Analysis
max time kernel: 147s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20250502-en
resource tags: arch:x64 arch:x86 image:win10v2004-20250502-en locale:en-us os:windows10-2004-x64 system
submitted: 15/05/2025, 08:50

Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
  Resource: win10v2004-20250502-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
  Resource: win11-20250502-en

General
Target: JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
Size: 566KB
MD5: 04790caa27d1509760e7198453a9e020
SHA1: c1ff34dcb140247a58ae426451ec4e756d5e028c
SHA256: 765b9de605acc7bf32215d7f7a78f68fada8330839a9c4d89be685eb8e8c1f2e
SHA512: 46a0a3a84df09ae86d22a5bee8ef11d6c9ff0f89ca08eba6bab60cde11476b496738d6aacde0b7ba761db41bbce9427912b9b54bc87983f5687443dc157af2f0
SSDEEP: 12288:HMiJ2HX6uWbMmEZ/HGb4x5fvpG/sQ1XUwBI6aUVPM:K36ufb84x5pG/9zBZxM
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
HideFileExt = 1 enables Explorer's "Hide extensions for known file types" setting, so a renamed or double-extension file is displayed without its real extension.
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
(64 identical entries)
UAC bypass 3 TTPs 64 IoCs
EnableLUA = 0 turns off User Account Control; the change takes effect at the next reboot.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
(64 identical entries)
Renames multiple (56) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\International\Geo\Nation | wiocwQIg.exe
Executes dropped EXE 5 IoCs
pid | Process
1772 | wiocwQIg.exe
2068 | dIcgkEwY.exe
2292 | kqQcYEAI.exe
5000 | dIcgkEwY.exe
3632 | wiocwQIg.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 7 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dIcgkEwY.exe = "C:\\ProgramData\\hAAQsoEM\\dIcgkEwY.exe" | JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiocwQIg.exe = "C:\\Users\\Admin\\TUQcIYgM\\wiocwQIg.exe" | wiocwQIg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dIcgkEwY.exe = "C:\\ProgramData\\hAAQsoEM\\dIcgkEwY.exe" | dIcgkEwY.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dIcgkEwY.exe = "C:\\ProgramData\\hAAQsoEM\\dIcgkEwY.exe" | kqQcYEAI.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dIcgkEwY.exe = "C:\\ProgramData\\hAAQsoEM\\dIcgkEwY.exe" | dIcgkEwY.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiocwQIg.exe = "C:\\Users\\Admin\\TUQcIYgM\\wiocwQIg.exe" | wiocwQIg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiocwQIg.exe = "C:\\Users\\Admin\\TUQcIYgM\\wiocwQIg.exe" | JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
Drops file in System32 directory 9 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\TUQcIYgM | kqQcYEAI.exe
File opened for modification | C:\Windows\SysWOW64\sheHidePing.xlsb | wiocwQIg.exe
File opened for modification | C:\Windows\SysWOW64\sheReceiveProtect.docx | wiocwQIg.exe
File opened for modification | C:\Windows\SysWOW64\sheShowRepair.docx | wiocwQIg.exe
File opened for modification | C:\Windows\SysWOW64\sheUnlockFormat.xlsb | wiocwQIg.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\TUQcIYgM\wiocwQIg | kqQcYEAI.exe
File created | C:\Windows\SysWOW64\shell32.dll.exe | wiocwQIg.exe
File opened for modification | C:\Windows\SysWOW64\sheDisconnectRevoke.docx | wiocwQIg.exe
File opened for modification | C:\Windows\SysWOW64\sheUnprotectWait.docx | wiocwQIg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | (64 entries; the Process column, in the order reported, is listed below)
cmd.exe, reg.exe, dIcgkEwY.exe, reg.exe, cscript.exe, reg.exe, reg.exe, reg.exe, reg.exe, reg.exe, reg.exe, reg.exe, reg.exe, JaffaCakes118_04790caa27d1509760e7198453a9e020.exe, cscript.exe, cmd.exe, reg.exe, cscript.exe, cmd.exe, reg.exe, reg.exe, cscript.exe, reg.exe, cscript.exe,
JaffaCakes118_04790caa27d1509760e7198453a9e020.exe, JaffaCakes118_04790caa27d1509760e7198453a9e020.exe, cmd.exe, JaffaCakes118_04790caa27d1509760e7198453a9e020.exe, kqQcYEAI.exe, cmd.exe, cscript.exe, reg.exe, cscript.exe, JaffaCakes118_04790caa27d1509760e7198453a9e020.exe, JaffaCakes118_04790caa27d1509760e7198453a9e020.exe, wiocwQIg.exe, reg.exe, reg.exe, reg.exe, JaffaCakes118_04790caa27d1509760e7198453a9e020.exe, cmd.exe, reg.exe, JaffaCakes118_04790caa27d1509760e7198453a9e020.exe, reg.exe, reg.exe,
JaffaCakes118_04790caa27d1509760e7198453a9e020.exe, cscript.exe, reg.exe, reg.exe, cmd.exe, cmd.exe, JaffaCakes118_04790caa27d1509760e7198453a9e020.exe, cmd.exe, JaffaCakes118_04790caa27d1509760e7198453a9e020.exe, cmd.exe, reg.exe, JaffaCakes118_04790caa27d1509760e7198453a9e020.exe, JaffaCakes118_04790caa27d1509760e7198453a9e020.exe, cmd.exe, wiocwQIg.exe, cscript.exe, cmd.exe, cscript.exe, JaffaCakes118_04790caa27d1509760e7198453a9e020.exe
Totals by process: reg.exe 24, JaffaCakes118_04790caa27d1509760e7198453a9e020.exe 14, cmd.exe 12, cscript.exe 10, wiocwQIg.exe 2, dIcgkEwY.exe 1, kqQcYEAI.exe 1.
Modifies registry key 1 TTPs 64 IoCs
pid | Process
(64 entries, every one reg.exe; the pid column, in the order reported, is listed below)
4448, 1368, 1368, 3852, 1556, 2236, 4088, 4604, 1556, 2672, 4952, 3680, 740, 2072, 1644, 3140, 4340, 2808, 2432, 4736, 3852, 4012, 4256, 4604, 2740, 2980, 3680, 4436, 2996, 2268, 3620, 4668, 2304, 1720, 1444, 3020, 1952, 2116, 4140, 2344, 3680, 3612, 1368, 4132, 3492, 2160, 3960, 4960, 2228, 4928, 1840, 2220, 2456, 5016, 944, 1928, 4736, 3164, 804, 4596, 4844, 2808, 2980, 1228
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
(64 entries, every one JaffaCakes118_04790caa27d1509760e7198453a9e020.exe; each of the following 16 pids appears 4 times consecutively, in this order)
656, 1248, 1956, 3692, 1504, 1384, 2968, 4440, 3208, 4552, 3844, 4232, 1928, 4308, 3776, 3080
Suspicious use of FindShellTrayWindow 22 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:656)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe"
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

