Analysis

max time kernel: 149s
max time network: 151s
platform: windows11-21h2_x64
resource: win11-20250502-en
resource tags: arch:x64, arch:x86, image:win11-20250502-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 15/05/2025, 09:06
Static task: static1

Behavioral task: behavioral1
  Sample: JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
  Resource: win10v2004-20250502-en

Behavioral task: behavioral2
  Sample: JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
  Resource: win11-20250502-en
General

Target: JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
Size: 481KB
MD5: 047c408df84c32f8d5712456276d1680
SHA1: c058964b23389b0a66e8383c9070245b12b9b9f6
SHA256: 0c07ac694ef7558a4e2277d2076fb1a432992648748e38ac2b4db4beab1bc6d8
SHA512: 3c98cebb9e4aa878ec2838e6516342d3b12e783c66f1c2c73f2914439f2e5902b122d840aadce02e70cda7c7ddf16fa9d06f0ba5d384699b101981b54c1a375a
SSDEEP: 12288:FlYqg3oqi+8R7YrQ2j+zxgJLavC1YU3B4P0Tno31kUrQeG:jdpYrYz6A0zg1TrQJ
Malware Config
Signatures

Modifies visibility of file extensions in Explorer (2 TTPs, 64 IoCs)

description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe (64 identical entries)
UAC bypass (3 TTPs, 64 IoCs)

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe (64 identical entries)
Renames multiple (56) files with added filename extension

This suggests ransomware activity of encrypting all the files on the system.
Executes dropped EXE (5 IoCs)

pid | Process
2820 | dqQMQUUc.exe
1440 | tWYMwwQw.exe
3672 | rgUYIoIw.exe
5488 | dqQMQUUc.exe
3192 | tWYMwwQw.exe
Reads user/profile data of web browsers (3 TTPs)

Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 7 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Run\dqQMQUUc.exe = "C:\\Users\\Admin\\BokIcAUI\\dqQMQUUc.exe" | JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tWYMwwQw.exe = "C:\\ProgramData\\BUkAkoEw\\tWYMwwQw.exe" | JaffaCakes118_047c408df84c32f8d5712456276d1680.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Run\dqQMQUUc.exe = "C:\\Users\\Admin\\BokIcAUI\\dqQMQUUc.exe" | dqQMQUUc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tWYMwwQw.exe = "C:\\ProgramData\\BUkAkoEw\\tWYMwwQw.exe" | tWYMwwQw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tWYMwwQw.exe = "C:\\ProgramData\\BUkAkoEw\\tWYMwwQw.exe" | rgUYIoIw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tWYMwwQw.exe = "C:\\ProgramData\\BUkAkoEw\\tWYMwwQw.exe" | tWYMwwQw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Run\dqQMQUUc.exe = "C:\\Users\\Admin\\BokIcAUI\\dqQMQUUc.exe" | dqQMQUUc.exe
Drops file in System32 directory (6 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\sheWatchLock.xlsx | tWYMwwQw.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\BokIcAUI | rgUYIoIw.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\BokIcAUI\dqQMQUUc | rgUYIoIw.exe
File created | C:\Windows\SysWOW64\shell32.dll.exe | tWYMwwQw.exe
File opened for modification | C:\Windows\SysWOW64\sheSwitchExpand.docx | tWYMwwQw.exe
File opened for modification | C:\Windows\SysWOW64\sheUnlockRegister.zip | tWYMwwQw.exe
Enumerates physical storage devices (1 TTPs)

Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe (26 entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe (21 entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cscript.exe (9 entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_047c408df84c32f8d5712456276d1680.exe (7 entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tWYMwwQw.exe (1 entry)
Modifies registry key (1 TTPs, 64 IoCs)

pid | Process
reg.exe PIDs (64 entries, in report order): 5596, 1508, 2764, 2436, 5856, 4992, 4120, 3576, 1548, 2508, 3808, 4944, 4356, 3780, 4820, 4756, 4188, 2204, 1004, 4712, 2968, 2324, 5492, 3440, 4700, 5316, 5616, 5904, 5356, 1732, 4712, 2908, 3500, 5084, 1988, 4976, 2256, 1612, 5660, 3044, 2016, 1684, 2924, 560, 3864, 1924, 2896, 5908, 2272, 1984, 1548, 5856, 4300, 3076, 5988, 3272, 8, 3964, 5784, 5784, 2812, 3488, 4040, 2836
Suspicious behavior: EnumeratesProcesses (64 IoCs)

pid | Process
Each of the following PIDs of JaffaCakes118_047c408df84c32f8d5712456276d1680.exe appears 4 times (16 PIDs, 64 entries): 3848, 5292, 4964, 752, 1888, 3292, 3284, 964, 892, 3808, 3892, 3448, 3964, 1400, 880, 5740
Suspicious use of FindShellTrayWindow (24 IoCs)

