Analysis
-
max time kernel: 149s
max time network: 104s
platform: windows11-21h2_x64
resource: win11-20250502-en
resource tags: arch:x64, arch:x86, image:win11-20250502-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 15/05/2025, 08:27
-
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_0475de00c9bce316241130435645babf.exe
  Resource: win10v2004-20250502-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_0475de00c9bce316241130435645babf.exe
  Resource: win11-20250502-en
-
General
-
Target: JaffaCakes118_0475de00c9bce316241130435645babf.exe
Size: 204KB
MD5: 0475de00c9bce316241130435645babf
SHA1: 5bfa1fe3bdad3d46ae012b18d993f57dd1420b4d
SHA256: 0c45532f97a92d269cd4abb03f3a495c63fc794001c21c93100770e861d1ee35
SHA512: 2aca8dd648723156f9ab7f39c4fd38d17a1c14db6c5638be3283a68e5474a37276b95afe95eea9c9841003420dcc6afd973e465f1a5ab69eaff1728053687338
SSDEEP:
6144:LFwxPvUv55jeg02222L2u23up22222222222222222222222222222222222f22j:LixPvUvzjexcL3QcNSgBV5hFd
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer (2 TTPs, 64 IoCs)
description | ioc | Process | count
Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe | 50
Set value (int) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Process not Found | 14
-
UAC bypass (3 TTPs, 64 IoCs)
description | ioc | Process | count
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe | 50
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Process not Found | 14
-
Renames multiple (88) files with added filename extension
This suggests ransomware activity: encrypting all the files on the system.
-
Executes dropped EXE (4 IoCs)
pid | Process
4624 | WGgAMcsk.exe
3060 | XagEsYcA.exe
3648 | WGgAMcsk.exe
4808 | XagEsYcA.exe
-
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Run\WGgAMcsk.exe = "C:\\Users\\Admin\\lgAwYQEo\\WGgAMcsk.exe" | JaffaCakes118_0475de00c9bce316241130435645babf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XagEsYcA.exe = "C:\\ProgramData\\ecckUcQw\\XagEsYcA.exe" | JaffaCakes118_0475de00c9bce316241130435645babf.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Run\WGgAMcsk.exe = "C:\\Users\\Admin\\lgAwYQEo\\WGgAMcsk.exe" | WGgAMcsk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XagEsYcA.exe = "C:\\ProgramData\\ecckUcQw\\XagEsYcA.exe" | XagEsYcA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XagEsYcA.exe = "C:\\ProgramData\\ecckUcQw\\XagEsYcA.exe" | XagEsYcA.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Run\WGgAMcsk.exe = "C:\\Users\\Admin\\lgAwYQEo\\WGgAMcsk.exe" | WGgAMcsk.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process | count
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe | 25
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe | 13
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found | 14
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cscript.exe | 4
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_0475de00c9bce316241130435645babf.exe | 8
-
Modifies registry key (1 TTPs, 64 IoCs)
pid | Process
5112 | reg.exe
3704 | reg.exe
1520 | reg.exe
3476 | Process not Found
5984 | reg.exe
5304 | reg.exe
3860 | reg.exe
6100 | reg.exe
3388 | reg.exe
784 | reg.exe
5672 | reg.exe
4868 | reg.exe
392 | Process not Found
1920 | Process not Found
4024 | reg.exe
1640 | reg.exe
2924 | reg.exe
5596 | Process not Found
4028 | reg.exe
5952 | reg.exe
1380 | reg.exe
856 | reg.exe
6084 | reg.exe
416 | reg.exe
1640 | reg.exe
5176 | reg.exe
6028 | reg.exe
2188 | reg.exe
5736 | reg.exe
5044 | reg.exe
2040 | Process not Found
4616 | reg.exe
4484 | reg.exe
5288 | reg.exe
3860 | reg.exe
2052 | reg.exe
5548 | Process not Found
3904 | reg.exe
4004 | reg.exe
1276 | reg.exe
6040 | Process not Found
2204 | reg.exe
5540 | reg.exe
1264 | reg.exe
1240 | reg.exe
5224 | reg.exe
1060 | reg.exe
1760 | reg.exe
5820 | Process not Found
5756 | reg.exe
5828 | reg.exe
4348 | reg.exe
5532 | reg.exe
3368 | reg.exe
5216 | Process not Found
5348 | reg.exe
1556 | reg.exe
4484 | reg.exe
1584 | Process not Found
5904 | Process not Found
1488 | Process not Found
4964 | reg.exe
2928 | reg.exe
5272 | reg.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | count
3012 | JaffaCakes118_0475de00c9bce316241130435645babf.exe | 4
4456 | JaffaCakes118_0475de00c9bce316241130435645babf.exe | 4
3688 | JaffaCakes118_0475de00c9bce316241130435645babf.exe | 4
3032 | JaffaCakes118_0475de00c9bce316241130435645babf.exe | 4
6020 | JaffaCakes118_0475de00c9bce316241130435645babf.exe | 4
1332 | JaffaCakes118_0475de00c9bce316241130435645babf.exe | 4
3044 | JaffaCakes118_0475de00c9bce316241130435645babf.exe | 4
2164 | JaffaCakes118_0475de00c9bce316241130435645babf.exe | 4
4628 | JaffaCakes118_0475de00c9bce316241130435645babf.exe | 4
5084 | JaffaCakes118_0475de00c9bce316241130435645babf.exe | 4
4064 | JaffaCakes118_0475de00c9bce316241130435645babf.exe | 4
4788 | JaffaCakes118_0475de00c9bce316241130435645babf.exe | 4
5196 | JaffaCakes118_0475de00c9bce316241130435645babf.exe | 4
2040 | JaffaCakes118_0475de00c9bce316241130435645babf.exe | 4
784 | JaffaCakes118_0475de00c9bce316241130435645babf.exe | 4
2360 | JaffaCakes118_0475de00c9bce316241130435645babf.exe | 4
-
Suspicious use of FindShellTrayWindow (19 IoCs)
pid | Process | count
4624 | WGgAMcsk.exe | 19
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
[level 1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 3012)
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

