Analysis

max time kernel: 149s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20250502-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/05/2025, 06:47

Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_046457cbd394579894127270aafef150.exe
Resource: win10v2004-20250502-en

General

Target: JaffaCakes118_046457cbd394579894127270aafef150.exe
Size: 441KB
MD5: 046457cbd394579894127270aafef150
SHA1: ca7780fa5c9bf129fd0e90b5c02a31a4fd9cc153
SHA256: ae902131766463db3d8a54a584cd6de03bd2ef4c50e57401ad9ad501261f3501
SHA512: 52ae99a65d1a12fe0c90aa7328c1ea687af71896705cfb01c99411bafca0d5d9e67a3e5df2fe0ee032d06ff17146957c4f69107db61ee1a741af3cf61292db60
SSDEEP: 12288:uwQW1NZsM9CZImwOPHVwvLmFn85pXDIL9sTs7N:uwtH4/PdFn8fXDIL9sqN

Malware Config

Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 64 IoCs)
description  ioc  Process
All listed entries are the same registry write, each performed by a reg.exe instance:
Set value (int)  \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"  reg.exe
UAC bypass (3 TTPs, 64 IoCs)
description  ioc  Process
All listed entries are the same registry write, each performed by a reg.exe instance:
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  reg.exe
Renames multiple (51) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description  ioc  Process
Key value queried  \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\International\Geo\Nation  OOwUMYAw.exe

Executes dropped EXE (5 IoCs)
pid   Process
2136  hIUMQYgM.exe
4552  OOwUMYAw.exe
4916  tYIUEgcc.exe
2184  hIUMQYgM.exe
2724  OOwUMYAw.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 7 IoCs)
description  ioc  Process
Set value (str)  \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hIUMQYgM.exe = "C:\\Users\\Admin\\ooYcIQAo\\hIUMQYgM.exe"  JaffaCakes118_046457cbd394579894127270aafef150.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OOwUMYAw.exe = "C:\\ProgramData\\uMgoocUU\\OOwUMYAw.exe"  JaffaCakes118_046457cbd394579894127270aafef150.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hIUMQYgM.exe = "C:\\Users\\Admin\\ooYcIQAo\\hIUMQYgM.exe"  hIUMQYgM.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OOwUMYAw.exe = "C:\\ProgramData\\uMgoocUU\\OOwUMYAw.exe"  OOwUMYAw.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OOwUMYAw.exe = "C:\\ProgramData\\uMgoocUU\\OOwUMYAw.exe"  tYIUEgcc.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hIUMQYgM.exe = "C:\\Users\\Admin\\ooYcIQAo\\hIUMQYgM.exe"  hIUMQYgM.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OOwUMYAw.exe = "C:\\ProgramData\\uMgoocUU\\OOwUMYAw.exe"  OOwUMYAw.exe

Drops file in System32 directory (9 IoCs)
description  ioc  Process
File opened for modification  C:\Windows\SysWOW64\shePublishFormat.png  OOwUMYAw.exe
File opened for modification  C:\Windows\SysWOW64\sheResumeUse.docx  OOwUMYAw.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\ooYcIQAo  tYIUEgcc.exe
File created  C:\Windows\SysWOW64\shell32.dll.exe  OOwUMYAw.exe
File opened for modification  C:\Windows\SysWOW64\sheSelectResume.docx  OOwUMYAw.exe
File opened for modification  C:\Windows\SysWOW64\sheUnprotectJoin.xlsx  OOwUMYAw.exe
File opened for modification  C:\Windows\SysWOW64\sheUnpublishExport.gif  OOwUMYAw.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\ooYcIQAo\hIUMQYgM  tYIUEgcc.exe
File opened for modification  C:\Windows\SysWOW64\sheNewBlock.docx  OOwUMYAw.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
All 64 entries open the same key; grouped by the process that opened it, with the number of entries per process:
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  reg.exe (28)
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe (14)
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_046457cbd394579894127270aafef150.exe (12)
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cscript.exe (9)
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  hIUMQYgM.exe (1)
Modifies registry key (1 TTPs, 64 IoCs)
pid  Process
All 64 entries are reg.exe; PIDs in the order reported:
3656, 3528, 4400, 3344, 4408, 4268, 1608, 4572, 4424, 5084, 1648, 1760, 5032, 4172, 3580, 1760, 3620, 2052, 2612, 1436, 3188, 3612, 2124, 4636, 3180, 4384, 3092, 3496, 4088, 4624, 1488, 3536, 100, 1332, 2860, 4724, 3364, 4292, 4408, 1480, 3120, 1892, 3004, 4412, 3592, 4104, 1760, 1892, 3040, 1164, 4384, 5052, 4756, 3172, 704, 1256, 2504, 1404, 4940, 4332, 4544, 5080, 2280, 836
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid  Process
All 64 entries are JaffaCakes118_046457cbd394579894127270aafef150.exe; each of the following 16 PIDs appears four times, in the order reported:
2052, 3840, 1504, 3756, 4804, 632, 4664, 2416, 3232, 1992, 4256, 1280, 4352, 4864, 1760, 4408
Suspicious use of FindShellTrayWindow 23 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes

Three process images recur throughout the tree and are abbreviated in the rows below:

[sample]  image: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe
          command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150
[cmd]     image: C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150"
[conhost] image: C:\Windows\System32\Conhost.exe
          command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Each row gives the nesting depth in the process tree, the process image, and its PID; behaviour flags follow as bullets. A [conhost] row and the [sample] row after it at the same depth are both children of the preceding [cmd] row.

depth 1 | [sample], launched as "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046457cbd394579894127270aafef150.exe" | PID 2052
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
depth 2 | C:\Users\Admin\ooYcIQAo\hIUMQYgM.exe, command line "C:\Users\Admin\ooYcIQAo\hIUMQYgM.exe" | PID 2136
- Executes dropped EXE
- Adds Run key to start application
depth 2 | C:\ProgramData\uMgoocUU\OOwUMYAw.exe, command line "C:\ProgramData\uMgoocUU\OOwUMYAw.exe" | PID 4552
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of FindShellTrayWindow
depth 2 | [cmd] | PID 1728
- Suspicious use of WriteProcessMemory
depth 3 | [sample] | PID 3840
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
depth 4 | [cmd] | PID 2284
- Suspicious use of WriteProcessMemory
depth 5 | [sample] | PID 1504
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
depth 6 | [cmd] | PID 1756
- Suspicious use of WriteProcessMemory
depth 7 | [sample] | PID 3756
- Suspicious behavior: EnumeratesProcesses
depth 8 | [cmd] | PID 3732
depth 9 | [sample] | PID 4804
- Suspicious behavior: EnumeratesProcesses
depth 10 | [cmd] | PID 4676
depth 11 | [sample] | PID 632
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
depth 12 | [cmd] | PID 1180
- System Location Discovery: System Language Discovery
depth 13 | [sample] | PID 4664
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
depth 14 | [cmd] | PID 1636
depth 15 | [sample] | PID 2416
- Suspicious behavior: EnumeratesProcesses
depth 16 | [cmd] | PID 2932
depth 17 | [sample] | PID 3232
- Suspicious behavior: EnumeratesProcesses
depth 18 | [cmd] | PID 3748
depth 19 | [sample] | PID 1992
- Suspicious behavior: EnumeratesProcesses
depth 20 | [cmd] | PID 632
depth 21 | [sample] | PID 4256
- Suspicious behavior: EnumeratesProcesses
depth 22 | [cmd] | PID 4272
depth 23 | [sample] | PID 1280
- Suspicious behavior: EnumeratesProcesses
depth 24 | [cmd] | PID 4088
depth 25 | [sample] | PID 4352
- Suspicious behavior: EnumeratesProcesses
depth 26 | [cmd] | PID 1700
depth 27 | [sample] | PID 4864
- Suspicious behavior: EnumeratesProcesses
depth 28 | [cmd] | PID 2836
depth 29 | [sample] | PID 1760
- Suspicious behavior: EnumeratesProcesses
depth 30 | [cmd] | PID 3996
depth 31 | [sample] | PID 4408
- Suspicious behavior: EnumeratesProcesses
depth 32 | [cmd] | PID 836
depth 33 | [conhost] | PID 4272
depth 33 | [sample] | PID 1568
depth 34 | [cmd] | PID 4268
depth 35 | [sample] | PID 4896
depth 36 | [cmd] | PID 4004
depth 37 | [sample] | PID 4000
depth 38 | [cmd] | PID 4528
depth 39 | [sample] | PID 1572
depth 40 | [cmd] | PID 2800
depth 41 | [sample] | PID 4576
depth 42 | [cmd] | PID 4816
depth 43 | [conhost] | PID 4940
depth 43 | [sample] | PID 3296
