Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 08/01/2025, 07:33
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
  Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
Size: 205KB
MD5: 9339503bfbb68f6435a37e36057c137b
SHA1: fb8714dea5b2cb8884b079b2a32e4246630efa40
SHA256: ed27064284abd999686d18a64681781876fbb716587f2e8ce70f862565dc4599
SHA512: 1d85151ad89ab85e20682ee7940f20d1ef6f63cc2dd53f744ddcaa603750e822722926b03834dc0bec24834b992bfd379122ff80b1f89826acbca719f7104aa5
SSDEEP: 6144:0V5X9iNrRFBVxk7M2+4D3Iyv1ChpFR0FVvrp9N:08rZVxk7J+1MgwVrx
Malware Config

Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 64 IoCs)
Distinct entries (the remaining IoCs are repeats of these):
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Process not Found
Distinct entries (the remaining IoCs are repeats of these):
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Process not Found
Renames multiple (79) files with an added filename extension
This suggests ransomware activity, encrypting all the files on the system.
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | eWIgIMYQ.exe
Executes dropped EXE (2 IoCs)
pid | Process
816 | QGEsEUgU.exe
4292 | eWIgIMYQ.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QGEsEUgU.exe = "C:\\Users\\Admin\\hYkwoAgk\\QGEsEUgU.exe" | JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eWIgIMYQ.exe = "C:\\ProgramData\\IuQMgYwg\\eWIgIMYQ.exe" | JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eWIgIMYQ.exe = "C:\\ProgramData\\IuQMgYwg\\eWIgIMYQ.exe" | eWIgIMYQ.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QGEsEUgU.exe = "C:\\Users\\Admin\\hYkwoAgk\\QGEsEUgU.exe" | QGEsEUgU.exe
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\shell32.dll.exe | eWIgIMYQ.exe
File opened for modification | C:\Windows\SysWOW64\shell32.dll.exe | eWIgIMYQ.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Distinct entries (the remaining IoCs are repeats of these):
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cscript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Modifies registry key (1 TTPs, 64 IoCs)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
4292 | eWIgIMYQ.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
Distinct entries (the remaining IoCs are repeats of this one):
pid | Process
4292 | eWIgIMYQ.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Each entry lists the image path, the command line (cmd:) and the PID, with the process tree depth in brackets; behaviour signatures are nested under the process they apply to.

- [depth 1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe", PID 2024
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
- [depth 2] C:\Users\Admin\hYkwoAgk\QGEsEUgU.exe, cmd: "C:\Users\Admin\hYkwoAgk\QGEsEUgU.exe", PID 816
  - Executes dropped EXE
  - Adds Run key to start application
- [depth 2] C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe, cmd: "C:\ProgramData\IuQMgYwg\eWIgIMYQ.exe", PID 4292
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
- [depth 2] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 2008
  - Suspicious use of WriteProcessMemory
- [depth 3] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 1372
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
- [depth 4] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 3692
  - Suspicious use of WriteProcessMemory
- [depth 5] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 2120
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
- [depth 6] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 4156
  - Suspicious use of WriteProcessMemory
- [depth 7] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 1584
  - Suspicious behavior: EnumeratesProcesses
- [depth 8] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 2344
- [depth 9] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 1592
  - Suspicious behavior: EnumeratesProcesses
- [depth 10] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 3280
- [depth 11] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 780
  - Suspicious behavior: EnumeratesProcesses
- [depth 12] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 4340
- [depth 13] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 4928
  - Suspicious behavior: EnumeratesProcesses
- [depth 14] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 844
  - System Location Discovery: System Language Discovery
- [depth 15] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 4496
  - Suspicious behavior: EnumeratesProcesses
- [depth 16] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 3436
- [depth 17] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 2572
  - Suspicious behavior: EnumeratesProcesses
- [depth 18] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 5040
- [depth 19] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 3868
  - Suspicious behavior: EnumeratesProcesses
- [depth 20] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 3432
- [depth 21] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 1200
  - Suspicious behavior: EnumeratesProcesses
- [depth 22] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 4276
- [depth 23] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 780
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
- [depth 24] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 4160
- [depth 25] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 3420
  - Suspicious behavior: EnumeratesProcesses
- [depth 26] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 5020
- [depth 27] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 3464
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
- [depth 28] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 1356
- [depth 29] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 3392
  - Suspicious behavior: EnumeratesProcesses
- [depth 30] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 3600
- [depth 31] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 4804
  - Suspicious behavior: EnumeratesProcesses
- [depth 32] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 1724
- [depth 33] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 3592
- [depth 34] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 4076
- [depth 35] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 2564
- [depth 36] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 1980
- [depth 37] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 3944
- [depth 38] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 3240
- [depth 39] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 3844
- [depth 40] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 4616
