647156
57  PID 4856  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
      Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection
58  PID 1628  "C:\Windows\system32\notepad.exe"
58  PID 2312  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
58  PID 4868  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2312 240648296
59  PID 1544  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
      Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection
60  PID 4212  "C:\Windows\system32\notepad.exe"
      Drops startup file
60  PID 4088  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
60  PID 388  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 4088 240649375
61  PID 4376  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
      Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection
62  PID 2276  "C:\Windows\system32\notepad.exe"
      Drops startup file
62  PID 3232  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
62  PID 4120  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 3232 240650515
63  PID 1644  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
      Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection
64  PID 2920  "C:\Windows\system32\notepad.exe"
      Drops startup file
64  PID 3516  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
64  PID 2324  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 3516 240651656
65  PID 3664  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
      Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection
66  PID 3220  "C:\Windows\system32\notepad.exe"
66  PID 2368  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
66  PID 4220  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2368 240652796
      System Location Discovery: System Language Discovery
67  PID 4700  "C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"
      Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"68⤵
- Drops startup file
- System Location Discovery: System Language Discovery
PID:2488
-
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"68⤵PID:2160
-
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2160 24065387568⤵PID:5028
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"69⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:3428 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"70⤵
- Drops startup file
PID:1284
-
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"70⤵PID:4836
-
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 4836 24065501570⤵PID:2088
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"71⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:3540 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"72⤵
- Drops startup file
PID:1388
-
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"72⤵
- System Location Discovery: System Language Discovery
PID:4388
-
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 4388 24065615672⤵PID:4608
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"73⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
PID:904 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"74⤵PID:2064
-
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"74⤵PID:2732
-
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2732 24065732874⤵
- System Location Discovery: System Language Discovery
PID:992 -
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"75⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:3320 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"76⤵
- Drops startup file
PID:2248
-
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"76⤵PID:2280
-
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2280 24065842176⤵PID:4356
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"77⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:3236 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"78⤵PID:1484
-
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"78⤵PID:2388
-
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2388 24065956278⤵PID:4556
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"79⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:3408 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"80⤵PID:1060
-
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"80⤵PID:2312
-
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2312 24066068780⤵
- System Location Discovery: System Language Discovery
PID:1076 -
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"81⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:5024 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"82⤵PID:228
-
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"82⤵PID:3628
-
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 3628 24066178182⤵PID:3748
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"83⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:4908 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"84⤵
- Drops startup file
PID:4036
-
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"84⤵PID:4996
-
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 4996 24066289084⤵PID:4120
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"85⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:4548 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"86⤵PID:5000
-
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"86⤵PID:4772
-
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 4772 24066403186⤵PID:4420
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"87⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:4464 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"88⤵PID:4220
-
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"88⤵PID:4316
-
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 4316 24066512588⤵PID:4832
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"89⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1608 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"90⤵PID:2128
-
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"90⤵PID:3688
-
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 3688 24066625090⤵PID:4260
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"91⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:3676 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"92⤵
- Drops startup file
- System Location Discovery: System Language Discovery
PID:2564
-
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"92⤵PID:508
-
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 508 24066737592⤵PID:2908
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"93⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:3788 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"94⤵
- Drops startup file
PID:4608
-
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"94⤵PID:2972
-
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2972 24066846894⤵PID:4920
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"95⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:996 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"96⤵
- Drops startup file
PID:4584
-
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"96⤵
- System Location Discovery: System Language Discovery
PID:3124
-
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 3124 24066959396⤵PID:1448
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"97⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2248 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"98⤵
- Drops startup file
PID:4984
-
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"98⤵PID:2768
-
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2768 24067070398⤵PID:4668
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"99⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1908 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"100⤵
- Drops startup file
- System Location Discovery: System Language Discovery
PID:2548
-
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"100⤵PID:1532
-
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1532 240671765100⤵PID:116
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"101⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:5096 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"102⤵
- Drops startup file
PID:3732
-
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"102⤵PID:1544
-
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1544 240672875102⤵PID:2080
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"103⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1428 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"104⤵
- Drops startup file
PID:3404
-
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"104⤵PID:1552
-
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 1552 240673968104⤵PID:1872
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"105⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:4988 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"106⤵
- Drops startup file
PID:4284
-
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"106⤵PID:640
-
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 640 240675109106⤵
- System Location Discovery: System Language Discovery
PID:1492 -
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"107⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2096 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"108⤵
- Drops startup file
- System Location Discovery: System Language Discovery
PID:5088
-
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"108⤵PID:4420
-
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 4420 240676203108⤵PID:4268
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"109⤵PID:2160
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"110⤵
- Drops startup file
PID:4832
-
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"110⤵PID:4312
-
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 4312 240677328110⤵
- System Location Discovery: System Language Discovery
PID:4540 -
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"111⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1892 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"112⤵PID:4260
-
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"112⤵PID:2088
-
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2088 240678453112⤵PID:3860
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"113⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2452 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"114⤵
- Drops startup file
PID:1640
-
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"114⤵PID:4752
-
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 4752 240679546114⤵PID:4032
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"115⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:5060 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"116⤵PID:3060
-
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"116⤵PID:3820
-
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 3820 240680656116⤵PID:3152
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"117⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:3284 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"118⤵
- Drops startup file
PID:3852
-
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"118⤵PID:2380
-
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2380 240681765118⤵PID:2248
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"119⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2072 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"120⤵PID:4668
-
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"120⤵
- System Location Discovery: System Language Discovery
PID:2720
-
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe" 2 2720 240682906120⤵PID:3504
-
C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2ce08fc69c8daf0eb448c477df9ce14_JaffaCakes118.exe"121⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:3068 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"122⤵PID:1072