pid | Process
1440 | tWYMwwQw.exe (24 identical entries)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 3848 wrote to memory of 2820 | 3848 | JaffaCakes118_047c408df84c32f8d5712456276d1680.exe | 79
PID 3848 wrote to memory of 1440 | 3848 | JaffaCakes118_047c408df84c32f8d5712456276d1680.exe | 81
PID 688 wrote to memory of 5488 | 688 | cmd.exe | 86
PID 3656 wrote to memory of 3192 | 3656 | cmd.exe | 87
PID 3848 wrote to memory of 3468 | 3848 | JaffaCakes118_047c408df84c32f8d5712456276d1680.exe | 88
PID 3848 wrote to memory of 2272 | 3848 | JaffaCakes118_047c408df84c32f8d5712456276d1680.exe | 90
PID 3848 wrote to memory of 1988 | 3848 | JaffaCakes118_047c408df84c32f8d5712456276d1680.exe | 91
PID 3848 wrote to memory of 1228 | 3848 | JaffaCakes118_047c408df84c32f8d5712456276d1680.exe | 92
PID 3468 wrote to memory of 5292 | 3468 | cmd.exe | 93
PID 5292 wrote to memory of 5092 | 5292 | JaffaCakes118_047c408df84c32f8d5712456276d1680.exe | 97
PID 5292 wrote to memory of 5032 | 5292 | JaffaCakes118_047c408df84c32f8d5712456276d1680.exe | 99
PID 5292 wrote to memory of 5116 | 5292 | JaffaCakes118_047c408df84c32f8d5712456276d1680.exe | 100
PID 5292 wrote to memory of 3416 | 5292 | JaffaCakes118_047c408df84c32f8d5712456276d1680.exe | 101
PID 5292 wrote to memory of 4496 | 5292 | JaffaCakes118_047c408df84c32f8d5712456276d1680.exe | 102
PID 4496 wrote to memory of 4952 | 4496 | cmd.exe | 107
PID 5092 wrote to memory of 4964 | 5092 | cmd.exe | 108
PID 4964 wrote to memory of 3016 | 4964 | JaffaCakes118_047c408df84c32f8d5712456276d1680.exe | 109
PID 3016 wrote to memory of 752 | 3016 | cmd.exe | 111
PID 4964 wrote to memory of 2508 | 4964 | JaffaCakes118_047c408df84c32f8d5712456276d1680.exe | 112
PID 4964 wrote to memory of 5104 | 4964 | JaffaCakes118_047c408df84c32f8d5712456276d1680.exe | 113
PID 4964 wrote to memory of 5112 | 4964 | JaffaCakes118_047c408df84c32f8d5712456276d1680.exe | 114
PID 4964 wrote to memory of 6004 | 4964 | JaffaCakes118_047c408df84c32f8d5712456276d1680.exe | 115
Processes
Each entry is "[depth] image | command line | PID", followed by the behaviour flags the sandbox attached to that process. From depth 2 onward the tree alternates between cmd.exe and the sample re-launching each other; for those entries the three repeated image/command-line pairs are written as:

SAMPLE  = C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680
CMD     = C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680"
CONHOST = C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe | "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_047c408df84c32f8d5712456276d1680.exe" | PID:3848
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
[2] C:\Users\Admin\BokIcAUI\dqQMQUUc.exe | "C:\Users\Admin\BokIcAUI\dqQMQUUc.exe" | PID:2820
    - Executes dropped EXE
    - Adds Run key to start application
[2] C:\ProgramData\BUkAkoEw\tWYMwwQw.exe | "C:\ProgramData\BUkAkoEw\tWYMwwQw.exe" | PID:1440
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
[2] CMD | PID:3468
    - Suspicious use of WriteProcessMemory
[3] SAMPLE | PID:5292
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
[4] CMD | PID:5092
    - Suspicious use of WriteProcessMemory
[5] SAMPLE | PID:4964
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
[6] CMD | PID:3016
    - Suspicious use of WriteProcessMemory
[7] SAMPLE | PID:752
    - Suspicious behavior: EnumeratesProcesses
[8] CMD | PID:1424
[9] SAMPLE | PID:1888
    - Suspicious behavior: EnumeratesProcesses
[10] CMD | PID:2856
[11] SAMPLE | PID:3292
    - Suspicious behavior: EnumeratesProcesses
[12] CMD | PID:2060
[13] SAMPLE | PID:3284
    - Suspicious behavior: EnumeratesProcesses
[14] CMD | PID:1212
[15] SAMPLE | PID:964
    - Suspicious behavior: EnumeratesProcesses
[16] CMD | PID:5700
[17] SAMPLE | PID:892
    - Suspicious behavior: EnumeratesProcesses
[18] CMD | PID:3832
[19] SAMPLE | PID:3808
    - Suspicious behavior: EnumeratesProcesses
[20] CMD | PID:5980
[21] SAMPLE | PID:3892
    - Suspicious behavior: EnumeratesProcesses
[22] CMD | PID:2200
[23] SAMPLE | PID:3448
    - Suspicious behavior: EnumeratesProcesses
[24] CMD | PID:5496
[25] SAMPLE | PID:3964
    - Suspicious behavior: EnumeratesProcesses
[26] CMD | PID:3712
[27] SAMPLE | PID:1400
    - Suspicious behavior: EnumeratesProcesses
[28] CMD | PID:5204
[29] SAMPLE | PID:880
    - Suspicious behavior: EnumeratesProcesses
[30] CMD | PID:4064
[31] SAMPLE | PID:5740
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
[32] CMD | PID:384
[33] SAMPLE | PID:3256
[34] CMD | PID:1212
    - System Location Discovery: System Language Discovery
[35] SAMPLE | PID:6072
[36] CMD | PID:4748
[37] SAMPLE | PID:5976
[38] CMD | PID:5940
[39] SAMPLE | PID:5348
[40] CMD | PID:4000
[41] SAMPLE | PID:2656
[42] CMD | PID:2340
[43] SAMPLE | PID:5236
[44] CMD | PID:2564
[45] SAMPLE | PID:5140
[46] CMD | PID:5820
[47] SAMPLE | PID:4832
[48] CMD | PID:5768
[49] SAMPLE | PID:1336
    - System Location Discovery: System Language Discovery
[50] CMD | PID:5228
[51] SAMPLE | PID:4804
    - System Location Discovery: System Language Discovery
[52] CMD | PID:3924
    - System Location Discovery: System Language Discovery
[53] SAMPLE | PID:3376
[54] CMD | PID:6072
    - System Location Discovery: System Language Discovery
[55] SAMPLE | PID:4812
[56] CMD | PID:5808
[57] SAMPLE | PID:3104
[58] CMD | PID:1216
[59] SAMPLE | PID:5752
[60] CMD | PID:1996
    - System Location Discovery: System Language Discovery
[61] SAMPLE | PID:2320
[62] CMD | PID:5224
[63] SAMPLE | PID:1228
[64] CMD | PID:4048
[65] SAMPLE | PID:6040
[66] CMD | PID:3376
[67] SAMPLE | PID:3164
[68] CMD | PID:1136
[69] SAMPLE | PID:2108
[70] CMD | PID:6068
[71] SAMPLE | PID:4488
[72] CMD | PID:3464
    - System Location Discovery: System Language Discovery
[73] SAMPLE | PID:2884
[74] CMD | PID:5612
[75] SAMPLE | PID:5104
[76] CMD | PID:5300
[77] SAMPLE | PID:1480
[78] CMD | PID:3000
    - System Location Discovery: System Language Discovery
[79] SAMPLE | PID:3976
[80] CMD | PID:4356
[81] SAMPLE | PID:1404
[82] CMD | PID:2000
[83] SAMPLE | PID:2340
    - System Location Discovery: System Language Discovery
[84] CMD | PID:6060
[85] SAMPLE | PID:1456
[86] CMD | PID:3164
[87] SAMPLE | PID:5336
[88] CMD | PID:1684
[89] CONHOST | PID:2108
[89] SAMPLE | PID:2816
    - System Location Discovery: System Language Discovery
[90] CMD | PID:3140
    - System Location Discovery: System Language Discovery
[91] CONHOST | PID:5248
[91] SAMPLE | PID:5616
[92] CMD | PID:3968
[93] CONHOST | PID:2884
[93] SAMPLE | PID:4316
[94] CMD | PID:384
[95] SAMPLE | PID:3256
    - System Location Discovery: System Language Discovery
[96] CMD | PID:2404
[97] SAMPLE | PID:2900
[98] CMD | PID:5584
    - System Location Discovery: System Language Discovery
[99] SAMPLE | PID:1644
[100] CMD | PID:2624
    - System Location Discovery: System Language Discovery
[101] SAMPLE | PID:3016
[102] CMD | PID:2328
[103] SAMPLE | PID:6044
[104] CMD | PID:1532
[105] SAMPLE | PID:3760
[106] CMD | PID:5968
    - System Location Discovery: System Language Discovery
[107] CONHOST | PID:3736
[107] SAMPLE | PID:3376
[108] CMD | PID:4812
[109] CONHOST | PID:4488
[109] SAMPLE | PID:420
[110] CMD | PID:4064
[111] SAMPLE | PID:5616
[112] CMD | PID:896
[113] CONHOST | PID:5104
[113] SAMPLE | PID:1420
[114] CMD | PID:4884
[115] SAMPLE | PID:2380
[116] CMD | PID:5860
[117] SAMPLE | PID:4896
[118] CMD | PID:356
    - System Location Discovery: System Language Discovery
[119] SAMPLE | PID:692
[120] CMD | PID:5148
[121] SAMPLE | PID:5476
[122] CMD | PID:2000
    - System Location Discovery: System Language Discovery