gh0strat | 021f8273383b82d16d0234d7572fc723723caa891549dbbed85ba2a2ad6af0cd

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/02/2025, 06:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Size

138KB
MD5

321b9dfd40bec60a3908998f0fdc77ee
SHA1

99bb67f430a439149c54793f7a8bf7cbfbdb4d2a
SHA256

021f8273383b82d16d0234d7572fc723723caa891549dbbed85ba2a2ad6af0cd
SHA512

ff0e8fcec6315755649a2f82f1d42aac91a2f80c68057e72910ab6cd0cab15fd04ddea5cc77ffc4b814b8a4cdddfb00c9a0734a282033dcb0d4b0a19d43c9d75
SSDEEP

3072:IUvKdFhAdT0HYPOLX9np31ByVCgcu8+dOx3L6AAtbe/x8Fvb:IUvKdFhAdoHTLX9hTgXfOx3LNAtS5w

Score

10^/10

gh0strat discovery persistence rat

Malware Config

Signatures

Gh0st RAT payload 8 IoCs

resource	yara_rule
behavioral1/memory/2380-0-0x0000000000400000-0x0000000000424000-memory.dmp	family_gh0strat
behavioral1/memory/2380-1-0x0000000000400000-0x0000000000424000-memory.dmp	family_gh0strat
behavioral1/memory/2644-3-0x0000000000400000-0x0000000000424000-memory.dmp	family_gh0strat
behavioral1/memory/1308-4-0x0000000000400000-0x0000000000424000-memory.dmp	family_gh0strat
behavioral1/memory/1928-8-0x0000000000400000-0x0000000000424000-memory.dmp	family_gh0strat
behavioral1/files/0x0009000000016311-7.dat	family_gh0strat
behavioral1/memory/1636-10-0x0000000010000000-0x000000001001D000-memory.dmp	family_gh0strat
behavioral1/memory/1636-11-0x0000000010000000-0x000000001001D000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Documents and Settings\\Local User\\userdata.dll"	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe

Deletes itself 1 IoCs

pid	Process
1636	SVCHOST.EXE

Loads dropped DLL 1 IoCs

pid	Process
1636	SVCHOST.EXE

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2068	2380	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	30
PID 2380 wrote to memory of 2068	2380	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	30
PID 2380 wrote to memory of 2068	2380	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	30
PID 2380 wrote to memory of 2068	2380	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	30
PID 2068 wrote to memory of 2148	2068	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	31
PID 2068 wrote to memory of 2148	2068	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	31
PID 2068 wrote to memory of 2148	2068	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	31
PID 2068 wrote to memory of 2148	2068	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	31
PID 2148 wrote to memory of 1920	2148	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	32
PID 2148 wrote to memory of 1920	2148	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	32
PID 2148 wrote to memory of 1920	2148	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	32
PID 2148 wrote to memory of 1920	2148	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	32
PID 1920 wrote to memory of 2536	1920	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	33
PID 1920 wrote to memory of 2536	1920	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	33
PID 1920 wrote to memory of 2536	1920	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	33
PID 1920 wrote to memory of 2536	1920	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	33
PID 2536 wrote to memory of 2544	2536	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	34
PID 2536 wrote to memory of 2544	2536	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	34
PID 2536 wrote to memory of 2544	2536	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	34
PID 2536 wrote to memory of 2544	2536	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	34
PID 2544 wrote to memory of 2240	2544	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	35
PID 2544 wrote to memory of 2240	2544	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	35
PID 2544 wrote to memory of 2240	2544	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	35
PID 2544 wrote to memory of 2240	2544	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	35
PID 2240 wrote to memory of 1212	2240	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	36
PID 2240 wrote to memory of 1212	2240	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	36
PID 2240 wrote to memory of 1212	2240	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	36
PID 2240 wrote to memory of 1212	2240	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	36
PID 1212 wrote to memory of 2360	1212	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	37
PID 1212 wrote to memory of 2360	1212	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	37
PID 1212 wrote to memory of 2360	1212	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	37
PID 1212 wrote to memory of 2360	1212	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	37
PID 2360 wrote to memory of 3024	2360	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	38
PID 2360 wrote to memory of 3024	2360	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	38
PID 2360 wrote to memory of 3024	2360	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	38
PID 2360 wrote to memory of 3024	2360	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	38
PID 3024 wrote to memory of 3032	3024	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	39
PID 3024 wrote to memory of 3032	3024	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	39
PID 3024 wrote to memory of 3032	3024	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	39
PID 3024 wrote to memory of 3032	3024	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	39
PID 3032 wrote to memory of 3044	3032	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	40
PID 3032 wrote to memory of 3044	3032	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	40
PID 3032 wrote to memory of 3044	3032	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	40
PID 3032 wrote to memory of 3044	3032	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	40
PID 3044 wrote to memory of 2204	3044	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	41
PID 3044 wrote to memory of 2204	3044	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	41
PID 3044 wrote to memory of 2204	3044	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	41
PID 3044 wrote to memory of 2204	3044	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	41
PID 2204 wrote to memory of 2112	2204	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	42
PID 2204 wrote to memory of 2112	2204	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	42
PID 2204 wrote to memory of 2112	2204	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	42
PID 2204 wrote to memory of 2112	2204	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	42
PID 2112 wrote to memory of 2416	2112	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	43
PID 2112 wrote to memory of 2416	2112	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	43
PID 2112 wrote to memory of 2416	2112	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	43
PID 2112 wrote to memory of 2416	2112	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	43
PID 2416 wrote to memory of 2968	2416	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	44
PID 2416 wrote to memory of 2968	2416	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	44
PID 2416 wrote to memory of 2968	2416	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	44
PID 2416 wrote to memory of 2968	2416	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	44
PID 2968 wrote to memory of 2812	2968	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	45
PID 2968 wrote to memory of 2812	2968	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	45
PID 2968 wrote to memory of 2812	2968	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	45
PID 2968 wrote to memory of 2812	2968	JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe	45

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
    C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2148
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1920
    - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2536
      - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        10⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        11⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        13⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        15⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        16⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        17⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:264
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:488
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        23⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        31⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        40⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        43⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        47⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        55⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        63⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        64⤵
        System Location Discovery: System Language Discovery
        
        PID:352
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:372
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        72⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        73⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        76⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        77⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321b9dfd40bec60a3908998f0fdc77ee.exe
        78⤵
        Server Software Component: Terminal Services DLL
        System Location Discovery: System Language Discovery
        
        PID:1928

C:\Windows\SysWOW64\SVCHOST.EXE
C:\Windows\SysWOW64\SVCHOST.EXE -K NETSVcS
1⤵
- Deletes itself
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\documents and settings\local user\userdata.dll

Filesize
107KB

MD5
66cc031ef4bbc32d7408b8ec72c8f514

SHA1
91549168a859160ac80792c75f7eb8cd6cb29989

SHA256
2236d1c924c07e9d38a4c85e42207add03eb179532396ff1356600ea033e3f55

SHA512
c1067b30ee2971cc2c0f882feb77edea3d515c66f83df38641d6148b7d405040f57b871b000bd25d0600a6d205182f1a056e7d6a9c2f323b2db63eef1d278414

Download Submit
memory/1308-4-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1636-10-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/1636-11-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/1928-8-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2360-2-0x0000000000220000-0x0000000000244000-memory.dmp

Filesize
144KB

Download
memory/2380-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2380-1-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2644-3-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download