Level 2: C:\Users\Admin\TUQcIYgM\wiocwQIg.exe (PID:1772)
  Command line: "C:\Users\Admin\TUQcIYgM\wiocwQIg.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow

Level 2: C:\ProgramData\hAAQsoEM\dIcgkEwY.exe (PID:2068)
  Command line: "C:\ProgramData\hAAQsoEM\dIcgkEwY.exe"
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery

Level 2: C:\Windows\SysWOW64\cmd.exe (PID:1712)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
  - Suspicious use of WriteProcessMemory

Level 3: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:1248)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

Level 4: C:\Windows\SysWOW64\cmd.exe (PID:2344)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
  - Suspicious use of WriteProcessMemory

Level 5: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:1956)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

Level 6: C:\Windows\SysWOW64\cmd.exe (PID:3208)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
  - Suspicious use of WriteProcessMemory

Level 7: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:3692)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
  - Suspicious behavior: EnumeratesProcesses

Level 8: C:\Windows\SysWOW64\cmd.exe (PID:516)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"

Level 9: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:1504)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
  - Suspicious behavior: EnumeratesProcesses

Level 10: C:\Windows\SysWOW64\cmd.exe (PID:1556)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"

Level 11: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:1384)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
  - Suspicious behavior: EnumeratesProcesses

