xtremerat | 7291dfa90de1063b5cfe238606d5c61db8e886927065f9708282770380beac14

Analysis

max time kernel
150s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
04-02-2025 16:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Size

260KB
MD5

95d47bf91b1118562ad6a7479b8ffdcf
SHA1

93c80224c963a5002c6556481253464fd282c820
SHA256

7291dfa90de1063b5cfe238606d5c61db8e886927065f9708282770380beac14
SHA512

c458227559463508ca1f73b675d2b1baf1a7bbb5b9b9f9a9596f5379665a361ced05d0ec8c86a0914aecd6b62d6e3aeb5cfa06814059529a4118bf728005024d
SSDEEP

1536:71KdM0mDw7jFd+/q0Z9LcQ91dWcbXIEx2sQKYkIpY8Gjvuh/cGsYDSKJPToHfPOe:lpY+/v971d5UKPj9udcr2SKJlD+w8

Score

10^/10

xtremerat discovery persistence rat spyware upx

Malware Config

Signatures

Detect XtremeRAT payload 4 IoCs

resource	yara_rule
behavioral2/memory/4268-5-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/4268-9-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/4852-15-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/4852-20-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Xtremerat family
xtremerat

Checks computer location settings 2 TTPs 30 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe

Suspicious use of SetThreadContext 31 IoCs

description	pid	Process	procid_target
PID 4692 set thread context of 4268	4692	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	84
PID 3948 set thread context of 4852	3948	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	99
PID 5008 set thread context of 5060	5008	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	109
PID 1420 set thread context of 1848	1420	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	119
PID 1452 set thread context of 2420	1452	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	129
PID 3440 set thread context of 2940	3440	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	139
PID 3448 set thread context of 1628	3448	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	149
PID 3068 set thread context of 3032	3068	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	162
PID 888 set thread context of 1168	888	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	172
PID 2556 set thread context of 5068	2556	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	182
PID 4380 set thread context of 2824	4380	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	192
PID 3976 set thread context of 3828	3976	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	202
PID 840 set thread context of 2092	840	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	212
PID 2828 set thread context of 2008	2828	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	222
PID 4912 set thread context of 3216	4912	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	232
PID 3036 set thread context of 1968	3036	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	242
PID 2572 set thread context of 5004	2572	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	252
PID 4544 set thread context of 1320	4544	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	262
PID 3764 set thread context of 2460	3764	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	272
PID 976 set thread context of 1828	976	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	283
PID 3348 set thread context of 2896	3348	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	293
PID 1216 set thread context of 1276	1216	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	303
PID 5164 set thread context of 5188	5164	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	313
PID 5336 set thread context of 5360	5336	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	323
PID 5524 set thread context of 5548	5524	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	333
PID 5708 set thread context of 5732	5708	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	343
PID 5884 set thread context of 5908	5884	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	353
PID 5356 set thread context of 5400	5356	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	363
PID 5660 set thread context of 5700	5660	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	373
PID 5928 set thread context of 4504	5928	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	383
PID 5516 set thread context of 4064	5516	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	393

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4268-2-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/4268-4-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/4268-5-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/4268-6-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/4268-9-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/4852-14-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/4852-16-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/4852-15-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/4852-20-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 62 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe

Suspicious use of SetWindowsHookEx 31 IoCs

pid	Process
4692	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
3948	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
5008	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
1420	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
1452	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
3440	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
3448	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
3068	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
888	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
2556	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
4380	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
3976	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
840	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
2828	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
4912	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
3036	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
2572	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
4544	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
3764	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
976	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
3348	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
1216	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
5164	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
5336	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
5524	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
5708	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
5884	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
5356	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
5660	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
5928	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
5516	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4692 wrote to memory of 4268	4692	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	84
PID 4692 wrote to memory of 4268	4692	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	84
PID 4692 wrote to memory of 4268	4692	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	84
PID 4692 wrote to memory of 4268	4692	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	84
PID 4692 wrote to memory of 4268	4692	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	84
PID 4692 wrote to memory of 4268	4692	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	84
PID 4692 wrote to memory of 4268	4692	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	84
PID 4692 wrote to memory of 4268	4692	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	84
PID 4268 wrote to memory of 4084	4268	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	87
PID 4268 wrote to memory of 4084	4268	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	87
PID 4268 wrote to memory of 4084	4268	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	87
PID 4268 wrote to memory of 624	4268	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	89
PID 4268 wrote to memory of 624	4268	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	89
PID 4268 wrote to memory of 624	4268	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	89
PID 4268 wrote to memory of 3000	4268	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	91
PID 4268 wrote to memory of 3000	4268	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	91
PID 4268 wrote to memory of 3000	4268	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	91
PID 4268 wrote to memory of 1360	4268	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	93
PID 4268 wrote to memory of 1360	4268	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	93
PID 4268 wrote to memory of 1360	4268	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	93
PID 4268 wrote to memory of 2496	4268	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	94
PID 4268 wrote to memory of 2496	4268	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	94
PID 4268 wrote to memory of 2496	4268	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	94
PID 4268 wrote to memory of 4188	4268	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	95
PID 4268 wrote to memory of 4188	4268	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	95
PID 4268 wrote to memory of 4188	4268	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	95
PID 4268 wrote to memory of 232	4268	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	96
PID 4268 wrote to memory of 232	4268	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	96
PID 4268 wrote to memory of 232	4268	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	96
PID 4268 wrote to memory of 636	4268	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	97
PID 4268 wrote to memory of 636	4268	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	97
PID 4268 wrote to memory of 3948	4268	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	98
PID 4268 wrote to memory of 3948	4268	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	98
PID 4268 wrote to memory of 3948	4268	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	98
PID 3948 wrote to memory of 4852	3948	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	99
PID 3948 wrote to memory of 4852	3948	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	99
PID 3948 wrote to memory of 4852	3948	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	99
PID 3948 wrote to memory of 4852	3948	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	99
PID 3948 wrote to memory of 4852	3948	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	99
PID 3948 wrote to memory of 4852	3948	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	99
PID 3948 wrote to memory of 4852	3948	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	99
PID 3948 wrote to memory of 4852	3948	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	99
PID 4852 wrote to memory of 3444	4852	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	100
PID 4852 wrote to memory of 3444	4852	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	100
PID 4852 wrote to memory of 3444	4852	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	100
PID 4852 wrote to memory of 3676	4852	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	101
PID 4852 wrote to memory of 3676	4852	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	101
PID 4852 wrote to memory of 3676	4852	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	101
PID 4852 wrote to memory of 3344	4852	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	102
PID 4852 wrote to memory of 3344	4852	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	102
PID 4852 wrote to memory of 3344	4852	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	102
PID 4852 wrote to memory of 2680	4852	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	103
PID 4852 wrote to memory of 2680	4852	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	103
PID 4852 wrote to memory of 2680	4852	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	103
PID 4852 wrote to memory of 2928	4852	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	104
PID 4852 wrote to memory of 2928	4852	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	104
PID 4852 wrote to memory of 2928	4852	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	104
PID 4852 wrote to memory of 4412	4852	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	105
PID 4852 wrote to memory of 4412	4852	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	105
PID 4852 wrote to memory of 4412	4852	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	105
PID 4852 wrote to memory of 1364	4852	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	106
PID 4852 wrote to memory of 1364	4852	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	106
PID 4852 wrote to memory of 1364	4852	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	106
PID 4852 wrote to memory of 1560	4852	JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe	107

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4268
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:4084
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:624
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:3000
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:1360
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:2496
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:4188
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:232
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:636
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3948
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4852
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3444
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3676
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3344
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:2680
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:2928
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4412
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:1364
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:1560
    - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5008
      - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
        6⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:5060
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:3460
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:4816
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:2260
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:2340
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:712
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:3152
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:3356
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
        7⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
        8⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1848
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:2444
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:4088
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:1604
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:2100
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:3596
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:1896
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:3884
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
        9⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
        10⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:4100
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:3592
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:1568
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:1472
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:3980
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:2504
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:4076
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
        11⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
        12⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:2924
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:968
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:3336
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:4436
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:3780
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:3352
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:4612
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
        13⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3448
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
        14⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        15⤵
        
        PID:4784
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        15⤵
        
        PID:4620
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        15⤵
        
        PID:1448
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        15⤵
        
        PID:4972
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        15⤵
        
        PID:3544
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        15⤵
        
        PID:4836
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        15⤵
        
        PID:3600
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        15⤵
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
        15⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
        16⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:2036
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:1056
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:3536
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:32
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:2800
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:432
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:1624
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
        17⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
        18⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1168
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        19⤵
        