- System Location Discovery: System Language Discovery
depth 44 | [cmd] | PID 3236
depth 45 | [sample] | PID 4852
depth 46 | [cmd] | PID 556
depth 47 | [sample] | PID 620
- System Location Discovery: System Language Discovery
depth 48 | [cmd] | PID 1020
depth 49 | [sample] | PID 4268
- System Location Discovery: System Language Discovery
depth 50 | [cmd] | PID 5028
depth 51 | [sample] | PID 4824
depth 52 | [cmd] | PID 1756
depth 53 | [sample] | PID 1760
- System Location Discovery: System Language Discovery
depth 54 | [cmd] | PID 3520
depth 55 | [sample] | PID 4192
depth 56 | [cmd] | PID 1572
depth 57 | [conhost] | PID 4512
depth 57 | [sample] | PID 2260
depth 58 | [cmd] | PID 3144
depth 59 | [conhost] | PID 2800
depth 59 | [sample] | PID 2680
depth 60 | [cmd] | PID 3112
depth 61 | [sample] | PID 2064
depth 62 | [cmd] | PID 2672
depth 63 | [sample] | PID 3528
- System Location Discovery: System Language Discovery
depth 64 | [cmd] | PID 1600
depth 65 | [sample] | PID 4976
depth 66 | [cmd] | PID 1740
depth 67 | [sample] | PID 4668
depth 68 | [cmd] | PID 4104
depth 69 | [sample] | PID 3888
depth 70 | [cmd] | PID 4816
depth 71 | [sample] | PID 4272
depth 72 | [cmd] | PID 2232
depth 73 | [sample] | PID 2872
depth 74 | [cmd] | PID 3636
depth 75 | [sample] | PID 4508
depth 76 | [cmd] | PID 5084
depth 77 | [sample] | PID 4172
depth 78 | [cmd] | PID 3928
depth 79 | [sample] | PID 4504
- System Location Discovery: System Language Discovery
depth 80 | [cmd] | PID 1276
- System Location Discovery: System Language Discovery
depth 81 | [conhost] | PID 4236
depth 81 | [sample] | PID 1480
depth 82 | [cmd] | PID 4476
depth 83 | [sample] | PID 5100
depth 84 | [cmd] | PID 2004
depth 85 | [sample] | PID 4508
depth 86 | [cmd] | PID 3340
depth 87 | [sample] | PID 1460
depth 88 | [cmd] | PID 5112
depth 89 | [sample] | PID 1332
depth 90 | [cmd] | PID 692
depth 91 | [sample] | PID 3764
depth 92 | [cmd] | PID 4472
depth 93 | [conhost] | PID 2672
depth 93 | [sample] | PID 2896
depth 94 | [cmd] | PID 4124
depth 95 | [conhost] | PID 4696
depth 95 | [sample] | PID 1636
- System Location Discovery: System Language Discovery
depth 96 | [cmd] | PID 2400
depth 97 | [conhost] | PID 3456
depth 97 | [sample] | PID 4376
depth 98 | [cmd] | PID 2612
depth 99 | [conhost] | PID 3344
depth 99 | [sample] | PID 3316
depth 100 | [cmd] | PID 2800
depth 101 | [conhost] | PID 3004
depth 101 | [sample] | PID 1748
depth 102 | [cmd] | PID 1488
depth 103 | [sample] | PID 4432
depth 104 | [cmd] | PID 688
depth 105 | [conhost] | PID 3928
depth 105 | [sample] | PID 1572
depth 106 | [cmd] | PID 2124
depth 107 | [conhost] | PID 2492
depth 107 | [sample] | PID 3636
depth 108 | [cmd] | PID 1292
depth 109 | [conhost] | PID 1740
depth 109 | [sample] | PID 3748
depth 110 | [cmd] | PID 1588
depth 111 | [sample] | PID 436
- System Location Discovery: System Language Discovery
depth 112 | [cmd] | PID 404
depth 113 | [conhost] | PID 1272
depth 113 | [sample] | PID 4444
depth 114 | [cmd] | PID 4668
depth 115 | [sample] | PID 232
- System Location Discovery: System Language Discovery
depth 116 | [cmd] | PID 2260
depth 117 | [conhost] | PID 1648
depth 117 | [sample] | PID 3888
depth 118 | [cmd] | PID 3452
- System Location Discovery: System Language Discovery
depth 119 | [sample] | PID 1148
depth 120 | [cmd] | PID 4576
depth 121 | [conhost] | PID 4088
depth 121 | [sample] | PID 1480
depth 122 | [cmd] | PID 4000