[level 2] C:\Users\Admin\lgAwYQEo\WGgAMcsk.exe (PID 4624)
    Command line: "C:\Users\Admin\lgAwYQEo\WGgAMcsk.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of FindShellTrayWindow

[level 2] C:\ProgramData\ecckUcQw\XagEsYcA.exe (PID 3060)
    Command line: "C:\ProgramData\ecckUcQw\XagEsYcA.exe"
    - Executes dropped EXE
    - Adds Run key to start application

[level 2] C:\Windows\SysWOW64\cmd.exe (PID 1464)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
    - Suspicious use of WriteProcessMemory

[level 3] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 4456)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

[level 4] C:\Windows\SysWOW64\cmd.exe (PID 4788)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
    - Suspicious use of WriteProcessMemory

[level 5] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 3688)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

[level 6] C:\Windows\SysWOW64\cmd.exe (PID 5496)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"

[level 7] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 3032)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
    - Suspicious behavior: EnumeratesProcesses

[level 8] C:\Windows\SysWOW64\cmd.exe (PID 3332)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"

[level 9] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 6020)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
    - Suspicious behavior: EnumeratesProcesses

[level 10] C:\Windows\SysWOW64\cmd.exe (PID 2236)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
    - System Location Discovery: System Language Discovery

[level 11] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 1332)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
    - Suspicious behavior: EnumeratesProcesses

[level 12] C:\Windows\SysWOW64\cmd.exe (PID 5624)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"

[level 13] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 3044)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
    - Suspicious behavior: EnumeratesProcesses

[level 14] C:\Windows\SysWOW64\cmd.exe (PID 5340)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"

[level 15] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 2164)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
    - Suspicious behavior: EnumeratesProcesses

[level 16] C:\Windows\SysWOW64\cmd.exe (PID 4448)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"

[level 17] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 4628)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
    - Suspicious behavior: EnumeratesProcesses

[level 18] C:\Windows\SysWOW64\cmd.exe (PID 2664)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"

[level 19] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 5084)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
    - Suspicious behavior: EnumeratesProcesses

[level 20] C:\Windows\SysWOW64\cmd.exe (PID 2272)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"

[level 21] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 4064)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
    - Suspicious behavior: EnumeratesProcesses

[level 22] C:\Windows\SysWOW64\cmd.exe (PID 4028)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"

[level 23] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 4788)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
    - Suspicious behavior: EnumeratesProcesses

[level 24] C:\Windows\SysWOW64\cmd.exe (PID 5476)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"

[level 25] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 5196)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
    - Suspicious behavior: EnumeratesProcesses

[level 26] C:\Windows\SysWOW64\cmd.exe (PID 6024)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"

[level 27] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 2040)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
    - Suspicious behavior: EnumeratesProcesses

[level 28] C:\Windows\SysWOW64\cmd.exe (PID 1368)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"

[level 29] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 784)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
    - Suspicious behavior: EnumeratesProcesses

[level 30] C:\Windows\SysWOW64\cmd.exe (PID 3644)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"

[level 31] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 2360)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
    - Suspicious behavior: EnumeratesProcesses

[level 32] C:\Windows\SysWOW64\cmd.exe (PID 1572)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
    - System Location Discovery: System Language Discovery

[level 33] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 2164)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf

[level 34] C:\Windows\SysWOW64\cmd.exe (PID 5740)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"

[level 35] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 5060)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf

[level 36] C:\Windows\SysWOW64\cmd.exe (PID 5700)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"

[level 37] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 1520)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
    - System Location Discovery: System Language Discovery

[level 38] C:\Windows\SysWOW64\cmd.exe (PID 5184)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"

[level 39] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 2228)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf

[level 40] C:\Windows\SysWOW64\cmd.exe (PID 3368)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"

[level 41] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 3032)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf

[level 42] C:\Windows\SysWOW64\cmd.exe (PID 5724)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"

[level 43] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 5552)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf

[level 44] C:\Windows\SysWOW64\cmd.exe (PID 1492)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"

[level 45] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 3592)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf

[level 46] C:\Windows\SysWOW64\cmd.exe (PID 1864)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"

[level 47] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 1828)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf

[level 48] C:\Windows\SysWOW64\cmd.exe (PID 3168)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"

[level 49] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 5044)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf

[level 50] C:\Windows\SysWOW64\cmd.exe (PID 2132)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"
    - System Location Discovery: System Language Discovery

[level 51] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 752)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf

[level 52] C:\Windows\SysWOW64\cmd.exe (PID 5156)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"

[level 53] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 4936)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf

[level 54] C:\Windows\SysWOW64\cmd.exe (PID 5304)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"

[level 55] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 2664)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf

[level 56] C:\Windows\SysWOW64\cmd.exe (PID 1444)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"

[level 57] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 3372)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf

[level 58] C:\Windows\SysWOW64\cmd.exe (PID 1436)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"

[level 59] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 4004)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf

[level 60] C:\Windows\SysWOW64\cmd.exe (PID 2384)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"

[level 61] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 3276)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf

[level 62] C:\Windows\SysWOW64\cmd.exe (PID 2236)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"

[level 63] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 1640)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf

[level 64] C:\Windows\SysWOW64\cmd.exe (PID 1808)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"

[level 65] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 1760)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf

[level 66] C:\Windows\SysWOW64\cmd.exe (PID 1396)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"

[level 67] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 4908)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf

[level 68] C:\Windows\SysWOW64\cmd.exe (PID 5316)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"

[level 69] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 2120)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf

[level 70] C:\Windows\SysWOW64\cmd.exe (PID 2356)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"

[level 71] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 4348)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf

[level 72] C:\Windows\SysWOW64\cmd.exe (PID 4240)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"

[level 73] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 5096)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf

[level 74] C:\Windows\SysWOW64\cmd.exe (PID 5192)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"

[level 75] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 896)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf

[level 76] C:\Windows\SysWOW64\cmd.exe (PID 2256)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"

[level 77] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 1656)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf

[level 78] C:\Windows\SysWOW64\cmd.exe (PID 3336)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"

[level 79] C:\Windows\System32\Conhost.exe (PID 2332)
    Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

[level 79] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 5104)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf

[level 80] C:\Windows\SysWOW64\cmd.exe (PID 5932)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"

[level 81] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 984)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf

[level 82] C:\Windows\SysWOW64\cmd.exe (PID 1060)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"

[level 83] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 6140)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf

[level 84] C:\Windows\SysWOW64\cmd.exe (PID 5624)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"

[level 85] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 4248)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf

[level 86] C:\Windows\SysWOW64\cmd.exe (PID 5832)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"

[level 87] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 1048)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf

[level 88] C:\Windows\SysWOW64\cmd.exe (PID 5400)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"

[level 89] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 8)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf

[level 90] C:\Windows\SysWOW64\cmd.exe (PID 2356)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"

[level 91] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 5584)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf

[level 92] C:\Windows\SysWOW64\cmd.exe (PID 3056)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"

[level 93] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 1444)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf

[level 94] C:\Windows\SysWOW64\cmd.exe (PID 3032)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"

[level 95] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 3080)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf

[level 96] C:\Windows\SysWOW64\cmd.exe (PID 4844)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"

[level 97] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 5056)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf

[level 98] C:\Windows\SysWOW64\cmd.exe (PID 2572)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"

[level 99] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 1660)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf

[level 100] C:\Windows\SysWOW64\cmd.exe (PID 5492)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"

[level 101] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 2724)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf

[level 102] C:\Windows\SysWOW64\cmd.exe (PID 2012)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"

[level 103] C:\Windows\System32\Conhost.exe (PID 1060)
    Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

[level 103] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 3876)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf

[level 104] C:\Windows\SysWOW64\cmd.exe (PID 640)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"

[level 105] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 6080)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf

[level 106] C:\Windows\SysWOW64\cmd.exe (PID 4316)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"

[level 107] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 3092)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf

[level 108] C:\Windows\SysWOW64\cmd.exe (PID 1240)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"

[level 109] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 2824)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf

[level 110] C:\Windows\SysWOW64\cmd.exe (PID 5220)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"

[level 111] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 2316)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf

[level 112] C:\Windows\SysWOW64\cmd.exe (PID 5848)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"

[level 113] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 324)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf

[level 114] C:\Windows\SysWOW64\cmd.exe (PID 2624)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"

[level 115] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 4512)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
    - System Location Discovery: System Language Discovery

[level 116] C:\Windows\SysWOW64\cmd.exe (PID 820)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"

[level 117] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 4732)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf

[level 118] C:\Windows\SysWOW64\cmd.exe (PID 3052)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"

[level 119] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 996)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf
    - System Location Discovery: System Language Discovery

[level 120] C:\Windows\SysWOW64\cmd.exe (PID 6108)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"

[level 121] C:\Windows\System32\Conhost.exe (PID 5492)
    Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

[level 121] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf.exe (PID 5904)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf

[level 122] C:\Windows\SysWOW64\cmd.exe (PID 2112)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0475de00c9bce316241130435645babf"