        PID:3640
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        19⤵
        
        PID:4244
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        19⤵
        
        PID:2040
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        19⤵
        
        PID:1820
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        19⤵
        
        PID:216
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        19⤵
        
        PID:1964
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        19⤵
        
        PID:464
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        19⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
        19⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
        20⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:5068
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        21⤵
        
        PID:3776
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        21⤵
        
        PID:3556
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        21⤵
        
        PID:3748
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        21⤵
        
        PID:4476
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        21⤵
        
        PID:3720
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        21⤵
        
        PID:4988
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        21⤵
        
        PID:1156
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        21⤵
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
        21⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
        22⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        23⤵
        
        PID:2580
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        23⤵
        
        PID:4028
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        23⤵
        
        PID:4976
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        23⤵
        
        PID:3716
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        23⤵
        
        PID:1076
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        23⤵
        
        PID:1944
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        23⤵
        
        PID:4892
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        23⤵
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
        23⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
        24⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3828
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        25⤵
        
        PID:4560
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        25⤵
        
        PID:4444
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        25⤵
        
        PID:3276
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        25⤵
        
        PID:3480
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        25⤵
        
        PID:4284
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        25⤵
        
        PID:1240
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        25⤵
        
        PID:4604
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        25⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
        25⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
        26⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2092
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        27⤵
        
        PID:3516
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        27⤵
        
        PID:4856
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        27⤵
        
        PID:4940
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        27⤵
        
        PID:2980
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        27⤵
        
        PID:4832
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        27⤵
        
        PID:4660
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        27⤵
        
        PID:4200
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        27⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
        27⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
        28⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        29⤵
        
        PID:4632
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        29⤵
        
        PID:5088
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        29⤵
        
        PID:3268
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        29⤵
        
        PID:1892
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        29⤵
        
        PID:4948
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        29⤵
        
        PID:2072
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        29⤵
        
        PID:452
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        29⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
        29⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
        30⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3216
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        31⤵
        
        PID:3484
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        31⤵
        
        PID:1692
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        31⤵
        
        PID:3040
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        31⤵
        
        PID:1680
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        31⤵
        
        PID:3804
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        31⤵
        
        PID:1072
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        31⤵
        
        PID:1480
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        31⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
        31⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
        32⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        33⤵
        
        PID:4776
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        33⤵
        
        PID:640
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        33⤵
        
        PID:2664
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        33⤵
        
        PID:876
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        33⤵
        
        PID:1152
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        33⤵
        
        PID:3192
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        33⤵
        
        PID:2160
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        33⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
        33⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
        34⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:5004
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        35⤵
        
        PID:2988
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        35⤵
        
        PID:2172
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        35⤵
        
        PID:1948
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        35⤵
        
        PID:2820
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        35⤵
        
        PID:1044
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        35⤵
        
        PID:1536
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        35⤵
        
        PID:3784
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        35⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
        35⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
        36⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1320
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        37⤵
        
        PID:4640
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        37⤵
        
        PID:3248
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        37⤵
        
        PID:1752
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        37⤵
        
        PID:4060
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        37⤵
        
        PID:3496
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        37⤵
        
        PID:3912
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        37⤵
        
        PID:1708
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        37⤵
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
        37⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3764
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
        38⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2460
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        39⤵
        
        PID:1764
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        39⤵
        
        PID:756
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        39⤵
        
        PID:3296
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        39⤵
        
        PID:1288
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        39⤵
        
        PID:4432
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        39⤵
        
        PID:5104
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        39⤵
        
        PID:4004
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        39⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
        39⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
        40⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1828
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        41⤵
        
        PID:2424
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        41⤵
        
        PID:4992
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        41⤵
        
        PID:748
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        41⤵
        
        PID:3772
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        41⤵
        
        PID:4388
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        41⤵
        
        PID:4460
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        41⤵
        
        PID:4312
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        41⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
        41⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
        42⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        43⤵
        
        PID:1792
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        43⤵
        
        PID:4576
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        43⤵
        
        PID:3644
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        43⤵
        
        PID:3796
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        43⤵
        
        PID:4616
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        43⤵
        
        PID:4564
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        43⤵
        
        PID:468
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        43⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
        43⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
        44⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1276
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        45⤵
        