Level 12: C:\Windows\SysWOW64\cmd.exe (PID:1872)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"

Level 13: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:2968)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
  - Suspicious behavior: EnumeratesProcesses

Level 14: C:\Windows\SysWOW64\cmd.exe (PID:4292)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"

Level 15: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:4440)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
  - Suspicious behavior: EnumeratesProcesses

Level 16: C:\Windows\SysWOW64\cmd.exe (PID:1492)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
  - System Location Discovery: System Language Discovery

Level 17: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:3208)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
  - Suspicious behavior: EnumeratesProcesses

Level 18: C:\Windows\SysWOW64\cmd.exe (PID:4344)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"

Level 19: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:4552)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
  - Suspicious behavior: EnumeratesProcesses

Level 20: C:\Windows\SysWOW64\cmd.exe (PID:432)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"

Level 21: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:3844)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses

Level 22: C:\Windows\SysWOW64\cmd.exe (PID:4120)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"

Level 23: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:4232)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
  - Suspicious behavior: EnumeratesProcesses

Level 24: C:\Windows\SysWOW64\cmd.exe (PID:4408)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"

Level 25: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:1928)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
  - Suspicious behavior: EnumeratesProcesses

Level 26: C:\Windows\SysWOW64\cmd.exe (PID:3864)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"

Level 27: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:4308)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
  - Suspicious behavior: EnumeratesProcesses

Level 28: C:\Windows\SysWOW64\cmd.exe (PID:2160)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"

Level 29: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:3776)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
  - Suspicious behavior: EnumeratesProcesses

Level 30: C:\Windows\SysWOW64\cmd.exe (PID:4092)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"

Level 31: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:3080)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
  - Suspicious behavior: EnumeratesProcesses

Level 32: C:\Windows\SysWOW64\cmd.exe (PID:2460)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"

Level 33: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:4744)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020

Level 34: C:\Windows\SysWOW64\cmd.exe (PID:3628)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"

Level 35: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:3100)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020

Level 36: C:\Windows\SysWOW64\cmd.exe (PID:4932)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"

Level 37: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:3892)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020

Level 38: C:\Windows\SysWOW64\cmd.exe (PID:1644)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"

Level 39: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:3504)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
  - System Location Discovery: System Language Discovery

Level 40: C:\Windows\SysWOW64\cmd.exe (PID:772)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"

Level 41: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:4192)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
  - System Location Discovery: System Language Discovery

Level 42: C:\Windows\SysWOW64\cmd.exe (PID:4504)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"

Level 43: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:4112)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020

Level 44: C:\Windows\SysWOW64\cmd.exe (PID:4252)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"

Level 45: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:3876)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020

Level 46: C:\Windows\SysWOW64\cmd.exe (PID:2748)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"

Level 47: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:3024)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020

Level 48: C:\Windows\SysWOW64\cmd.exe (PID:1208)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"

Level 49: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:3620)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
  - System Location Discovery: System Language Discovery

Level 50: C:\Windows\SysWOW64\cmd.exe (PID:4900)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"

Level 51: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:4016)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020

Level 52: C:\Windows\SysWOW64\cmd.exe (PID:2672)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"

Level 53: C:\Windows\System32\Conhost.exe (PID:3724)
  Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Level 53: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:3016)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020

Level 54: C:\Windows\SysWOW64\cmd.exe (PID:3968)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"

Level 55: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:4344)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020

Level 56: C:\Windows\SysWOW64\cmd.exe (PID:1908)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
  - System Location Discovery: System Language Discovery

Level 57: C:\Windows\System32\Conhost.exe (PID:3792)
  Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Level 57: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:3544)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
  - System Location Discovery: System Language Discovery

Level 58: C:\Windows\SysWOW64\cmd.exe (PID:4340)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"

Level 59: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:4248)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020

Level 60: C:\Windows\SysWOW64\cmd.exe (PID:3080)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"

Level 61: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:2616)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020

Level 62: C:\Windows\SysWOW64\cmd.exe (PID:2304)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"

Level 63: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:3012)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020

Level 64: C:\Windows\SysWOW64\cmd.exe (PID:8)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"

Level 65: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:432)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020