- [depth 41] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 3508
- [depth 42] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 3372
- [depth 43] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 4788
  - System Location Discovery: System Language Discovery
- [depth 44] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 2376
- [depth 45] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 316
- [depth 46] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 1936
- [depth 47] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 1044
- [depth 48] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 1372
- [depth 49] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 1700
- [depth 50] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 4444
- [depth 51] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 3844
- [depth 52] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 2664
- [depth 53] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 3880
- [depth 54] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 4804
- [depth 55] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 5012
- [depth 56] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 3928
- [depth 57] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 3024
- [depth 58] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 2564
- [depth 59] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 4108
- [depth 60] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 2232
- [depth 61] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 4156
  - System Location Discovery: System Language Discovery
- [depth 62] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 1596
- [depth 63] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 632
- [depth 64] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 2932
- [depth 65] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 4260
- [depth 66] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 1284
- [depth 67] C:\Windows\System32\Conhost.exe, cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, PID 3292
- [depth 67] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 4380
- [depth 68] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 1724
- [depth 69] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 4912
  - System Location Discovery: System Language Discovery
- [depth 70] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 1408
- [depth 71] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 4928
- [depth 72] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 2132
- [depth 73] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 2144
- [depth 74] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 2992
- [depth 75] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 640
- [depth 76] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 3596
  - System Location Discovery: System Language Discovery
- [depth 77] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 2864
- [depth 78] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 868
- [depth 79] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 184
- [depth 80] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 2116
- [depth 81] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 2104
- [depth 82] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 1940
- [depth 83] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 1280
- [depth 84] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 4164
- [depth 85] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 2132
- [depth 86] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 4360
- [depth 87] C:\Windows\System32\Conhost.exe, cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, PID 544
- [depth 87] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 652
- [depth 88] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 3712
- [depth 89] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 3084
- [depth 90] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 4308
- [depth 91] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 2452
- [depth 92] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 3400
- [depth 93] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 2768
- [depth 94] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 1408
- [depth 95] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 1936
- [depth 96] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 412
- [depth 97] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 3196
- [depth 98] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 2192
- [depth 99] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 1020
  - System Location Discovery: System Language Discovery
- [depth 100] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 2188
- [depth 101] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 4984
- [depth 102] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 2024
- [depth 103] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 3464
- [depth 104] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 1848
- [depth 105] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 4444
- [depth 106] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 1456
- [depth 107] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 1720
- [depth 108] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 1628
- [depth 109] C:\Windows\System32\Conhost.exe, cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, PID 1420
- [depth 109] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 736
- [depth 110] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 1752
- [depth 111] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 2988
- [depth 112] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 1484
- [depth 113] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 3712
- [depth 114] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 1228
- [depth 115] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 5060
- [depth 116] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 1928
- [depth 117] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 1340
- [depth 118] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 2056
- [depth 119] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 2832
- [depth 120] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 3744
- [depth 121] C:\Windows\System32\Conhost.exe, cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, PID 3680
- [depth 121] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b.exe, cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b, PID 2364
- [depth 122] C:\Windows\SysWOW64\cmd.exe, cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9339503bfbb68f6435a37e36057c137b", PID 3708