        PID:3800
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        45⤵
        
        PID:2992
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        45⤵
        
        PID:3940
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        45⤵
        
        PID:4480
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        45⤵
        
        PID:228
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        45⤵
        
        PID:1304
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        45⤵
        
        PID:5128
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        45⤵
        
        PID:5140
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
        45⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5164
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
        46⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:5188
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        47⤵
        
        PID:5236
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        47⤵
        
        PID:5252
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        47⤵
        
        PID:5260
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        47⤵
        
        PID:5272
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        47⤵
        
        PID:5280
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        47⤵
        
        PID:5292
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        47⤵
        
        PID:5300
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        47⤵
        
        PID:5312
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
        47⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5336
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
        48⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:5360
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        49⤵
        
        PID:5408
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        49⤵
        
        PID:5420
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        49⤵
        
        PID:5428
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        49⤵
        
        PID:5440
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        49⤵
        
        PID:5468
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        49⤵
        
        PID:5480
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        49⤵
        
        PID:5488
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        49⤵
        
        PID:5500
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
        49⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5524
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
        50⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:5548
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        51⤵
        
        PID:5596
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        51⤵
        
        PID:5612
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        51⤵
        
        PID:5620
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        51⤵
        
        PID:5636
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        51⤵
        
        PID:5648
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        51⤵
        
        PID:5664
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        51⤵
        
        PID:5672
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        51⤵
        
        PID:5684
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
        51⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5708
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
        52⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:5732
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        53⤵
        
        PID:5780
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        53⤵
        
        PID:5792
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        53⤵
        
        PID:5800
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        53⤵
        
        PID:5812
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        53⤵
        
        PID:5828
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        53⤵
        
        PID:5840
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        53⤵
        
        PID:5848
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        53⤵
        
        PID:5860
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
        53⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5884
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
        54⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:5908
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        55⤵
        
        PID:5956
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        55⤵
        
        PID:6124
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        55⤵
        
        PID:6132
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        55⤵
        
        PID:2700
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        55⤵
        
        PID:5180
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        55⤵
        
        PID:5224
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        55⤵
        
        PID:5288
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        55⤵
        
        PID:5208
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
        55⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5356
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
        56⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:5400
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        57⤵
        
        PID:5512
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        57⤵
        
        PID:5540
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        57⤵
        
        PID:5592
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        57⤵
        
        PID:4164
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        57⤵
        
        PID:5604
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        57⤵
        
        PID:5632
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        57⤵
        
        PID:4896
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        57⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
        57⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5660
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
        58⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:5700
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        59⤵
        
        PID:5768
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        59⤵
        
        PID:3788
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        59⤵
        
        PID:5788
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        59⤵
        
        PID:5608
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        59⤵
        
        PID:4496
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        59⤵
        
        PID:5836
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        59⤵
        
        PID:5764
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        59⤵
        
        PID:5876
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
        59⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5928
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
        60⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4504
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        61⤵
        
        PID:3136
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        61⤵
        
        PID:736
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        61⤵
        
        PID:6140
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        61⤵
        
        PID:1432
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        61⤵
        
        PID:5324
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        61⤵
        
        PID:5924
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        61⤵
        
        PID:5332
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        61⤵
        
        PID:5308
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
        61⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5516
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d47bf91b1118562ad6a7479b8ffdcf.exe"
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:4064
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        63⤵
        
        PID:4360
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        63⤵
        
        PID:3404
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        63⤵
        
        PID:4384
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        63⤵
        
        PID:4656
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        63⤵
        
        PID:5372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\M5BTEa.cfg

Filesize
1KB

MD5
a5d1c62674c53c7c5e7b8b230cbbbe42

SHA1
95b8444b24890c4b0040e212d834c73f51b7ab52

SHA256
9efac950437965d03b52ac3064c017c8e555405d25c08db114eeed1b3bb1c2f1

SHA512
e981a3d7628cd351deeb0ded8323b8ec10e3837d8d44b3b6c5e405c98da2bd76d6342a889b210056d1cdfae53ae6e041a26ef2d4914cdd253a32ab643af072ab

Download Submit
memory/4268-2-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/4268-4-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/4268-5-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/4268-6-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/4268-9-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/4852-14-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/4852-16-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/4852-15-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/4852-20-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download