Level 66: C:\Windows\SysWOW64\cmd.exe (PID:4580)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"

Level 67: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:3964)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020

Level 68: C:\Windows\SysWOW64\cmd.exe (PID:804)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"

Level 69: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:2968)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020

Level 70: C:\Windows\SysWOW64\cmd.exe (PID:3620)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"

Level 71: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:1204)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020

Level 72: C:\Windows\SysWOW64\cmd.exe (PID:4412)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"

Level 73: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:3028)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020

Level 74: C:\Windows\SysWOW64\cmd.exe (PID:3088)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"

Level 75: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:3544)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020

Level 76: C:\Windows\SysWOW64\cmd.exe (PID:432)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
  - System Location Discovery: System Language Discovery

Level 77: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:4132)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020

Level 78: C:\Windows\SysWOW64\cmd.exe (PID:4520)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"

Level 79: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:1720)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020

Level 80: C:\Windows\SysWOW64\cmd.exe (PID:2792)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"

Level 81: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:1980)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020

Level 82: C:\Windows\SysWOW64\cmd.exe (PID:3128)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"

Level 83: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:2812)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020

Level 84: C:\Windows\SysWOW64\cmd.exe (PID:4012)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"

Level 85: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:4020)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020

Level 86: C:\Windows\SysWOW64\cmd.exe (PID:3080)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"

Level 87: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:2672)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020

Level 88: C:\Windows\SysWOW64\cmd.exe (PID:3996)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"

Level 89: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:3964)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020

Level 90: C:\Windows\SysWOW64\cmd.exe (PID:3664)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
  - System Location Discovery: System Language Discovery

Level 91: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:2732)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020

Level 92: C:\Windows\SysWOW64\cmd.exe (PID:5060)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"

Level 93: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:4720)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
  - System Location Discovery: System Language Discovery

Level 94: C:\Windows\SysWOW64\cmd.exe (PID:3172)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"

Level 95: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:3852)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020

Level 96: C:\Windows\SysWOW64\cmd.exe (PID:3800)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"

Level 97: C:\Windows\System32\Conhost.exe (PID:4140)
  Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Level 97: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:1968)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
  - System Location Discovery: System Language Discovery

Level 98: C:\Windows\SysWOW64\cmd.exe (PID:3368)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"

Level 99: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:4656)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020

Level 100: C:\Windows\SysWOW64\cmd.exe (PID:1672)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"

Level 101: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:3644)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020

Level 102: C:\Windows\SysWOW64\cmd.exe (PID:3440)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"

Level 103: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:2532)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020

Level 104: C:\Windows\SysWOW64\cmd.exe (PID:4440)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"

Level 105: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:2072)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020

Level 106: C:\Windows\SysWOW64\cmd.exe (PID:2968)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"

Level 107: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:4800)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
  - System Location Discovery: System Language Discovery

Level 108: C:\Windows\SysWOW64\cmd.exe (PID:2408)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"

Level 109: C:\Windows\System32\Conhost.exe (PID:772)
  Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Level 109: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:3988)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020

Level 110: C:\Windows\SysWOW64\cmd.exe (PID:3800)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"

Level 111: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:1368)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
  - System Location Discovery: System Language Discovery

Level 112: C:\Windows\SysWOW64\cmd.exe (PID:4088)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"

Level 113: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:3680)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020

Level 114: C:\Windows\SysWOW64\cmd.exe (PID:3944)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"
  - System Location Discovery: System Language Discovery

Level 115: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:2404)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020
  - System Location Discovery: System Language Discovery

Level 116: C:\Windows\SysWOW64\cmd.exe (PID:2616)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"

Level 117: C:\Windows\System32\Conhost.exe (PID:3852)
  Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Level 117: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:1460)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020

Level 118: C:\Windows\SysWOW64\cmd.exe (PID:1600)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"

Level 119: C:\Windows\System32\Conhost.exe (PID:3456)
  Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Level 119: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:3524)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020

Level 120: C:\Windows\SysWOW64\cmd.exe (PID:3544)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"

Level 121: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020.exe (PID:4900)
  Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020

Level 122: C:\Windows\SysWOW64\cmd.exe (PID:4448)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04790caa27d1509760e7198453a9e020"